Bug 2111041

Summary: Potential invalid scan results in OpenSCAP [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Matus Marhefka <mmarhefk>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 7.9CC: amepatil, ekolesni, jafiala, jcerny, kpfleming, mhaicman, mmarhefk, qe-baseos-security
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openscap-1.2.17-15.el7_9 Doc Type: Bug Fix
Doc Text:
.OpenSCAP no longer produces incorrect errors when checking available memory Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message `Failed to check available memory` and produced invalid scan results. For example, this occurred for rules `accounts_user_dot_no_world_writable_programs`, `accounts_user_dot_group_ownership`, and `accounts_users_home_files_permissions`. With this update, the bug in error handling is fixed and the error message appears only for real failures.
 Story Points: ---
Clone Of: 2109485 Environment:
Last Closed: 2023-03-07 09:54:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2109485    
Bug Blocks: 2111040    

Description Matus Marhefka 2022-07-26 11:37:19 UTC 
+++ This bug was initially created as a clone of Bug #2109485 +++

Description of problem:
Evaluating certain rules trigger an error message "Failed to check available memory" in OpenSCAP.

Version-Release number of selected component (if applicable):
openscap-1.3.6-3.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Build RHEL9 content from upstream https://github.com/ComplianceAsCode/content/ as of HEAD 169b4e8cb5b331aef65375214de2920b3fde6619 (2022-07-21) or download the attachment of this BZ
2. Make sure there is enough word-writable files on your system, or create them artificially:
for x in $(seq 1000) ; do touch file$x; chmod o+w file$x ; done
3. Run scan
sudo oscap xccdf eval --profile 'stig' --rule xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs --results-arf arf.xml ./ssg-rhel9-ds.xml

Actual results:
E: oscap:       Failed to check available memory

Expected results:
no error

Additional info:
- other rules can also trigger this error message, eg. accounts_user_dot_group_ownership, accounts_users_home_files_permissions
- the scanner doesn't crash, but validity of produced results is questionable
- also tracked in upstream in https://github.com/OpenSCAP/openscap/issues/1867

--- Additional comment from Jan Černý on 2022-07-21 11:34:26 UTC ---

Analysis:

--- Additional comment from Jan Černý on 2022-07-21 11:46:38 UTC ---

Analysis:
- The code that checks for available memory can return a negative value due to an incorrect handling of errno in read_common_sizet

--- Additional comment from Jan Černý on 2022-07-21 11:47:15 UTC ---

This has been fixed upstream in https://github.com/OpenSCAP/openscap/pull/1861

--- Additional comment from Jan Černý on 2022-07-22 15:04:45 UTC ---

We can use unit test proposed in https://github.com/OpenSCAP/openscap/pull/1874/ for testing.

--- Additional comment from Jan Černý on 2022-07-26 08:28:48 UTC ---

There are also additional occurrences of not resetting errno to 0 before strtol() in the OpenSCAP code base and we are going to fix these in https://github.com/OpenSCAP/openscap/pull/1875.
Comment 15 errata-xmlrpc 2023-03-07 09:54:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1094