internal/rosa/libseccomp: fix upstream out-of-bounds read

This was revealed by optimisation changes in the latest toolchain. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-03-26 10:43:11 +09:00
parent bbe178be3e
commit 5319ea994c
1 changed files with 17 additions and 0 deletions
--- a/internal/rosa/libseccomp.go
+++ b/internal/rosa/libseccomp.go
@@ -16,6 +16,23 @@ func (t Toolchain) newLibseccomp() (pkg.Artifact, string) {
 		ScriptEarly: `
 ln -s ../system/bin/bash /bin/
 `,
+
+		Patches: [][2]string{
+			{"fix-export-oob-read", `diff --git a/src/api.c b/src/api.c
+index adccef3..65a277a 100644
+--- a/src/api.c
+++ b/src/api.c
+@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+                if (BPF_PGM_SIZE(program) > *len)
+                        rc = _rc_filter(-ERANGE);
+                else
+-                       memcpy(buf, program->blks, *len);
+                       memcpy(buf, program->blks, BPF_PGM_SIZE(program));
+        }
+        *len = BPF_PGM_SIZE(program);
+ 
+`},
+		},
 	}, (*MakeHelper)(nil),
 		Bash,
 		Diffutils,