Fix post integration invalid memory accesses

The crash comes from passing a minimal stub struct to interpretation
routines that now expect the full parser state. To fix this, the stub
now allocates a real parser with auparse_init(""), and each caller
loads interpretations via that parser. This prevents invalid memory
access when caches are cleaned up.

Author: stevegrubb

src/auditctl-listing.c

@@ -469,9 +469,8 @@ static void print_rule(const struct audit_rule_data *r)
 					type = auparse_interp_adjust_type(
 						AUDIT_SYSCALL, name, val);
 					out = auparse_do_interpretation(
-						(auparse_state_t *)&interp_au,
-                                                type, &id,
-                                                AUPARSE_ESC_TTY);
+						interp_au, type, &id,
+						AUPARSE_ESC_TTY);
 					printf(" -F %s%s%s", name,
 						audit_operator_to_symbol(op),
 								out);
@@ -569,8 +568,9 @@ int audit_print_reply(const struct audit_reply *rep, int fd)
 {
 	static int init_done = 0;
 	if (!init_done) {
-		memset(&interp_au, 0, sizeof(interp_au));
-		interp_au.interpretations.cnt = NEVER_LOADED;
+		interp_au = auparse_init(AUSOURCE_BUFFER, "");
+		if (interp_au == NULL)
+			return 0;
 		init_done = 1;
 	}
 	_audit_elf = 0;

src/auparse-stub.h

@@ -1,34 +1,12 @@
 #ifndef AUPARSE_STUB_H
 #define AUPARSE_STUB_H
 
+#include "auparse.h"
 #include "auparse-idata.h"
 
 /*
- * Stub definitions for using interpretation helpers without auparse
- * initialization. Each translation unit that needs them gets its own
- * static copy.
+ * Provide a shared parser instance for interpretation helpers.
  */
-
-typedef struct interp_nvnode {
-	char *name;
-	char *val;
-	char *interp_val;
-	unsigned int item;
-} interp_nvnode;
-
-typedef struct interp_nvlist {
-	interp_nvnode *array;
-	unsigned int cur;
-	unsigned int cnt;
-	unsigned int size;
-	char *record;
-	char *end;
-} interp_nvlist;
-
-typedef struct {
-	interp_nvlist interpretations;
-} interp_state_t;
-
-static interp_state_t interp_au;
+static auparse_state_t *interp_au = NULL;
 
 #endif /* AUPARSE_STUB_H */

src/aureport.c

@@ -100,8 +100,11 @@ int main(int argc, char *argv[])
 	set_aumessage_mode(MSG_STDERR, DBG_NO);
 	(void) umask( umask( 077 ) | 027 );
 	very_first_event.sec = 0;
-	memset(&interp_au, 0, sizeof(interp_au));
-	interp_au.interpretations.cnt = NEVER_LOADED;
+	interp_au = auparse_init(AUSOURCE_BUFFER, "");
+	if (interp_au == NULL) {
+		fprintf(stderr, "cannot init parser\n");
+		return 1;
+	}
 	reset_counters();
 
 	/* Load config so we know where logs are and eoe_timeout */
@@ -242,14 +245,13 @@ static void process_event(llist *entries)
 		// If its a single event or SYSCALL load interpretations
 		if ((entries->cnt == 1) ||
 				(entries->head->type == AUDIT_SYSCALL)) {
-			_auparse_load_interpretations(
-					(auparse_state_t *)&interp_au,
+			_auparse_load_interpretations(interp_au,
 					entries->head->interp);
 		}
 		// This is the per entry action item
 		if (per_event_processing(entries))
 			found = 1;
-               _auparse_free_interpretations((auparse_state_t *)&interp_au);
+		_auparse_free_interpretations(interp_au);
 	}
 }
 

src/ausearch-lookup.c

@@ -76,8 +76,9 @@ const char *aulookup_syscall(llist *l, char *buf, size_t size)
 	const char *sys;
 
 	if (!interp_init) {
-		memset(&interp_au, 0, sizeof(interp_au));
-		interp_au.interpretations.cnt = NEVER_LOADED;
+		interp_au = auparse_init(AUSOURCE_BUFFER, "");
+		if (interp_au == NULL)
+			return NULL;
 		interp_init = 1;
 	}
 
@@ -86,8 +87,8 @@ const char *aulookup_syscall(llist *l, char *buf, size_t size)
 		return buf;
 	}
 
-	sys = _auparse_lookup_interpretation((auparse_state_t *)&interp_au,
-					     "syscall");
+	sys = _auparse_lookup_interpretation(interp_au,
+						"syscall");
 	if (sys) {
 		snprintf(buf, size, "%s", sys);
 		free((void *)sys);
@@ -207,8 +208,9 @@ const char *aulookup_uid(uid_t uid, char *buf, size_t size)
 	int rc;
 
 	if (!interp_init) {
-		memset(&interp_au, 0, sizeof(interp_au));
-		interp_au.interpretations.cnt = NEVER_LOADED;
+		interp_au = auparse_init(AUSOURCE_BUFFER, "");
+		if (interp_au == NULL)
+			return NULL;
 		interp_init = 1;
 	}
 
@@ -221,8 +223,7 @@ const char *aulookup_uid(uid_t uid, char *buf, size_t size)
 		return buf;
 	}
 
-	name = _auparse_lookup_interpretation((auparse_state_t *)&interp_au,
-					      "auid");
+	name = _auparse_lookup_interpretation(interp_au, "auid");
 	if (name) {
 		snprintf(buf, size, "%s", name);
 		free((void *)name);

src/ausearch-parse.c

@@ -217,13 +217,13 @@ static const char *lookup_uid(const char *field, uid_t uid)
 	const char *value;
 
 	if (!interp_init) {
-		memset(&interp_au, 0, sizeof(interp_au));
-		interp_au.interpretations.cnt = NEVER_LOADED;
+		interp_au = auparse_init(AUSOURCE_BUFFER, "");
+		if (interp_au == NULL)
+			return NULL;
 		interp_init = 1;
 	}
 
-	value = _auparse_lookup_interpretation((auparse_state_t *)&interp_au,
-					       field);
+	value = _auparse_lookup_interpretation(interp_au, field);
 	if (value)
 		return value;
 	if (uid == 0)

src/ausearch-report.c

@@ -69,20 +69,20 @@ void ausearch_load_interpretations(const lnode *n)
 {
 	if (loaded == 0) {
 		if (!interp_init) {
-			memset(&interp_au, 0, sizeof(interp_au));
-			interp_au.interpretations.cnt = NEVER_LOADED;
+			interp_au = auparse_init(AUSOURCE_BUFFER, "");
+			if (interp_au == NULL)
+				return;
 			interp_init = 1;
 		}
-		_auparse_load_interpretations((auparse_state_t *)&interp_au,
-                                             n->interp);
+		 _auparse_load_interpretations(interp_au, n->interp);
 		loaded = 1;
 	}
 }
 
 void ausearch_free_interpretations(void)
 {
-	if (loaded) {
-		_auparse_free_interpretations((auparse_state_t *)&interp_au);
+	if (loaded && interp_au) {
+		_auparse_free_interpretations(interp_au);
 		loaded = 0;
 	}
 }
@@ -394,8 +394,7 @@ static void report_interpret(char *name, char *val, int comma, int rtype)
 	id.val = val;
 	id.cwd = NULL;
 
-	char *out = auparse_do_interpretation((auparse_state_t *)&interp_au,
-						type, &id, escape_mode);
+	char *out = auparse_do_interpretation(interp_au,type,&id,escape_mode);
 	if (type == AUPARSE_TYPE_UNCLASSIFIED)
 		printf("%s%c", val, comma ? ',' : ' ');
 	else if (name[0] == 'k' && strcmp(name, "key") == 0) {

src/ausearch.c

@@ -220,7 +220,6 @@ int main(int argc, char *argv[])
 	free((char *)event_tuid);
 	free((char *)event_teuid);
 	free((char *)event_tauid);
-	auparse_destroy(NULL);
 	output_auparse_finish();
 	if (rc)
 		return rc;