Bug 1861301
Summary: | Huge memory leak in probe_rpmverifyfile | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
Component: | openscap | Assignee: | Jan Černý <jcerny> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | urgent | Docs Contact: | Jan Fiala <jafiala> |
Priority: | urgent | ||
Version: | 8.2 | CC: | ekolesni, jafiala, matyc, mhaicman, reg, sboulden |
Target Milestone: | rc | ||
Target Release: | 8.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | openscap-1.3.3-4.el8 | Doc Type: | Bug Fix |
Doc Text: |
.OpenSCAP no longer crashes after evaluating large systems
Previously, the OpenSCAP scanner caused memory leaks when evaluating `rpmverifyfile` OVAL tests. As a consequence, the scanner crashed during evaluation of systems with large numbers of files. This affected the Payment Card Industry Data Security Standard (PCI-DSS) and Essential Eight RHEL 8 security profiles included in the `scap-security-guide` package. This update removes the memory leak, and as a result, reduces memory requirements of the `rpmverifyfile` rule to a level recommended for RHEL 8 systems.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-04 02:29:44 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Renaud Métrich
2020-07-28 09:13:48 UTC
The bug is reproducible also with current upstream maint-1.3 branch as of HEAD 802eb801dd083a67bd64d4f9c711ba1426e626cb. It seems to be triggered by any rule that uses rpmverifyfile probe, eg. xccdf_org.ssgproject.content_rule_rpm_verify_permissions, xccdf_org.ssgproject.content_rule_rpm_verify_ownership. For example, on Fedora 32: oscap xccdf eval --profile standard --rule xccdf_org.ssgproject.content_rule_rpm_verify_permissions /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml Valgrind reports the same leak: ==400443== ==400443== 352,256 bytes in 86 blocks are possibly lost in loss record 352 of 353 ==400443== at 0x483A809: malloc (vg_replace_malloc.c:307) ==400443== by 0x51F23A6: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so) ==400443== by 0x489F8EA: oscap_realpath (util.c:251) ==400443== by 0x495E766: rpmverify_collect (rpmverifyfile_probe.c:248) ==400443== by 0x495F4D8: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543) ==400443== by 0x493560F: probe_worker (worker.c:1090) ==400443== by 0x4932F87: probe_worker_runfn (worker.c:81) ==400443== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so) ==400443== by 0x52A99D2: clone (in /usr/lib64/libc-2.31.so) ==400443== ==400443== 2,359,775,232 bytes in 576,117 blocks are definitely lost in loss record 353 of 353 ==400443== at 0x483A809: malloc (vg_replace_malloc.c:307) ==400443== by 0x51F23A6: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so) ==400443== by 0x489F8EA: oscap_realpath (util.c:251) ==400443== by 0x495E766: rpmverify_collect (rpmverifyfile_probe.c:248) ==400443== by 0x495F4D8: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543) ==400443== by 0x493560F: probe_worker (worker.c:1090) ==400443== by 0x4932F87: probe_worker_runfn (worker.c:81) ==400443== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so) ==400443== by 0x52A99D2: clone (in /usr/lib64/libc-2.31.so) *** Bug 1882160 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openscap bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4623 |