Partition probe broken with PCRE2 #2026

jan-cerny · 2023-09-07T10:59:33Z

Description of Problem:

When OpenSCAP is built with PCRE2, the partition probe doesn't evaluate properly OVAL partition objects that contain a regular expression pattern.

This breaks rule audit_rules_privileged_commands from scap-security-guide-0.1.69.

OpenSCAP Version:

current upstream maint-1.3 branch as of HEAD 9b3e756

Operating System & Version:

Fedora 38

Steps to Reproduce:

Reproducer OVAL: reproducer.zip

cmake -DWITH_PCRE2=ON -DCMAKE_BUILD_TYPE=Debug .. && make
./oscap_wrapper oval eval --results results.xml reproducer.xml

Actual Results:

Definition oval:x:def:1 is evaluated as false, the XML results shows that the object doesn't exist.

Expected Results:

Behavior should be the same as when built with PCRE1. Specifically, definition oval:x:def:1 is evaluated as true, the XML results contains many items matching the partition object.

Additional Information / Debugging Steps:

This patch seems to fix the problem:

diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c
index cd0e10413..eea7bc348 100644
--- a/src/OVAL/probes/unix/linux/partition_probe.c
+++ b/src/OVAL/probes/unix/linux/partition_probe.c
@@ -402,7 +402,7 @@ int partition_probe_main(probe_ctx *ctx, void *probe_arg)
                                 rc = oscap_pcre_exec(re, mnt_entp->mnt_dir,
                                                strlen(mnt_entp->mnt_dir), 0, 0, NULL, 0);
 
-                                if (rc == 0) {
+                                if (rc >= 0) {
                                        if (
 #if defined(HAVE_BLKID_GET_TAG_VALUE)
                                                collect_item(ctx, obj_over, mnt_entp, blkcache)

Additionally, you can discover this by running Automatus test scenarios for the rule audit_rules_privileged_commands on a VM back end where the VM contains a custom build of OpenSCAP with the PCRE2.

The text was updated successfully, but these errors were encountered:

evgenyz · 2023-09-08T10:08:35Z

We should try and reproduce the problem in OpenSCAP upstream unit tests on top of fixing the problem. Good catch!

The pcre_exec function can return a positive number or zero, zero is returned if the buffer isn't large enough. Therefore, we should allow also positive number return code. The commit also extends the test to cover the bug situation. Fixes: OpenSCAP#2026

jan-cerny added the bug label Sep 7, 2023

evgenyz added this to the 1.3.10 milestone Sep 8, 2023

evgenyz added the release blocker label Sep 8, 2023

jan-cerny mentioned this issue Sep 8, 2023

Fix partition probe for PCRE2 #2027

Merged

evgenyz closed this as completed in #2027 Sep 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Partition probe broken with PCRE2 #2026

Partition probe broken with PCRE2 #2026

jan-cerny commented Sep 7, 2023 •

edited

Loading

evgenyz commented Sep 8, 2023

Partition probe broken with PCRE2 #2026

Partition probe broken with PCRE2 #2026

Comments

jan-cerny commented Sep 7, 2023 • edited Loading

Description of Problem:

OpenSCAP Version:

Operating System & Version:

Steps to Reproduce:

Actual Results:

Expected Results:

Additional Information / Debugging Steps:

evgenyz commented Sep 8, 2023

jan-cerny commented Sep 7, 2023 •

edited

Loading