Initialize crypto API only once

Resolves: rhbz#2020044
This commit is contained in:
Jan Černý 2021-11-04 08:35:15 +01:00
parent 2e3c457351
commit 522d98f271
3 changed files with 239 additions and 1 deletions

View File

@ -0,0 +1,136 @@
From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 8 Jul 2021 14:28:16 +0200
Subject: [PATCH 1/3] Initialize crypto API only once
The function `crapi_init` calls `gcry_check_version` which must be
called before any other function from the Libgcrypt library. That might
be violated when multiple threads executing multiple probes are running.
The mitigation proposed in this PR is to call `crapi_init` only once
when the session is initialized which means before any threads are
spawned.
See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
Resolves: RHBZ#1959570
---
src/OVAL/oval_probe_session.c | 5 +++++
src/OVAL/probes/independent/filehash58_probe.c | 6 ------
src/OVAL/probes/independent/filehash_probe.c | 6 ------
src/OVAL/probes/independent/filemd5_probe.c | 6 ------
4 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 435ca148fd..6f6d7ad426 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
SEXP_free((SEXP_t *)exp);
ncache_libinit();
+ /*
+ * Initialize crypto API
+ */
+ if (crapi_init (NULL) != 0)
+ return (NULL);
}
/**
diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
index ff1e065746..32a38562bd 100644
--- a/src/OVAL/probes/independent/filehash58_probe.c
+++ b/src/OVAL/probes/independent/filehash58_probe.c
@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
void *filehash58_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
index 522d976512..6d8780dc95 100644
--- a/src/OVAL/probes/independent/filehash_probe.c
+++ b/src/OVAL/probes/independent/filehash_probe.c
@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
void *filehash_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
index d0de402d8b..99913581f0 100644
--- a/src/OVAL/probes/independent/filemd5_probe.c
+++ b/src/OVAL/probes/independent/filemd5_probe.c
@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
void *probe_init (void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 13 Jul 2021 13:03:21 +0200
Subject: [PATCH 2/3] Add a missing include
---
src/OVAL/oval_probe_session.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 6f6d7ad426..295782b536 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -48,6 +48,7 @@
#include "oval_probe_ext.h"
#include "probe-table.h"
#include "oval_types.h"
+#include "crapi/crapi.h"
#if defined(OSCAP_THREAD_SAFE)
#include <pthread.h>
From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 15 Jul 2021 14:21:00 +0200
Subject: [PATCH 3/3] Don't initialize crypto on Windows
---
src/OVAL/oval_probe_session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 295782b536..b443cbcc80 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
/*
* Initialize crypto API
*/
+#ifndef OS_WINDOWS
if (crapi_init (NULL) != 0)
return (NULL);
+#endif
}
/**

View File

@ -0,0 +1,97 @@
From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 28 Jul 2021 13:06:25 +0200
Subject: [PATCH] Add a regression test for rhbz#1959570
The bug was a segmentation fault in filehash58 probe which happened
in openscap-1.3.3-6.el8_3.
The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
and this patch adds a very small test.
---
tests/probes/filehash58/CMakeLists.txt | 1 +
.../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
.../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
index b26d8171fb..cdec0792eb 100644
--- a/tests/probes/filehash58/CMakeLists.txt
+++ b/tests/probes/filehash58/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_INDEPENDENT)
add_oscap_test("test_probes_filehash58.sh")
+ add_oscap_test("rhbz1959570_segfault.sh")
endif()
diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
new file mode 100755
index 0000000000..0c32cc79f1
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# OpenSCAP Probes Test Suite.
+#
+# Authors:
+# Jan Černý, <jcerny@redhat.com>
+
+set -e -o pipefail
+. $builddir/tests/test_common.sh
+
+# Test Cases
+
+stderr="$(mktemp)"
+$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
+[ ! -s "$stderr" ]
+rm "$stderr"
diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
new file mode 100644
index 0000000000..4b3fc4863a
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+ <oval-def:generator>
+ <oval:product_name>jcerny</oval:product_name>
+ <oval:product_version>1</oval:product_version>
+ <oval:schema_version>5.11</oval:schema_version>
+ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
+ </oval-def:generator>
+ <oval-def:definitions>
+ <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
+ <oval-def:metadata>
+ <oval-def:title>title</oval-def:title>
+ <oval-def:description>description</oval-def:description>
+ </oval-def:metadata>
+ <oval-def:criteria>
+ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
+ </oval-def:criteria>
+ </oval-def:definition>
+ </oval-def:definitions>
+ <oval-def:tests>
+ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
+ <ind:object object_ref="oval:x:obj:1"/>
+ <ind:state state_ref="oval:x:ste:1"/>
+ </ind:filehash58_test>
+ </oval-def:tests>
+ <oval-def:objects>
+ <ind:filehash58_object id="oval:x:obj:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+ </oval-def:objects>
+ <oval-def:states>
+ <ind:filehash58_state id="oval:x:ste:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+ </oval-def:states>
+</oval-def:oval_definitions>

View File

@ -1,6 +1,6 @@
Name: openscap
Version: 1.3.5
Release: 10%{?dist}
Release: 11%{?dist}
Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPLv2+
@ -18,6 +18,8 @@ Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
Patch13: openscap-1.3.6-initialize-crapi-once-pr-1779.patch
Patch14: openscap-1.3.6-test-rhbz1959570-pr-1788.patch
BuildRequires: make
BuildRequires: cmake >= 2.6
BuildRequires: gcc
@ -208,6 +210,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
%{_bindir}/oscap-run-sce-script
%changelog
* Thu Nov 04 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-11
- Initialize crypto API only once (rhbz#2020044)
* Mon Nov 01 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-10
- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)