From 43aa24d4b5b8eb09d9ff6bddf927de618910e6fe Mon Sep 17 00:00:00 2001
From: Xin Shi
Date: Thu, 6 Jul 2023 16:09:01 +0800
Subject: [PATCH] backport patches to fix bug

Signed-off-by: Xin Shi
---
 ...possible-out-of-bounds-memory-access.patch | 41 +++++++++++++++++
 ...void-passing-NULL-0-array-to-bsearch.patch | 46 +++++++++++++++++++
 kmod.spec | 18 +++++---
 3 files changed, 99 insertions(+), 6 deletions(-)
 create mode 100644 backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
 create mode 100644 backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch

diff --git a/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch b/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
new file mode 100644
index 0000000..6a69606
--- /dev/null
+++ b/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
@@ -0,0 +1,41 @@
+From badacf76e46b3602bc0e99ffc677ccbe53691f62 Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Fri, 19 May 2023 10:46:38 +0300
+Subject: [PATCH] libkmod: fix possible out-of-bounds memory access
+
+An attempt to pass too long module name to, say, rmmod, may
+cause an out-of-bounds memory access (as repoted by UBSan):
+
+$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
+libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'
+
+This is because 'snprintf(path, sizeof(path), ...)' may return the
+value which exceeds 'sizeof(path)' (which happens when an output
+gets truncated). To play it safe, such a suspicious output is
+better to be rejected explicitly.
+
+Reviewed-by: Christophe Leroy
+Signed-off-by: Dmitry Antipov
+Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru
+---
+ libkmod/libkmod-module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
+index 1da64b3..7736b7e 100644
+--- a/libkmod/libkmod-module.c
++++ b/libkmod/libkmod-module.c
+@@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod)
+
+ pathlen = snprintf(path, sizeof(path),
+ "/sys/module/%s/initstate", mod->name);
++ if (pathlen >= (int)sizeof(path)) {
++ /* Too long path was truncated */
++ return -ENAMETOOLONG;
++ }
+ fd = open(path, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
+ err = -errno;
+--
+2.27.0
+
diff --git a/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch b/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
new file mode 100644
index 0000000..5a81d2a
--- /dev/null
+++ b/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
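Review bot: In the libkmod-module.c hunk carried by backport-libkmod-fix-possible-out-of-bounds-memory-access.patch, the added guard rejects only truncation, so a negative return from snprintf() still falls through to open() with pathlen below zero. The commit message says pathlen is later used as an index into path (libkmod-module.c:1828, outside the hunk), so I would write the guard as `if (pathlen < 0 || pathlen >= (int)sizeof(path)) {`. Per the reproducer, mod->name can come straight from the rmmod command line, so any other snprintf() in this file that builds a /sys/module/%s path and reuses its return value probably wants the same check; those call sites are not visible here. kmod_module_get_initstate() starts and ends outside the hunk.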
@@ -0,0 +1,46 @@
+From 9c262fdb1c798fd87d91e8c669acbec4d632024b Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Fri, 19 May 2023 10:41:08 +0300
+Subject: [PATCH] shared: avoid passing {NULL, 0} array to bsearch()
+
+Fix the following warning reported by UBSan (as of gcc-13.1.1):
+
+shared/hash.c:244:35: runtime error: null pointer passed as
+argument 2, which is declared to never be null
+
+Reviewed-by: Christophe Leroy
+Signed-off-by: Dmitry Antipov
+[ reshuffle the code to use return-early style ]
+Signed-off-by: Lucas De Marchi
+---
+ shared/hash.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/shared/hash.c b/shared/hash.c
+index 7fe3f80..a87bc50 100644
+--- a/shared/hash.c
++++ b/shared/hash.c
+@@ -241,12 +241,15 @@ void *hash_find(const struct hash *hash, const char *key)
+ .key = key,
+ .value = NULL
+ };
+- const struct hash_entry *entry = bsearch(
+- &se, bucket->entries, bucket->used,
+- sizeof(struct hash_entry), hash_entry_cmp);
+- if (entry == NULL)
++ const struct hash_entry *entry;
++
++ if (!bucket->entries)
+ return NULL;
+- return (void *)entry->value;
++
++ entry = bsearch(&se, bucket->entries, bucket->used,
++ sizeof(struct hash_entry), hash_entry_cmp);
++
++ return entry ? (void *)entry->value : NULL;
+ }
+
+ int hash_del(struct hash *hash, const char *key)
+--
+2.27.0
+
diff --git a/kmod.spec b/kmod.spec
index 5333ede..ad5b978 100644
--- a/kmod.spec
+++ b/kmod.spec
@@ -1,6 +1,6 @@
 Name: kmod
 Version: 29
-Release: 7
+Release: 8
 Summary: Kernel module management
 # GPLv2+ is used by programs, LGPLv2+ is used for libraries.
 License: GPLv2+ and LGPLv2+
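Review bot: In the shared/hash.c hunk carried by backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch, hash_del() appears only as trailing context, so the fix covers hash_find() alone. If hash_del() searches bucket->entries with the same bsearch() call, it needs the same early return, otherwise deleting from an empty bucket would still pass a null base pointer; its body is outside the hunk, so this should be checked against the full file. The new guard also tests only `bucket->entries` while the subject speaks of a {NULL, 0} array, so a comment such as `/* empty bucket: entries is still NULL, do not hand a null base to bsearch() */` would record what the check relies on. hash_find() itself starts above the hunk.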
@@ -14,10 +14,12 @@ Patch2: 0002-Module-replace-the-module-with-new-module.patch Patch3: 0003-Module-suspend-the-module-by-rmmod-r-option.patch Patch4: 0004-don-t-check-module-s-refcnt-when-rmmod-with-r.patch Patch5: backport-libkmod-Support-SM3-hash-algorithm.patch -Patch6: backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch -Patch7: backport-libkmod-error-out-on-unknown-hash-algorithm.patch -Patch8: backport-libkmod-Set-builtin-to-no-when-module-is-created-fro.patch -Patch9: backport-modprobe-fix-the-NULL-termination-of-new_argv.patch +Patch6: backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch +Patch7: backport-libkmod-error-out-on-unknown-hash-algorithm.patch +Patch8: backport-libkmod-Set-builtin-to-no-when-module-is-created-fro.patch +Patch9: backport-modprobe-fix-the-NULL-termination-of-new_argv.patch +Patch10: backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch +Patch11: backport-libkmod-fix-possible-out-of-bounds-memory-access.patch BuildRequires: gcc chrpath zlib-devel xz-devel libxslt openssl-devel @@ -125,7 +127,11 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf %doc TODO NEWS README %changelog -* Mon Apr 17 2023 Fang Chuangchuang - 29-7 +* Thu Jul 6 2023 shixin - 29-8 +- libkmod: fix possible out-of-bounds memory access + shared: avoid passing {NULL, 0} array to bsearch() + +* Thu Apr 20 2023 Fang Chuangchuang - 29-7 - libkmod: Set builtin to no when module is created from path. modprobe: fix the NULL-termination of new_argv -- Gitee