Initialize crypto API only once
Resolves: rhbz#2020044
parent
2e3c457351
commit
522d98f271
136
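--- a/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
+++ b/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
@@ -0,0 +1,136 @@
+From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 8 Jul 2021 14:28:16 +0200
+Subject: [PATCH 1/3] Initialize crypto API only once
+
+The function `crapi_init` calls `gcry_check_version` which must be
+called before any other function from the Libgcrypt library. That might
+be violated when multiple threads executing multiple probes are running.
+The mitigation proposed in this PR is to call `crapi_init` only once
+when the session is initialized which means before any threads are
+spawned.
+
+See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
+
+Resolves: RHBZ#1959570
+---
+src/OVAL/oval_probe_session.c | 5 +++++
+src/OVAL/probes/independent/filehash58_probe.c | 6 ------
+src/OVAL/probes/independent/filehash_probe.c | 6 ------
+src/OVAL/probes/independent/filemd5_probe.c | 6 ------
+4 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 435ca148fd..6f6d7ad426 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
+SEXP_free((SEXP_t *)exp);
+
+ncache_libinit();
++ /*
++ * Initialize crypto API
++ */
++ if (crapi_init (NULL) != 0)
++ return (NULL);
+}
+
+/**
+diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
+index ff1e065746..32a38562bd 100644
+--- a/src/OVAL/probes/independent/filehash58_probe.c
++++ b/src/OVAL/probes/independent/filehash58_probe.c
+@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
+
+void *filehash58_probe_init(void)
+{
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+/*
+* Initialize mutex.
+*/
+diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
+index 522d976512..6d8780dc95 100644
+--- a/src/OVAL/probes/independent/filehash_probe.c
++++ b/src/OVAL/probes/independent/filehash_probe.c
+@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
+
+void *filehash_probe_init(void)
+{
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+/*
+* Initialize mutex.
+*/
+diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
+index d0de402d8b..99913581f0 100644
+--- a/src/OVAL/probes/independent/filemd5_probe.c
++++ b/src/OVAL/probes/independent/filemd5_probe.c
+@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
+
+void *probe_init (void)
+{
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+/*
+* Initialize mutex.
+*/
+
+From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 13 Jul 2021 13:03:21 +0200
+Subject: [PATCH 2/3] Add a missing include
+
+---
+src/OVAL/oval_probe_session.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 6f6d7ad426..295782b536 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -48,6 +48,7 @@
+#include "oval_probe_ext.h"
+#include "probe-table.h"
+#include "oval_types.h"
++#include "crapi/crapi.h"
+
+#if defined(OSCAP_THREAD_SAFE)
+#include <pthread.h>
+
+From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 15 Jul 2021 14:21:00 +0200
+Subject: [PATCH 3/3] Don't initialize crypto on Windows
+
+---
+src/OVAL/oval_probe_session.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 295782b536..b443cbcc80 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
+/*
+* Initialize crypto API
+*/
++#ifndef OS_WINDOWS
+if (crapi_init (NULL) != 0)
+return (NULL);
++#endif
+}
+
+/**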
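Review bot: The added `return (NULL);` in the oval_probe_session.c hunk of patch 1/3 sits inside `static void oval_probe_session_libinit(void)`, so it returns a value from a void function and a `crapi_init` failure is dropped without any signal to the caller. Because the same series removes the `crapi_init` check from `filehash58_probe_init`, `filehash_probe_init` and `probe_init`, nothing on the visible lines stops the hash probes from calling into Libgcrypt after a failed initialisation. I would make the failure observable, for example a bare `return;` preceded by an error log, together with a status that session creation checks and fails on; how libinit is invoked lies outside the hunk, so the exact propagation path needs confirming. Patch 3/3 keeps the same `return (NULL);` inside the `#ifndef OS_WINDOWS` guard, so the point applies there as well.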
97
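--- a/openscap-1.3.6-test-rhbz1959570-pr-1788.patch
+++ b/openscap-1.3.6-test-rhbz1959570-pr-1788.patch
@@ -0,0 +1,97 @@
+From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 28 Jul 2021 13:06:25 +0200
+Subject: [PATCH] Add a regression test for rhbz#1959570
+
+The bug was a segmentation fault in filehash58 probe which happened
+in openscap-1.3.3-6.el8_3.
+
+The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
+and this patch adds a very small test.
+---
+tests/probes/filehash58/CMakeLists.txt | 1 +
+.../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
+.../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
+3 files changed, 59 insertions(+)
+create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
+create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+
+diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
+index b26d8171fb..cdec0792eb 100644
+--- a/tests/probes/filehash58/CMakeLists.txt
++++ b/tests/probes/filehash58/CMakeLists.txt
+@@ -1,3 +1,4 @@
+if(ENABLE_PROBES_INDEPENDENT)
+add_oscap_test("test_probes_filehash58.sh")
++ add_oscap_test("rhbz1959570_segfault.sh")
+endif()
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
+new file mode 100755
+index 0000000000..0c32cc79f1
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
+@@ -0,0 +1,19 @@
++#!/usr/bin/env bash
++
++# Copyright 2021 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# OpenSCAP Probes Test Suite.
++#
++# Authors:
++# Jan Černý, <jcerny@redhat.com>
++
++set -e -o pipefail
++. $builddir/tests/test_common.sh
++
++# Test Cases
++
++stderr="$(mktemp)"
++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
++[ ! -s "$stderr" ]
++rm "$stderr"
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+new file mode 100644
+index 0000000000..4b3fc4863a
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+@@ -0,0 +1,39 @@
++<?xml version="1.0"?>
++<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
++ <oval-def:generator>
++ <oval:product_name>jcerny</oval:product_name>
++ <oval:product_version>1</oval:product_version>
++ <oval:schema_version>5.11</oval:schema_version>
++ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
++ </oval-def:generator>
++ <oval-def:definitions>
++ <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
++ <oval-def:metadata>
++ <oval-def:title>title</oval-def:title>
++ <oval-def:description>description</oval-def:description>
++ </oval-def:metadata>
++ <oval-def:criteria>
++ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
++ </oval-def:criteria>
++ </oval-def:definition>
++ </oval-def:definitions>
++ <oval-def:tests>
++ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
++ <ind:object object_ref="oval:x:obj:1"/>
++ <ind:state state_ref="oval:x:ste:1"/>
++ </ind:filehash58_test>
++ </oval-def:tests>
++ <oval-def:objects>
++ <ind:filehash58_object id="oval:x:obj:1" version="1">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:hash_type>SHA-256</ind:hash_type>
++ </ind:filehash58_object>
++ </oval-def:objects>
++ <oval-def:states>
++ <ind:filehash58_state id="oval:x:ste:1" version="1">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:hash_type>SHA-256</ind:hash_type>
++ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
++ </ind:filehash58_state>
++ </oval-def:states>
++</oval-def:oval_definitions>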
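Review bot: In rhbz1959570_segfault.sh the temporary file from `mktemp` is removed only on the success path, because under `set -e` a failing `$OSCAP` run or a non-empty stderr exits before `rm "$stderr"` and without showing what was captured. Registering the cleanup right after creation with `trap 'rm -f "$stderr"' EXIT`, and replacing the bare check with `[ ! -s "$stderr" ] || { cat "$stderr" >&2; exit 1; }`, keeps the temp directory clean and puts the diagnostic into the test log. `. $builddir/tests/test_common.sh` should also quote `$builddir` so that a build path containing spaces does not break the sourcing.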
@ -1,6 +1,6 @@
|
||||
Name: openscap
|
||||
Version: 1.3.5
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Epoch: 1
|
||||
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
||||
License: LGPLv2+
|
||||
@ -18,6 +18,8 @@ Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
|
||||
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
|
||||
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
|
||||
Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
|
||||
Patch13: openscap-1.3.6-initialize-crapi-once-pr-1779.patch
|
||||
Patch14: openscap-1.3.6-test-rhbz1959570-pr-1788.patch
|
||||
BuildRequires: make
|
||||
BuildRequires: cmake >= 2.6
|
||||
BuildRequires: gcc
|
||||
@ -208,6 +210,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
|
||||
%{_bindir}/oscap-run-sce-script
|
||||
|
||||
%changelog
|
||||
* Thu Nov 04 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-11
|
||||
- Initialize crypto API only once (rhbz#2020044)
|
||||
|
||||
* Mon Nov 01 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-10
|
||||
- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
|
||||
|
||||
|