diff --git a/.gitignore b/.gitignore
index 00b0e0c..7f7e139 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/libkcapi-1.1.5.tar.xz
+SOURCES/libkcapi-1.2.0.tar.xz
+SOURCES/libkcapi-1.2.0.tar.xz.asc
diff --git a/.libkcapi.metadata b/.libkcapi.metadata
index 3264a72..254f701 100644
--- a/.libkcapi.metadata
+++ b/.libkcapi.metadata
@@ -1 +1,2 @@
-fb247c6f8c2d83e7e341ac56dd6eedc7f6fe5380 SOURCES/libkcapi-1.1.5.tar.xz
+c5bc2fdb8da1c567c1435096fed8937d4d3ce4f1 SOURCES/libkcapi-1.2.0.tar.xz
+c5bc2fdb8da1c567c1435096fed8937d4d3ce4f1 SOURCES/libkcapi-1.2.0.tar.xz.asc
diff --git a/SOURCES/100-fix-double-free-hasher.patch b/SOURCES/100-fix-double-free-hasher.patch
new file mode 100644
index 0000000..a64cabb
--- /dev/null
+++ b/SOURCES/100-fix-double-free-hasher.patch
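Review bot: In `.libkcapi.metadata` the two added entries carry the same SHA-1, `c5bc2fdb8da1c567c1435096fed8937d4d3ce4f1`, for `libkcapi-1.2.0.tar.xz` and for its detached signature `libkcapi-1.2.0.tar.xz.asc`. A tarball and its signature are different files and cannot share a digest, so one entry is presumably a copy of the other, or the stored `.asc` is really a second copy of the tarball. Either way the signature that the spec lists as `Source1` would not be the artefact pinned here, which defeats the point of shipping it. The second line should carry the digest of the real signature file, `<SHA1_OF_ASC_FILE> SOURCES/libkcapi-1.2.0.tar.xz.asc`, and it is worth confirming that the build actually verifies the tarball against it.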
@@ -0,0 +1,54 @@
+--- libkcapi-1.2.0/apps/kcapi-hasher.c.fix-double-free-hasher 2020-05-26 16:31:28.296332614 +0200
++++ libkcapi-1.2.0/apps/kcapi-hasher.c 2020-05-26 16:37:07.681011437 +0200
+@@ -301,7 +301,7 @@ static int hasher(struct kcapi_handle *h
+ fprintf(stderr,
+ "Use of mmap failed mapping %zu bytes at offset %" PRId64 " of file %s (%d)\n",
+ mapped, (int64_t)offset, filename, ret);
+- goto out;
++ return ret;
+ }
+ /* Compute hash */
+ memblock_p = memblock;
+@@ -311,8 +311,10 @@ static int hasher(struct kcapi_handle *h
+ INT_MAX : (uint32_t)left;
+
+ ret = kcapi_md_update(handle, memblock_p, todo);
+- if (ret < 0)
+- goto out;
++ if (ret < 0) {
++ munmap(memblock, mapped);
++ return ret;
++ }
+ left -= todo;
+ memblock_p += todo;
+ } while (left);
+@@ -329,7 +331,7 @@ static int hasher(struct kcapi_handle *h
+
+ ret = kcapi_md_update(handle, tmpbuf, bufsize);
+ if (ret < 0)
+- goto out;
++ return ret;
+ }
+ kcapi_memset_secure(tmpbuf, 0, sizeof(tmpbuf));
+ }
+@@ -340,7 +342,7 @@ static int hasher(struct kcapi_handle *h
+ if (hashlen > (uint32_t)ret) {
+ fprintf(stderr, "Invalid truncated hash size: %lu > %i\n",
+ (unsigned long)hashlen, ret);
+- goto out;
++ return ret;
+ }
+
+ if (!hashlen)
+@@ -376,11 +378,6 @@ static int hasher(struct kcapi_handle *h
+ fprintf(stderr, "Generation of hash for file %s failed (%d)\n",
+ filename ? filename : "stdin", ret);
+ }
+-
+-out:
+- if (memblock)
+- munmap(memblock, mapped);
+-
+ return ret;
+ }
+
diff --git a/SOURCES/100-workaround-cppcheck-bug.patch b/SOURCES/100-workaround-cppcheck-bug.patch
deleted file mode 100644
index 1819e83..0000000
--- a/SOURCES/100-workaround-cppcheck-bug.patch
+++ /dev/null
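Review bot: The truncated-size check in the fourth inner hunk still exits with `return ret;`, and on that path `ret` is the non-negative value that `hashlen` was just compared against, so hasher() reports an invalid `hashlen` with what looks like a length or success code rather than an error; `return -EINVAL;` would make the failure unambiguous (the assignment to `ret` is outside the hunk, so confirm what it holds). In the third inner hunk the early `return ret;` after a failed `kcapi_md_update(handle, tmpbuf, bufsize)` also skips the `kcapi_memset_secure(tmpbuf, 0, sizeof(tmpbuf));` that follows the loop, leaving the data just read on the stack; wiping before that return keeps the error path consistent with the normal one. Both behaviours were already present with `goto out`, but since this patch rewrites every exit of hasher() it is the natural place to fix them. hasher() begins outside the quoted hunks and only parts of its body are shown.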
@@ -1,13 +0,0 @@
-diff --git a/test/kcapi-main.c b/test/kcapi-main.c
-index 2ae0edb..6818e67 100644
---- a/test/kcapi-main.c
-+++ b/test/kcapi-main.c
-@@ -237,7 +237,7 @@ static inline uint64_t _time_delta(struct timespec *start, struct timespec *end)
-
- static int get_random(uint8_t *buf, uint32_t buflen, unsigned int flags)
- {
-- int ret;
-+ int ret = 0;
-
- if (buflen > INT_MAX)
- return 1;
diff --git a/SOURCES/110-fipshmac-compat.patch b/SOURCES/110-fipshmac-compat.patch
deleted file mode 100644
index 42502f6..0000000
--- a/SOURCES/110-fipshmac-compat.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up libkcapi-1.1.5/apps/kcapi-hasher.c.fipshmac-compat libkcapi-1.1.5/apps/kcapi-hasher.c
---- libkcapi-1.1.5/apps/kcapi-hasher.c.fipshmac-compat 2019-01-23 07:14:51.000000000 +0100
-+++ libkcapi-1.1.5/apps/kcapi-hasher.c 2020-04-23 14:37:59.518173594 +0200
-@@ -386,10 +386,16 @@ static char *paste(char *dst, const char
- static char *get_hmac_file(const char *filename, const char *checkdir)
- {
- size_t i, filelen, pathlen, namelen, basenamestart = 0;
-- size_t prefixlen = strlen(CHECK_PREFIX);
-+ const char *check_prefix = CHECK_PREFIX;
-+ size_t prefixlen = strlen(check_prefix);
- size_t suffixlen = strlen(CHECK_SUFFIX);
- char *cursor, *checkfile = NULL;
-
-+ if (prefixlen == 0 && checkdir == NULL) {
-+ check_prefix = ".";
-+ prefixlen = 1;
-+ }
-+
- filelen = strlen(filename);
- if (filelen > 4096) {
- fprintf(stderr, "File too long\n");
-@@ -415,7 +421,7 @@ static char *get_hmac_file(const char *f
- } else if (pathlen > 0)
- cursor = paste(cursor, filename, pathlen);
-
-- cursor = paste(cursor, CHECK_PREFIX, prefixlen);
-+ cursor = paste(cursor, check_prefix, prefixlen);
- cursor = paste(cursor, filename + basenamestart, namelen);
- cursor = paste(cursor, "."CHECK_SUFFIX, 1 + suffixlen);
- strncpy(cursor, "\0", 1);
diff --git a/SOURCES/libkcapi-1.1.5.tar.xz.asc b/SOURCES/libkcapi-1.1.5.tar.xz.asc
deleted file mode 100644
index 62e5d39..0000000
--- a/SOURCES/libkcapi-1.1.5.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAl1BSvEACgkQQh7pNjJq -wVtOogf/UzYn7DUB4x0QQxODtaVbXrZ5FfFWDpKJxCVXWI64VK1kF6SSm+qD305h -Dj0lA7+TpIKhwKlc4kofaLjW/yeUPEoZCBjFSTeLc+A/7XP5m1Xqnz6fuH2lZwRK -o1p8ICPj9bOW9rj2K59pdHVTdXW1fj5sJOi25n9fLf5PcaPMxoawHG4l18tp7qNd -XXrqcfeSe+IF3Z4MJQee4lnsQE37wOJC8lanNDMXs7XZJ4RGUrJWfMWzVhVbh+D4 -n6Ow6H0ZaJDUksSh6faKBwAlo+c9J2CRe80+EIiAcYCKzQOH6ylnhdU1qKVD/kNK -7XMwTY3intV9FP3mhM/RPSLSOw7NLA== -=UN86 ------END PGP SIGNATURE----- diff --git a/SPECS/libkcapi.spec b/SPECS/libkcapi.spec index 8c6efa4..3ee0ab4 100644 --- a/SPECS/libkcapi.spec +++ b/SPECS/libkcapi.spec @@ -1,7 +1,7 @@ # Shared object version of libkcapi. %global vmajor 1 -%global vminor 1 -%global vpatch 5 +%global vminor 2 +%global vpatch 0 # Do we build the replacements packages? %bcond_with replace_coreutils @@ -109,7 +109,7 @@ done \ Name: libkcapi Version: %{vmajor}.%{vminor}.%{vpatch} -Release: 3%{?dist} +Release: 2%{?dist} Summary: User space interface to the Linux Kernel Crypto API License: BSD or GPLv2 @@ -119,8 +119,7 @@ Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source2: sha512hmac-openssl.sh Source3: fipshmac-openssl.sh -Patch100: 100-workaround-cppcheck-bug.patch -Patch110: 110-fipshmac-compat.patch +Patch100: 100-fix-double-free-hasher.patch BuildRequires: bash BuildRequires: clang @@ -461,6 +460,12 @@ popd %changelog +* Tue May 26 2020 Sahana Prasad - 1.2.0-2 +- Fix double free issue in hasher() + +* Mon May 25 2020 Sahana Prasad - 1.2.0-1 +- [RHEL] Update to upstream version 1.2.0 + * Thu Apr 30 2020 Sahana Prasad - 1.1.5-3 - Enables building on old kernels [sync fix in Fedora from omosnance]. - This is required for covscans as they run on RHEL7 machines.