UB in autrace

[mimicria]

Hi
A bug was found in the autrace utility when the -r parameter is passed, but its value is omitted.
At the beginning, cmd is initialized by 1:

audit-userspace/src/autrace.c

Line 162 in caca81d

int pid,cmd=1;

If -r argument is found, the value of cmd is incremented

audit-userspace/src/autrace.c

Lines 173 to 175 in caca81d

	if (strcmp(argv[cmd], "-r") == 0) {
	threat = 1;
	cmd++;

Next access to the argv[cmd] element without checking its presence

audit-userspace/src/autrace.c

Line 182 in caca81d

if (access(argv[cmd], X_OK)) {

Steps to reproduce:

1. build with UBSAN (-fsanitize=undefined)
2. run autrace -r

autrace.c:182:13: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/unistd.h:287:60: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior autrace.c:182:13 in
Error checking (null) (Bad address)

Bug was found with Svace static analyzer

[stevegrubb]

autrace was removed in the 4.0 release.

[mimicria]

in the 4.0 release

I know about this, but is release 3.1 still maintained?

[stevegrubb]

The SECURITY.md file has marked 3.x as unsupported back last August. It was a hard call, but the fact is that there is no distribution I can think of to test a collection of backported patches on to do a new release. I wouldn't put a completely untested combination of patches on RHEL. We like to run them on Fedora to make sure there are no issues before promoting it to RHEL. Fedora has moved to the 4.x series since back around Fedora 40. So, it would be up to distributions to do any backporting and testing.