diff --git a/.gitignore b/.gitignore
index f977994..b4cac2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/kmod-25.tar.xz
+kmod-31.tar.xz
diff --git a/.kmod.metadata b/.kmod.metadata
deleted file mode 100644
index a9f99a6..0000000
--- a/.kmod.metadata
+++ /dev/null
@@ -1 +0,0 @@
-761ee76bc31f5db10d470dad607a5f9d68acef68 SOURCES/kmod-25.tar.xz
diff --git a/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch b/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch
new file mode 100644
index 0000000..bc47622
--- /dev/null
+++ b/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch
@@ -0,0 +1,44 @@
+From 5c22362b6b97af9c6b7587f0c3450001e9893115 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov
+Date: Tue, 13 Aug 2024 16:17:27 +0200
+Subject: [PATCH] libkmod: avoid undefined behaviour in
+ libkmod-builtin.c:get_string
+
+Static analysis has reported a potential UB:
+
+ kmod-31/libkmod/libkmod-builtin.c:125: use_invalid: Using "nullp", which points to an out-of-scope variable "buf".
+ # 123| size_t linesz = 0;
+ # 124|
+ # 125|-> while (!nullp) {
+ # 126| char buf[BUFSIZ];
+ # 127| ssize_t sz;
+
+It seems to be indeed an UB, as nullp is getting assined an address
+inside object buf, which has a lifetime of the while loop body,
+and is not available outside of it (specifically, in the while
+condition, where nullp is checked for NULL). Fix it by putting
+buf definition in the outer block.
+---
+ libkmod/libkmod-builtin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
+index fd0f549..40a7d61 100644
+--- a/libkmod/libkmod-builtin.c
++++ b/libkmod/libkmod-builtin.c
+@@ -105,11 +105,11 @@ static off_t get_string(struct kmod_builtin_iter *iter, off_t offset,
+ char **line, size_t *size)
+ {
+ int sv_errno;
++ char buf[BUFSIZ];
+ char *nullp = NULL;
+ size_t linesz = 0;
+
+ while (!nullp) {
+- char buf[BUFSIZ];
+ ssize_t sz;
+ size_t partsz;
+
+--
+2.13.6
+
diff --git a/SOURCES/0001-depmod-prevent-module-dependency-files-missing-durin.patch b/SOURCES/0001-depmod-prevent-module-dependency-files-missing-durin.patch
deleted file mode 100644
index 0f62724..0000000
--- a/SOURCES/0001-depmod-prevent-module-dependency-files-missing-durin.patch
+++ /dev/null
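Review bot: The relocated `char buf[BUFSIZ];` in get_string carries no comment explaining why it has to sit at function scope, so a later tidy-up could move it back into the loop and reintroduce the dangling-pointer test in `while (!nullp)`. I would add `/* buf must outlive the loop body: nullp points into it and is read in the loop condition */` directly above the declaration. The patch header also shows no Signed-off-by trailer or upstream reference, so it is hard to tell from the package when this downstream patch can be dropped; one line stating its upstream status would help. get_string's body continues outside the hunk, so any use of nullp after the loop cannot be checked from here.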
@@ -1,33 +0,0 @@
-From c2996b5fa880e81f63c25e80a4157b2239e32c5d Mon Sep 17 00:00:00 2001
-From: Michal Suchanek
-Date: Mon, 10 Dec 2018 22:29:32 +0100
-Subject: [PATCH 1/2] depmod: prevent module dependency files missing during
- depmod invocation
-
-depmod deletes the module dependency files before moving the temporary
-files in their place. This results in user seeing no dependency files
-while they are updated. Remove the unlink call. The rename call should
-suffice to move the new file in place and unlink the old one. It should
-also do both atomically so there is no window when no dependency file
-exists.
-
-Signed-off-by: Michal Suchanek
----
- tools/depmod.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/tools/depmod.c b/tools/depmod.c
-index 989d9077926c..18c0d61b2db3 100644
---- a/tools/depmod.c
-+++ b/tools/depmod.c
-@@ -2451,7 +2451,6 @@ static int depmod_output(struct depmod *depmod, FILE *out)
- break;
- }
-
-- unlinkat(dfd, itr->name, 0);
- if (renameat(dfd, tmp, dfd, itr->name) != 0) {
- err = -errno;
- CRIT("renameat(%s, %s, %s, %s): %m\n",
---
-2.33.0
-
diff --git a/SOURCES/0002-depmod-prevent-module-dependency-files-corruption-du.patch b/SOURCES/0002-depmod-prevent-module-dependency-files-corruption-du.patch
deleted file mode 100644
index f2fa4db..0000000
--- a/SOURCES/0002-depmod-prevent-module-dependency-files-corruption-du.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From a06bacf500d56b72b5f9b121ebf7f6af9e3df185 Mon Sep 17 00:00:00 2001
-From: Michal Suchanek
-Date: Mon, 17 Dec 2018 23:46:28 +0100
-Subject: [PATCH 2/2] depmod: prevent module dependency files corruption due to
- parallel invocation.
-
-Depmod does not use unique filename for temporary files. There is no
-guarantee the user does not attempt to run mutiple depmod processes in
-parallel. If that happens a temporary file might be created by
-depmod(1st), truncated by depmod(2nd), and renamed to final name by
-depmod(1st) resulting in corrupted file seen by user.
-
-Due to missing mkstempat() this is more complex than it should be.
-Adding PID and timestamp to the filename should be reasonably reliable.
-Adding O_EXCL as mkstemp does fails creating the file rather than
-corrupting existing file.
-
-Signed-off-by: Michal Suchanek
----
- tools/depmod.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/tools/depmod.c b/tools/depmod.c
-index 18c0d61b2db3..0f7e33ccfd59 100644
---- a/tools/depmod.c
-+++ b/tools/depmod.c
-@@ -29,6 +29,7 @@
- #include
- #include
- #include
-+#include
- #include
-
- #include
-@@ -2398,6 +2399,9 @@ static int depmod_output(struct depmod *depmod, FILE *out)
- };
- const char *dname = depmod->cfg->dirname;
- int dfd, err = 0;
-+ struct timeval tv;
-+
-+ gettimeofday(&tv, NULL);
-
- if (out != NULL)
- dfd = -1;
-@@ -2416,11 +2420,12 @@ static int depmod_output(struct depmod *depmod, FILE *out)
- int r, ferr;
-
- if (fp == NULL) {
-- int flags = O_CREAT | O_TRUNC | O_WRONLY;
-+ int flags = O_CREAT | O_EXCL | O_WRONLY;
- int mode = 0644;
- int fd;
-
-- snprintf(tmp, sizeof(tmp), "%s.tmp", itr->name);
-+ snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
-+ tv.tv_usec, tv.tv_sec);
- fd = openat(dfd, tmp, flags, mode);
- if (fd < 0) {
- ERR("openat(%s, %s, %o, %o): %m\n",
---
-2.33.0
-
diff --git a/SOURCES/kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch b/SOURCES/kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
deleted file mode 100644
index dec995e..0000000
--- a/SOURCES/kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
+++ /dev/null
@@ -1,328 +0,0 @@ -From 391b4714b495183baefa9cb10ac8e1600c166a59 Mon Sep 17 00:00:00 2001 -From: Yauheni Kaliuta -Date: Fri, 1 Feb 2019 22:20:02 +0200 -Subject: [PATCH] libkmod-signature: implement pkcs7 parsing with openssl - -The patch adds data fetching from the PKCS#7 certificate using -openssl library (which is used by scripts/sign-file.c in the linux -kernel to sign modules). - -In general the certificate can contain many signatures, but since -kmod (modinfo) supports only one signature at the moment, only first -one is taken. - -With the current sign-file.c certificate doesn't contain signer -key's fingerprint, so "serial number" is used for the key id. - -Signed-off-by: Yauheni Kaliuta ---- - Makefile.am | 4 +- - configure.ac | 11 ++ - libkmod/libkmod-internal.h | 3 + - libkmod/libkmod-module.c | 3 + - libkmod/libkmod-signature.c | 197 +++++++++++++++++++++++++++++++++++- - 5 files changed, 213 insertions(+), 5 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 1ab1db585316..de1026f8bd46 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -35,6 +35,8 @@ SED_PROCESS = \ - -e 's,@liblzma_LIBS\@,${liblzma_LIBS},g' \ - -e 's,@zlib_CFLAGS\@,${zlib_CFLAGS},g' \ - -e 's,@zlib_LIBS\@,${zlib_LIBS},g' \ -+ -e 's,@openssl_CFLAGS\@,${openssl_CFLAGS},g' \ -+ -e 's,@openssl_LIBS\@,${openssl_LIBS},g' \ - < $< > $@ || rm $@ - - %.pc: %.pc.in Makefile -@@ -87,7 +89,7 @@ libkmod_libkmod_la_DEPENDENCIES = \ - ${top_srcdir}/libkmod/libkmod.sym - libkmod_libkmod_la_LIBADD = \ - shared/libshared.la \ -- ${liblzma_LIBS} ${zlib_LIBS} -+ ${liblzma_LIBS} ${zlib_LIBS} ${openssl_LIBS} - - noinst_LTLIBRARIES += libkmod/libkmod-internal.la - libkmod_libkmod_internal_la_SOURCES = $(libkmod_libkmod_la_SOURCES) -diff --git a/configure.ac b/configure.ac -index fbc7391b2d1b..2e33380a0cc2 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -106,6 +106,17 @@ AS_IF([test "x$with_zlib" != "xno"], [ - ]) - CC_FEATURE_APPEND([with_features], [with_zlib], [ZLIB]) - -+AC_ARG_WITH([openssl], 
-+ AS_HELP_STRING([--with-openssl], [handle PKCS7 signatures @<:@default=disabled@:>@]), -+ [], [with_openssl=no]) -+AS_IF([test "x$with_openssl" != "xno"], [ -+ PKG_CHECK_MODULES([openssl], [openssl]) -+ AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.]) -+], [ -+ AC_MSG_NOTICE([openssl support not requested]) -+]) -+CC_FEATURE_APPEND([with_features], [with_openssl], [OPENSSL]) -+ - AC_ARG_WITH([bashcompletiondir], - AS_HELP_STRING([--with-bashcompletiondir=DIR], [Bash completions directory]), - [], -diff --git a/libkmod/libkmod-internal.h b/libkmod/libkmod-internal.h -index 346579c71aab..a65ddd156f18 100644 ---- a/libkmod/libkmod-internal.h -+++ b/libkmod/libkmod-internal.h -@@ -188,5 +188,8 @@ struct kmod_signature_info { - const char *algo, *hash_algo, *id_type; - const char *sig; - size_t sig_len; -+ void (*free)(void *); -+ void *private; - }; - bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signature_info *sig_info) _must_check_ __attribute__((nonnull(1, 2))); -+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) __attribute__((nonnull)); -diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c -index 889f26479a98..bffe715cdef4 100644 ---- a/libkmod/libkmod-module.c -+++ b/libkmod/libkmod-module.c -@@ -2357,6 +2357,9 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_ - ret = count; - - list_error: -+ /* aux structures freed in normal case also */ -+ kmod_module_signature_info_free(&sig_info); -+ - if (ret < 0) { - kmod_module_info_free_list(*list); - *list = NULL; -diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c -index 429ffbd8a957..48d0145a7552 100644 ---- a/libkmod/libkmod-signature.c -+++ b/libkmod/libkmod-signature.c -@@ -19,6 +19,10 @@ - - #include - #include -+#ifdef ENABLE_OPENSSL -+#include -+#include -+#endif - #include - #include - #include -@@ -115,15 +119,194 @@ static bool fill_default(const char *mem, off_t size, - 
return true; - } - --static bool fill_unknown(const char *mem, off_t size, -- const struct module_signature *modsig, size_t sig_len, -- struct kmod_signature_info *sig_info) -+#ifdef ENABLE_OPENSSL -+ -+struct pkcs7_private { -+ CMS_ContentInfo *cms; -+ unsigned char *key_id; -+ BIGNUM *sno; -+}; -+ -+static void pkcs7_free(void *s) -+{ -+ struct kmod_signature_info *si = s; -+ struct pkcs7_private *pvt = si->private; -+ -+ CMS_ContentInfo_free(pvt->cms); -+ BN_free(pvt->sno); -+ free(pvt->key_id); -+ free(pvt); -+ si->private = NULL; -+} -+ -+static int obj_to_hash_algo(const ASN1_OBJECT *o) -+{ -+ int nid; -+ -+ nid = OBJ_obj2nid(o); -+ switch (nid) { -+ case NID_md4: -+ return PKEY_HASH_MD4; -+ case NID_md5: -+ return PKEY_HASH_MD5; -+ case NID_sha1: -+ return PKEY_HASH_SHA1; -+ case NID_ripemd160: -+ return PKEY_HASH_RIPE_MD_160; -+ case NID_sha256: -+ return PKEY_HASH_SHA256; -+ case NID_sha384: -+ return PKEY_HASH_SHA384; -+ case NID_sha512: -+ return PKEY_HASH_SHA512; -+ case NID_sha224: -+ return PKEY_HASH_SHA224; -+ default: -+ return -1; -+ } -+ return -1; -+} -+ -+static const char *x509_name_to_str(X509_NAME *name) -+{ -+ int i; -+ X509_NAME_ENTRY *e; -+ ASN1_STRING *d; -+ ASN1_OBJECT *o; -+ int nid = -1; -+ const char *str; -+ -+ for (i = 0; i < X509_NAME_entry_count(name); i++) { -+ e = X509_NAME_get_entry(name, i); -+ o = X509_NAME_ENTRY_get_object(e); -+ nid = OBJ_obj2nid(o); -+ if (nid == NID_commonName) -+ break; -+ } -+ if (nid == -1) -+ return NULL; -+ -+ d = X509_NAME_ENTRY_get_data(e); -+ str = (const char *)ASN1_STRING_get0_data(d); -+ -+ return str; -+} -+ -+static bool fill_pkcs7(const char *mem, off_t size, -+ const struct module_signature *modsig, size_t sig_len, -+ struct kmod_signature_info *sig_info) -+{ -+ const char *pkcs7_raw; -+ CMS_ContentInfo *cms; -+ STACK_OF(CMS_SignerInfo) *sis; -+ CMS_SignerInfo *si; -+ int rc; -+ ASN1_OCTET_STRING *key_id; -+ X509_NAME *issuer; -+ ASN1_INTEGER *sno; -+ ASN1_OCTET_STRING *sig; -+ BIGNUM 
*sno_bn; -+ X509_ALGOR *dig_alg; -+ X509_ALGOR *sig_alg; -+ const ASN1_OBJECT *o; -+ BIO *in; -+ int len; -+ unsigned char *key_id_str; -+ struct pkcs7_private *pvt; -+ const char *issuer_str; -+ -+ size -= sig_len; -+ pkcs7_raw = mem + size; -+ -+ in = BIO_new_mem_buf(pkcs7_raw, sig_len); -+ -+ cms = d2i_CMS_bio(in, NULL); -+ if (cms == NULL) { -+ BIO_free(in); -+ return false; -+ } -+ -+ BIO_free(in); -+ -+ sis = CMS_get0_SignerInfos(cms); -+ if (sis == NULL) -+ goto err; -+ -+ si = sk_CMS_SignerInfo_value(sis, 0); -+ if (si == NULL) -+ goto err; -+ -+ rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); -+ if (rc == 0) -+ goto err; -+ -+ sig = CMS_SignerInfo_get0_signature(si); -+ if (sig == NULL) -+ goto err; -+ -+ CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); -+ -+ sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); -+ sig_info->sig_len = ASN1_STRING_length(sig); -+ -+ sno_bn = ASN1_INTEGER_to_BN(sno, NULL); -+ if (sno_bn == NULL) -+ goto err; -+ -+ len = BN_num_bytes(sno_bn); -+ key_id_str = malloc(len); -+ if (key_id_str == NULL) -+ goto err2; -+ BN_bn2bin(sno_bn, key_id_str); -+ -+ sig_info->key_id = (const char *)key_id_str; -+ sig_info->key_id_len = len; -+ -+ issuer_str = x509_name_to_str(issuer); -+ if (issuer_str != NULL) { -+ sig_info->signer = issuer_str; -+ sig_info->signer_len = strlen(issuer_str); -+ } -+ -+ X509_ALGOR_get0(&o, NULL, NULL, dig_alg); -+ -+ sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)]; -+ sig_info->id_type = pkey_id_type[modsig->id_type]; -+ -+ pvt = malloc(sizeof(*pvt)); -+ if (pvt == NULL) -+ goto err3; -+ -+ pvt->cms = cms; -+ pvt->key_id = key_id_str; -+ pvt->sno = sno_bn; -+ sig_info->private = pvt; -+ -+ sig_info->free = pkcs7_free; -+ -+ return true; -+err3: -+ free(key_id_str); -+err2: -+ BN_free(sno_bn); -+err: -+ CMS_ContentInfo_free(cms); -+ return false; -+} -+ -+#else /* ENABLE OPENSSL */ -+ -+static bool fill_pkcs7(const char *mem, off_t size, -+ const struct 
module_signature *modsig, size_t sig_len, -+ struct kmod_signature_info *sig_info) - { - sig_info->hash_algo = "unknown"; - sig_info->id_type = pkey_id_type[modsig->id_type]; - return true; - } - -+#endif /* ENABLE OPENSSL */ -+ - #define SIG_MAGIC "~Module signature appended~\n" - - /* -@@ -167,8 +350,14 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat - - switch (modsig->id_type) { - case PKEY_ID_PKCS7: -- return fill_unknown(mem, size, modsig, sig_len, sig_info); -+ return fill_pkcs7(mem, size, modsig, sig_len, sig_info); - default: - return fill_default(mem, size, modsig, sig_len, sig_info); - } - } -+ -+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) -+{ -+ if (sig_info->free) -+ sig_info->free(sig_info); -+} --- -2.20.1 - diff --git a/SOURCES/kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch b/SOURCES/kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch deleted file mode 100644 index 69c1bd5..0000000 --- a/SOURCES/kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 52a0ba82e1ad180f9f91920db70a758fac49466a Mon Sep 17 00:00:00 2001 -From: Yauheni Kaliuta -Date: Thu, 31 Oct 2019 20:12:53 +0200 -Subject: [PATCH] modprobe: ignore builtin module on recursive removing - -If there are built-in dependencies and any of them is built-in in -the kernel, modprobe -r fails with - -modprobe: FATAL: Module module_name is builtin. - -It makes sense to ignore such dependencies for the case when -removing is called for non-top level module. - -Example: cifs module, it declares bunch of softdeps and the first -one fails on some kernel configs: - -modprobe: FATAL: Module gcm is builtin. - -Signed-off-by: Yauheni Kaliuta ---- - tools/modprobe.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tools/modprobe.c b/tools/modprobe.c -index a9e2331567af..44cd15c2bf57 100644 ---- a/tools/modprobe.c -+++ b/tools/modprobe.c -@@ -353,7 +353,8 @@ static int rmmod_do_remove_module(struct kmod_module *mod) - return err; - } - --static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies); -+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies, -+ bool ignore_builtin); - - static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors) - { -@@ -361,7 +362,7 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors) - - kmod_list_foreach_reverse(l, list) { - struct kmod_module *m = kmod_module_get_module(l); -- int r = rmmod_do_module(m, false); -+ int r = rmmod_do_module(m, false, true); - kmod_module_unref(m); - - if (r < 0 && stop_on_errors) -@@ -371,7 +372,8 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors) - return 0; - } - --static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies) -+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies, -+ bool ignore_builtin) - { - const char *modname = kmod_module_get_name(mod); - struct kmod_list *pre = NULL, *post = NULL; -@@ 
-401,8 +403,12 @@ static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies) - } - goto error; - } else if (state == KMOD_MODULE_BUILTIN) { -- LOG("Module %s is builtin.\n", modname); -- err = -ENOENT; -+ if (ignore_builtin) { -+ err = 0; -+ } else { -+ LOG("Module %s is builtin.\n", modname); -+ err = -ENOENT; -+ } - goto error; - } - } -@@ -462,7 +468,7 @@ static int rmmod(struct kmod_ctx *ctx, const char *alias) - - kmod_list_foreach(l, list) { - struct kmod_module *mod = kmod_module_get_module(l); -- err = rmmod_do_module(mod, true); -+ err = rmmod_do_module(mod, true, false); - kmod_module_unref(mod); - if (err < 0) - break; --- -2.24.0 - diff --git a/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch b/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch deleted file mode 100644 index 03d62d5..0000000 --- a/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001 -From: Yauheni Kaliuta -Date: Fri, 16 Nov 2018 10:56:34 +0200 -Subject: [PATCH] signature: do not report wrong data for pkc#7 signature - -when PKC#7 signing method is used the old structure doesn't contain -any useful data, but the data are encoded in the certificate. - -The info getting/showing code is not aware of that at the moment and -since 0 is a valid constant, shows, for example, wrong "md4" for the -hash algo. - -The patch splits the 2 mothods of gethering the info and reports -"unknown" for the algo. - -Signed-off-by: Yauheni Kaliuta ---- - libkmod/libkmod-module.c | 2 +- - libkmod/libkmod-signature.c | 56 +++++++++++++++++++++++++------------ - 2 files changed, 39 insertions(+), 19 deletions(-) - -diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c -index ee420f4ec2bf..889f26479a98 100644 ---- a/libkmod/libkmod-module.c -+++ b/libkmod/libkmod-module.c -@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_ - struct kmod_elf *elf; - char **strings; - int i, count, ret = -ENOMEM; -- struct kmod_signature_info sig_info; -+ struct kmod_signature_info sig_info = {}; - - if (mod == NULL || list == NULL) - return -ENOENT; -diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c -index 1f3e26dea203..429ffbd8a957 100644 ---- a/libkmod/libkmod-signature.c -+++ b/libkmod/libkmod-signature.c -@@ -92,6 +92,38 @@ struct module_signature { - uint32_t sig_len; /* Length of signature data (big endian) */ - }; - -+static bool fill_default(const char *mem, off_t size, -+ const struct module_signature *modsig, size_t sig_len, -+ struct kmod_signature_info *sig_info) -+{ -+ size -= sig_len; -+ sig_info->sig = mem + size; -+ sig_info->sig_len = sig_len; -+ -+ size -= modsig->key_id_len; -+ sig_info->key_id = mem + size; -+ sig_info->key_id_len = modsig->key_id_len; -+ -+ size -= modsig->signer_len; -+ 
sig_info->signer = mem + size; -+ sig_info->signer_len = modsig->signer_len; -+ -+ sig_info->algo = pkey_algo[modsig->algo]; -+ sig_info->hash_algo = pkey_hash_algo[modsig->hash]; -+ sig_info->id_type = pkey_id_type[modsig->id_type]; -+ -+ return true; -+} -+ -+static bool fill_unknown(const char *mem, off_t size, -+ const struct module_signature *modsig, size_t sig_len, -+ struct kmod_signature_info *sig_info) -+{ -+ sig_info->hash_algo = "unknown"; -+ sig_info->id_type = pkey_id_type[modsig->id_type]; -+ return true; -+} -+ - #define SIG_MAGIC "~Module signature appended~\n" - - /* -@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat - const struct module_signature *modsig; - size_t sig_len; - -- - size = kmod_file_get_size(file); - mem = kmod_file_get_contents(file); - if (size < (off_t)strlen(SIG_MAGIC)) -@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat - size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len)) - return false; - -- size -= sig_len; -- sig_info->sig = mem + size; -- sig_info->sig_len = sig_len; -- -- size -= modsig->key_id_len; -- sig_info->key_id = mem + size; -- sig_info->key_id_len = modsig->key_id_len; -- -- size -= modsig->signer_len; -- sig_info->signer = mem + size; -- sig_info->signer_len = modsig->signer_len; -- -- sig_info->algo = pkey_algo[modsig->algo]; -- sig_info->hash_algo = pkey_hash_algo[modsig->hash]; -- sig_info->id_type = pkey_id_type[modsig->id_type]; -- -- return true; -+ switch (modsig->id_type) { -+ case PKEY_ID_PKCS7: -+ return fill_unknown(mem, size, modsig, sig_len, sig_info); -+ default: -+ return fill_default(mem, size, modsig, sig_len, sig_info); -+ } - } --- -2.20.1 - diff --git a/SOURCES/depmod.conf.dist b/depmod.conf.dist similarity index 100% rename from SOURCES/depmod.conf.dist rename to depmod.conf.dist diff --git a/kmod-tip.patch b/kmod-tip.patch new file mode 100644 index 0000000..d57d9f4 
--- /dev/null
+++ b/kmod-tip.patch
@@ -0,0 +1,561 @@ +From 1bb23d7f19d888fbdd96ae0fe929b7086713ef33 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 18 Jul 2023 14:01:52 +0200 +Subject: [PATCH 1/6] configure: Detect openssl sm3 support + +Older openssl versions do not support sm3. The code has an option to +disable the sm3 hash but the lack of openssl support is not detected +automatically. + +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/b97e20faa07e9e31c6eaf96683011aa24e80760c.1689681454.git.msuchanek@suse.de +Signed-off-by: Lucas De Marchi +--- + configure.ac | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 82a8532..e5bceea 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -123,6 +123,13 @@ AC_ARG_WITH([openssl], + AS_IF([test "x$with_openssl" != "xno"], [ + PKG_CHECK_MODULES([libcrypto], [libcrypto >= 1.1.0], [LIBS="$LIBS $libcrypto_LIBS"]) + AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.]) ++ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include ++ int nid = NID_sm3;]])], [ ++ AC_MSG_NOTICE([openssl supports sm3]) ++ ], [ ++ AC_MSG_NOTICE([openssl sm3 support not detected]) ++ CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3" ++ ]) + ], [ + AC_MSG_NOTICE([openssl support not requested]) + ]) +-- +2.41.0 + + +From 4e7effbdc00307d0d1e83115e0d00cc75aae5cc6 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 18 Jul 2023 14:01:53 +0200 +Subject: [PATCH 2/6] man/depmod.d: Fix incorrect /usr/lib search path + +depmod searches /lib/depmod.d but the man page says /usr/lib/depmod.d is +searched. Align the documentation with the code. 
+ +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/9c5a6356b1a111eb6e17ddb110494b7f1d1b44c0.1689681454.git.msuchanek@suse.de +Signed-off-by: Lucas De Marchi +--- + man/depmod.d.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/depmod.d.xml b/man/depmod.d.xml +index 76548e9..8d3d821 100644 +--- a/man/depmod.d.xml ++++ b/man/depmod.d.xml +@@ -39,7 +39,7 @@ + + + +- /usr/lib/depmod.d/*.conf ++ /lib/depmod.d/*.conf + /usr/local/lib/depmod.d/*.conf + /run/depmod.d/*.conf + /etc/depmod.d/*.conf +-- +2.41.0 + + +From 8463809f8a29b254b2cab2ce755641bc690f07c9 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 18 Jul 2023 14:01:54 +0200 +Subject: [PATCH 3/6] libkmod, depmod: Load modprobe.d, depmod.d from + ${prefix}/lib. + +There is an ongoing effort to limit use of files outside of /usr (or +${prefix} on general). Currently all modprobe.d paths are hardcoded to +outside of $prefix. Teach kmod to load modprobe.d from ${prefix}/lib. + +On some distributions /usr/lib and /lib are the same directory because +of a compatibility symlink, and it is possible to craft configuration +files with sideeffects that would behave differently when loaded twice. +However, the override semantic ensures that one 'overrides' the other, +and only one configuration file of the same name is loaded from any of +the search directories. 
+ +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/a290343ce32e2a3c25b134e4f27c13b26e06c9e0.1689681454.git.msuchanek@suse.de +Signed-off-by: Lucas De Marchi +--- + Makefile.am | 1 + + configure.ac | 5 +++++ + libkmod/libkmod.c | 7 ++++--- + man/Makefile.am | 9 +++++++-- + man/depmod.d.xml | 1 + + man/modprobe.d.xml | 1 + + tools/depmod.c | 1 + + 7 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 5b7abfe..e6630a3 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -19,6 +19,7 @@ AM_CPPFLAGS = \ + -include $(top_builddir)/config.h \ + -I$(top_srcdir) \ + -DSYSCONFDIR=\""$(sysconfdir)"\" \ ++ -DDISTCONFDIR=\""$(distconfdir)"\" \ + ${zlib_CFLAGS} + + AM_CFLAGS = $(OUR_CFLAGS) +diff --git a/configure.ac b/configure.ac +index e5bceea..fd88d1f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -79,6 +79,10 @@ AC_COMPILE_IFELSE( + # --with- + ##################################################################### + ++AC_ARG_WITH([distconfdir], AS_HELP_STRING([--with-distconfdir=DIR], [directory to search for distribution configuration files]), ++ [], [with_distconfdir='${prefix}/lib']) ++AC_SUBST([distconfdir], [$with_distconfdir]) ++ + AC_ARG_WITH([rootlibdir], + AS_HELP_STRING([--with-rootlibdir=DIR], [rootfs directory to install shared libraries]), + [], [with_rootlibdir=$libdir]) +@@ -313,6 +317,7 @@ AC_MSG_RESULT([ + + prefix: ${prefix} + sysconfdir: ${sysconfdir} ++ distconfdir: ${distconfdir} + libdir: ${libdir} + rootlibdir: ${rootlibdir} + includedir: ${includedir} +diff --git a/libkmod/libkmod.c b/libkmod/libkmod.c +index 1b8773c..57fac1c 100644 +--- a/libkmod/libkmod.c ++++ b/libkmod/libkmod.c +@@ -65,6 +65,7 @@ static const char *const default_config_paths[] = { + SYSCONFDIR "/modprobe.d", + "/run/modprobe.d", + "/usr/local/lib/modprobe.d", ++ DISTCONFDIR "/modprobe.d", + "/lib/modprobe.d", + NULL + }; +@@ -272,9 +273,9 @@ static enum kmod_file_compression_type get_kernel_compression(struct kmod_ctx *c 
+ * to load from user-defined configuration parameters such as + * alias, blacklists, commands (install, remove). If NULL + * defaults to /etc/modprobe.d, /run/modprobe.d, +- * /usr/local/lib/modprobe.d and /lib/modprobe.d. Give an empty +- * vector if configuration should not be read. This array must +- * be null terminated. ++ * /usr/local/lib/modprobe.d, DISTCONFDIR/modprobe.d, and ++ * /lib/modprobe.d. Give an empty vector if configuration should ++ * not be read. This array must be null terminated. + * + * Create kmod library context. This reads the kmod configuration + * and fills in the default values. +diff --git a/man/Makefile.am b/man/Makefile.am +index 11514d5..2fea8e4 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -17,9 +17,14 @@ EXTRA_DIST = $(MAN5:%.5=%.xml) $(MAN8:%.8=%.xml) + CLEANFILES = $(dist_man_MANS) + + %.5 %.8: %.xml +- $(AM_V_XSLT)$(XSLT) \ ++ $(AM_V_XSLT)if [ '$(distconfdir)' != '/lib' ] ; then \ ++ sed -e 's|@DISTCONFDIR@|$(distconfdir)|g' $< ; \ ++ else \ ++ sed -e '/@DISTCONFDIR@/d' $< ; \ ++ fi | \ ++ $(XSLT) \ + -o $@ \ + --nonet \ + --stringparam man.output.quietly 1 \ + --param funcsynopsis.style "'ansi'" \ +- http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< ++ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl - +diff --git a/man/depmod.d.xml b/man/depmod.d.xml +index 8d3d821..f282a39 100644 +--- a/man/depmod.d.xml ++++ b/man/depmod.d.xml +@@ -40,6 +40,7 @@ + + + /lib/depmod.d/*.conf ++ @DISTCONFDIR@/depmod.d/*.conf + /usr/local/lib/depmod.d/*.conf + /run/depmod.d/*.conf + /etc/depmod.d/*.conf +diff --git a/man/modprobe.d.xml b/man/modprobe.d.xml +index 0ab3e91..2bf6537 100644 +--- a/man/modprobe.d.xml ++++ b/man/modprobe.d.xml +@@ -41,6 +41,7 @@ + + + /lib/modprobe.d/*.conf ++ @DISTCONFDIR@/modprobe.d/*.conf + /usr/local/lib/modprobe.d/*.conf + /run/modprobe.d/*.conf + /etc/modprobe.d/*.conf +diff --git a/tools/depmod.c b/tools/depmod.c +index 1d1d41d..630fef9 100644 +--- 
a/tools/depmod.c ++++ b/tools/depmod.c +@@ -54,6 +54,7 @@ static const char *const default_cfg_paths[] = { + SYSCONFDIR "/depmod.d", + "/run/depmod.d", + "/usr/local/lib/depmod.d", ++ DISTCONFDIR "/depmod.d", + "/lib/depmod.d", + NULL + }; +-- +2.41.0 + + +From ecef7c131618bbd9c559924ecae55764089db0dd Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Tue, 18 Jul 2023 14:01:55 +0200 +Subject: [PATCH 4/6] kmod: Add pkgconfig file with kmod compile time + configuration + +Show distconfdir (where system configuration files are searched/to be +installed), sysconfdir (where user configuration files are searched), +module compressions, and module signatures supported. + +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/468b3f572d3b84f25bb53ec8fcb15ed4871914d4.1689681454.git.msuchanek@suse.de +Signed-off-by: Lucas De Marchi +--- + Makefile.am | 2 +- + configure.ac | 11 +++++++++++ + tools/kmod.pc.in | 9 +++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 tools/kmod.pc.in + +diff --git a/Makefile.am b/Makefile.am +index e6630a3..2a54c25 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -96,7 +96,7 @@ libkmod_libkmod_internal_la_DEPENDENCIES = $(libkmod_libkmod_la_DEPENDENCIES) + libkmod_libkmod_internal_la_LIBADD = $(libkmod_libkmod_la_LIBADD) + + pkgconfigdir = $(libdir)/pkgconfig +-pkgconfig_DATA = libkmod/libkmod.pc ++pkgconfig_DATA = libkmod/libkmod.pc tools/kmod.pc + + bashcompletiondir=@bashcompletiondir@ + dist_bashcompletion_DATA = \ +diff --git a/configure.ac b/configure.ac +index fd88d1f..7bf8d78 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -21,6 +21,9 @@ LT_INIT([disable-static pic-only]) + AS_IF([test "x$enable_static" = "xyes"], [AC_MSG_ERROR([--enable-static is not supported by kmod])]) + AS_IF([test "x$enable_largefile" = "xno"], [AC_MSG_ERROR([--disable-largefile is not supported by kmod])]) + ++module_compressions="" ++module_signatures="legacy" ++ + 
##################################################################### + # Program checks and configurations + ##################################################################### +@@ -94,6 +97,7 @@ AC_ARG_WITH([zstd], + AS_IF([test "x$with_zstd" != "xno"], [ + PKG_CHECK_MODULES([libzstd], [libzstd >= 1.4.4], [LIBS="$LIBS $libzstd_LIBS"]) + AC_DEFINE([ENABLE_ZSTD], [1], [Enable Zstandard for modules.]) ++ module_compressions="zstd $module_compressions" + ], [ + AC_MSG_NOTICE([Zstandard support not requested]) + ]) +@@ -105,6 +109,7 @@ AC_ARG_WITH([xz], + AS_IF([test "x$with_xz" != "xno"], [ + PKG_CHECK_MODULES([liblzma], [liblzma >= 4.99], [LIBS="$LIBS $liblzma_LIBS"]) + AC_DEFINE([ENABLE_XZ], [1], [Enable Xz for modules.]) ++ module_compressions="xz $module_compressions" + ], [ + AC_MSG_NOTICE([Xz support not requested]) + ]) +@@ -116,6 +121,7 @@ AC_ARG_WITH([zlib], + AS_IF([test "x$with_zlib" != "xno"], [ + PKG_CHECK_MODULES([zlib], [zlib], [LIBS="$LIBS $zlib_LIBS"]) + AC_DEFINE([ENABLE_ZLIB], [1], [Enable zlib for modules.]) ++ module_compressions="gzip $module_compressions" + ], [ + AC_MSG_NOTICE([zlib support not requested]) + ]) +@@ -134,6 +140,7 @@ AS_IF([test "x$with_openssl" != "xno"], [ + AC_MSG_NOTICE([openssl sm3 support not detected]) + CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3" + ]) ++ module_signatures="PKCS7 $module_signatures" + ], [ + AC_MSG_NOTICE([openssl support not requested]) + ]) +@@ -298,6 +305,9 @@ AC_DEFINE_UNQUOTED(KMOD_FEATURES, ["$with_features"], [Features in this build]) + # Generate files from *.in + ##################################################################### + ++AC_SUBST([module_compressions], $module_compressions) ++AC_SUBST([module_signatures], $module_signatures) ++ + AC_CONFIG_FILES([ + Makefile + man/Makefile +@@ -305,6 +315,7 @@ AC_CONFIG_FILES([ + libkmod/docs/version.xml + libkmod/libkmod.pc + libkmod/python/kmod/version.py ++ tools/kmod.pc + ]) + + +diff --git a/tools/kmod.pc.in b/tools/kmod.pc.in +new file mode 
100644 +index 0000000..2595980 +--- /dev/null ++++ b/tools/kmod.pc.in +@@ -0,0 +1,9 @@ ++prefix=@prefix@ ++sysconfdir=@sysconfdir@ ++distconfdir=@distconfdir@ ++module_compressions=@module_compressions@ ++module_signatures=@module_signatures@ ++ ++Name: kmod ++Description: Tools to deal with kernel modules ++Version: @VERSION@ +-- +2.41.0 + + +From 3af2f475b0b729f20279f2ce488cc9f727f0b763 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Sun, 5 Nov 2023 22:02:25 +0000 +Subject: [PATCH 5/6] tools: depmod: fix -Walloc-size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 14 introduces a new -Walloc-size included in -Wextra which gives: +``` +tools/depmod.c:192:14: warning: allocation of insufficient size ‘1’ for type ‘struct index_node’ with size ‘1048’ [-Walloc-size] +tools/depmod.c:255:11: warning: allocation of insufficient size ‘1’ for type ‘struct index_value’ with size ‘16’ [-Walloc-size] +tools/depmod.c:286:35: warning: allocation of insufficient size ‘1’ for type ‘struct index_node’ with size ‘1048’ [-Walloc-size] +tools/depmod.c:315:44: warning: allocation of insufficient size ‘1’ for type ‘struct index_node’ with size ‘1048’ [-Walloc-size] +``` + +The calloc prototype is: +``` +void *calloc(size_t nmemb, size_t size); +``` + +So, just swap the number of members and size arguments to match the prototype, as +we're initialising 1 struct of size `sizeof(struct ...)`. GCC then sees we're not +doing anything wrong. 
+ +Signed-off-by: Sam James +--- + tools/depmod.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/depmod.c b/tools/depmod.c +index 630fef9..ab8513b 100644 +--- a/tools/depmod.c ++++ b/tools/depmod.c +@@ -190,7 +190,7 @@ static struct index_node *index_create(void) + { + struct index_node *node; + +- node = NOFAIL(calloc(sizeof(struct index_node), 1)); ++ node = NOFAIL(calloc(1, sizeof(struct index_node))); + node->prefix = NOFAIL(strdup("")); + node->first = INDEX_CHILDMAX; + +@@ -253,7 +253,7 @@ static int index_add_value(struct index_value **values, + values = &(*values)->next; + + len = strlen(value); +- v = NOFAIL(calloc(sizeof(struct index_value) + len + 1, 1)); ++ v = NOFAIL(calloc(1, sizeof(struct index_value) + len + 1)); + v->next = *values; + v->priority = priority; + memcpy(v->value, value, len + 1); +@@ -284,7 +284,7 @@ static int index_insert(struct index_node *node, const char *key, + struct index_node *n; + + /* New child is copy of node with prefix[j+1..N] */ +- n = NOFAIL(calloc(sizeof(struct index_node), 1)); ++ n = NOFAIL(calloc(1, sizeof(struct index_node))); + memcpy(n, node, sizeof(struct index_node)); + n->prefix = NOFAIL(strdup(&prefix[j+1])); + +@@ -313,7 +313,7 @@ static int index_insert(struct index_node *node, const char *key, + node->first = ch; + if (ch > node->last) + node->last = ch; +- node->children[ch] = NOFAIL(calloc(sizeof(struct index_node), 1)); ++ node->children[ch] = NOFAIL(calloc(1, sizeof(struct index_node))); + + child = node->children[ch]; + child->prefix = NOFAIL(strdup(&key[i+1])); +-- +2.41.0 + + +From 510c8b7f7455c6613dd1706e5e41ec7b09cf6703 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Sun, 29 Oct 2023 03:03:19 +0200 +Subject: [PATCH 6/6] libkmod: remove pkcs7 obj_to_hash_algo() + +Switch to using OBJ_obj2txt() to calculate and print the pkcs7 +signature hash name. 
This eliminates the need to duplicate libcrypto +NID to name mapping, detect SM3 openssl compile-time support, and +enables using any hashes that openssl and kernel know about. For +example SHA3 are being added for v6.7 and with this patch are +automatically supported. + +Signed-off-by: Dimitri John Ledkov +Link: https://lore.kernel.org/r/20231029010319.157390-1-dimitri.ledkov@canonical.com +--- + configure.ac | 7 ----- + libkmod/libkmod-signature.c | 59 +++++++++++++------------------------ + 2 files changed, 20 insertions(+), 46 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 7bf8d78..a6b8fa0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -133,13 +133,6 @@ AC_ARG_WITH([openssl], + AS_IF([test "x$with_openssl" != "xno"], [ + PKG_CHECK_MODULES([libcrypto], [libcrypto >= 1.1.0], [LIBS="$LIBS $libcrypto_LIBS"]) + AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.]) +- AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include +- int nid = NID_sm3;]])], [ +- AC_MSG_NOTICE([openssl supports sm3]) +- ], [ +- AC_MSG_NOTICE([openssl sm3 support not detected]) +- CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3" +- ]) + module_signatures="PKCS7 $module_signatures" + ], [ + AC_MSG_NOTICE([openssl support not requested]) +diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c +index b749a81..80f6447 100644 +--- a/libkmod/libkmod-signature.c ++++ b/libkmod/libkmod-signature.c +@@ -127,6 +127,7 @@ struct pkcs7_private { + PKCS7 *pkcs7; + unsigned char *key_id; + BIGNUM *sno; ++ char *hash_algo; + }; + + static void pkcs7_free(void *s) +@@ -137,42 +138,11 @@ static void pkcs7_free(void *s) + PKCS7_free(pvt->pkcs7); + BN_free(pvt->sno); + free(pvt->key_id); ++ free(pvt->hash_algo); + free(pvt); + si->private = NULL; + } + +-static int obj_to_hash_algo(const ASN1_OBJECT *o) +-{ +- int nid; +- +- nid = OBJ_obj2nid(o); +- switch (nid) { +- case NID_md4: +- return PKEY_HASH_MD4; +- case NID_md5: +- return PKEY_HASH_MD5; +- case NID_sha1: +- return 
PKEY_HASH_SHA1; +- case NID_ripemd160: +- return PKEY_HASH_RIPE_MD_160; +- case NID_sha256: +- return PKEY_HASH_SHA256; +- case NID_sha384: +- return PKEY_HASH_SHA384; +- case NID_sha512: +- return PKEY_HASH_SHA512; +- case NID_sha224: +- return PKEY_HASH_SHA224; +-# ifndef OPENSSL_NO_SM3 +- case NID_sm3: +- return PKEY_HASH_SM3; +-# endif +- default: +- return -1; +- } +- return -1; +-} +- + static const char *x509_name_to_str(X509_NAME *name) + { + int i; +@@ -219,7 +189,8 @@ static bool fill_pkcs7(const char *mem, off_t size, + unsigned char *key_id_str; + struct pkcs7_private *pvt; + const char *issuer_str; +- int hash_algo; ++ char *hash_algo; ++ int hash_algo_len; + + size -= sig_len; + pkcs7_raw = mem + size; +@@ -278,27 +249,37 @@ static bool fill_pkcs7(const char *mem, off_t size, + + X509_ALGOR_get0(&o, NULL, NULL, dig_alg); + +- hash_algo = obj_to_hash_algo(o); +- if (hash_algo < 0) ++ // Use OBJ_obj2txt to calculate string length ++ hash_algo_len = OBJ_obj2txt(NULL, 0, o, 0); ++ if (hash_algo_len < 0) + goto err3; +- sig_info->hash_algo = pkey_hash_algo[hash_algo]; +- // hash algo has not been recognized +- if (sig_info->hash_algo == NULL) ++ hash_algo = malloc(hash_algo_len + 1); ++ if (hash_algo == NULL) + goto err3; ++ hash_algo_len = OBJ_obj2txt(hash_algo, hash_algo_len + 1, o, 0); ++ if (hash_algo_len < 0) ++ goto err4; ++ ++ // Assign libcrypto hash algo string or number ++ sig_info->hash_algo = hash_algo; ++ + sig_info->id_type = pkey_id_type[modsig->id_type]; + + pvt = malloc(sizeof(*pvt)); + if (pvt == NULL) +- goto err3; ++ goto err4; + + pvt->pkcs7 = pkcs7; + pvt->key_id = key_id_str; + pvt->sno = sno_bn; ++ pvt->hash_algo = hash_algo; + sig_info->private = pvt; + + sig_info->free = pkcs7_free; + + return true; ++err4: ++ free(hash_algo); + err3: + free(key_id_str); + err2: +-- +2.41.0 + diff --git a/SPECS/kmod.spec b/kmod.spec similarity index 56% rename from SPECS/kmod.spec rename to kmod.spec index 67587a3..6bbbaf5 100644 
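Review bot: In the second `fill_pkcs7` hunk, `sig_info->hash_algo = hash_algo;` is assigned before `pvt` is allocated, so when `malloc(sizeof(*pvt))` fails the `err4` path frees the buffer while `sig_info->hash_algo` still points at it. Whether a caller reads `sig_info` after a false return is not visible here, but the field is left dangling; moving the assignment down next to `pvt->hash_algo = hash_algo;`, after the `pvt == NULL` check, avoids that. With the `obj_to_hash_algo()` table removed, the name is now whatever libcrypto renders for the signature's digest OID, so unrecognised algorithms are reported rather than rejected; a comment such as `/* hash_algo comes from the signature itself and is not checked against a known list */` would make that explicit. `fill_pkcs7` starts and ends outside the hunk.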
--- a/SPECS/kmod.spec +++ b/kmod.spec 
@@ -1,30 +1,92 @@ +# Fedora does not support CONFIG_MODVERSIONS. Without kabi support +# weak-modules is useless at best, and can be actively harmful. +# Since RHEL *does* support this and offers kabi support, +# turn it on there by default. +%if 0%{?rhel} +%bcond_without weak_modules +%bcond_without dist_conf +%else +%bcond_with weak_modules +%bcond_with dist_conf +%endif + +%bcond_without zlib +%bcond_without xz +%bcond_without zstd + Name: kmod -Version: 25 -Release: 20%{?dist} +Version: 31 +Release: 8%{?dist} Summary: Linux kernel module management utilities -Group: System Environment/Kernel -License: GPLv2+ -URL: http://git.kernel.org/?p=utils/kernel/kmod/kmod.git;a=summary +# https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_license_analysis +# GPL-2.0-or-later: +# build-aux/compile +# build-aux/depcomp +# build-aux/ltmain.sh +# build-aux/ltmain.sh +# build-aux/missing +# build-aux/py-compile +# build-aux/test-driver +# m4/attributes.m4 +# m4/features.m4 +# tools +# GPL-3.0-or-later: +# build-aux/config.guess +# build-aux/config.sub +# build-aux/git-version-gen +# libkmod/docs/gtk-doc.make +# m4/gtk-doc.m4 +# FSFUL: +# configure +# FSFULLRWD: +# aclocal.m4 +# libkmod/docs/Makefile.in +# m4/libtool.m4 +# m4/lt~obsolete.m4 +# m4/ltoptions.m4 +# m4/ltsugar.m4 +# m4/ltversion.m4 +# Makefile.in +# LGPL-2.1-only: +# libkmod/python/kmod/error.py +# libkmod/python/kmod/__init__.py +# libkmod/python/kmod/version.py +# libkmod/python/kmod/version.py.in +# LGPL-2.1-or-later: +# config.h.in (no explicit license, the one in COPYING is assumed) +# libkmod +# man (no explicit license, the one in COPYING is assumed) +# shared +# shell-completion/bash/kmod +# testsuite +# X11: +# build-aux/install-sh +License: GPL-2.0-or-later AND GPL-3.0-or-later AND FSFUL AND FSFULLRWD AND LGPL-2.1-only AND LGPL-2.1-or-later AND X11 +URL: https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git Source0: 
https://www.kernel.org/pub/linux/utils/kernel/kmod/%{name}-%{version}.tar.xz Source1: weak-modules Source2: depmod.conf.dist +Patch1: kmod-tip.patch +# v33~1 "libkmod: avoid undefined behaviour in libkmod-builtin.c:get_string" +Patch2: 0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch + Exclusiveos: Linux -Patch01: kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch -Patch02: kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch -Patch03: kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch -Patch04: 0001-depmod-prevent-module-dependency-files-missing-durin.patch -Patch05: 0002-depmod-prevent-module-dependency-files-corruption-du.patch - -BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) +BuildRequires: gcc BuildRequires: chrpath +%if %{with zlib} BuildRequires: zlib-devel +%endif +%if %{with xz} BuildRequires: xz-devel -BuildRequires: libxslt +%endif +BuildRequires: libxslt docbook-style-xsl BuildRequires: openssl-devel -# Remove it as soon as no need for Patch02 anymore (Makefile.am updated) -BuildRequires: automake autoconf libtool +BuildRequires: make automake +%if %{with zstd} +BuildRequires: libzstd-devel +%endif Provides: module-init-tools = 4.0-1 Obsoletes: module-init-tools < 4.0-1 @@ -38,8 +100,6 @@ examples of loaded and unloaded modules. %package libs Summary: Libraries to handle kernel module loading and unloading -License: LGPLv2+ -Group: System Environment/Libraries %description libs The kmod-libs package provides runtime libraries for any application that @@ -47,7 +107,6 @@ wishes to load or unload Linux kernel modules from the running system. %package devel Summary: Header files for kmod development -Group: Development/Libraries Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description devel 
@@ -55,30 +114,33 @@ The kmod-devel package provides header files used for development of applications that wish to load or unload Linux kernel modules. %prep -%setup -q -%patch01 -p1 -%patch02 -p1 -%patch03 -p1 -%patch04 -p1 -%patch05 -p1 +%autosetup -p1 %build -export V=1 -aclocal -autoreconf --install --symlink %configure \ + --with-openssl \ +%if %{with zlib} --with-zlib \ - --with-xz \ - --with-openssl -make %{?_smp_mflags} +%endif +%if %{with xz} + --with-xz \ +%endif +%if %{with zstd} + --with-zstd \ +%endif + --enable-debug + +%{make_build} V=1 %install -make install DESTDIR=$RPM_BUILD_ROOT -pushd $RPM_BUILD_ROOT/%{_mandir}/man5 +%{make_install} + +pushd $RPM_BUILD_ROOT%{_mandir}/man5 ln -s modprobe.d.5.gz modprobe.conf.5.gz popd -rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la +find %{buildroot} -type f -name "*.la" -delete + mkdir -p $RPM_BUILD_ROOT%{_sbindir} ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modprobe ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modinfo @@ -91,16 +153,15 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/modprobe.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/modprobe.d -mkdir -p $RPM_BUILD_ROOT/sbin -install -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules +%if %{with weak_modules} +install -pm 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules +%endif + +%if %{with dist_conf} install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf - -%post libs -p /sbin/ldconfig - -%postun libs -p /sbin/ldconfig +%endif %files -%defattr(-,root,root,-) %dir %{_sysconfdir}/depmod.d %dir %{_sysconfdir}/modprobe.d %dir %{_prefix}/lib/modprobe.d 
@@ -111,101 +172,143 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf %{_sbindir}/rmmod %{_sbindir}/lsmod %{_sbindir}/depmod +%if %{with weak_modules} %{_sbindir}/weak-modules +%endif %{_datadir}/bash-completion/ +%if %{with dist_conf} %{_sysconfdir}/depmod.d/dist.conf -%attr(0644,root,root) %{_mandir}/man5/*.5* +%endif +%attr(0644,root,root) %{_mandir}/man5/mod*.d*.5* +%attr(0644,root,root) %{_mandir}/man5/depmod.d.5* +%{_mandir}/man5/modprobe.conf.5* %attr(0644,root,root) %{_mandir}/man8/*.8* -%doc NEWS README TODO +%doc NEWS README.md TODO %files libs -%{!?_licensedir:%global license %%doc} %license COPYING %{_libdir}/libkmod.so.* %files devel %{_includedir}/libkmod.h +%{_libdir}/pkgconfig/kmod.pc %{_libdir}/pkgconfig/libkmod.pc %{_libdir}/libkmod.so %changelog -* Wed Oct 11 2023 Eugene Syromiatnikov - 25-20 +* Thu Aug 15 2024 Eugene Syromiatnikov - 31-8 +- Fix issues discovered by static analysis +- Resolves: RHEL-44931 + +* Mon Aug 12 2024 Eugene Syromiatnikov - 31-7 +- weak-modules: use either zcat or xzcat based on symvers file extension +- Resolves: RHEL-39388 + +* Mon Jun 24 2024 Troy Dawson - 31-6 +- Bump release for June 2024 mass rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 31-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 31-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Dec 01 2023 Eugene Syromiatnikov - 31-3 +- migrated to SPDX license + +* Thu Nov 09 2023 Josh Boyer - 31-2 +- Add upstream patches to enable SHA3 support +- New upstream v31 +- Resolves: rhbz#2241394 + +* Thu Jul 20 2023 Fedora Release Engineering - 30-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue May 09 2023 Eugene Syromiatnikov - 30-5 - Add symvers.xz support to weak-modules -- Resolves: RHEL-8903 -* Mon Nov 29 2021 Yauheni Kaliuta - 25-19 -- depmod: fix parallel execution issues - Resolves: 
rhbz#2026938 +* Thu Jan 19 2023 Fedora Release Engineering - 30-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Fri Apr 16 2021 Yauheni Kaliuta - 25-18 -- weak-modules: do not require dracut wneh using --no-initramfs - Resolves: rhbz#1935416 +* Sat Dec 17 2022 Florian Weimer - 30-3 +- Port configure script to C99 -* Fri Dec 18 2020 Yauheni Kaliuta - 25-17 -- weak-modules: reset compatible_modules if configuration is not valid - Resolves: rhbz#1907855 +* Thu Jul 21 2022 Fedora Release Engineering - 30-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Mon Dec 9 2019 Yauheni Kaliuta - 25-16 -- weak-modules: update_modules_for_krel: always finish sandbox -- weak-modules: groupping: use dependencies of extra/ provider - Resolves: rhbz#1778889 +* Mon Jul 4 2022 Yauheni Kaliuta - 30-1 +- New upstream v30 +- Resolves: rhbz#2102796 -* Mon Dec 9 2019 Yauheni Kaliuta - 25-15 -- weak-modules: reverse checking order for add-kernel - Resolves: rhbz#1755196 +* Thu Jan 20 2022 Fedora Release Engineering - 29-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Mon Dec 2 2019 Yauheni Kaliuta - 25-14 -- modprobe: do not fail on built-in modules - Resolves: rhbz#1767513 +* Tue Sep 14 2021 Sahana Prasad - 29-6 +- Rebuilt with OpenSSL 3.0.0 -* Tue Apr 16 2019 Yauheni Kaliuta - 25-13 -- weak-modules: handle independent modules in one run - Resolves: rhbz#1695763 +* Tue Aug 10 2021 Yauheni Kaliuta - 29-5 +- kmod.spec: enable debug +- weak-modules: compare_initramfs_modules: exit on pushd/popd failures +- weak-modules: split modules into array with read -a +- Add default config file, /etc/depmod.d/dist.conf -* Tue Apr 2 2019 Yauheni Kaliuta - 25-12 -- weak-modules: use asterisk for kernel version in sandbox - Resolves: rhbz#1689052 +* Thu Jul 22 2021 Fedora Release Engineering - 29-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Tue Feb 5 2019 Yauheni Kaliuta - 25-11 -- add PKCS7/openssl 
support. - Resolves: rhbz#1668459. +* Tue Jun 08 2021 Neal Gompa - 29-3 +- Fix conditional to only install weak-modules for RHEL -* Tue Dec 11 2018 Yauheni Kaliuta - 25-10 -- weak-modules: group modules on add-kernel -- weak-modules: do not make groups if there are no extra modules - Resolves: rhbz#1649211 +* Tue May 25 2021 Justin M. Forbes - 29-2 +- Rebuild for weak-modules drop in Fedora -* Tue Oct 2 2018 Yauheni Kaliuta - 25-9 -- Rebuild with updated flags. - Resolves: rhbz#1630574. +* Mon May 24 2021 Justin M. Forbes +- Remove weak-modules for Fedora as it causes problems. -* Tue Sep 4 2018 Yauheni Kaliuta - 25-8 -- weak-modules: fix initial state creation for dry-run -- weak-modules: check compatibility in a temporary directory - Resolves: rhbz#1622990. +* Fri May 14 2021 Josh Boyer - 29-1 +- New upstream v29 +- Resolves: rhbz#1962980 -* Tue Aug 28 2018 Yauheni Kaliuta - 25-7 -- weak-modules: use is_kernel_installed wrapper in update_modules_for_krel. -- weak-modules: more abstract symvers search implementation. -- weak-modules: use additional paths for System.map file. - Resolves: rhbz#1621306. +* Tue Jan 26 2021 Fedora Release Engineering - 28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Thu Aug 09 2018 Eugene Syromiatnikov - 25-6 -- weak-modules: check also for /lib/modules/$krel/symvers.gz as a possible - symvers file path. - Resolves: rhbz#1614119. +* Thu Jan 07 2021 Josh Boyer - 28-1 +- New upstream v28 +- Enable zstd support +- Resolves: rhbz#1913949 -* Mon Jul 30 2018 Yauheni Kaliuta - 25-5 -- weak-modules: handle versions with + and other special regex symbols -- weak-modules: fix misleading message when cannot find dracut. - Resolves: rhbz#1609372. 
+* Tue Jul 28 2020 Fedora Release Engineering - 27-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Fri Jul 27 2018 Yauheni Kaliuta - 25-4 -- fix dracut path, /usr/bin/dracut +* Wed Mar 25 2020 Yauheni Kaliuta - 27-2 +- add 0001-depmod-do-not-output-.bin-to-stdout.patch + Resolves: rhbz#1808430 -* Wed Jul 25 2018 Yauheni Kaliuta - 25-3 -- Add depmod.d/dist.conf. -- Update weak-modules to RHEL version. +* Thu Feb 20 2020 Peter Robinson - 27-1 +- New upstream v27 + +* Mon Jan 20 2020 Yauheni Kaliuta - 26-5 +- weak-modules: sync with RHEL + +* Thu Jul 25 2019 Fedora Release Engineering - 26-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Feb 25 2019 Yauheni Kaliuta - 26-3 +- weak-modules: sync with RHEL + +* Sun Feb 24 2019 Yauheni Kaliuta - 26-2 +- add PKCS7/openssl support (rhbz 1320921) + +* Sun Feb 24 2019 Yauheni Kaliuta - 26-1 +- Update to version 26 (rhbz 1673749) + +* Fri Feb 01 2019 Fedora Release Engineering - 25-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Oct 29 2018 James Antill - 25-4 +- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc (rhbz 1644063) + +* Fri Jul 13 2018 Fedora Release Engineering - 25-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Wed Feb 07 2018 Fedora Release Engineering - 25-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -296,7 +399,7 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf - Update to version 13 * Wed Mar 20 2013 Weiping Pan - 12-3 -- Pull in weak-modules for kABI from Jon Masters +- Pull in weak-modules for kABI from Jon Masters * Mon Mar 18 2013 Josh Boyer - Add patch to make rmmod understand built-in modules (rhbz 922187) diff --git a/sources b/sources new file mode 100644 index 0000000..d97b132 --- /dev/null +++ b/sources 
@@ -0,0 +1 @@ +SHA512 (kmod-31.tar.xz) = 05ca70381808bec5f262b94db625662c385408988178a35e4aaf4960ee0716dc0cbfc327160ea4b61098d0c2130ab1b5142ea8156bea8e06ded7f4d288b6d085 diff --git a/SOURCES/weak-modules b/weak-modules similarity index 98% rename from SOURCES/weak-modules rename to weak-modules index 2aeb9d4..76523a7 100644 --- a/SOURCES/weak-modules +++ b/weak-modules @@ -179,24 +179,24 @@ compare_initramfs_modules() { mkdir "$tmpdir/new_initramfs" decompress_initramfs "$old_initramfs" "$tmpdir/old_initramfs.img" - pushd "$tmpdir/old_initramfs" >/dev/null + pushd "$tmpdir/old_initramfs" >/dev/null || exit cpio -i < "$tmpdir/old_initramfs.img" 2>/dev/null rm "$tmpdir/old_initramfs.img" n=0; for i in `list_module_files|sort`; do old_initramfs_modules[n]="$i" n=$((n+1)) done - popd >/dev/null + popd >/dev/null || exit decompress_initramfs "$new_initramfs" "$tmpdir/new_initramfs.img" - pushd "$tmpdir/new_initramfs" >/dev/null + pushd "$tmpdir/new_initramfs" >/dev/null || exit cpio -i < "$tmpdir/new_initramfs.img" 2>/dev/null rm "$tmpdir/new_initramfs.img" n=0; for i in `list_module_files|sort`; do new_initramfs_modules[n]="$i" n=$((n+1)) done - popd >/dev/null + popd >/dev/null || exit # Compare the length and contents of the arrays if [ "${#old_initramfs_modules[@]}" == "${#new_initramfs_modules[@]}" -a \ @@ -620,7 +620,6 @@ update_modules_for_krel() { if ! validate_weak_links $krel && [[ -z "$force_update" ]]; then global_link_state_restore $krel - compatible_modules=() fi # add compatible to installed @@ -759,6 +758,7 @@ validate_weak_links() { # to return to caller that original proposal is not valid # here 0 is true, 1 is false, since it will be the return code local is_configuration_valid=0 + local cat_prog tmp=$(mktemp -p $tmpdir) compatible_modules=() 
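Review bot: In the `update_modules_for_krel` hunk the new side no longer clears `compatible_modules` after `global_link_state_restore $krel`, so the `# add compatible to installed` step that follows presumably runs with the list `validate_weak_links` left behind, even though the configuration was just judged invalid. The changelog entry removed from kmod.spec in this same commit ("reset compatible_modules if configuration is not valid", rhbz#1907855) describes that reset as a fix. Unless the code after the hunk handles it another way, keep `compatible_modules=()` in the failure branch. The function body continues outside the hunk.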
@@ -767,7 +767,12 @@ validate_weak_links() { local symvers_path=$(find_symvers_file "$krel") [[ -n "$symvers_path" ]] || return - zcat "$symvers_path" > $tmpdir/symvers-$krel + cat_prog="cat" + case "$symvers" in + *.gz) cat_prog="zcat" ;; + *.xz) cat_prog="xzcat" ;; + esac + "$cat_prog" "$symvers_path" > $tmpdir/symvers-$krel fi while ((is_updates_changed)); do @@ -941,7 +946,7 @@ do_make_groups() declare -a mods while read i; do - mods=($i) + read -a mods <<< "$i" echo "${mods[0]}" |grep -q "extra/" || continue @@ -993,7 +998,7 @@ filter_extra_absoluted() # to speed up handling in general cases echo "$i" |grep -q "extra/" || continue - mods=($i) + read -a mods <<< "$i" for j in "${!mods[@]}"; do mod="${mods[$j]}" @@ -1153,7 +1158,7 @@ while :; do shift done -if [ ! -x "$dracut" ] && [ -z "$no_initramfs" ] +if [ ! -x "$dracut" ] then echo "weak-modules: could not find dracut at $dracut" exit 1
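Review bot: The `case "$symvers" in` added to `validate_weak_links` tests a variable that is not set anywhere in the visible lines; the path found just above is stored in `symvers_path`. If `$symvers` is empty here, neither pattern matches, `cat_prog` stays `cat`, and a compressed symvers file is copied to `$tmpdir/symvers-$krel` without being decompressed, so the later symbol comparison would presumably read compressed bytes. The line should read `case "$symvers_path" in`, and the redirect target is better quoted as `> "$tmpdir/symvers-$krel"`. The function continues outside the hunk.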
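Review bot: The last hunk drops `&& [ -z "$no_initramfs" ]` from the dracut check, so the script now exits with "could not find dracut" even when the caller asked for no initramfs handling. The changelog entry removed from kmod.spec in this commit (rhbz#1935416, not requiring dracut with --no-initramfs) records the old condition as a deliberate fix, so this looks like a regression picked up by syncing to a different copy of weak-modules. Restore the guard: `if [ ! -x "$dracut" ] && [ -z "$no_initramfs" ]`.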