
From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 10 Nov 2020 11:16:00 +0100
Subject: [PATCH] Fix memory allocation
We can't assume that the size of a structure is the sum of the sizes of its
members because padding and alignment can be involved. In fact,
we need to allocate more bytes for the structure than the
sum of sizes of its members.
The wrong assumption caused invalid writes and invalid reads
which can be discovered by valgrind. Moreover, when run with
MALLOC_CHECK_ environment variable set to non-zero value, the
program aborted.
The memory issue happened only when NDEBUG is defined, eg. when cmake
-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
most likely because in debug mode the struct SEXP contains 2 additional
members which are the magic canaries and therefore is bigger.
This commit wants to fix the problem by 2 step allocation in which
first the size of the struct SEXP_val_lblk is used and then the
array of SEXPs is allocated separately.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
---
 src/OVAL/probes/SEAP/_sexp-value.h |  2 +-
 src/OVAL/probes/SEAP/sexp-value.c  | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
index 426cd2c3d..e66777ef9 100644
--- a/src/OVAL/probes/SEAP/_sexp-value.h
+++ b/src/OVAL/probes/SEAP/_sexp-value.h
@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
         uintptr_t nxsz;
         uint16_t  real;
         uint16_t  refs;
-        SEXP_t    memb[];
+	SEXP_t *memb;
 };
 
 size_t    SEXP_rawval_list_length (struct SEXP_val_list *list);
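Review bot: The added `SEXP_t *memb;` is indented with a tab while the neighbouring members (`uintptr_t nxsz;`, `uint16_t  refs;`) use spaces, so the new declaration no longer lines up with the rest of the struct; `        SEXP_t    *memb;` would match the existing column layout. Because memb is now a separately allocated array instead of trailing in-struct storage, a short ownership comment on the member would save the next reader a trip through sexp-value.c, e.g. `/* heap array of (1 << size) entries, allocated in SEXP_rawval_lblk_new and released by SEXP_rawval_lblk_free/free1 */`. The struct's opening line sits outside the hunk.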
diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
index a11cbc70c..b8b3ed609 100644
--- a/src/OVAL/probes/SEAP/sexp-value.c
+++ b/src/OVAL/probes/SEAP/sexp-value.c
@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
 {
         _A(sz < 16);
 
-	struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
-		sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
-		SEXP_LBLK_ALIGN
-	);
+	struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
+	lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
 
         lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
         lblk->refs = 1;
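Review bot: Neither malloc result is checked: if `struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));` returns NULL, the very next line `lblk->memb = malloc(...)` dereferences it, and a failed second allocation leaves a NULL `memb` that the later `lblk->memb + lblk->real` accesses will hit; whatever OOM policy the replaced `oscap_aligned_malloc` followed, the new code needs explicit handling such as `if (lblk == NULL) return 0;` and `if (lblk->memb == NULL) { free(lblk); return 0; }`, assuming callers treat a zero return as failure — worth confirming. Separately, switching from `oscap_aligned_malloc(..., SEXP_LBLK_ALIGN)` to plain `malloc` drops the explicit alignment while `nxsz` still packs a pointer and `sz` into one word via `SEXP_LBLKP_MASK`/`SEXP_LBLKS_MASK`; if `SEXP_LBLK_ALIGN` was larger than what `malloc` guarantees on some target, the low address bits may no longer be free for the size tag, so this is worth a comment or an `_A((uintptr_t)lblk & SEXP_LBLKS_MASK) == 0`-style check. SEXP_rawval_lblk_new's body continues outside the hunk.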
@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
                         func (lblk->memb + lblk->real);
                 }
 
-		oscap_aligned_free(lblk);
+		free(lblk->memb);
+		free(lblk);
 
                 if (next != NULL)
                         SEXP_rawval_lblk_free ((uintptr_t)next, func);
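Review bot: The two-step teardown `free(lblk->memb); free(lblk);` is now duplicated verbatim here in SEXP_rawval_lblk_free and again in the SEXP_rawval_lblk_free1 hunk below, and it must stay paired with the two-step allocation in SEXP_rawval_lblk_new; a small `static void SEXP_rawval_lblk_release(struct SEXP_val_lblk *lblk)` holding both frees would keep that pairing in one place so a future change to the allocation scheme cannot update one site and miss the other. Both enclosing functions start outside their hunks.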
@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
                         func (lblk->memb + lblk->real);
                 }
 
-		oscap_aligned_free(lblk);
+		free(lblk->memb);
+		free(lblk);
         }
 
         return;
-- 
2.26.2