From d005486d571afd51e8f5ce3a00dbf04ab14670f5 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn
Date: Wed, 22 Feb 2023 13:23:31 +0100
Subject: [PATCH] systemd-252-6
Resolves: #2122500,#2138081,#2140646
---
...-actually-run-the-static-destructors.patch | 68 +++++++++++++++++++
...-executable-stack-bit-from-.elf-file.patch | 51 ++++++++++++++
...-early-if-specifier-expansion-failed.patch | 40 +++++++++++
0223-test-add-coverage-for-26467.patch | 34 ++++++++++
systemd.spec | 12 +++-
5 files changed, 204 insertions(+), 1 deletion(-)
create mode 100644 0220-journalctl-actually-run-the-static-destructors.patch
create mode 100644 0221-efi-drop-executable-stack-bit-from-.elf-file.patch
create mode 100644 0222-install-fail-early-if-specifier-expansion-failed.patch
create mode 100644 0223-test-add-coverage-for-26467.patch
diff --git a/0220-journalctl-actually-run-the-static-destructors.patch b/0220-journalctl-actually-run-the-static-destructors.patch
new file mode 100644
index 0000000..f41e481
--- /dev/null
+++ b/0220-journalctl-actually-run-the-static-destructors.patch
@@ -0,0 +1,68 @@
+From f0f59e43e9d1c5a6f9f7e03f07850ee40bac0ab3 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 15 Feb 2023 18:08:35 +0100
+Subject: [PATCH] journalctl: actually run the static destructors
+
+In journalctl we don't run the static destructors defined via
+the STATIC_DESTRUCTOR_REGISTER() macro, since it requires a corresponding
+static_destruct() call. In most cases this is handled by
+the DEFINE_(TEST_)?MAIN*() macros, but journalctl defines its own main
+function, so let's handle that as well.
+
+$ valgrind --suppressions=valgrind.supp --show-leak-kinds=all --leak-check=full build/journalctl --no-pager -u system.slice -n 10 >/dev/null
+==2778093== Memcheck, a memory error detector
+==2778093== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
+==2778093== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
+==2778093== Command: build/journalctl --no-pager -u system.slice -n 10
+==2778093==
+==2778093==
+==2778093== HEAP SUMMARY:
+==2778093== in use at exit: 8,221 bytes in 4 blocks
+==2778093== total heap usage: 458 allocs, 454 frees, 255,182 bytes allocated
+==2778093==
+==2778093== 13 bytes in 1 blocks are still reachable in loss record 1 of 4
+==2778093== at 0x484586F: malloc (vg_replace_malloc.c:381)
+==2778093== by 0x4DA256D: strdup (strdup.c:42)
+==2778093== by 0x4ADB747: strv_extend_with_size (strv.c:544)
+==2778093== by 0x405386: strv_extend (strv.h:45)
+==2778093== by 0x40816F: parse_argv (journalctl.c:933)
+==2778093== by 0x40EAB5: main (journalctl.c:2111)
+==2778093==
+==2778093== 16 bytes in 1 blocks are still reachable in loss record 2 of 4
+==2778093== at 0x484578A: malloc (vg_replace_malloc.c:380)
+==2778093== by 0x484A70B: realloc (vg_replace_malloc.c:1437)
+==2778093== by 0x4ADB2A3: strv_push_with_size (strv.c:423)
+==2778093== by 0x4ADB620: strv_consume_with_size (strv.c:496)
+==2778093== by 0x4ADB770: strv_extend_with_size (strv.c:548)
+==2778093== by 0x405386: strv_extend (strv.h:45)
+==2778093== by 0x40816F: parse_argv (journalctl.c:933)
+==2778093== by 0x40EAB5: main (journalctl.c:2111)
+==2778093==
+==2778093== LEAK SUMMARY:
+==2778093== definitely lost: 0 bytes in 0 blocks
+==2778093== indirectly lost: 0 bytes in 0 blocks
+==2778093== possibly lost: 0 bytes in 0 blocks
+==2778093== still reachable: 29 bytes in 2 blocks
+==2778093== suppressed: 8,192 bytes in 2 blocks
+==2778093==
+==2778093== For lists of detected and suppressed errors, rerun with: -s
+==2778093== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+
+(cherry picked from commit 9259d71d505ba1771ba5e3caa522da50bdc58bed)
+
+Related: #2122500
+---
+ src/journal/journalctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
+index 11de07fcfa..e9faa24cae 100644
+--- a/src/journal/journalctl.c
++++ b/src/journal/journalctl.c
+@@ -2746,5 +2746,6 @@ finish:
+ * in scripts and such */
+ r = -ENOENT;
+
++ static_destruct();
+ return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+ }
diff --git a/0221-efi-drop-executable-stack-bit-from-.elf-file.patch b/0221-efi-drop-executable-stack-bit-from-.elf-file.patch
new file mode 100644
index 0000000..fa2fa7c
--- /dev/null
+++ b/0221-efi-drop-executable-stack-bit-from-.elf-file.patch
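Review bot: The added `static_destruct();` after the `finish:` label carries no comment explaining why journalctl has to call it by hand, so a later rework of this exit path could drop it unnoticed. I would add `/* journalctl has its own main(), so the DEFINE_MAIN*() macros do not run the registered static destructors for us */` above the call. main() starts outside the hunk, so it is not visible whether every exit path reaches `finish:`; any early `return` before the label would still skip the destructors.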
@@ -0,0 +1,51 @@
+From cc318cd6ccfe9833ab9c1cde4041ac5dd9f97a3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 21 Feb 2023 09:16:29 +0100
+Subject: [PATCH] efi: drop executable-stack bit from .elf file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An rpminspect test in Fedora/RHEL is flagging our stub files as having an
+executable stack. The check is correct:
+
+$ readelf --wide --program-headers build/src/boot/efi/linuxx64.elf.stub | rg -i stack
+ GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
+
+It seems to be just an omission in the linker script… None of the objects that
+are linked into the stub are marked as requiring an executable stack:
+
+$ readelf --wide --sections build/src/boot/efi/*.c.o \
+ /usr/lib/gnuefi/x64/libgnuefi.a \
+ /usr/lib/gnuefi/x64/libefi.a \
+ /usr/lib/gcc/x86_64-redhat-linux/12/libgcc.a \
+ | rg '.note.GNU-stack.*X'
+(nothing)
+
+On aarch64 we end up with a nonexecutable stack, but on ia32 and x64 we get one,
+so this might be just a matter of defaults in the linker. It doesn't matter
+greatly, but let's mark the stack as non-executable to avoid the warning.
+
+Note: '-Wl,-z' is not needed, things work with just '-z'.
+
+RHEL-only
+for now, as the patch is not yet in upstream
+https://github.com/systemd/systemd/pull/26511
+
+Related: #2140646
+---
+ src/boot/efi/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
+index 0de43993a4..00f3361d66 100644
+--- a/src/boot/efi/meson.build
++++ b/src/boot/efi/meson.build
+@@ -266,6 +266,7 @@ efi_ldflags = [
+ '-Wl,--warn-common',
+ '-Wl,-Bsymbolic',
+ '-z', 'nocombreloc',
++ '-z', 'noexecstack',
+ efi_crt0,
+ ]
+
diff --git a/0222-install-fail-early-if-specifier-expansion-failed.patch b/0222-install-fail-early-if-specifier-expansion-failed.patch
new file mode 100644
index 0000000..4ce214f
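Review bot: The new `'-z', 'noexecstack'` entry in `efi_ldflags` has no comment, and nothing in the change guards against the RWE `GNU_STACK` segment coming back if the link flags are reshuffled later. I would add `# keep GNU_STACK non-executable; the linker default differs per architecture` above the entry. The `readelf --wide --program-headers` check quoted in the commit message could also become a build or CI assertion on the `.elf.stub` files, so the hardening is verified rather than assumed. The `efi_ldflags` list starts outside the hunk, so earlier entries that might interact with this flag are not visible here.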
--- /dev/null
+++ b/0222-install-fail-early-if-specifier-expansion-failed.patch
@@ -0,0 +1,40 @@
+From b9fb1769f8b6de65abf1f57a85b0d0a22f84c754 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Tue, 21 Feb 2023 14:10:33 +0100
+Subject: [PATCH] install: fail early if specifier expansion failed
+
+Before:
+
+systemd[1]: Assertion 'path' failed at src/shared/install.c:288, function install_changes_add(). Aborting.
+systemd[1]: Caught from our own process.
+systemd[1]: Caught , dumped core as pid 2525.
+systemd[1]: Freezing execution
+
+After:
+
+Failed to enable unit: Invalid specifier in user-%J.service
+
+Fixes #26467.
+
+Follow-up for: f5a0162
+
+(cherry picked from commit f8979e869812988835f6951fb73a68e30a4c608c)
+
+Related: #2138081
+---
+ src/shared/install.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/shared/install.c b/src/shared/install.c
+index a760726628..8d4aa5ab2c 100644
+--- a/src/shared/install.c
++++ b/src/shared/install.c
+@@ -1982,6 +1982,8 @@ static int install_info_symlink_wants(
+ install_changes_add(changes, n_changes, q, *s, NULL);
+ if (r >= 0)
+ r = q;
++
++ continue;
+ }
+
+ if (!unit_name_is_valid(dst, valid_dst_type)) {
diff --git a/0223-test-add-coverage-for-26467.patch b/0223-test-add-coverage-for-26467.patch
new file mode 100644
index 0000000..fad76ea
--- /dev/null
+++ b/0223-test-add-coverage-for-26467.patch
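Review bot: The added `continue;` in install_info_symlink_wants() is the only thing that stops a failed specifier expansion from falling through to `unit_name_is_valid(dst, valid_dst_type)`, presumably with `dst` never set, and the code does not say so. The failure in the commit message is an assertion abort in PID 1 triggered by unit-file content, so I would add `/* expansion failed and dst is not usable; skip this entry instead of falling through */` above the `continue;` to keep the guard from being removed as redundant. The context line `install_changes_add(changes, n_changes, q, *s, NULL);` discards its result; if that call can fail, the recorded error is lost here. The function body starts and ends outside the hunk.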
@@ -0,0 +1,34 @@ +From 4dbbdc956cb49804f9b451081eb7c442a689b1f1 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 21 Feb 2023 19:15:13 +0100 +Subject: [PATCH] test: add coverage for #26467 + +(cherry picked from commit 4190124b3ca005830d893303bbc563baaf9984ed) + +Related: #2138081 +--- + test/units/testsuite-26.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index 916a6704d7..debee91dde 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -400,5 +400,17 @@ EOF + systemctl stop issue-24990 + fi + ++# %J in WantedBy= causes ABRT (#26467) ++cat >/run/systemd/system/test-WantedBy.service </dev/null || useradd -r -l -g systemd-oom -d / -s /s %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Wed Feb 22 2023 systemd maintenance team - 252-6 +- journalctl: actually run the static destructors (#2122500) +- efi: drop executable-stack bit from .elf file (#2140646) +- install: fail early if specifier expansion failed (#2138081) +- test: add coverage for #26467 (#2138081) + * Fri Feb 17 2023 systemd maintenance team - 252-5 - nss-myhostname: fix inverted condition in (#2167468) - nss-myhostname: do not return empty result with NSS_STATUS_SUCCESS (#2167468)