From ce1fea72c1c5841a95a88bffc50c1c92b186752d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 16 Aug 2024 17:41:50 +0200
Subject: [PATCH 1/3] Plug a memory leak

Addressing:

5. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1076:5: alloc_fn: Storage is returned from allocation function "oscap_concat".
6. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1076:5: var_assign: Assigning: "block" = storage returned from "oscap_concat(block, "\n")".
12. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1119:2: leaked_storage: Variable "block" going out of scope leaks the storage it points to.
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 9837dc4551..02f737cbdc 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1113,6 +1113,7 @@ static int _xccdf_policy_rule_generate_kickstart_fix(struct xccdf_policy *policy
 	if (state != KS_R_P_NORMAL) {
 		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Unfinished block in kickstart remediation in rule %s\n", xccdf_rule_get_id(rule));
 	}
+	free(block);
 	free(lines);
 	free(dup);
 	free(fix_text);

From e03941b4f024191613149a2ff6908b2f45ca6088 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 19 Aug 2024 09:23:06 +0200
Subject: [PATCH 2/3] Fix a use after free defect

Addressing:

9. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1835:2: closed_arg: "_generate_kickstart_oscap_post(struct kickstart_commands *, char const *, char const *, struct oscap_source *, int)" closes "output_fd".
11. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1840:3: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd".

5. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1638:2: closed_arg: "_write_tailoring_to_fd(struct oscap_source *, int)" closes "output_fd".
6. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1642:2: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd".

5. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1638:2: closed_arg: "_write_tailoring_to_fd(struct oscap_source *, int)" closes "output_fd".
6. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1641:2: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd".

5. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1638:2: closed_arg: "_write_tailoring_to_fd(struct oscap_source *, int)" closes "output_fd".
6. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1640:2: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd".

5. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1638:2: closed_arg: "_write_tailoring_to_fd(struct oscap_source *, int)" closes "output_fd".
6. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1639:2: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd_and_free".

2. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1612:2: closed_arg: "oscap_source_to_fd(struct oscap_source *, int)" closes "output_fd".
3. openscap-1.4.0/src/XCCDF_POLICY/xccdf_policy_remediate.c:1613:2: pass_closed_arg: Passing closed handle "output_fd" as an argument to "_write_text_to_fd".
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 02f737cbdc..9233913d9c 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1605,18 +1605,22 @@ static int _generate_kickstart_packages(struct kickstart_commands *cmds, int out
 	return 0;
 }
 
-static void _write_tailoring_to_fd(struct oscap_source *tailoring, int output_fd)
+static int _write_tailoring_to_fd(struct oscap_source *tailoring, int output_fd)
 {
 	if (tailoring == NULL)
-		return;
+		return 0;
 	_write_text_to_fd(output_fd, "cat >/root/oscap_tailoring.xml <<END_OF_TAILORING\n");
-	oscap_source_to_fd(tailoring, output_fd);
+	if (oscap_source_to_fd(tailoring, output_fd) != 0)
+		return -1;
 	_write_text_to_fd(output_fd, "END_OF_TAILORING\n");
+	return 0;
 }
 
 static int _generate_kickstart_oscap_post(struct kickstart_commands *cmds, const char *profile_id, const char *input_path, struct oscap_source *tailoring, int output_fd)
 {
 	_write_text_to_fd(output_fd, "%post --erroronfail\n");
+	if (_write_tailoring_to_fd(tailoring, output_fd) != 0)
+		return -1;
 	const char *fmt = "oscap xccdf eval --remediate%s--results-arf /root/oscap_arf.xml --report /root/oscap_report.html%s/usr/share/xml/scap/ssg/content/%s\n";
 	const char *tailoring_part;
 	if (tailoring != NULL) {
@@ -1636,7 +1640,6 @@ static int _generate_kickstart_oscap_post(struct kickstart_commands *cmds, const
 	char *oscap_command = oscap_sprintf(fmt, tailoring_part, profile_part, basename);
 	free(profile_part);
 	free(basename);
-	_write_tailoring_to_fd(tailoring, output_fd);
 	_write_text_to_fd_and_free(output_fd, oscap_command);
 	_write_text_to_fd(output_fd, "[ $? -eq 0 -o $? -eq 2 ] || exit 1\n");
 	_write_text_to_fd(output_fd, "%end\n");
@@ -1833,13 +1836,17 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 	if (raw == 0)
 		_write_text_to_fd(output_fd, "# Perform OpenSCAP hardening (required for security compliance)\n");
 	const char *profile_id = xccdf_profile_get_id(xccdf_policy_get_profile(policy));
-	_generate_kickstart_oscap_post(&cmds, profile_id, input_file_name, tailoring, output_fd);
+	if (_generate_kickstart_oscap_post(&cmds, profile_id, input_file_name, tailoring, output_fd) != 0) {
+		ret = -1;
+		goto cleanup;
+	}
 
 	_generate_kickstart_post(&cmds, output_fd, raw);
 
 	if (raw == 0)
 		_write_text_to_fd(output_fd, "# Reboot after the installation is complete\nreboot\n");
 
+cleanup:
 	oscap_list_free(cmds.package_install, free);
 	oscap_list_free(cmds.package_remove, free);
 	oscap_list_free(cmds.service_enable, free);

From 8afec250f65932ecb460889829e2e8f72691ea41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 19 Aug 2024 10:19:04 +0200
Subject: [PATCH 3/3] Fix a double free

Addresssing:
18. openscap-1.4.0/src/OVAL/probes/independent/textfilecontent_probe.c:217:3: freed_arg: "free" frees "substrs".
22. openscap-1.4.0/src/OVAL/probes/independent/textfilecontent_probe.c:217:3: double_free: Calling "free" frees pointer "substrs" which has already been freed.
---
 src/OVAL/probes/independent/textfilecontent_probe.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/OVAL/probes/independent/textfilecontent_probe.c b/src/OVAL/probes/independent/textfilecontent_probe.c
index 54c9ab1be1..bbea95d837 100644
--- a/src/OVAL/probes/independent/textfilecontent_probe.c
+++ b/src/OVAL/probes/independent/textfilecontent_probe.c
@@ -214,7 +214,6 @@ static int process_file(const char *prefix, const char *path, const char *filena
 			for (k = 0; k < substr_cnt; ++k)
 				free(substrs[k]);
 		}
-		free(substrs);
 	}
 
  cleanup: