From 66a45b49e1e45b047edf10dbc61b97a8f01f00b9 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Wed, 1 May 2024 19:08:24 +0800 Subject: [PATCH] Release 1.9.4-1 Rebase to upstream commit (f2c8309a41) Resolves: RHEL-32598 Signed-off-by: Tao Liu --- ...eck-if-using-a-negative-index-of-buf.patch | 38 +++++++++++++++++ 0002-Check-fflush-return-value.patch | 41 +++++++++++++++++++ 0003-Drop-ProtectKernelTunables.patch | 25 +++++++++++ ...nce-1.9.0-environment-file-sysconfig.patch | 7 ++-- irqbalance.spec | 14 +++++-- sources | 2 +- 6 files changed, 118 insertions(+), 9 deletions(-) create mode 100644 0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch create mode 100644 0002-Check-fflush-return-value.patch create mode 100644 0003-Drop-ProtectKernelTunables.patch
diff --git a/0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch b/0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch
new file mode 100644
index 0000000..f1125bc
--- /dev/null
+++ b/0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch
@@ -0,0 +1,38 @@
+From c0cd6149722ca525cf31a363dbe724689bef4d87 Mon Sep 17 00:00:00 2001
+From: Tao Liu
+Date: Wed, 13 Mar 2024 14:30:48 +0800
+Subject: [PATCH 1/3] irqbalance-ui: check if using a negative index of buffer
+
+A negative index will be used when recv() fails, which is unexpected for
+the data buffer. The issue was found by Static Application Security
+Testing (SAST), which is a potential weakness.
+
+This patch will check the negative index before data buffer referencing.
+
+Signed-off-by: Tao Liu
+---
+ ui/irqbalance-ui.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ui/irqbalance-ui.c b/ui/irqbalance-ui.c
+index b7f9b62..c26eff6 100644
+--- a/ui/irqbalance-ui.c
++++ b/ui/irqbalance-ui.c
+@@ -127,9 +127,13 @@ try_again:
+ char *data = malloc(default_bufsz);
+ int len = recv(socket_fd, data, default_bufsz, MSG_TRUNC);
+ close(socket_fd);
+- data[len] = '\0';
+ free(msg->msg_control);
+ free(msg);
++ if (len < 0) {
++ free(data);
++ return NULL;
++ }
++ data[len] = '\0';
+ if (len >= default_bufsz) {
+ /* msg was truncated, increase bufsz and try again */
+ default_bufsz += 8192;
+--
+2.40.1
+
diff --git a/0002-Check-fflush-return-value.patch b/0002-Check-fflush-return-value.patch
new file mode 100644
index 0000000..baebfc8
--- /dev/null
+++ b/0002-Check-fflush-return-value.patch
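Review bot: In the ui/irqbalance-ui.c hunk carried by 0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch, `data[len] = '\0';` still runs before the `if (len >= default_bufsz)` truncation check, so whenever recv() reports a length equal to or larger than the buffer the terminator is written past the end of the `malloc(default_bufsz)` allocation. The added `len < 0` guard covers only the failed-recv case. Moving `data[len] = '\0';` below the truncation branch would keep the write inside the buffer on every path that uses it. The result of `malloc` is also passed to recv() without a NULL check. The truncation branch and the rest of the function lie outside the hunk, so the retry path is assumed rather than visible.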
@@ -0,0 +1,41 @@
+From 8301666f3029ff4d9089a273a45ec47671d964c1 Mon Sep 17 00:00:00 2001
+From: Andrew Zaborowski
+Date: Fri, 29 Mar 2024 18:43:55 -0700
+Subject: [PATCH 2/3] Check fflush() return value
+
+Since fprintf() may buffer output, as noted in 470a64b19062, fclose()'s
+error value was also being checked for the write errors. However in
+8d7c78304fb9 an fflush() was added in between meaning that these
+buffered write errors were again unchecked. Some actual errors were
+not being logged, in my case -ENOSPCs.
+
+Make the fclose and fflush branches look similar.
+
+Fixes: 8d7c78304fb9 ("Flush file before closing")
+---
+ activate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/activate.c b/activate.c
+index e30d0f0..0c1e7a1 100644
+--- a/activate.c
++++ b/activate.c
+@@ -82,10 +82,13 @@ static void activate_mapping(struct irq_info *info, void *data __attribute__((un
+ cpumask_scnprintf(buf, PATH_MAX, applied_mask);
+ ret = fprintf(file, "%s", buf);
+ errsave = errno;
+- fflush(file);
++ if (ret >= 0 && fflush(file)) {
++ ret = -1;
++ errsave = errno;
++ }
+ if (fclose(file)) {
++ ret = -1;
+ errsave = errno;
+- goto error;
+ }
+ if (ret < 0)
+ goto error;
+--
+2.40.1
+
diff --git a/0003-Drop-ProtectKernelTunables.patch b/0003-Drop-ProtectKernelTunables.patch
new file mode 100644
index 0000000..f6fa428
--- /dev/null
+++ b/0003-Drop-ProtectKernelTunables.patch
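Review bot: In the activate.c hunk of 0002-Check-fflush-return-value.patch, the `fclose(file)` branch overwrites `errsave` unconditionally, so when fprintf() or fflush() has already failed, the errno that reaches the `error` label is the one from the close rather than from the write that failed first. Keeping the first error is usually the more useful one to log, for example `if (fclose(file) && ret >= 0) {` around the same two assignments, which still always calls fclose(). How `errsave` is reported lies outside the hunk, so the effect on the logged message is inferred.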
@@ -0,0 +1,25 @@
+From f2c8309a4198d8f51069a783905049c5b7eb7600 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Mon, 1 Apr 2024 08:05:14 -0400
+Subject: [PATCH 3/3] Drop ProtectKernelTunables
+
+It makes /proc/irq read only
+---
+ misc/irqbalance.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/misc/irqbalance.service b/misc/irqbalance.service
+index 87e19c1..b731cc6 100644
+--- a/misc/irqbalance.service
++++ b/misc/irqbalance.service
+@@ -23,7 +23,6 @@ PrivateNetwork=yes
+ PrivateUsers=true
+ ProtectHostname=yes
+ ProtectClock=yes
+-ProtectKernelTunables=yes
+ ProtectKernelModules=yes
+ ProtectKernelLogs=yes
+ ProtectControlGroups=yes
+--
+2.40.1
+
diff --git a/irqbalance-1.9.0-environment-file-sysconfig.patch b/irqbalance-1.9.0-environment-file-sysconfig.patch
index 1cc15e5..db997bc 100644
--- a/irqbalance-1.9.0-environment-file-sysconfig.patch
+++ b/irqbalance-1.9.0-environment-file-sysconfig.patch
@@ -18,9 +18,8 @@ index 0f79c3e..9bc63b6 100644 -EnvironmentFile=-/usr/lib/irqbalance/defaults.env -EnvironmentFile=-/path/to/irqbalance.env +EnvironmentFile=-/etc/sysconfig/irqbalance - ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS - ReadOnlyPaths=/ - ReadWritePaths=/proc/irq + ExecStart=/usr/sbin/irqbalance $IRQBALANCE_ARGS + CapabilityBoundingSet= + NoNewPrivileges=yes -- 2.37.1 -
diff --git a/irqbalance.spec b/irqbalance.spec
index 2acba52..92fdc29 100644
--- a/irqbalance.spec
+++ b/irqbalance.spec
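Review bot: Dropping `ProtectKernelTunables=yes` from misc/irqbalance.service (0003-Drop-ProtectKernelTunables.patch) leaves nothing in the unit that records why this sandboxing directive is absent; the only rationale is the commit message, "It makes /proc/irq read only". A comment beside the remaining Protect* lines, such as `# ProtectKernelTunables= is deliberately unset: it makes /proc/irq read-only and irqbalance has to write there`, would keep a later hardening pass from re-adding it. The directive also makes other kernel tunables read-only (/proc/sys and /sys among them), so it is worth checking whether those paths can stay read-only through `ReadOnlyPaths=` while /proc/irq remains writable. The rest of the unit is outside the hunk, so any compensating settings already present are not visible here.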
@@ -1,16 +1,19 @@ Name: irqbalance -Version: 1.9.2 -Release: 4%{?dist} +Version: 1.9.4 +Release: 1%{?dist} Epoch: 2 Summary: IRQ balancing daemon License: GPL-2.0-only URL: https://github.com/Irqbalance/irqbalance Source0: %{url}/archive/v%{version}/irqbalance-%{version}.tar.gz Patch1: irqbalance-1.9.0-environment-file-sysconfig.patch +Patch2: 0001-irqbalance-ui-check-if-using-a-negative-index-of-buf.patch +Patch3: 0002-Check-fflush-return-value.patch +Patch4: 0003-Drop-ProtectKernelTunables.patch BuildRequires: autoconf automake libtool libcap-ng BuildRequires: glib2-devel pkgconf libcap-ng-devel -BuildRequires: systemd ncurses-devel +BuildRequires: systemd ncurses-devel systemd-devel BuildRequires: make Requires: ncurses-libs
@@ -30,7 +33,7 @@ multiple CPUs for enhanced performance. %build ./autogen.sh -%configure +%configure --with-systemd %{make_build} %install
@@ -60,6 +63,9 @@ make check %systemd_postun_with_restart irqbalance.service %changelog +* Wed May 01 2024 Tao Liu - 2:1.9.4-1 +- Rebase to upstream commit (f2c8309a41) + * Wed Jan 24 2024 Fedora Release Engineering - 2:1.9.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/sources b/sources
index 442b3fe..2ba99b7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (irqbalance-1.9.2.tar.gz) = d0fb157fbfc096fa9cfb4562e51fd4c3f4fa8788f72377c58b27df67c70073b787bba05e39809dcbe17532bb5b8e74b6d27c5e5b3d9af09bc9ce1a9b6aab9378
+SHA512 (irqbalance-1.9.4.tar.gz) = abdcac9dccabb18ae644b73dc2a8528c03279811c1f9182a5a5b0af43b30c5982d7bb14e79d4430b5d4f2cea8e17115e6038851c74de1ff3bdfc4e303392479a