Blame SOURCES/openscap-1.3.4-fix-no-more-recursion.patch

a39e27
From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001
a39e27
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
a39e27
Date: Wed, 27 May 2020 10:38:56 +0200
a39e27
Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370
a39e27
a39e27
The file probe has a non-optimal behavior. It happens when the file path
a39e27
is specified using a variable with 2 values with `operation="equals"`
a39e27
and `var_check="all"`. The probe recurses into a file system tree even
a39e27
if it's obvious that it won't find any match. If one of values is a big
a39e27
tree (for example `/`) it eventually runs out of memory and crashes. The
a39e27
OVAL doesn't make sense because it's impossible that a single file would
a39e27
have 2 different paths. But despite that it's a valid OVAL document.
a39e27
The test is expected to fail because the bug hasn't been fixed.
a39e27
---
a39e27
 tests/probes/file/CMakeLists.txt              |  1 +
a39e27
 .../test_probes_file_multiple_file_paths.sh   | 39 +++++++++++++++++
a39e27
 .../test_probes_file_multiple_file_paths.xml  | 42 +++++++++++++++++++
a39e27
 3 files changed, 82 insertions(+)
a39e27
 create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh
a39e27
 create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml
a39e27
a39e27
diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt
a39e27
index 12718603f..35b4c1169 100644
a39e27
--- a/tests/probes/file/CMakeLists.txt
a39e27
+++ b/tests/probes/file/CMakeLists.txt
a39e27
@@ -1,3 +1,4 @@
a39e27
 if(ENABLE_PROBES_UNIX)
a39e27
 	add_oscap_test("test_probes_file.sh")
a39e27
+	add_oscap_test("test_probes_file_multiple_file_paths.sh")
a39e27
 endif()
a39e27
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh
a39e27
new file mode 100755
a39e27
index 000000000..1cececbb0
a39e27
--- /dev/null
a39e27
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh
a39e27
@@ -0,0 +1,39 @@
a39e27
+#!/bin/bash
a39e27
+
a39e27
+set -e -o pipefail
a39e27
+
a39e27
+. $builddir/tests/test_common.sh
a39e27
+
a39e27
+probecheck "file" || exit 255
a39e27
+which strace || exit 255
a39e27
+
a39e27
+function check_strace_output {
a39e27
+	strace_log="$1"
a39e27
+	grep -q "/tmp/numbers/1" $strace_log && return 1
a39e27
+	grep -q "/tmp/numbers/1/2" $strace_log && return 1
a39e27
+	grep -q "/tmp/numbers/1/2/3" $strace_log && return 1
a39e27
+	grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1
a39e27
+	grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1
a39e27
+	grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a/b" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a/b/c" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1
a39e27
+	grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1
a39e27
+	return 0
a39e27
+}
a39e27
+
a39e27
+rm -rf /tmp/numbers
a39e27
+mkdir -p /tmp/numbers/1/2/3/4/5/6
a39e27
+rm -rf /tmp/letters
a39e27
+mkdir -p /tmp/letters/a/b/c/d/e/f
a39e27
+strace_log=$(mktemp)
a39e27
+strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml"
a39e27
+ret=0
a39e27
+check_strace_output $strace_log || ret=$?
a39e27
+rm -f $strace_log
a39e27
+rm -f results.xml
a39e27
+rm -rf /tmp/numbers
a39e27
+rm -rf /tmp/letters
a39e27
+exit $ret
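Review bot: The fixture trees are created at fixed, predictable paths inside the world-writable /tmp (`rm -rf /tmp/numbers`, `mkdir -p /tmp/numbers/1/2/3/4/5/6` and the /tmp/letters pair) and torn down with `rm -rf`, so another user on a shared test host can pre-create or swap those directories and the test would then traverse and delete whatever is there; creating them under a `mktemp -d` root would avoid that, though the same two paths are hard-coded as the constant_variable values in test_probes_file_multiple_file_paths.xml in the next hunk, so the fixture would need to be templated alongside. Separately, the first `grep -q "/tmp/numbers/1"` already matches every deeper path, so the five greps that follow it (and likewise the /tmp/letters run) can never change the result; one grep per tree suffices. The `$builddir`, `$strace_log` and `$OSCAP` expansions are unquoted while `$srcdir` is quoted; quoting them consistently avoids word splitting if a build directory contains spaces. The test also presumes the probe's directory descent shows up as `openat` in the `-e openat` trace, which holds for the traced C library in use but is worth a one-line comment.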
a39e27
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml
a39e27
new file mode 100644
a39e27
index 000000000..893a3fe97
a39e27
--- /dev/null
a39e27
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml
a39e27
@@ -0,0 +1,42 @@
a39e27
+
a39e27
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
a39e27
+  <generator>
a39e27
+    <oval:schema_version>5.10</oval:schema_version>
a39e27
+    <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
a39e27
+  </generator>
a39e27
+
a39e27
+  <definitions>
a39e27
+    <definition class="compliance" version="1" id="oval:x:def:1">
a39e27
+      <metadata>
a39e27
+        <title>Specify a file path using variable with two values</title>
a39e27
+        <description>x</description>
a39e27
+        <affected family="unix">
a39e27
+          <platform>multi_platform_all</platform>
a39e27
+        </affected>
a39e27
+      </metadata>
a39e27
+          <criteria operator="AND">
a39e27
+            <criterion comment="Check multiple paths" test_ref="oval:x:tst:1"/>
a39e27
+          </criteria>
a39e27
+    </definition>
a39e27
+  </definitions>
a39e27
+
a39e27
+  <tests>
a39e27
+        <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:tst:1" version="1" comment="Verify all paths exist" check_existence="all_exist" check="all">
a39e27
+          <object object_ref="oval:x:obj:1"/>
a39e27
+        </file_test>
a39e27
+  </tests>
a39e27
+
a39e27
+  <objects>
a39e27
+        <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:obj:1" version="1" comment="uses var_check=all together with operation=equals">
a39e27
+          <path datatype="string" var_ref="oval:x:var:1" var_check="all" operation="equals"/>
a39e27
+          <filename xsi:nil="true" datatype="string"/>
a39e27
+        </file_object>
a39e27
+  </objects>
a39e27
+
a39e27
+  <variables>
a39e27
+        <constant_variable datatype="string" comment="2 file paths" version="1" id="oval:x:var:1">
a39e27
+            <value>/tmp/numbers</value>
a39e27
+            <value>/tmp/letters</value>
a39e27
+        </constant_variable>
a39e27
+  </variables>
a39e27
+</oval_definitions>
a39e27
a39e27
From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001
a39e27
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
a39e27
Date: Tue, 2 Jun 2020 15:11:37 +0200
a39e27
Subject: [PATCH 2/3] Add strace to the list of test dependencies
a39e27
a39e27
---
a39e27
 docs/developer/developer.adoc | 2 +-
a39e27
 1 file changed, 1 insertion(+), 1 deletion(-)
a39e27
a39e27
diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
a39e27
index 823a1504e..0f01ace74 100644
a39e27
--- a/docs/developer/developer.adoc
a39e27
+++ b/docs/developer/developer.adoc
a39e27
@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. To do
a39e27
 that you need to have these additional packages installed:
a39e27
 
a39e27
 ----
a39e27
-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build
a39e27
+wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace
a39e27
 ----
a39e27
 
a39e27
 On Ubuntu 18.04, also install:
a39e27
a39e27
From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001
a39e27
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
a39e27
Date: Wed, 17 Jun 2020 11:00:02 +0200
a39e27
Subject: [PATCH 3/3] Terminate matching to prevent recursion
a39e27
a39e27
Fixes: RHBZ#1686370
a39e27
---
a39e27
 src/OVAL/probes/oval_fts.c | 9 +++++++++
a39e27
 1 file changed, 9 insertions(+)
a39e27
a39e27
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
a39e27
index 696997942..2b7314c38 100644
a39e27
--- a/src/OVAL/probes/oval_fts.c
a39e27
+++ b/src/OVAL/probes/oval_fts.c
a39e27
@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts)
a39e27
 
a39e27
 		if (ores == OVAL_RESULT_TRUE)
a39e27
 			break;
a39e27
+		if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) {
a39e27
+			/* At this point the comparison result isn't OVAL_RESULT_TRUE. Since
a39e27
+			we passed the exact path (from filepath or path elements) to
a39e27
+			fts_open() we surely know that we can't find other items that would
a39e27
+			be equal. Therefore we can terminate the matching. This can happen
a39e27
+			if the filepath or path element references a variable that has
a39e27
+			multiple different values. */
a39e27
+			return NULL;
a39e27
+		}
a39e27
 	} /* for (;;) */
a39e27
 
a39e27
 	/*
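Review bot: The new early `return NULL` leaves the `for (;;)` loop from the middle of its body, so whatever post-loop handling follows the loop (the comment opening on the hunk's last line, outside the hunk) is skipped on this path; the hunk does not show the earlier part of the loop body, so it is worth confirming that nothing acquired or set per iteration needs to be released before returning. The guard also fires for every non-TRUE `ores`, so if the comparison can yield an error result such as OVAL_RESULT_ERROR here it would now be reported as "no match" rather than surfaced; handling that case before the equals check, or noting in the comment why it cannot occur, would make the intent explicit. On style, the continuation lines of the new block comment carry no leading ` * `, which makes it read as code at a glance; `/*` followed by ` * ` on each line, ending with ` */`, is the usual form. oval_fts_read_match_path starts before and continues after the hunk.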