Thanks! Would it make sense to add a similar fix to the 3.1 branch as well? On 3.1.x the dest pointer can go below rpath until it reaches a "/" character.

Bogdan

On Fri, Aug 8, 2025 at 1:14 AM Steve Grubb <sgr...@redhat.com> wrote:
> Hello,
>
> On Thursday, August 7, 2025 12:31:24 PM Eastern Daylight Time Bogdan Harjoc wrote:
> > the function path_norm() from libauparse.so in audit-4.1.1 still reads one
> > byte below the allocated "working" buffer and triggers AddressSanitizer and
> > valgrind reports for inputs like "a/../.." or "a/.././..".
> >
> > Attached is a test that produces the asan report.
>
> Thanks. I added something like that to the auparse self tests.
>
> > Process paths like these were generated when processing audit syscall
> > events for clone and probably others.
> >
> > Most of the read underruns in path_norm() were fixed in 2025 and the issue
> > mentioned above is apparently the only one remaining in that code.
> >
> > Would replacing the while loop with the code below ensure that path_norm
> > does not read below the "working" buffer?
> >
> > - while (dest > rpath && (--dest)[-1] != '/');
> >
> > + char *slash = (char *)memrchr(rpath, '/', dest - rpath);
> > + if (slash)
> > + dest = (slash == rpath) ? (rpath + 1) : slash;
> > + else
> > + dest = rpath;
>
> The fix is simple, see commit 4f01ca0. I want to keep this mostly "as is"
> since it mirrors code from glibc's realpath.
>
> -Steve
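
Review bot: the added `dest = slash` branch leaves dest in a different position than the removed loop did. The `while` exits either at rpath or with dest just past a separator (dest[-1] == '/'), whereas `dest = slash` points at the '/' itself, so the separator is dropped in every case except `slash == rpath`. The rest of path_norm() is not visible here and would need to be checked to confirm it copes with dest not ending in '/' before the next component is appended; using `slash + 1` would keep the old post-condition. Separately, memrchr() is a GNU extension, so the file needs _GNU_SOURCE defined before <string.h> is included, and the `(char *)` cast is unnecessary in C.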