Hello,
On Thursday, August 7, 2025 12:31:24 PM Eastern Daylight Time Bogdan Harjoc
wrote:
The function path_norm() from libauparse.so in audit-4.1.1 still reads one byte below the allocated "working" buffer and triggers AddressSanitizer and valgrind reports for inputs like "a/../.." or "a/.././..".
Attached is a test that produces the asan report.
Thanks. I added something like that to the auparse self tests.
Process paths like these were generated when processing audit syscall events for clone and probably others.
Most of the read underruns in path_norm() were fixed in 2025 and the issue mentioned above is apparently the only one remaining in that code.
Would replacing the while loop with the code below ensure that path_norm does not read below the "working" buffer?
- while (dest > rpath && (--dest)[-1] != '/');
+ char *slash = (char *)memrchr(rpath, '/', dest - rpath);
+ if (slash)
+ dest = (slash == rpath) ? (rpath + 1) : slash;
+ else
+ dest = rpath;
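Review bot: the replacement does not preserve the post-condition of the loop it removes, so it is not a drop-in substitute. The old loop always steps `dest` back at least once and stops with `dest` one past a '/' (`dest[-1] == '/'`); `memrchr(rpath, '/', dest - rpath)` returns a pointer to the slash itself, so `dest = slash` leaves `dest` on the '/' while the `slash == rpath` branch leaves it at `rpath + 1`, one past it, and a '/' sitting immediately before `dest` would be matched rather than skipped. If the only goal is to stop `(--dest)[-1]` from touching `rpath[-1]` when `dest == rpath + 1`, tightening the existing guard to `dest > rpath + 1` does that and keeps the loop's shape; if `memrchr` is kept anyway, it is a GNU extension (needs `_GNU_SOURCE`) and both branches should assign `slash + 1` to match the old loop.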
The fix is simple, see commit 4f01ca0. I want to keep this mostly "as is"
since it mirrors code from glibc's realpath.
-Steve
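To make the reported underrun concrete, here is an added example written for this note (it is not the libauparse or glibc code): a cut-down realpath-style normaliser with a working buffer that always starts with '/'. It uses an offset instead of a pointer so that the read of rpath[-1] permitted by the original guard is counted instead of performed, and shows that the inputs from the report trigger it with the `dest > rpath` guard and not with `dest > rpath + 1`. All names and the buffer layout are constructed for the illustration.

```c
#include <string.h>

/* Constructed model, not the libauparse or glibc code: a realpath-style
 * normaliser whose working buffer out[] always starts with '/'. dest is an
 * offset instead of a pointer so that an attempted read of out[-1]
 * (rpath[-1] in the original) is counted rather than performed. */
struct norm_result {
    char out[256];
    int underruns;   /* attempted reads one byte below the buffer */
};

/* buggy_guard=1 models "while (dest > rpath && (--dest)[-1] != '/');",
 * buggy_guard=0 models the tightened guard "dest > rpath + 1". */
static void norm_path(const char *path, int buggy_guard, struct norm_result *r)
{
    const char *start, *end;
    size_t dest = 1;                      /* out[0] is the root '/' */

    r->out[0] = '/';
    r->underruns = 0;
    for (start = path; *start; start = end) {
        while (*start == '/') start++;    /* skip separators */
        for (end = start; *end && *end != '/'; end++) ;
        size_t len = (size_t)(end - start);
        if (len == 0) break;
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            /* Back up to the previous component. With limit 0 the loop can
             * decrement dest to 0 and then inspect out[dest - 1] == out[-1]. */
            size_t limit = buggy_guard ? 0 : 1;
            while (dest > limit) {
                --dest;
                if (dest == 0) { r->underruns++; break; } /* the rpath[-1] read */
                if (r->out[dest - 1] == '/') break;
            }
            if (dest == 0) dest = 1;      /* model only: keep the root slash */
            continue;
        }
        if (dest + len + 2 > sizeof r->out) break;  /* no room left */
        if (r->out[dest - 1] != '/') r->out[dest++] = '/';
        memcpy(r->out + dest, start, len);
        dest += len;
    }
    if (dest > 1 && r->out[dest - 1] == '/') --dest;
    r->out[dest] = '\0';
}
```

The second ".." in "a/../.." arrives with dest == rpath + 1, which is exactly the state where the looser guard lets the decrement run and the next read lands below the buffer.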