Skip to content

fix: post-audit verification findings (timestamp month, install perms, OOM leaks, errno)#388

Merged
BANANASJIM merged 1 commit into
mainfrom
fix/audit-followups-roundtwo
Jun 7, 2026
Merged

fix: post-audit verification findings (timestamp month, install perms, OOM leaks, errno)#388
BANANASJIM merged 1 commit into
mainfrom
fix/audit-followups-roundtwo

Conversation

@BANANASJIM

@BANANASJIM BANANASJIM commented Jun 7, 2026

Copy link
Copy Markdown
Owner

Five findings from a post-audit verification pass, each re-confirmed against the current worktree before fixing.

Changes

  • Timestamp month off-by-one (src/log.zig, src/cli/dump.zig): removed the erroneous + 1 on the month field. std.time.epoch.Month is 1-based, so @intFromEnum already yields the calendar month; the +1 made June print as 07 and December as 13. Sibling formatters in cli/install/udev.zig / cli/install/mappings.zig were already correct (no +1).
  • Install copy drops deterministic perms (src/cli/install/plan.zig): copyFile switched to copyFileAbsolute for atomicity but dropped the explicit chmod. copyFileAbsolute creates the dest via open(O_CREAT) subject to umask, so under a restrictive umask a 0644 /usr/share/padctl/devices TOML could become 0600 (unreadable by a non-root daemon). Re-apply src mode & 0o777 via fchmodat after the copy.
  • Supervisor SWITCH OOM leak (src/supervisor.zig): in handleSwitch, the stem_copy dupe catch and the txs.append catch returned without freeing new_mapper + parsed_ptr (not yet in txs, so cleanupSwitchTxs could not reach them). Both blocks now free them, mirroring cleanupSwitchTxs semantics.
  • hidraw discover OOM leak (src/io/hidraw.zig): in discoverAllWithRoot, the duped path leaked if append OOMed before it entered paths.items (the errdefer only iterates paths.items). Added errdefer allocator.free(owned).
  • timerfd errno decoder (src/event_loop.zig): decode the raw timerfd_settime return with linux.E.init(rc) instead of std.posix.errno(rc) (which reads C errno under libc). Diagnostic-only (debug log @tagName), no functional change — same class as the merged systemic fix.

Test plan

  • ./scripts/padctl-docker test -> EXIT=0.
  • New Layer-0 tests added and proven falsifiable (reintroduce bug -> test fails -> restore):
    • dump: formatTimestamp month is 1-based — asserts epoch 1717200000 formats as 2024-06-01... (fails as 2024-07-01 with the +1).
    • install: copyFile preserves source mode regardless of umask — asserts copied mode is 0644 under umask 0077 (fails as 0600 without the explicit chmod).
  • No targeted test for the supervisor/hidraw OOM leaks: handleSwitch uses self.allocator (not an injectable param) and its setup harness is not OOM-safe for checkAllAllocationFailures; the hidraw leak path requires a real hidraw char device to populate paths. Both fixes are standard cleanup idioms verified by inspection against the existing cleanup paths.
  • event_loop errno change is a diagnostic path; no test.

refs: codebase audit (verification pass)

fix: post-audit verification findings (timestamp month, install perms…
5757945 
…, OOM leaks, errno)

- log.zig/cli/dump.zig: drop the erroneous +1 on the month field;
  std.time.epoch.Month is 1-based, so @intFromEnum already yields the
  calendar month (June was printing as 07, December as 13). Add a
  Layer-0 test asserting a known epoch formats June as 06.
- cli/install/plan.zig: copyFile via copyFileAbsolute creates the dest
  with open(O_CREAT) subject to umask, dropping the deterministic source
  permissions; re-apply src mode & 0o777 with an explicit fchmodat so a
  0644 device TOML stays readable under a restrictive umask. Add a test
  asserting the copied mode equals the source mode under umask 0077.
- supervisor.zig: handleSwitch leaked new_mapper + parsed_ptr in the
  stem_copy dupe and txs.append catch blocks (not yet in txs, so
  cleanupSwitchTxs could not reach them); free both, mirroring
  cleanupSwitchTxs semantics.
- io/hidraw.zig: discoverAllWithRoot leaked the duped path if append
  OOMed before it entered paths.items; add errdefer free(owned).
- event_loop.zig: decode the raw timerfd_settime return with
  linux.E.init instead of std.posix.errno (which reads C errno under
  libc) for a correct diagnostic errno string.

Test plan:
- ./scripts/padctl-docker test -> EXIT=0
- New month test and copyFile-perms test both proven falsifiable
  (reintroduce the bug -> test fails -> restore).
- Supervisor/hidraw OOM leaks: no targeted test added; handleSwitch
  uses self.allocator (not an injectable param) and the leak paths
  require either a heavy non-OOM-safe Supervisor harness or a real
  hidraw char device, so they are not practically reachable at Layer 0.
- event_loop errno is diagnostic-only (debug log); no test.

refs: codebase audit (verification pass)
@qodo-code-review

qodo-code-review Bot commented Jun 7, 2026

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jun 7, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@BANANASJIM, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes and 18 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f54df00-e346-4f49-a11b-03b0d5db38b4

📥 Commits

Reviewing files that changed from the base of the PR and between e4742a8 and 5757945.

📒 Files selected for processing (7)
  • src/cli/dump.zig
  • src/cli/install/plan.zig
  • src/cli/install/tests.zig
  • src/event_loop.zig
  • src/io/hidraw.zig
  • src/log.zig
  • src/supervisor.zig
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/audit-followups-roundtwo

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@BANANASJIM BANANASJIM merged commit 9915680 into main Jun 7, 2026
36 checks passed
@BANANASJIM BANANASJIM deleted the fix/audit-followups-roundtwo branch June 7, 2026 05:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BANANASJIM