packages/audit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!104 [sync] PR-100: backport patches from upstream

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @huangzq6 
Signed-off-by: @huangzq6
This commit is contained in:
openeuler-ci-bot 2024-02-21 07:03:50 +00:00 committed by Gitee
commit e7fddd3694
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
10 changed files with 1009 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
audit.spec
View File

@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
Name: audit
Epoch: 1
Version: 3.0.1
Release: 12
Release: 13
License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -46,11 +46,20 @@ Patch34: backport-Try-to-interpret-OPENAT2-fields-correctly.patch
Patch35: backport-Add-a-buffer-limit-just-in-case.patch
Patch36: backport-Teardown-SIGCONT-watcher-on-exit.patch
Patch37: backport-Correct-path-of-config-file.patch
Patch38: backport-Fix-the-error-found-by-clang-tidy-313.patch
Patch39: backport-Fix-segfault-in-python-bindings-around-the-feed-API.patch
Patch40: backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch
Patch41: backport-Error-out-if-required-zos-parameters-missing.patch
Patch42: backport-Fix-deprecated-python-function.patch
Patch38: backport-Fix-the-error-found-by-clang-tidy-313.patch
Patch39: backport-Fix-segfault-in-python-bindings-around-the-feed-API.patch
Patch40: backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch
Patch41: backport-Error-out-if-required-zos-parameters-missing.patch
Patch42: backport-Fix-deprecated-python-function.patch
Patch43: backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch
Patch44: backport-lib-enclose-macro-to-avoid-precedence-issues.patch
Patch45: backport-memory-allocation-updates-341.patch
Patch46: backport-lib-cast-to-unsigned-char-for-character-test-functio.patch
Patch47: backport-Make-session-id-consistently-typed-327.patch
Patch48: backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch
Patch49: backport-fix-the-use-of-isdigit-everywhere.patch
Patch50: backport-Fix-new-warnings-for-unused-results.patch
Patch51: backport-Change-the-first-iteration-test-so-static-analysis-b.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@ -386,6 +395,9 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog
* Thu Feb 1 2024 xuraoqing <xuraoqing@huawei.com> - 1:3.0.1-13
- backport patches from upstream
* Wed Dec 20 2023 jinlun <jinlun@huawei.com> - 1:3.0.1-12
- backport patches from upstream

119
backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch Normal file
View File

@ -0,0 +1,119 @@
From 2663987c5088924bce510fcf8e7891d6aae976ba Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Sat, 4 Nov 2023 03:48:39 +0100
Subject: [PATCH] Avoid file descriptor leaks in multi-threaded applications
(#339)
* lib: set close-on-exec flag
libaudit may be called from a multi-threaded application.
Avoid leaking local file descriptors on a concurrent execve.
* lib: simplify SOCK_CLOEXEC
SOCK_CLOEXEC is supported since Linux 2.6.27.
Reference:https://github.com/linux-audit/audit-userspace/commit/2663987c5088924bce510fcf8e7891d6aae976ba
Conflict:lib/audit_logging.c,lib/libaudit.c,lib/netlink.c
---
lib/audit_logging.c | 2 +-
lib/libaudit.c | 10 +++++-----
lib/netlink.c | 12 +-----------
3 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index a9f3257..1e521fe 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -177,7 +177,7 @@ static char *_get_commname(const char *comm, char *commname, unsigned int size)
if (comm == NULL) {
int len;
- int fd = open("/proc/self/comm", O_RDONLY);
+ int fd = open("/proc/self/comm", O_RDONLY|O_CLOEXEC);
if (fd < 0) {
strcpy(commname, "\"?\"");
return commname;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 5843ac0..eda51e8 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -220,7 +220,7 @@ static int load_libaudit_config(const char *path)
char buf[128];
/* open the file */
- rc = open(path, O_NOFOLLOW|O_RDONLY);
+ rc = open(path, O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (rc < 0) {
if (errno != ENOENT) {
audit_msg(LOG_ERR, "Error opening %s (%s)",
@@ -260,7 +260,7 @@ static int load_libaudit_config(const char *path)
}
/* it's ok, read line by line */
- f = fdopen(fd, "rm");
+ f = fdopen(fd, "rme");
if (f == NULL) {
audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
strerror(errno));
@@ -894,7 +894,7 @@ uid_t audit_getloginuid(void)
char buf[16];
errno = 0;
- in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (in < 0)
return -1;
do {
@@ -922,7 +922,7 @@ int audit_setloginuid(uid_t uid)
errno = 0;
count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
- o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC|O_CLOEXEC);
if (o >= 0) {
int block, offset = 0;
@@ -958,7 +958,7 @@ uint32_t audit_get_session(void)
char buf[16];
errno = 0;
- in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (in < 0)
return -2;
do {
diff --git a/lib/netlink.c b/lib/netlink.c
index 4d0670a..6168eb3 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -51,7 +51,7 @@ static int check_ack(int fd);
int audit_open(void)
{
int saved_errno;
- int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+ int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
if (fd < 0) {
saved_errno = errno;
@@ -64,16 +64,6 @@ int audit_open(void)
"Error opening audit netlink socket (%s)",
strerror(errno));
errno = saved_errno;
- return fd;
- }
- if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
- saved_errno = errno;
- audit_msg(LOG_ERR,
- "Error setting audit netlink socket CLOEXEC flag (%s)",
- strerror(errno));
- close(fd);
- errno = saved_errno;
- return -1;
}
return fd;
}
--
2.33.0

39
backport-Change-the-first-iteration-test-so-static-analysis-b.patch Normal file
View File

@ -0,0 +1,39 @@
From b84b007cd0ef504e8c86b8cc73646f3119ed343c Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 29 Nov 2023 15:49:21 -0500
Subject: [PATCH] Change the first iteration test so static analysis better
understands the code
Reference:https://github.com/linux-audit/audit-userspace/commit/b84b007cd0ef504e8c86b8cc73646f3119ed343c
Conflict:NA
---
tools/aulast/aulast-llist.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/aulast/aulast-llist.c b/tools/aulast/aulast-llist.c
index 87638ebc..d7765ba4 100644
--- a/tools/aulast/aulast-llist.c
+++ b/tools/aulast/aulast-llist.c
@@ -140,11 +140,15 @@ int list_update_logout(llist* l, time_t t, unsigned long serial)
lnode *list_delete_cur(llist *l)
{
register lnode *cur, *prev;
-
- prev = cur = l->head; /* start at the beginning */
+
+ if (l == NULL || l->head == NULL)
+ return NULL;
+
+ prev = cur = l->head; /* start at the beginning */
while (cur) {
if (cur == l->cur) {
- if (cur == prev && cur == l->head) {
+ // If the first iteration
+ if (prev == l->head && cur == l->head) {
l->head = cur->next;
l->cur = cur->next;
free((void *)cur->name);
--
2.33.0

107
backport-Fix-new-warnings-for-unused-results.patch Normal file
View File

@ -0,0 +1,107 @@
From a4e8b7e18f249fe5decdd2fe748a5068ffeaee57 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Mon, 20 Nov 2023 16:37:46 -0500
Subject: [PATCH] Fix new warnings for unused results
Reference:https://github.com/linux-audit/audit-userspace/commit/a4e8b7e18f249fe5decdd2fe748a5068ffeaee57
Conflict:audisp/plugins/ids/ids.c
---
audisp/plugins/ids/ids.c | 5 +++--
audisp/plugins/ids/ids.h | 2 +-
audisp/plugins/statsd/audisp-statsd.c | 4 ++--
lib/libaudit.c | 3 ++-
lib/netlink.c | 3 ++-
src/auditd.c | 3 ++-
6 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/audisp/plugins/ids/ids.c b/audisp/plugins/ids/ids.c
index f9f312d..8fe3699 100644
--- a/audisp/plugins/ids/ids.c
+++ b/audisp/plugins/ids/ids.c
@@ -91,9 +91,10 @@ static void destroy_audit(void)
audit_close(audit_fd);
}
-void log_audit_event(int type, const char *text, int res)
+int log_audit_event(int type, const char *text, int res)
{
- audit_log_user_message(audit_fd, type, text, NULL, NULL, NULL, res);
+ return audit_log_user_message(audit_fd, type, text,
+ NULL, NULL, NULL, res);
}
diff --git a/audisp/plugins/ids/ids.h b/audisp/plugins/ids/ids.h
index eb1d83c..2cf13b6 100644
--- a/audisp/plugins/ids/ids.h
+++ b/audisp/plugins/ids/ids.h
@@ -14,6 +14,6 @@
extern int debug;
extern void my_printf(const char *fmt, ...)
__attribute__ (( format(printf, 1, 2) ));
-extern void log_audit_event(int type, const char *text, int res);
+extern int log_audit_event(int type, const char *text, int res);
#endif
diff --git a/audisp/plugins/statsd/audisp-statsd.c b/audisp/plugins/statsd/audisp-statsd.c
index e562afa..934db5c 100644
--- a/audisp/plugins/statsd/audisp-statsd.c
+++ b/audisp/plugins/statsd/audisp-statsd.c
@@ -216,9 +216,9 @@ static void get_kernel_status(void)
struct audit_reply rep;
audit_request_status(audit_fd);
- audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0);
+ int rc = audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0);
- if (rep.type == AUDIT_GET) {
+ if (rc > 0 && rep.type == AUDIT_GET) {
// add info to global audit event struct
r.lost = rep.status->lost;
r.backlog = rep.status->backlog;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index eda51e8..86c333c 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -467,7 +467,8 @@ int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
rc = poll(pfd, 1, 100); /* .1 second */
} while (rc < 0 && errno == EINTR);
- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0))
+ ; // intentionally empty
return 1;
}
diff --git a/lib/netlink.c b/lib/netlink.c
index 4d0670a..9b438b8 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -300,7 +300,8 @@ retry:
else if (rc > 0 && rep.type == NLMSG_ERROR) {
int error = rep.error->error;
/* Eat the message */
- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0))
+ ; // intentionally empty
/* NLMSG_ERROR can indicate success, only report nonzero */
if (error) {
diff --git a/src/auditd.c b/src/auditd.c
index 8ab2fe1..5cb4394 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -1152,7 +1152,8 @@ static void clean_exit(void)
audit_msg(LOG_INFO, "The audit daemon is exiting.");
if (fd >= 0) {
if (!opt_aggregate_only)
- audit_set_pid(fd, 0, WAIT_NO);
+ if (audit_set_pid(fd, 0, WAIT_NO))
+ ; // intentionally empty
audit_close(fd);
}
if (pidfile)
--
2.33.0

62
backport-Make-session-id-consistently-typed-327.patch Normal file
View File

@ -0,0 +1,62 @@
From 8359a7004de5e22c5a9b85c01c56e3b376d84a81 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <mt@debian.org>
Date: Thu, 2 Nov 2023 21:53:29 +0100
Subject: [PATCH] Make session id consistently typed (#327)
This fixes type-conflicting definitions and declarations.
Reference:https://github.com/linux-audit/audit-userspace/commit/8359a7004de5e22c5a9b85c01c56e3b376d84a81
Conflict:src/ausearch-options.c
---
src/aureport-options.c | 3 ++-
src/ausearch-options.c | 10 ++++++----
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 167157a..7a8d92a 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -61,7 +61,8 @@ const char *event_uuid = NULL;
const char *event_vmname = NULL;
long long event_exit = 0;
int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+pid_t event_ppid = -1;
+uint32_t event_session_id = -2;
int event_debug = 0, event_machine = -1;
time_t arg_eoe_timeout = (time_t)0;
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index 5f6aace..eff0596 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -888,19 +888,21 @@ int check_params(int count, char *vars[])
size_t len = strlen(optarg);
if (isdigit(optarg[0])) {
errno = 0;
- event_session_id = strtoul(optarg,NULL,10);
- if (errno)
+ unsigned long optval = strtoul(optarg,NULL,10);
+ if (errno || optval >= (1ul << 32))
retval = -1;
+ event_session_id = optval;
c++;
} else if (len >= 2 && *(optarg)=='-' &&
(isdigit(optarg[1]))) {
errno = 0;
- event_session_id = strtoul(optarg, NULL, 0);
- if (errno) {
+ long optval = strtol(optarg, NULL, 0);
+ if (errno || optval < INT_MIN || optval > INT_MAX) {
retval = -1;
fprintf(stderr, "Error converting %s\n",
optarg);
}
+ event_session_id = optval;
c++;
} else {
fprintf(stderr,
--
2.33.0

388
backport-fix-the-use-of-isdigit-everywhere.patch Normal file
View File

@ -0,0 +1,388 @@
From 149a3464ef35fbaa98c57e2775a7a4ab20c2ee75 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Sun, 5 Nov 2023 14:24:49 -0500
Subject: [PATCH] fix the use of isdigit everywhere
Reference:https://github.com/linux-audit/audit-userspace/commit/149a3464ef35fbaa98c57e2775a7a4ab20c2ee75
Conflict:audisp/plugins/af_unix/audisp-af_unix.c,src/ausearch-options.c
---
audisp/plugins/ids/ids_config.c | 2 +-
audisp/plugins/remote/remote-config.c | 2 +-
audisp/plugins/zos-remote/zos-remote-config.c | 6 ++--
auparse/auditd-config.c | 2 +-
auparse/interpret.c | 6 ++--
src/auditctl.c | 6 ++--
src/aureport-options.c | 4 +--
src/aureport-output.c | 2 +-
src/ausearch-options.c | 36 +++++++++----------
src/ausearch-parse.c | 2 +-
tools/ausyscall/ausyscall.c | 4 +--
11 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/audisp/plugins/ids/ids_config.c b/audisp/plugins/ids/ids_config.c
index 4da5ca9..f773794 100644
--- a/audisp/plugins/ids/ids_config.c
+++ b/audisp/plugins/ids/ids_config.c
@@ -345,7 +345,7 @@ static int unsigned_int_parser(struct nv_pair *nv, int line, unsigned int *val)
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
syslog(LOG_ERR,
"Value %s should only be numbers - line %d",
nv->value, line);
diff --git a/audisp/plugins/remote/remote-config.c b/audisp/plugins/remote/remote-config.c
index 7d80752..1f05cdd 100644
--- a/audisp/plugins/remote/remote-config.c
+++ b/audisp/plugins/remote/remote-config.c
@@ -484,7 +484,7 @@ static int parse_uint (const struct nv_pair *nv, int line, unsigned int *valp,
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
syslog(LOG_ERR,
"Value %s should only be numbers - line %d",
nv->value, line);
diff --git a/audisp/plugins/zos-remote/zos-remote-config.c b/audisp/plugins/zos-remote/zos-remote-config.c
index b92dc77..2f7e42f 100644
--- a/audisp/plugins/zos-remote/zos-remote-config.c
+++ b/audisp/plugins/zos-remote/zos-remote-config.c
@@ -301,7 +301,7 @@ static int port_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
@@ -327,7 +327,7 @@ static int timeout_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
@@ -376,7 +376,7 @@ static int q_depth_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
diff --git a/auparse/auditd-config.c b/auparse/auditd-config.c
index bdb9cf8..d0fa746 100644
--- a/auparse/auditd-config.c
+++ b/auparse/auditd-config.c
@@ -341,7 +341,7 @@ static int eoe_timeout_parser(auparse_state_t *au, const char *val, int line,
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
audit_msg(au, LOG_ERR,
"Value %s should only be numbers - line %d",
val, line);
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 84c41ea..cc03a15 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -321,7 +321,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode)
static int is_int_string(const char *str)
{
while (*str) {
- if (!isdigit(*str))
+ if (!isdigit((unsigned char)*str))
return 0;
str++;
}
@@ -1381,7 +1381,7 @@ static const char *print_success(const char *val)
{
int res;
- if (isdigit(*val)) {
+ if (isdigit((unsigned char)*val)) {
errno = 0;
res = strtoul(val, NULL, 10);
if (errno) {
@@ -2185,7 +2185,7 @@ static const char *print_fanotify(const char *val)
{
int res;
- if (isdigit(*val)) {
+ if (isdigit((unsigned char)*val)) {
errno = 0;
res = strtoul(val, NULL, 10);
if (errno) {
diff --git a/src/auditctl.c b/src/auditctl.c
index 1eb424c..778b374 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -631,7 +631,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'r':
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t rate;
errno = 0;
rate = strtoul(optarg,NULL,0);
@@ -650,7 +650,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'b':
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t limit;
errno = 0;
limit = strtoul(optarg,NULL,0);
@@ -1061,7 +1061,7 @@ process_keys:
case 2:
#if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
HAVE_DECL_AUDIT_STATUS_BACKLOG_WAIT_TIME == 1
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t bwt;
errno = 0;
bwt = strtoul(optarg,NULL,0);
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 7a8d92a..7264d5e 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -384,7 +384,7 @@ int check_params(int count, char *vars[])
// } else {
// UNIMPLEMENTED;
// set_detail(D_SPECIFIC);
-// if (isdigit(optarg[0])) {
+// if (isdigit((unsigned char)optarg[0])) {
// errno = 0;
// event_id = strtoul(optarg,
// NULL, 10);
@@ -763,7 +763,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10);
if (errno || arg_eoe_timeout == 0) {
diff --git a/src/aureport-output.c b/src/aureport-output.c
index a635d53..27a2ce2 100644
--- a/src/aureport-output.c
+++ b/src/aureport-output.c
@@ -976,7 +976,7 @@ static void do_user_summary_output(slist *sptr)
long uid;
char name[64];
- if (sn->str[0] == '-' || isdigit(sn->str[0])) {
+ if (sn->str[0] == '-' || isdigit((unsigned char)sn->str[0])) {
uid = strtol(sn->str, NULL, 10);
printf("%u ", sn->hits);
safe_print_string(aulookup_uid(uid, name,
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index eff0596..aa13590 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -253,7 +253,7 @@ static int convert_str_to_msg(const char *optarg)
{
int tmp, retval = 0;
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
tmp = strtoul(optarg, NULL, 10);
if (errno) {
@@ -335,7 +335,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_id = strtoul(optarg, NULL, 10);
if (errno) {
@@ -357,7 +357,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10);
if (errno || arg_eoe_timeout == 0) {
@@ -463,7 +463,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_gid = strtoul(optarg,NULL,10);
if (errno) {
@@ -497,7 +497,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_egid = strtoul(optarg,NULL,10);
if (errno) {
@@ -529,7 +529,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_gid = strtoul(optarg,NULL,10);
if (errno) {
@@ -648,7 +648,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_ppid = strtol(optarg,NULL,10);
if (errno)
@@ -669,7 +669,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_pid = strtol(optarg,NULL,10);
if (errno)
@@ -787,7 +787,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_syscall = (int)strtoul(optarg, NULL, 10);
if (errno) {
@@ -886,7 +886,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
unsigned long optval = strtoul(optarg,NULL,10);
if (errno || optval >= (1ul << 32))
@@ -894,7 +894,7 @@ int check_params(int count, char *vars[])
event_session_id = optval;
c++;
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
long optval = strtol(optarg, NULL, 0);
if (errno || optval < INT_MIN || optval > INT_MAX) {
@@ -926,7 +926,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_exit = strtoll(optarg, NULL, 0);
if (errno) {
@@ -935,7 +935,7 @@ int check_params(int count, char *vars[])
optarg);
}
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
event_exit = strtoll(optarg, NULL, 0);
if (errno) {
@@ -1067,7 +1067,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_uid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1100,7 +1100,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_euid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1133,7 +1133,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_uid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1177,7 +1177,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_loginuid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1187,7 +1187,7 @@ int check_params(int count, char *vars[])
retval = -1;
}
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
event_loginuid = strtol(optarg, NULL, 0);
if (errno) {
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 7ee7bd4..f34e21d 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1115,7 +1115,7 @@ try_again:
return 25;
ptr = str + 4;
term = ptr;
- while (isdigit(*term))
+ while (isdigit((unsigned char)*term))
term++;
if (term == ptr)
return 14;
diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c
index 206e9ff..2ef4ad1 100644
--- a/tools/ausyscall/ausyscall.c
+++ b/tools/ausyscall/ausyscall.c
@@ -47,9 +47,9 @@ int main(int argc, char *argv[])
usage();
} else if (argc < 2)
usage();
-
+
for (i=1; i<argc; i++) {
- if (isdigit(argv[i][0])) {
+ if (isdigit((unsigned char)argv[i][0])) {
if (syscall_num != -1) {
fputs("Two syscall numbers not allowed\n",
stderr);
--
2.33.0

156
backport-lib-cast-to-unsigned-char-for-character-test-functio.patch Normal file
View File

@ -0,0 +1,156 @@
From 3aa3ccb2bb1c8804fbf43b260c93b65e831242c1 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Thu, 2 Nov 2023 21:20:40 +0100
Subject: [PATCH] lib: cast to unsigned char for character test functions
(#338)
Passing a value not representable by unsigned char is undefined
behavior.
Reference:https://github.com/linux-audit/audit-userspace/commit/3aa3ccb2bb1c8804fbf43b260c93b65e831242c1
Conflict:lib/libaudit.c
---
lib/libaudit.c | 30 +++++++++++++++---------------
lib/lookup_table.c | 2 +-
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 02c263e..5843ac0 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1006,7 +1006,7 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
return -2;
nr = audit_name_to_syscall(scall, machine);
if (nr < 0) {
- if (isdigit(scall[0]))
+ if (isdigit((unsigned char)scall[0]))
nr = strtol(scall, NULL, 0);
}
if (nr >= 0)
@@ -1535,11 +1535,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_OBJ_UID:
// Do positive & negative separate for 32 bit systems
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1559,7 +1559,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SGID:
case AUDIT_FSGID:
case AUDIT_OBJ_GID:
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1575,11 +1575,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags != AUDIT_FILTER_EXIT)
return -EAU_EXITONLY;
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1594,7 +1594,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
flags != AUDIT_FILTER_USER)
return -EAU_MSGTYPEEXCLUDEUSER;
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else
@@ -1665,7 +1665,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_ARCHMISPLACED;
if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
- if (isdigit((char)*(v))) {
+ if (isdigit((unsigned char)*(v))) {
int machine;
errno = 0;
@@ -1706,7 +1706,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_STRTOOLONG;
for (i = 0; i < len; i++) {
- switch (tolower(v[i])) {
+ switch (tolower((unsigned char)v[i])) {
case 'r':
val |= AUDIT_PERM_READ;
break;
@@ -1740,7 +1740,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_FIELDUNAVAIL;
if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else
@@ -1753,11 +1753,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_ARG0...AUDIT_ARG3:
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else
@@ -1773,11 +1773,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_FIELDNOFILTER;
// Do positive & negative separate for 32 bit systems
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else if (strcmp(v, "unset") == 0)
@@ -1803,7 +1803,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
return -EAU_EXITONLY;
- if (!isdigit((char)*(v)))
+ if (!isdigit((unsigned char)*(v)))
return -EAU_FIELDVALNUM;
if (field == AUDIT_INODE)
diff --git a/lib/lookup_table.c b/lib/lookup_table.c
index 23678a4..d97c5fb 100644
--- a/lib/lookup_table.c
+++ b/lib/lookup_table.c
@@ -223,7 +223,7 @@ int audit_name_to_msg_type(const char *msg_type)
strncpy(buf, msg_type + 8, len);
errno = 0;
return strtol(buf, NULL, 10);
- } else if (isdigit(*msg_type)) {
+ } else if (isdigit((unsigned char)*msg_type)) {
errno = 0;
return strtol(msg_type, NULL, 10);
}
--
2.33.0

35
backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch Normal file
View File

@ -0,0 +1,35 @@
From 3f928b21486369c495d9eaca46eb9d506ae576b3 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Wed, 1 Nov 2023 20:35:40 +0100
Subject: [PATCH] lib: close audit socket in load_feature_bitmap() (#334)
Reference:https://github.com/linux-audit/audit-userspace/commit/3f928b21486369c495d9eaca46eb9d506ae576b3
Conflict:NA
---
lib/libaudit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index ded3ab47..4c317c87 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -657,12 +657,14 @@ static void load_feature_bitmap(void)
/* Found it... */
features_bitmap = rep.status->feature_bitmap;
+ audit_close(fd);
return;
}
}
}
#endif
features_bitmap = AUDIT_FEATURES_UNSUPPORTED;
+ audit_close(fd);
}
uint32_t audit_get_features(void)
--
2.33.0

29
backport-lib-enclose-macro-to-avoid-precedence-issues.patch Normal file
View File

@ -0,0 +1,29 @@
From e97c79260a2e7bdbf02c5162b0c40451c9555111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 31 Oct 2023 16:49:10 +0100
Subject: [PATCH] lib: enclose macro to avoid precedence issues
Reference:https://github.com/linux-audit/audit-userspace/commit/e97c79260a2e7bdbf02c5162b0c40451c9555111
Conflict:NA
---
lib/audit_logging.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index 8b8b6207..e8b79d3e 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -38,7 +38,7 @@
#include "private.h"
#define TTY_PATH 32
-#define MAX_USER (UT_NAMESIZE * 2) + 8
+#define MAX_USER ((UT_NAMESIZE * 2) + 8)
// NOTE: The kernel fills in pid, uid, and loginuid of sender. Therefore,
// these routines do not need to send them.
--
2.33.0

56
backport-memory-allocation-updates-341.patch Normal file
View File

@ -0,0 +1,56 @@
From b92027ac9e29659483a5e920e548fe74126f72af Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Wed, 1 Nov 2023 22:15:40 +0100
Subject: [PATCH] memory allocation updates (#341)
* Check memory allocation
Avoid later NULL dereference.
* Check memory allocation and merge zeroing
Avoid later NULL dereference.
Reference:https://github.com/linux-audit/audit-userspace/commit/b92027ac9e29659483a5e920e548fe74126f72af
Conflict:NA
---
auparse/interpret.c | 2 ++
lib/libaudit.c | 7 +++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/auparse/interpret.c b/auparse/interpret.c
index ecde07ae..76ca2814 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -366,6 +366,8 @@ char *au_unescape(char *buf)
// strlen(buf) / 2.
olen = strlen(buf);
str = malloc(olen+1);
+ if (!str)
+ return NULL;
saved = *ptr;
*ptr = 0;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 6a42871b..d90d83b8 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -891,9 +891,12 @@ int audit_make_equivalent(int fd, const char *mount_point,
struct {
uint32_t sizes[2];
unsigned char buf[];
- } *cmd = malloc(sizeof(*cmd) + len1 + len2);
+ } *cmd = calloc(1, sizeof(*cmd) + len1 + len2);
- memset(cmd, 0, sizeof(*cmd) + len1 + len2);
+ if (!cmd) {
+ audit_msg(LOG_ERR, "Cannot allocate memory!");
+ return -ENOMEM;
+ }
cmd->sizes[0] = len1;
cmd->sizes[1] = len2;
--
2.33.0