From 938cc09f304ece3e4a93ac6ff6fc5180d786def6 Mon Sep 17 00:00:00 2001
From: zgzxx
Date: Tue, 11 Apr 2023 11:42:56 +0800
Subject: [PATCH] backport patch (cherry picked from commit 9ad6d71a8c1f889e280ace61946eb7d35fa29889)
---
 ...rectly-hash-specfiles-larger-than-4G.patch | 66 +++++++++++++++++++
 libselinux.spec | 6 +-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch
diff --git a/backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch b/backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch
new file mode 100644
index 0000000..2c090ef
--- /dev/null
+++ b/backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch
@@ -0,0 +1,66 @@
+From e17619792fa1e342c7f0a819077129adff438cd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Wed, 13 Apr 2022 17:56:33 +0200
+Subject: [PATCH] libselinux: correctly hash specfiles larger than 4G
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The internal Sha1Update() functions only handles buffers up to a size of
+UINT32_MAX, due to its usage of the type uint32_t. This causes issues
+when processing more than UINT32_MAX bytes, e.g. with a specfile larger
+than 4G. 0aa974a4 ("libselinux: limit has buffer size") tried to
+address this issue, but failed since the overflow check
+
+ if (digest->hashbuf_size + buf_len < digest->hashbuf_size) {
+
+will be done in the widest common type, which is size_t, the type of
+`buf_len`.
+
+Revert the type of `hashbuf_size` to size_t and instead process the data
+in blocks of supported size.
+
+Acked-by: James Carter
+Signed-off-by: Christian Göttsche
+Reverts: 0aa974a4 ("libselinux: limit has buffer size")
+
+Reference:https://github.com/SELinuxProjrct/selinux/commit/e17619792fa1e342c7f0a819077129adff438cd1
+Confilict delete modified label_internal.h
+---
+ libselinux/src/label_support.c | 14 +++++++++++++-
+ 1 files changed, 13 insertions(+), 1 deletions(-)
+
+diff --git a/src/label_support.c b/src/label_support.c
+index 94ed6e42..54fd49a5 100644
+--- a/src/label_support.c
++++ b/src/label_support.c
+@@ -116,13 +116,25 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ void digest_gen_hash(struct selabel_digest *digest)
+ {
+ Sha1Context context;
++ size_t remaining_size;
++ const unsigned char *ptr;
+
+ /* If SELABEL_OPT_DIGEST not set then just return */
+ if (!digest)
+ return;
+
+ Sha1Initialise(&context);
+- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
++
++ /* Process in blocks of UINT32_MAX bytes */
++ remaining_size = digest->hashbuf_size;
++ ptr = digest->hashbuf;
++ while (remaining_size > UINT32_MAX) {
++ Sha1Update(&context, ptr, UINT32_MAX);
++ remaining_size -= UINT32_MAX;
++ ptr += UINT32_MAX;
++ }
++ Sha1Update(&context, ptr, remaining_size);
++
+ Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
+ free(digest->hashbuf);
+ digest->hashbuf = NULL;
+--
+2.27.0
+
diff --git a/libselinux.spec b/libselinux.spec
index 8e462c7..2a0dc34 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -3,7 +3,7 @@ Name: libselinux
 Version: 3.1
-Release: 6
+Release: 7
 License: Public Domain
 Summary: SELinux library and simple utilities
 Url: https://github.com/SELinuxProject/selinux/wiki
@@ -13,6 +13,7 @@ Patch1: do-malloc-trim-after-load-policy.patch
 Patch6000: backport-libselinux-Fix-potential-undefined-shifts.patch
 Patch6001: backport-libselinux-fix-segfault-in-add_xattr_entry.patch
+Patch6002: backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch
 BuildRequires: gcc python3-devel systemd swig pcre2-devel xz-devel
 BuildRequires: python2-devel ruby-devel libsepol-static >= %{libsepol_version}
@@ -154,6 +155,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
 %{_mandir}/ru/man8/*
 %changelog
+* Tue Apr 11 2023 zhangguangzhi - 3.1-7
+- backport patch
+
 * Thu Sep 1 2022 lujie - 3.1-6
 - update requires libsepol version 3.1
--
Gitee
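Review bot: The chunked loop in `digest_gen_hash` only takes effect if `digest->hashbuf_size` is `size_t` in this 3.1 tree, and the backport note says the `label_internal.h` part of the upstream change was deleted on conflict, so the field's type is neither visible nor guaranteed here. If it were still `uint32_t`, `remaining_size > UINT32_MAX` could never be true and the size would already have wrapped before hashing, so the digest would silently cover only part of the specfile data it is meant to vouch for. Please confirm the field type in the packaged source and record it in the note, for example `Conflict: label_internal.h hunk dropped; hashbuf_size is already size_t in 3.1` (to be verified, since the header is not part of this patch). The `Reference:` URL also spells the organisation `SELinuxProjrct`, which breaks the provenance link to the upstream commit. The body of `digest_gen_hash` continues past the end of the hunk.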