From 81a3e8b9636f80f4ddfb4b659e6132457fc78b83 Mon Sep 17 00:00:00 2001
From: Elena Reshetova
Date: Tue, 5 Jul 2016 09:58:59 +0300
Subject: [PATCH] meta-security-isafw: Fixing the excessive memory usage reported in issue #62
Fixing it by processing the output from tools already in process_file function and only passing the short results further
(From meta-security-isafw rev: 2e05daeb5a64035150301b11a952234152ce7382)
Signed-off-by: Elena Reshetova
---
 .../lib/isafw/isaplugins/ISA_cfa_plugin.py | 38 +++++++++++--------
 .../lib/isafw/isaplugins/ISA_la_plugin.py | 4 +-
 2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
index ee843549ef3..1dcee258fb1 100644
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
@@ -125,18 +125,14 @@ def process_results(self, results):
 if "No PIE" in result[1]:
 self.no_pie.append(result[0].replace(fs_path, ""))
 if result[2]:
- if result[2].startswith("X "):
+ if result[2] == "execstack":
 self.execstack.append(result[0].replace(fs_path, ""))
- elif result[2].startswith("? "):
+ elif result[2] == "not_defined":
 self.execstack_not_defined.append(result[0].replace(fs_path, ""))
- if result[3]:
- if ("setgid@GLIBC" in result[3]) or ("setegid@GLIBC" in result[3]) or ("setresgid@GLIBC" in result[3]):
- if ("setuid@GLIBC" in result[3]) or ("seteuid@GLIBC" in result[3]) or ("setresuid@GLIBC" in result[3]):
- if ("setgroups@GLIBC" not in result[3]) and ("initgroups@GLIBC" not in result[3]):
- self.nodrop_groups.append(result[0].replace(fs_path, ""))
- if result[4]:
- if ("bndcu" not in result[4]) and ("bndcl" not in result[4]) and ("bndmov" not in result[4]):
- self.no_mpx.append(result[0].replace(fs_path, ""))
+ if result[3] and (result[3] == True):
+ self.nodrop_groups.append(result[0].replace(fs_path, ""))
+ if result[4] and (result[4] == True):
+ self.no_mpx.append(result[0].replace(fs_path, ""))
 self.write_full_report(result)
 self.write_report()
 self.write_report_xml()
@@ -318,7 +314,7 @@ def get_security_flags(file_name):
 def process_file(file):
 log = "File from map " + file
- fun_results = [file, [], "", "", "", log]
+ fun_results = [file, [], "", False, False, log]
 if not os.path.isfile(file):
 return fun_results
 env = copy.deepcopy(os.environ)
@@ -328,7 +324,7 @@ def process_file(file):
 try:
 result = subprocess.check_output(cmd, env=env).decode('utf-8')
 except:
- fun_results[-1] += "\nNot able to decode mime type " + str(sys.exc_info())
+ fun_results[-1] += "\nNot able to decode mime type"
 return fun_results
 file_type = result.split()[-1]
 # looking for links
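Review bot: In the first hunk (@@ -125, process_results), `if result[3] and (result[3] == True):` tests the same value twice, and so does the `result[4]` line. process_file now only ever stores a bool in those slots, so `if result[3]:` and `if result[4]:` say the same thing. The strings `"execstack"` and `"not_defined"` have become a private protocol between process_file and process_results; a comment where they are compared, e.g. `# result[2] is "execstack", "not_defined" or "" (set in process_file)`, would keep the two ends from drifting apart. process_results starts and ends outside the hunk.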
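Review bot: The two `except:` handlers around `subprocess.check_output` (hunks @@ -328 and @@ -338) stay bare and now also discard the reason for the failure, so a file whose type could not be determined returns early with empty results and only the fixed text "Not able to decode mime type" in the log. For a scanner that is a silent coverage gap: the binary is never checked and nothing records why. Catching the expected errors and logging only the message keeps the log small without losing the cause, e.g. `except (subprocess.CalledProcessError, OSError, UnicodeDecodeError) as e:` followed by `fun_results[-1] += "\nNot able to decode mime type: " + str(e)`. A bare `except:` also swallows KeyboardInterrupt and SystemExit. process_file begins and ends outside these hunks.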
@@ -338,7 +334,7 @@ def process_file(file):
 try:
 result = subprocess.check_output(cmd, env=env).decode('utf-8')
 except:
- fun_results[-1] += "\nNot able to decode mime type " + str(sys.exc_info())
+ fun_results[-1] += "\nNot able to decode mime type"
 return fun_results
 file_type = result.split()[-1]
 # checking security flags if applies
@@ -351,9 +347,19 @@ def process_file(file):
 ("pdf" in file_type)):
 return fun_results
 fun_results[1] = get_security_flags(file)
- fun_results[2] = get_info("execstack", '-q', file)
- fun_results[3] = get_info("readelf", '-s', file)
- fun_results[4] = get_info("objdump", '-d', file)
+ tmp = get_info("execstack", '-q', file)
+ if tmp.startswith("X "):
+ fun_results[2] = "execstack"
+ elif tmp.startswith("? "):
+ fun_results[2] = "not_defined"
+ tmp = get_info("readelf", '-s', file)
+ if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
+ if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
+ if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
+ fun_results[3] = True
+ tmp = get_info("objdump", '-d', file)
+ if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
+ fun_results[4] = True
 return fun_results
 def process_file_wrapper(file):
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
index 72484a171a6..5ef0f653e27 100644
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
@@ -28,7 +28,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 import subprocess
-import os
+import os, sys
 LicenseChecker = None
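Review bot: The emptiness guards that process_results used to apply (`if result[3]:`, `if result[4]:`) are not carried over to the new checks in process_file (hunk @@ -351). If get_info returns an empty string when objdump fails or is not installed, all three `not in tmp` tests succeed and the file is reported as lacking MPX although it was never disassembled. get_info is not visible here, so this depends on what it returns on failure; if it can return `None`, `tmp.startswith(...)` and the `in tmp` tests would raise instead. Restoring the guard keeps the old behaviour: `if tmp and ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):`, and likewise `if tmp and tmp.startswith("X "):` for the execstack result. process_file starts outside the hunk.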
@@ -93,7 +93,7 @@ def process_package(self, ISA_pkg):
 self.initialized = False
 with open(self.logfile, 'a') as flog:
 flog.write(
- "Error in executing rpm query: " + sys.exc_info())
+ "Error in executing rpm query: " + str(sys.exc_info()))
 flog.write(
 "\nNot able to process package: " + ISA_pkg.name)
 return
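Review bot: `str(sys.exc_info())` in process_package fixes the str-plus-tuple TypeError, but it logs the repr of the whole `(type, value, traceback)` tuple, including a `<traceback object at 0x...>` address that is of no use in the log. `str(sys.exc_info()[1])` writes just the exception message. The enclosing `except` is outside the hunk, so binding the exception there (`except Exception as e:`) and logging `str(e)` may be the cleaner change.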