Bug 2111040

Summary: Potential invalid scan results in OpenSCAP
Product: Red Hat Enterprise Linux 8 Reporter: Matus Marhefka <mmarhefk>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.7CC: amepatil, ekolesni, jcerny, mhaicman, mmarhefk, qe-baseos-security, rmetrich
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openscap-1.3.6-4.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2109485 Environment:
Last Closed: 2022-11-08 10:01:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2109485, 2111041    
Bug Blocks:    
Deadline: 2022-08-01   

Description Matus Marhefka 2022-07-26 11:35:10 UTC 
+++ This bug was initially created as a clone of Bug #2109485 +++

Description of problem:
Evaluating certain rules trigger an error message "Failed to check available memory" in OpenSCAP.

Version-Release number of selected component (if applicable):
openscap-1.3.6-3.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Build RHEL9 content from upstream https://github.com/ComplianceAsCode/content/ as of HEAD 169b4e8cb5b331aef65375214de2920b3fde6619 (2022-07-21) or download the attachment of this BZ
2. Make sure there is enough word-writable files on your system, or create them artificially:
for x in $(seq 1000) ; do touch file$x; chmod o+w file$x ; done
3. Run scan
sudo oscap xccdf eval --profile 'stig' --rule xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs --results-arf arf.xml ./ssg-rhel9-ds.xml

Actual results:
E: oscap:       Failed to check available memory

Expected results:
no error

Additional info:
- other rules can also trigger this error message, eg. accounts_user_dot_group_ownership, accounts_users_home_files_permissions
- the scanner doesn't crash, but validity of produced results is questionable
- also tracked in upstream in https://github.com/OpenSCAP/openscap/issues/1867

--- Additional comment from Jan Černý on 2022-07-21 11:34:26 UTC ---

Analysis:

--- Additional comment from Jan Černý on 2022-07-21 11:46:38 UTC ---

Analysis:
- The code that checks for available memory can return a negative value due to an incorrect handling of errno in read_common_sizet

--- Additional comment from Jan Černý on 2022-07-21 11:47:15 UTC ---

This has been fixed upstream in https://github.com/OpenSCAP/openscap/pull/1861

--- Additional comment from Jan Černý on 2022-07-22 15:04:45 UTC ---

We can use unit test proposed in https://github.com/OpenSCAP/openscap/pull/1874/ for testing.

--- Additional comment from Jan Černý on 2022-07-26 08:28:48 UTC ---

There are also additional occurrences of not resetting errno to 0 before strtol() in the OpenSCAP code base and we are going to fix these in https://github.com/OpenSCAP/openscap/pull/1875.
Comment 8 Renaud Métrich 2022-09-08 11:04:51 UTC 
*** Bug 2124867 has been marked as a duplicate of this bug. ***
Comment 12 errata-xmlrpc 2022-11-08 10:01:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7635