From b33750e990b6a2f8ac5baba52e85ab5f7069f716 Mon Sep 17 00:00:00 2001
From: SuperSix173
Date: Thu, 3 Jul 2025 09:40:54 +0000
Subject: [PATCH] backport community bugfix patches and enable make check
Signed-off-by: SuperSix173
(cherry picked from commit 658213d1160b869396aabbd6eafb60be0a04b951)
---
...bkmod-clear-file-memory-if-map-fails.patch | 8 ++--
...crash-on-unknown-signature-algorithm.patch | 38 +++++++++++++++
...-error-out-on-unknown-hash-algorithm.patch | 44 ++++++++++++++++++
...possible-out-of-bounds-memory-access.patch | 41 +++++++++++++++++
...void-passing-NULL-0-array-to-bsearch.patch | 46 +++++++++++++++++++
...-repair-read-of-uninitialized-memory.patch | 31 +++++++++++++
kmod.changes | 3 ++
kmod.spec | 12 ++++-
8 files changed, 217 insertions(+), 6 deletions(-)
rename 0001-clear-file-memory-if-map-fails.patch => backport-libkmod-clear-file-memory-if-map-fails.patch (88%)
create mode 100644 backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
create mode 100644 backport-libkmod-error-out-on-unknown-hash-algorithm.patch
create mode 100644 backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
create mode 100644 backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
create mode 100644 backport-testsuite-repair-read-of-uninitialized-memory.patch
diff --git a/0001-clear-file-memory-if-map-fails.patch b/backport-libkmod-clear-file-memory-if-map-fails.patch
similarity index 88%
rename from 0001-clear-file-memory-if-map-fails.patch
rename to backport-libkmod-clear-file-memory-if-map-fails.patch
index fcf1b40..10b5570 100644
--- a/0001-clear-file-memory-if-map-fails.patch
+++ b/backport-libkmod-clear-file-memory-if-map-fails.patch
@@ -1,7 +1,7 @@
 From 90b271fbd2b9708a8fa79b7e98d90c7919e7ed73 Mon Sep 17 00:00:00 2001
From: Emil Velikov Date: Mon, 12 Feb 2024 17:23:05 +0000 -Subject: libkmod: clear file->memory if map fails +Subject: [PATCH] libkmod: clear file->memory if map fails On mmap failure file->memory is set to -1, which we'll happily pass down to munmap later on. @@ -20,10 +20,10 @@ Signed-off-by: Lucas De Marchi 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libkmod/libkmod-file.c b/libkmod/libkmod-file.c -index b6a8cc9..1e1dd35 100644 +index abd4723..b408aed 100644 --- a/libkmod/libkmod-file.c +++ b/libkmod/libkmod-file.c -@@ -401,8 +401,10 @@ static int load_reg(struct kmod_file *file) +@@ -392,8 +392,10 @@ static int load_reg(struct kmod_file *file) file->size = st.st_size; file->memory = mmap(NULL, file->size, PROT_READ, MAP_PRIVATE, file->fd, 0); @@ -36,5 +36,5 @@ index b6a8cc9..1e1dd35 100644 return 0; } -- -2.27.0 +2.33.0 diff --git a/backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch b/backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch new file mode 100644 index 0000000..b035a53 --- /dev/null +++ b/backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch 
@@ -0,0 +1,38 @@
+From d5950b0b5e66a5ec1c21b638dec3974056aaabeb Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Sun, 25 Sep 2022 17:46:08 +0300
+Subject: [PATCH] libkmod: do not crash on unknown signature algorithm
+
+Example kernel module:
+https://file-store.rosalinux.ru/download/7281f97e0c04c0f818ad3f936706f4a407e8dc7e
+(/lib/modules/5.15.67-generic-1rosa2021.1-x86_64/kernel/drivers/usb/host/xhci-pci.ko.zst)
+It is signed with Streebog 512.
+
+libkmod v30 crashed in libkmod-module.c:2413 in this code:
+
+n = kmod_module_info_append(list,
+ "sig_hashalgo", strlen("sig_hashalgo"),
+ sig_info.hash_algo, strlen(sig_info.hash_algo));
+
+because strlen() got null.
+---
+ libkmod/libkmod-signature.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 4ae5af6..092f396 100644
+--- a/libkmod/libkmod-signature.c
++++ b/libkmod/libkmod-signature.c
+@@ -278,6 +278,9 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
+
+ sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
++ // hash algo has not been recognized
++ if (sig_info->hash_algo == NULL)
++ goto err3;
+ sig_info->id_type = pkey_id_type[modsig->id_type];
+
+ pvt = malloc(sizeof(*pvt));
+--
+2.33.0
+
diff --git a/backport-libkmod-error-out-on-unknown-hash-algorithm.patch b/backport-libkmod-error-out-on-unknown-hash-algorithm.patch
new file mode 100644
index 0000000..5913a7b
--- /dev/null
+++ b/backport-libkmod-error-out-on-unknown-hash-algorithm.patch
@@ -0,0 +1,44 @@
+From b9605c63b859adfffc0b4b9420d720aa323b90e9 Mon Sep 17 00:00:00 2001
+From: Emil Velikov
+Date: Mon, 6 Feb 2023 14:32:59 +0000
+Subject: [PATCH] libkmod: error out on unknown hash algorithm
+
+Currently if we see unknown algorithm, we'll do an OOB read in
+pkey_hash_algo. This can happen for example if OPENSSL_NO_SM3 is set and
+the kernel module uses a SM3 hash.
+
+Cc: Mikhail Novosyolov
+Cc: Lucas De Marchi
+Signed-off-by: Emil Velikov
+Signed-off-by: Lucas De Marchi
+---
+ libkmod/libkmod-signature.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 092f396..b749a81 100644
+--- a/libkmod/libkmod-signature.c
++++ b/libkmod/libkmod-signature.c
+@@ -219,6 +219,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ unsigned char *key_id_str;
+ struct pkcs7_private *pvt;
+ const char *issuer_str;
++ int hash_algo;
+
+ size -= sig_len;
+ pkcs7_raw = mem + size;
+@@ -277,7 +278,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
+
+ X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
+
+- sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
++ hash_algo = obj_to_hash_algo(o);
++ if (hash_algo < 0)
++ goto err3;
++ sig_info->hash_algo = pkey_hash_algo[hash_algo];
+ // hash algo has not been recognized
+ if (sig_info->hash_algo == NULL)
+ goto err3;
+--
+2.33.0
+
diff --git a/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch b/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
new file mode 100644
index 0000000..ff174a8
--- /dev/null
+++ b/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
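Review bot: In backport-libkmod-error-out-on-unknown-hash-algorithm.patch, the new guard in `fill_pkcs7` rejects only a negative `hash_algo`, so `pkey_hash_algo[hash_algo]` still trusts the upper end of whatever `obj_to_hash_algo()` returns. That function and the table definition are outside the hunk, so it cannot be confirmed from here that every non-negative return is a valid index. Assuming `pkey_hash_algo` is a file-scope array, bounding both sides makes the lookup safe on its own: `if (hash_algo < 0 || (size_t)hash_algo >= sizeof(pkey_hash_algo) / sizeof(pkey_hash_algo[0]))`. The kept comment `// hash algo has not been recognized` would then be more precise as `/* table slot for this algorithm is empty */`.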
@@ -0,0 +1,41 @@
+From badacf76e46b3602bc0e99ffc677ccbe53691f62 Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Fri, 19 May 2023 10:46:38 +0300
+Subject: [PATCH] libkmod: fix possible out-of-bounds memory access
+
+An attempt to pass too long module name to, say, rmmod, may
+cause an out-of-bounds memory access (as repoted by UBSan):
+
+$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
+libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'
+
+This is because 'snprintf(path, sizeof(path), ...)' may return the
+value which exceeds 'sizeof(path)' (which happens when an output
+gets truncated). To play it safe, such a suspicious output is
+better to be rejected explicitly.
+
+Reviewed-by: Christophe Leroy
+Signed-off-by: Dmitry Antipov
+Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru
+---
+ libkmod/libkmod-module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
+index 1da64b3..7736b7e 100644
+--- a/libkmod/libkmod-module.c
++++ b/libkmod/libkmod-module.c
+@@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod)
+
+ pathlen = snprintf(path, sizeof(path),
+ "/sys/module/%s/initstate", mod->name);
++ if (pathlen >= (int)sizeof(path)) {
++ /* Too long path was truncated */
++ return -ENAMETOOLONG;
++ }
+ fd = open(path, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
+ err = -errno;
+--
+2.33.0
+
diff --git a/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch b/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
new file mode 100644
index 0000000..891bb23
--- /dev/null
+++ b/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
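Review bot: In backport-libkmod-fix-possible-out-of-bounds-memory-access.patch, the added check in `kmod_module_get_initstate` catches truncation but not a negative `snprintf()` return. `pathlen` appears to be used as an index into `path` further down (the UBSan report quoted in the commit message is at line 1828, past the end of this hunk), so a negative value would also fall outside the buffer. The guard can cover both with `if (pathlen < 0 || pathlen >= (int)sizeof(path))`. Since the function is `KMOD_EXPORT`, its doc comment (outside the hunk) should also mention `-ENAMETOOLONG` as a possible return value.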
@@ -0,0 +1,46 @@
+From 9c262fdb1c798fd87d91e8c669acbec4d632024b Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Fri, 19 May 2023 10:41:08 +0300
+Subject: [PATCH] shared: avoid passing {NULL, 0} array to bsearch()
+
+Fix the following warning reported by UBSan (as of gcc-13.1.1):
+
+shared/hash.c:244:35: runtime error: null pointer passed as
+argument 2, which is declared to never be null
+
+Reviewed-by: Christophe Leroy
+Signed-off-by: Dmitry Antipov
+[ reshuffle the code to use return-early style ]
+Signed-off-by: Lucas De Marchi
+---
+ shared/hash.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/shared/hash.c b/shared/hash.c
+index 7fe3f80..a87bc50 100644
+--- a/shared/hash.c
++++ b/shared/hash.c
+@@ -241,12 +241,15 @@ void *hash_find(const struct hash *hash, const char *key)
+ .key = key,
+ .value = NULL
+ };
+- const struct hash_entry *entry = bsearch(
+- &se, bucket->entries, bucket->used,
+- sizeof(struct hash_entry), hash_entry_cmp);
+- if (entry == NULL)
++ const struct hash_entry *entry;
++
++ if (!bucket->entries)
+ return NULL;
+- return (void *)entry->value;
++
++ entry = bsearch(&se, bucket->entries, bucket->used,
++ sizeof(struct hash_entry), hash_entry_cmp);
++
++ return entry ? (void *)entry->value : NULL;
+ }
+
+ int hash_del(struct hash *hash, const char *key)
+--
+2.33.0
+
diff --git a/backport-testsuite-repair-read-of-uninitialized-memory.patch b/backport-testsuite-repair-read-of-uninitialized-memory.patch
new file mode 100644
index 0000000..7a34668
--- /dev/null
+++ b/backport-testsuite-repair-read-of-uninitialized-memory.patch
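Review bot: In backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch, only `hash_find` gets the NULL-base guard; `hash_del`, whose signature is the last context line, has its body outside the hunk, and if it searches `bucket->entries` with `bsearch()` the same way it needs the same early exit with its own not-found return. The new `if (!bucket->entries)` line would also benefit from a one-line comment saying why it is there, e.g. `/* bsearch() must not be passed a NULL base, even for zero elements */`, so it is not later folded back into the call.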
@@ -0,0 +1,31 @@
+From 16c086f48c2270ad6412ad7226df53079f825270 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt
+Date: Thu, 30 Jun 2022 18:47:25 +0200
+Subject: [PATCH] testsuite: repair read of uninitialized memory
+
+Function ``test_backoff_time`` does not initialize ``delta``, and
+``get_backoff_delta_msec`` then performs a read from uninitialized
+memory with the ``!*delta`` expression.
+
+Signed-off-by: Jan Engelhardt
+Signed-off-by: Lucas De Marchi
+---
+ testsuite/test-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/testsuite/test-util.c b/testsuite/test-util.c
+index fb8c9ef..5766584 100644
+--- a/testsuite/test-util.c
++++ b/testsuite/test-util.c
+@@ -231,7 +231,7 @@ DEFINE_TEST(test_addu64_overflow,
+
+ static int test_backoff_time(const struct test *t)
+ {
+- unsigned long long delta;
++ unsigned long long delta = 0;
+
+ /* Check exponential increments */
+ get_backoff_delta_msec(now_msec(), now_msec() + 10, &delta);
+--
+2.33.0
+
diff --git a/kmod.changes b/kmod.changes
index 6a5d466..93a0d8f 100644
--- a/kmod.changes
+++ b/kmod.changes
@@ -1,4 +1,7 @@
 %changelog
+* Thu Jul 07 2025 Liu Chao - 30-6
+- backport community bugfix patches and enable make check
+
 * Thu Jul 07 2025 Liu Chao - 30-5
 - remove the obsolete kernel module replace feature
diff --git a/kmod.spec b/kmod.spec
index 8a1a648..f7dfdee 100644
--- a/kmod.spec
+++ b/kmod.spec
@@ -1,6 +1,6 @@
 Name: kmod
 Version: 30
-Release: 5
+Release: 6
 Summary: Kernel module management
 # GPLv2+ is used by programs, LGPLv2+ is used for libraries.
 License: GPLv2+ and LGPLv2+
@@ -15,7 +15,12 @@ BuildRequires: gcc chrpath zlib-devel xz-devel libxslt openssl-devel libtool gt Provides: module-init-tools = 4.0-1 Provides: /sbin/modprobe -Patch0001: 0001-clear-file-memory-if-map-fails.patch +Patch0001: backport-testsuite-repair-read-of-uninitialized-memory.patch +Patch0002: backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch +Patch0003: backport-libkmod-error-out-on-unknown-hash-algorithm.patch +Patch0004: backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch +Patch0005: backport-libkmod-fix-possible-out-of-bounds-memory-access.patch +Patch0006: backport-libkmod-clear-file-memory-if-map-fails.patch %description The kmod package provides several commands to manage the kernel modules, @@ -85,6 +90,9 @@ mkdir -p $RPM_BUILD_ROOT/sbin install -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf +%check +make check + %post -p /sbin/ldconfig %postun -p /sbin/ldconfig -- Gitee