Fix explicit NULL deref when daemonizing

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

0001-Revert-Move-license-to-GPLv3.patch

@@ -1,7 +1,7 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From fc20530a0ef666b49e6276c983d2d16517d3839b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 1 Feb 2022 15:04:30 -0500
-Subject: [PATCH 1/3] Revert "Move license to GPLv3+"
+Subject: [PATCH 1/5] Revert "Move license to GPLv3+"
 
 This was done too soon.  It's missing some pieces and we need buy-in on
 a couple of source files.

0002-Fix-format-strings-for-32-bit-arches.patch

@@ -1,7 +1,7 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From df8783ed4ed87fef850268098690985049916ee9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 1 Feb 2022 17:37:14 -0500
-Subject: [PATCH 2/3] Fix format strings for 32-bit arches
+Subject: [PATCH 2/5] Fix format strings for 32-bit arches
 
 Sadly, in 2022, this remains a thing.
 

0003-macros-drop-_pesign_args.patch

@@ -1,7 +1,7 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 389decab7b9bcba307e52709b00741a19405f02b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 2 Feb 2022 16:07:46 -0500
-Subject: [PATCH 3/3] macros: drop %{_pesign_args}
+Subject: [PATCH 3/5] macros: drop %{_pesign_args}
 
 Effectively reverts 30b488682a92c524bb9c0d450c34e9abc0b56de9
 

0004-Handle-NULL-pwdata-in-cms_set_pw_data.patch

@@ -0,0 +1,55 @@
+From 4d1ead068248b56ecaeb437f0c0b59f9d89b9748 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 14 Feb 2022 15:46:25 -0500
+Subject: [PATCH 4/5] Handle NULL pwdata in cms_set_pw_data()
+
+When 12f16710ee44ef64ddb044a3523c3c4c4d90039a rewrote this function, it
+didn't handle the NULL pwdata invocation from daemon.c.  This leads to a
+explicit NULL dereference and crash on all attempts to daemonize pesign.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit b879dda52f8122de697d145977c285fb0a022d76)
+---
+ src/cms_common.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 332999e..ca37e6a 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -313,7 +313,7 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
+ 
+ 	case PW_FROMFD:
+ 		if (cms->pwdata.intdata >= 0 &&
+-		    !(pwdata->source == PW_FROMFD &&
++		    !(pwdata && pwdata->source == PW_FROMFD &&
+ 		      cms->pwdata.intdata == pwdata->intdata))
+ 			close(cms->pwdata.intdata);
+ 		break;
+@@ -330,12 +330,18 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
+ 		xfree(cms->pwdata.data);
+ 		break;
+ 	}
+-	memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
+ 
+-	dprintf("pwdata:%p", pwdata);
+-	dprintf("pwdata->source:%d", pwdata->source);
+-	dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+-		pwdata->data ? pwdata->data : "(null)");
++	if (!pwdata) {
++		cms->pwdata.source = PW_SOURCE_INVALID;
++		dprintf("pwdata:NULL");
++	} else {
++		memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
++		dprintf("pwdata:%p", pwdata);
++		dprintf("pwdata->source:%d", pwdata->source);
++		dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
++			pwdata->data ? pwdata->data : "(null)");
++	}
++
+ 	egress();
+ }
+ 
+-- 
+2.34.1
+

0005-fcf-protection-is-arch-specific.patch

@@ -0,0 +1,46 @@
+From f03c5fbe6b4327b9ecd781bfdf64147e1b68e6c1 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 9 Feb 2022 15:23:27 -0500
+Subject: [PATCH 5/5] -fcf-protection is arch-specific
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit c48df510144de3b1187001bc3b5491509da1c58f)
+---
+ Make.defaults | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index fdb961a..130c1ee 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -22,11 +22,16 @@ EFI_ARCHES ?= aa64 ia32 x64
+ 
+ enabled = $(if $(filter undefined,$(origin $(1))),$(3),$(2))
+ 
++HOSTARCH   = $(shell uname -m | sed s,i[3456789]86,ia32,)
++ARCH	   := $(shell uname -m | sed s,i[3456789]86,ia32,)
++
++
+ PKG_CONFIG ?= $(CROSS_COMPILE)pkg-config
+ CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
+ CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
+ CFLAGS	?= -O2 -g3 -pipe -fPIE -fstack-protector-all \
+-	-fstack-clash-protection -fcf-protection=full
++	-fstack-clash-protection \
++	$(if $(filter x86_64 ia32,$(ARCH)),-fcf-protection=full,)
+ DIAGFLAGS ?= -fmessage-length=0 \
+ 	     -fdiagnostics-color=always \
+ 	     -fdiagnostics-format=text \
+@@ -42,9 +47,6 @@ INSTALL	?= $(CROSS_COMPILE)install
+ 
+ PKGS	= efivar nspr nss nss-util uuid
+ 
+-HOSTARCH   = $(shell uname -m | sed s,i[3456789]86,ia32,)
+-ARCH	   := $(shell uname -m | sed s,i[3456789]86,ia32,)
+-
+ SOFLAGS	?= -shared
+ clang_cflags =
+ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches \
+-- 
+2.34.1
+

pesign.spec

@@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 114
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL-2.0-only
 URL:     https://github.com/rhboot/pesign
 
@@ -47,6 +47,8 @@ Source2: pesign.py
 Patch0001: 0001-Revert-Move-license-to-GPLv3.patch
 Patch0002: 0002-Fix-format-strings-for-32-bit-arches.patch
 Patch0003: 0003-macros-drop-_pesign_args.patch
+Patch0004: 0004-Handle-NULL-pwdata-in-cms_set_pw_data.patch
+Patch0005: 0005-fcf-protection-is-arch-specific.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -158,6 +160,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 
 %changelog
+* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-3
+- Fix explicit NULL deref when daemonizing
+
 * Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 114-2
 - Attempt to fix signing parsing by dropping pesign_args