From 5319ea994c1c93617d7814e710d922a7b147932b Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Thu, 26 Mar 2026 10:43:11 +0900
Subject: [PATCH] internal/rosa/libseccomp: fix upstream out-of-bounds read

This was revealed by optimisation changes in the latest toolchain.

Signed-off-by: Ophestra
---
 internal/rosa/libseccomp.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/rosa/libseccomp.go b/internal/rosa/libseccomp.go
index 814c839b..972fff21 100644
--- a/internal/rosa/libseccomp.go
+++ b/internal/rosa/libseccomp.go
@@ -16,6 +16,23 @@ func (t Toolchain) newLibseccomp() (pkg.Artifact, string) {
 ScriptEarly: `
 ln -s ../system/bin/bash /bin/
 `,
+
+ Patches: [][2]string{
+ {"fix-export-oob-read", `diff --git a/src/api.c b/src/api.c
+index adccef3..65a277a 100644
+--- a/src/api.c
++++ b/src/api.c
+@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+ if (BPF_PGM_SIZE(program) > *len)
+ rc = _rc_filter(-ERANGE);
+ else
+- memcpy(buf, program->blks, *len);
++ memcpy(buf, program->blks, BPF_PGM_SIZE(program));
+ }
+ *len = BPF_PGM_SIZE(program);
+ 
+`},
+ },
 }, (*MakeHelper)(nil),
 Bash,
 Diffutils,
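Review bot: The new `Patches` entry carries a memory-safety fix for `seccomp_export_bpf_mem`, but nothing in the Go source says what it fixes or when it can be dropped. The embedded hunk shows the old `memcpy` was sized by the caller's `*len` rather than `BPF_PGM_SIZE(program)`, so a buffer larger than the program made it read past `program->blks` and copy adjacent memory to the caller. That is presumably independent of the toolchain, which per the commit message only exposed it. I would put a comment above the entry, for example `// seccomp_export_bpf_mem copied *len (caller buffer size) bytes from program->blks, over-reading when the buffer exceeds the program; drop once the pinned libseccomp release includes the fix (upstream ref: <UPSTREAM-REF>).` `newLibseccomp` starts and ends outside this hunk, so the pinned version and how `Patches` are applied are not visible here.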