!92 [sync] PR-90: backport patches to fix bug

From: @openeuler-sync-bot Reviewed-by: @liqingqing_1229 Signed-off-by: @liqingqing_1229
2023-10-09 13:41:09 +00:00 · 2023-10-09 13:41:09 +00:00 · 69e24e33f0
commit 69e24e33f0
parent efa081e1c2 e3c89921d2
3 changed files with 99 additions and 6 deletions
--- a/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
+++ b/backport-libkmod-fix-possible-out-of-bounds-memory-access.patch
@ -0,0 +1,41 @@
+From badacf76e46b3602bc0e99ffc677ccbe53691f62 Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov <dmantipov@yandex.ru>
+Date: Fri, 19 May 2023 10:46:38 +0300
+Subject: [PATCH] libkmod: fix possible out-of-bounds memory access
+
+An attempt to pass too long module name to, say, rmmod, may
+cause an out-of-bounds memory access (as repoted by UBSan):
+
+$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
+libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'
+
+This is because 'snprintf(path, sizeof(path), ...)' may return the
+value which exceeds 'sizeof(path)' (which happens when an output
+gets truncated). To play it safe, such a suspicious output is
+better to be rejected explicitly.
+
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru
+---
+ libkmod/libkmod-module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
+index 1da64b3..7736b7e 100644
+--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
+@@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod)
+ 
+ 	pathlen = snprintf(path, sizeof(path),
+ 				"/sys/module/%s/initstate", mod->name);
+	if (pathlen >= (int)sizeof(path)) {
+		/* Too long path was truncated */
+		return -ENAMETOOLONG;
+	}
+ 	fd = open(path, O_RDONLY|O_CLOEXEC);
+ 	if (fd < 0) {
+ 		err = -errno;
+-- 
+2.27.0
+
--- a/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
+++ b/backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
@ -0,0 +1,46 @@
+From 9c262fdb1c798fd87d91e8c669acbec4d632024b Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov <dmantipov@yandex.ru>
+Date: Fri, 19 May 2023 10:41:08 +0300
+Subject: [PATCH] shared: avoid passing {NULL, 0} array to bsearch()
+
+Fix the following warning reported by UBSan (as of gcc-13.1.1):
+
+shared/hash.c:244:35: runtime error: null pointer passed as
+argument 2, which is declared to never be null
+
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+[ reshuffle the code to use return-early style ]
+Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
+---
+ shared/hash.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/shared/hash.c b/shared/hash.c
+index 7fe3f80..a87bc50 100644
+--- a/shared/hash.c
+++ b/shared/hash.c
+@@ -241,12 +241,15 @@ void *hash_find(const struct hash *hash, const char *key)
+ 		.key = key,
+ 		.value = NULL
+ 	};
+-	const struct hash_entry *entry = bsearch(
+-		&se, bucket->entries, bucket->used,
+-		sizeof(struct hash_entry), hash_entry_cmp);
+-	if (entry == NULL)
+	const struct hash_entry *entry;
+
+	if (!bucket->entries)
+ 		return NULL;
+-	return (void *)entry->value;
+
+	entry = bsearch(&se, bucket->entries, bucket->used,
+			sizeof(struct hash_entry), hash_entry_cmp);
+
+	return entry ? (void *)entry->value : NULL;
+ }
+ 
+ int hash_del(struct hash *hash, const char *key)
+-- 
+2.27.0
+
--- a/kmod.spec
+++ b/kmod.spec
@ -1,6 +1,6 @@
 Name:           kmod
 Version:        29
-Release:        7
+Release:        8
 Summary:        Kernel module management
 # GPLv2+ is used by programs, LGPLv2+ is used for libraries.
 License:        GPLv2+ and LGPLv2+
@ -14,10 +14,12 @@ Patch2:		0002-Module-replace-the-module-with-new-module.patch
 Patch3:		0003-Module-suspend-the-module-by-rmmod-r-option.patch
 Patch4: 	0004-don-t-check-module-s-refcnt-when-rmmod-with-r.patch
 Patch5:		backport-libkmod-Support-SM3-hash-algorithm.patch
-Patch6:     backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
-Patch7:     backport-libkmod-error-out-on-unknown-hash-algorithm.patch
-Patch8:     backport-libkmod-Set-builtin-to-no-when-module-is-created-fro.patch
-Patch9:     backport-modprobe-fix-the-NULL-termination-of-new_argv.patch
+Patch6:		backport-libkmod-do-not-crash-on-unknown-signature-algorithm.patch
+Patch7:		backport-libkmod-error-out-on-unknown-hash-algorithm.patch
+Patch8:		backport-libkmod-Set-builtin-to-no-when-module-is-created-fro.patch
+Patch9:		backport-modprobe-fix-the-NULL-termination-of-new_argv.patch
+Patch10:	backport-shared-avoid-passing-NULL-0-array-to-bsearch.patch
+Patch11:	backport-libkmod-fix-possible-out-of-bounds-memory-access.patch

 BuildRequires:  gcc chrpath zlib-devel xz-devel libxslt openssl-devel

@ -125,7 +127,11 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 %doc TODO NEWS README

 %changelog
-* Mon Apr 17 2023 Fang Chuangchuang <fangchuangchuang@huawei.com> - 29-7
+* Thu Jul 6 2023 shixin <shixin21@huawei.com> - 29-8
+- libkmod: fix possible out-of-bounds memory access
+  shared: avoid passing {NULL, 0} array to bsearch()
+
+* Thu Apr 20 2023 Fang Chuangchuang <fangchuangchuang@huawei.com> - 29-7
 - libkmod: Set builtin to no when module is created from path.
  modprobe: fix the NULL-termination of new_argv