From f86fb6be5d78371520a046f486423eb5160fc9f7 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 12 Nov 2024 10:51:21 +0000 Subject: [PATCH] import UBI kmod-28-10.el9 --- ...defined-behaviour-in-libkmod-builtin.patch | 44 +++++++++++++++++++ ...crash-on-unknown-signature-algorithm.patch | 38 ++++++++++++++++ ...-error-out-on-unknown-hash-algorithm.patch | 44 +++++++++++++++++++ ...verflow-with-wrong-modules.builtin.m.patch | 29 ++++++++++++ SPECS/kmod.spec | 14 +++++- 5 files changed, 168 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch create mode 100644 SOURCES/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch create mode 100644 SOURCES/0001-libkmod-error-out-on-unknown-hash-algorithm.patch create mode 100644 SOURCES/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch diff --git a/SOURCES/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch b/SOURCES/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch new file mode 100644 index 0000000..bc47622 --- /dev/null +++ b/SOURCES/0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch @@ -0,0 +1,44 @@ +From 5c22362b6b97af9c6b7587f0c3450001e9893115 Mon Sep 17 00:00:00 2001 +From: Eugene Syromiatnikov +Date: Tue, 13 Aug 2024 16:17:27 +0200 +Subject: [PATCH] libkmod: avoid undefined behaviour in + libkmod-builtin.c:get_string + +Static analysis has reported a potential UB: + + kmod-31/libkmod/libkmod-builtin.c:125: use_invalid: Using "nullp", which points to an out-of-scope variable "buf". + # 123| size_t linesz = 0; + # 124| + # 125|-> while (!nullp) { + # 126| char buf[BUFSIZ]; + # 127| ssize_t sz; + +It seems to be indeed an UB, as nullp is getting assined an address +inside object buf, which has a lifetime of the while loop body, +and is not available outside of it (specifically, in the while +condition, where nullp is checked for NULL). Fix it by putting +buf definition in the outer block. +--- + libkmod/libkmod-builtin.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c +index fd0f549..40a7d61 100644 +--- a/libkmod/libkmod-builtin.c ++++ b/libkmod/libkmod-builtin.c +@@ -105,11 +105,11 @@ static off_t get_string(struct kmod_builtin_iter *iter, off_t offset, + char **line, size_t *size) + { + int sv_errno; ++ char buf[BUFSIZ]; + char *nullp = NULL; + size_t linesz = 0; + + while (!nullp) { +- char buf[BUFSIZ]; + ssize_t sz; + size_t partsz; + +-- +2.13.6 + diff --git a/SOURCES/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch b/SOURCES/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch new file mode 100644 index 0000000..6725d8c --- /dev/null +++ b/SOURCES/0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch @@ -0,0 +1,38 @@ +From d5950b0b5e66a5ec1c21b638dec3974056aaabeb Mon Sep 17 00:00:00 2001 +From: Mikhail Novosyolov +Date: Sun, 25 Sep 2022 17:46:08 +0300 +Subject: [PATCH] libkmod: do not crash on unknown signature algorithm + +Example kernel module: +https://file-store.rosalinux.ru/download/7281f97e0c04c0f818ad3f936706f4a407e8dc7e +(/lib/modules/5.15.67-generic-1rosa2021.1-x86_64/kernel/drivers/usb/host/xhci-pci.ko.zst) +It is signed with Streebog 512. + +libkmod v30 crashed in libkmod-module.c:2413 in this code: + +n = kmod_module_info_append(list, + "sig_hashalgo", strlen("sig_hashalgo"), + sig_info.hash_algo, strlen(sig_info.hash_algo)); + +because strlen() got null. +--- + libkmod/libkmod-signature.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c +index 4ae5af6..092f396 100644 +--- a/libkmod/libkmod-signature.c ++++ b/libkmod/libkmod-signature.c +@@ -278,6 +278,9 @@ static bool fill_pkcs7(const char *mem, off_t size, + X509_ALGOR_get0(&o, NULL, NULL, dig_alg); + + sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)]; ++ // hash algo has not been recognized ++ if (sig_info->hash_algo == NULL) ++ goto err3; + sig_info->id_type = pkey_id_type[modsig->id_type]; + + pvt = malloc(sizeof(*pvt)); +-- +2.13.6 + diff --git a/SOURCES/0001-libkmod-error-out-on-unknown-hash-algorithm.patch b/SOURCES/0001-libkmod-error-out-on-unknown-hash-algorithm.patch new file mode 100644 index 0000000..afd724e --- /dev/null +++ b/SOURCES/0001-libkmod-error-out-on-unknown-hash-algorithm.patch @@ -0,0 +1,44 @@ +From b9605c63b859adfffc0b4b9420d720aa323b90e9 Mon Sep 17 00:00:00 2001 +From: Emil Velikov +Date: Mon, 6 Feb 2023 14:32:59 +0000 +Subject: [PATCH] libkmod: error out on unknown hash algorithm + +Currently if we see unknown algorithm, we'll do an OOB read in +pkey_hash_algo. This can happen for example if OPENSSL_NO_SM3 is set and +the kernel module uses a SM3 hash. + +Cc: Mikhail Novosyolov +Cc: Lucas De Marchi +Signed-off-by: Emil Velikov +Signed-off-by: Lucas De Marchi +--- + libkmod/libkmod-signature.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c +index 092f396..b749a81 100644 +--- a/libkmod/libkmod-signature.c ++++ b/libkmod/libkmod-signature.c +@@ -219,6 +219,7 @@ static bool fill_pkcs7(const char *mem, off_t size, + unsigned char *key_id_str; + struct pkcs7_private *pvt; + const char *issuer_str; ++ int hash_algo; + + size -= sig_len; + pkcs7_raw = mem + size; +@@ -277,7 +278,10 @@ static bool fill_pkcs7(const char *mem, off_t size, + + X509_ALGOR_get0(&o, NULL, NULL, dig_alg); + +- sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)]; ++ hash_algo = obj_to_hash_algo(o); ++ if (hash_algo < 0) ++ goto err3; ++ sig_info->hash_algo = pkey_hash_algo[hash_algo]; + // hash algo has not been recognized + if (sig_info->hash_algo == NULL) + goto err3; +-- +2.13.6 + diff --git a/SOURCES/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch b/SOURCES/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch new file mode 100644 index 0000000..57ced0d --- /dev/null +++ b/SOURCES/0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch @@ -0,0 +1,29 @@ +From 1cab02ecf6ee2a0aa34f3615dfd99c59f7e04e90 Mon Sep 17 00:00:00 2001 +From: Seung-Woo Kim +Date: Tue, 13 Apr 2021 20:23:14 +0900 +Subject: [PATCH] libkmod: fix an overflow with wrong modules.builtin.modinfo + +Fix a possbile overflow with exact PATH_MAX length modname +in wrong modules.builtin.modinfo. + +Signed-off-by: Seung-Woo Kim +--- + libkmod/libkmod-builtin.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c +index fc9a376..a75a542 100644 +--- a/libkmod/libkmod-builtin.c ++++ b/libkmod/libkmod-builtin.c +@@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter, + + len = dot - line; + +- if (len > PATH_MAX) { ++ if (len >= PATH_MAX) { + sv_errno = ENAMETOOLONG; + goto fail; + } +-- +2.13.6 + diff --git a/SPECS/kmod.spec b/SPECS/kmod.spec index 65ea6cd..6550ee3 100644 --- a/SPECS/kmod.spec +++ b/SPECS/kmod.spec @@ -1,6 +1,6 @@ Name: kmod Version: 28 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Linux kernel module management utilities License: GPLv2+ @@ -11,6 +11,14 @@ Source2: depmod.conf.dist Exclusiveos: Linux Patch01: man-rmmod-explain-why-modprobe-r-is-more-useful.patch +# v29~5 "libkmod: fix an overflow with wrong modules.builtin.modinfo" +Patch02: 0001-libkmod-fix-an-overflow-with-wrong-modules.builtin.m.patch +# v31~29 "libkmod: do not crash on unknown signature algorithm" +Patch03: 0001-libkmod-do-not-crash-on-unknown-signature-algorithm.patch +# v31~18 "libkmod: error out on unknown hash algorithm" +Patch04: 0001-libkmod-error-out-on-unknown-hash-algorithm.patch +# v33~1 "libkmod: avoid undefined behaviour in libkmod-builtin.c:get_string" +Patch05: 0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch BuildRequires: gcc BuildRequires: chrpath @@ -111,6 +119,10 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf %{_libdir}/libkmod.so %changelog +* Thu Aug 15 2024 Eugene Syromiatnikov - 28-10 +- Fix issues discovered by static analysis +- Resolves: RHEL-34073 + * Thu May 11 2023 Eugene Syromiatnikov - 28-9 - Add symvers.xz support to weak-modules - Resolves: rhbz#2192895