Fix issues discovered by static analysis

Applu 4 patches that fix various minor issues: - v29~5 "libkmod: fix an overflow with wrong modules.builtin.modinfo" - v31~29 "libkmod: do not crash on unknown signature algorithm" - v31~18 "libkmod: error out on unknown hash algorithm" - v33~1 "libkmod: avoid undefined behaviour in libkmod-builtin.c:get_string" * 0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch: New file. * 0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch: Likewise. * 0001-libkmod-error-out-on-unknown-hash-algorithm.patch: Likewise. * 0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch: Likewise. * kmod.spec (Release): Bump to 10. (Patch02, Patch03, Patch04, Patch05): New patches. (%changelog): New record. Resolves: RHEL-34073 Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
2024-08-16 15:16:28 +02:00 · 2024-08-16 15:16:28 +02:00 · 62e12e062c
commit 62e12e062c
parent 36aca425e7
5 changed files with 168 additions and 1 deletions
--- a/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch
+++ b/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch
@ -0,0 +1,44 @@
+From 5c22362b6b97af9c6b7587f0c3450001e9893115 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov <esyr@redhat.com>
+Date: Tue, 13 Aug 2024 16:17:27 +0200
+Subject: [PATCH] libkmod: avoid undefined behaviour in
+ libkmod-builtin.c:get_string
+
+Static analysis has reported a potential UB:
+
+    kmod-31/libkmod/libkmod-builtin.c:125: use_invalid: Using "nullp", which points to an out-of-scope variable "buf".
+    #  123|   	size_t linesz = 0;
+    #  124|
+    #  125|-> 	while (!nullp) {
+    #  126|   		char buf[BUFSIZ];
+    #  127|   		ssize_t sz;
+
+It seems to be indeed an UB, as nullp is getting assined an address
+inside object buf, which has a lifetime of the while loop body,
+and is not available outside of it (specifically, in the while
+condition, where nullp is checked for NULL).  Fix it by putting
+buf definition in the outer block.
+---
+ libkmod/libkmod-builtin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
+index fd0f549..40a7d61 100644
+--- a/libkmod/libkmod-builtin.c
+++ b/libkmod/libkmod-builtin.c
+@@ -105,11 +105,11 @@ static off_t get_string(struct kmod_builtin_iter *iter, off_t offset,
+ 			char **line, size_t *size)
+ {
+ 	int sv_errno;
+	char buf[BUFSIZ];
+ 	char *nullp = NULL;
+ 	size_t linesz = 0;
+ 
+ 	while (!nullp) {
+-		char buf[BUFSIZ];
+ 		ssize_t sz;
+ 		size_t partsz;
+ 
+-- 
+2.13.6
+
--- a/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
+++ b/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
@ -0,0 +1,38 @@
+From d5950b0b5e66a5ec1c21b638dec3974056aaabeb Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Sun, 25 Sep 2022 17:46:08 +0300
+Subject: [PATCH] libkmod: do not crash on unknown signature algorithm
+
+Example kernel module:
+https://file-store.rosalinux.ru/download/7281f97e0c04c0f818ad3f936706f4a407e8dc7e
+(/lib/modules/5.15.67-generic-1rosa2021.1-x86_64/kernel/drivers/usb/host/xhci-pci.ko.zst)
+It is signed with Streebog 512.
+
+libkmod v30 crashed in libkmod-module.c:2413 in this code:
+
+n = kmod_module_info_append(list,
+	"sig_hashalgo", strlen("sig_hashalgo"),
+	sig_info.hash_algo, strlen(sig_info.hash_algo));
+
+because strlen() got null.
+---
+ libkmod/libkmod-signature.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 4ae5af6..092f396 100644
+--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
+@@ -278,6 +278,9 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ 	X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
+ 
+ 	sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
+	// hash algo has not been recognized
+	if (sig_info->hash_algo == NULL)
+		goto err3;
+ 	sig_info->id_type = pkey_id_type[modsig->id_type];
+ 
+ 	pvt = malloc(sizeof(*pvt));
+-- 
+2.13.6
+
--- a/0001-libkmod-error-out-on-unknown-hash-algorithm.patch
+++ b/0001-libkmod-error-out-on-unknown-hash-algorithm.patch
@ -0,0 +1,44 @@
+From b9605c63b859adfffc0b4b9420d720aa323b90e9 Mon Sep 17 00:00:00 2001
+From: Emil Velikov <emil.velikov@collabora.com>
+Date: Mon, 6 Feb 2023 14:32:59 +0000
+Subject: [PATCH] libkmod: error out on unknown hash algorithm
+
+Currently if we see unknown algorithm, we'll do an OOB read in
+pkey_hash_algo. This can happen for example if OPENSSL_NO_SM3 is set and
+the kernel module uses a SM3 hash.
+
+Cc: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
+Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
+---
+ libkmod/libkmod-signature.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 092f396..b749a81 100644
+--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
+@@ -219,6 +219,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ 	unsigned char *key_id_str;
+ 	struct pkcs7_private *pvt;
+ 	const char *issuer_str;
+	int hash_algo;
+ 
+ 	size -= sig_len;
+ 	pkcs7_raw = mem + size;
+@@ -277,7 +278,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ 
+ 	X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
+ 
+-	sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
+	hash_algo = obj_to_hash_algo(o);
+	if (hash_algo < 0)
+		goto err3;
+	sig_info->hash_algo = pkey_hash_algo[hash_algo];
+ 	// hash algo has not been recognized
+ 	if (sig_info->hash_algo == NULL)
+ 		goto err3;
+-- 
+2.13.6
+
--- a/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch
+++ b/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch
@ -0,0 +1,29 @@
+From 1cab02ecf6ee2a0aa34f3615dfd99c59f7e04e90 Mon Sep 17 00:00:00 2001
+From: Seung-Woo Kim <sw0312.kim@samsung.com>
+Date: Tue, 13 Apr 2021 20:23:14 +0900
+Subject: [PATCH] libkmod: fix an overflow with wrong modules.builtin.modinfo
+
+Fix a possbile overflow with exact PATH_MAX length modname
+in wrong modules.builtin.modinfo.
+
+Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
+---
+ libkmod/libkmod-builtin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
+index fc9a376..a75a542 100644
+--- a/libkmod/libkmod-builtin.c
+++ b/libkmod/libkmod-builtin.c
+@@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter,
+ 
+ 	len = dot - line;
+ 
+-	if (len > PATH_MAX) {
+	if (len >= PATH_MAX) {
+ 		sv_errno = ENAMETOOLONG;
+ 		goto fail;
+ 	}
+-- 
+2.13.6
+
--- a/kmod.spec
+++ b/kmod.spec
@ -1,6 +1,6 @@
 Name:		kmod
 Version:	28
-Release:	9%{?dist}
+Release:	10%{?dist}
 Summary:	Linux kernel module management utilities

 License:	GPLv2+
@ -11,6 +11,14 @@ Source2:	depmod.conf.dist
 Exclusiveos:	Linux

 Patch01:	man-rmmod-explain-why-modprobe-r-is-more-useful.patch
+# v29~5 "libkmod: fix an overflow with wrong modules.builtin.modinfo"
+Patch02:	0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch
+# v31~29 "libkmod: do not crash on unknown signature algorithm"
+Patch03:	0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
+# v31~18 "libkmod: error out on unknown hash algorithm"
+Patch04:	0001-libkmod-error-out-on-unknown-hash-algorithm.patch
+# v33~1 "libkmod: avoid undefined behaviour in libkmod-builtin.c:get_string"
+Patch05:	0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch

 BuildRequires:  gcc
 BuildRequires:	chrpath
@ -111,6 +119,10 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 %{_libdir}/libkmod.so

 %changelog
+* Thu Aug 15 2024 Eugene Syromiatnikov <esyr@redhat.com> - 28-10
+- Fix issues discovered by static analysis
+- Resolves: RHEL-34073
+
 * Thu May 11 2023 Eugene Syromiatnikov <esyr@redhat.com> - 28-9
 - Add symvers.xz support to weak-modules
 - Resolves: rhbz#2192895