From bba27db986eed6a4fdd07bc54fd33934be5338cd Mon Sep 17 00:00:00 2001 
From: zhangyao Date: Thu, 14 Dec 2023 10:02:08 +0800 Subject: [PATCH] sync community patches (cherry picked from commit bbd2ccebcb5308ef52195c62293c7ed0d1cd0f43) --- ...id-fix-call-to-err_exclusive_options.patch | 32 ++++++ ...-don-t-call-exit-from-signal-handler.patch | 31 ++++++ ...-fix-possible-out-of-boundary-access.patch | 45 ++++++++ ...-avoid-memory-leak-of-cachefile-path.patch | 28 +++++ ...lidate-that-sector_size-is-a-power-o.patch | 40 +++++++ ...eset-errno-before-calling-probefuncs.patch | 58 ++++++++++ ...sible-NULL-dereference-coverity-scan.patch | 34 ++++++ ...ount-improve-mnt_table_next_child_fs.patch | 76 +++++++++++++ ...-undefined-ioctl-and-tcsetattr-calls.patch | 96 ++++++++++++++++ ...use-correct-terminal-fd-during-setup.patch | 104 ++++++++++++++++++ ...ins-fix-realloc-loop-allocation-size.patch | 32 ++++++ backport-more-avoid-out-of-bound-access.patch | 36 ++++++ ...riptreplay-support-ctrl-s-and-ctrl-g.patch | 31 ++++++ util-linux.spec | 34 +++++- 14 files changed, 676 insertions(+), 1 deletion(-) create mode 100644 backport-blkid-fix-call-to-err_exclusive_options.patch create mode 100644 backport-ldattach-don-t-call-exit-from-signal-handler.patch create mode 100644 backport-lib-path-fix-possible-out-of-boundary-access.patch create mode 100644 backport-libblkid-avoid-memory-leak-of-cachefile-path.patch create mode 100644 backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch create mode 100644 backport-libblkid-reset-errno-before-calling-probefuncs.patch create mode 100644 backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch create mode 100644 backport-libmount-improve-mnt_table_next_child_fs.patch create mode 100644 backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch create mode 100644 backport-login-use-correct-terminal-fd-during-setup.patch create mode 100644 backport-lslogins-fix-realloc-loop-allocation-size.patch create mode 100644 backport-more-avoid-out-of-bound-access.patch create mode 100644 
backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch
diff --git a/backport-blkid-fix-call-to-err_exclusive_options.patch b/backport-blkid-fix-call-to-err_exclusive_options.patch
new file mode 100644
index 0000000..9a4f27e
--- /dev/null
+++ b/backport-blkid-fix-call-to-err_exclusive_options.patch
@@ -0,0 +1,32 @@
+From ee84a3bfaf1706269c3a54a546bb057189556e67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Mon, 2 Oct 2023 11:39:53 +0200
+Subject: [PATCH] blkid: fix call to err_exclusive_options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+err_exclusive_options needs to be passed the long options array,
+otherwise it will crash.
+
+Signed-off-by: Thomas Weißschuh
+---
+ misc-utils/blkid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
+index 32bc6feea..6df4e074e 100644
+--- a/misc-utils/blkid.c
++++ b/misc-utils/blkid.c
+@@ -717,7 +717,7 @@ int main(int argc, char **argv)
+ while ((c = getopt_long (argc, argv,
+ "c:DdgH:hilL:n:ko:O:ps:S:t:u:U:w:Vv", longopts, NULL)) != -1) {
+
+- err_exclusive_options(c, NULL, excl, excl_st);
++ err_exclusive_options(c, longopts, excl, excl_st);
+
+ switch (c) {
+ case 'c':
+--
+2.33.0
+
diff --git a/backport-ldattach-don-t-call-exit-from-signal-handler.patch b/backport-ldattach-don-t-call-exit-from-signal-handler.patch
new file mode 100644
index 0000000..7d9d48e
--- /dev/null
+++ b/backport-ldattach-don-t-call-exit-from-signal-handler.patch
@@ -0,0 +1,31 @@
+From de13900d71a968e859ab7aece4537dfd87c7185c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Fri, 22 Sep 2023 20:21:38 +0200
+Subject: [PATCH] ldattach: don't call exit() from signal handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead use _exit().
+
+Signed-off-by: Thomas Weißschuh
+---
+ sys-utils/ldattach.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ldattach.c b/sys-utils/ldattach.c
+index 0a6b6f2d2..9c67eeec8 100644
+--- a/sys-utils/ldattach.c
++++ b/sys-utils/ldattach.c
+@@ -257,7 +257,7 @@ static int my_cfsetspeed(struct termios *ts, int speed)
+ static void handler(int s)
+ {
+ dbg("got SIG %i -> exiting", s);
+- exit(EXIT_SUCCESS);
++ _exit(EXIT_SUCCESS);
+ }
+
+ static void gsm0710_set_conf(int tty_fd)
+--
+2.33.0
+
diff --git a/backport-lib-path-fix-possible-out-of-boundary-access.patch b/backport-lib-path-fix-possible-out-of-boundary-access.patch
new file mode 100644
index 0000000..f6b2912
--- /dev/null
+++ b/backport-lib-path-fix-possible-out-of-boundary-access.patch
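Review bot: `handler()` still calls `dbg("got SIG %i -> exiting", s)` ahead of the new `_exit(EXIT_SUCCESS)`, so the handler is async-signal-safe only if `dbg()` avoids stdio; its definition is outside this hunk, but if it formats through `fprintf`/`vfprintf` the handler can still deadlock or corrupt stream state when the signal interrupts another stdio call. Consider dropping the debug call from the handler or replacing it with a fixed-string `write(STDERR_FILENO, ...)`. The switch to `_exit()` also means `atexit` handlers and stdio flushing no longer run on this path, which deserves a comment such as `/* _exit(): async-signal-safe; atexit handlers and stdio buffers are intentionally skipped */`.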
@@ -0,0 +1,45 @@
+From 0129c883459894f3e7101cbfb987f08a2242474b Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Sun, 8 Oct 2023 20:41:29 +0200
+Subject: [PATCH] lib/path: fix possible out of boundary access
+
+If fgets reads from a file starting with a NUL byte in ul_path_cpuparse,
+then the check for newline leads to an out of boundary access.
+
+Proof of Concept (compile with --enable-asan):
+
+1. Prepare /tmp/poc with required files
+```
+$ install -d /tmp/poc/sys/devices/system/cpu
+$ dd if=/dev/zero of=/tmp/poc/sys/devices/system/cpu/possible bs=1 count=1
+$ install -D /dev/null /tmp/poc/proc/cpuinfo
+```
+
+2. Run lscpu with sysroot option
+```
+$ lscpu --sysroot /tmp/poc
+=================================================================
+==78238==ERROR: AddressSanitizer: heap-buffer-overflow
+```
+
+Signed-off-by: Tobias Stoeckmann
+---
+ lib/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/path.c b/lib/path.c
+index bf15ab9..5114e44 100644
+--- a/lib/path.c
++++ b/lib/path.c
+@@ -1013,7 +1013,7 @@ static int ul_path_cpuparse(struct path_cxt *pc, cpu_set_t **set, int maxcpus, i
+ return rc;
+
+ len = strlen(buf);
+- if (buf[len - 1] == '\n')
++ if (len > 0 && buf[len - 1] == '\n')
+ buf[len - 1] = '\0';
+
+ *set = cpuset_alloc(maxcpus, &setsize, NULL);
+--
+2.33.0
+
diff --git a/backport-libblkid-avoid-memory-leak-of-cachefile-path.patch b/backport-libblkid-avoid-memory-leak-of-cachefile-path.patch
new file mode 100644
index 0000000..0219df1
--- /dev/null
+++ b/backport-libblkid-avoid-memory-leak-of-cachefile-path.patch
@@ -0,0 +1,28 @@
+From beead87f3b65b1e9149d27779f5aac215a1f8b24 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Fri, 22 Sep 2023 11:20:04 +0200
+Subject: [PATCH] libblkid: avoid memory leak of cachefile path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh
+---
+ libblkid/src/config.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libblkid/src/config.c b/libblkid/src/config.c
+index f229b3e63..d3f5eea3d 100644
+--- a/libblkid/src/config.c
++++ b/libblkid/src/config.c
+@@ -155,6 +155,7 @@ dflt:
+ fclose(f);
+ return conf;
+ err:
++ free(conf->cachefile);
+ free(conf);
+ fclose(f);
+ return NULL;
+--
+2.33.0
+
diff --git a/backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch b/backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch
new file mode 100644
index 0000000..2ab4bd3
--- /dev/null
+++ b/backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch
@@ -0,0 +1,40 @@
+From 0cf52fc4a03db3c59ad31bde4e9a28b5642086dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Tue, 26 Sep 2023 00:27:22 +0200
+Subject: [PATCH] libblkid: (ntfs) validate that sector_size is a power of two
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The NTFS prober reads data based off an offset of the sector size.
+If the sector size is unaligned and the read data is cached then other
+probers can read unaligned values.
+
+Sector sizes for NTFS actually only make sense as power-of-two so
+validate that and as a sideeffect avoid the unaligned reads.
+
+Also add the reproducer from OSS-Fuzz that found this issue.
+
+Fixes #2509
+
+Signed-off-by: Thomas Weißschuh
+---
+ libblkid/src/superblocks/ntfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libblkid/src/superblocks/ntfs.c b/libblkid/src/superblocks/ntfs.c
+index dced699..0c4f297 100644
+--- a/libblkid/src/superblocks/ntfs.c
++++ b/libblkid/src/superblocks/ntfs.c
+@@ -97,7 +97,7 @@ static int __probe_ntfs(blkid_probe pr, const struct blkid_idmag *mag, int save_
+ */
+ sector_size = le16_to_cpu(ns->bpb.sector_size);
+
+- if (sector_size < 256 || sector_size > 4096)
++ if (sector_size < 256 || sector_size > 4096 || !is_power_of_2(sector_size))
+ return 1;
+
+ switch (ns->bpb.sectors_per_cluster) {
+--
+2.33.0
+
diff --git a/backport-libblkid-reset-errno-before-calling-probefuncs.patch b/backport-libblkid-reset-errno-before-calling-probefuncs.patch
new file mode 100644
index 0000000..de202e2
--- /dev/null
+++ b/backport-libblkid-reset-errno-before-calling-probefuncs.patch
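Review bot: The backported commit message says "Also add the reproducer from OSS-Fuzz that found this issue", but the diffstat of this patch lists only `libblkid/src/superblocks/ntfs.c`, so the new `!is_power_of_2(sector_size)` rejection appears to ship without its regression input. Either carry the reproducer file in the backport or state in the patch header that it was dropped, so the next maintainer does not assume the fuzz case is covered by the package tests. `is_power_of_2()` is not defined in this hunk; confirm that the 2.37.2 tree already makes it visible to ntfs.c, otherwise the backport will not build.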
@@ -0,0 +1,58 @@
+From 4bc69757312cad09f0cd9dc0c04f483a76176203 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Mon, 2 Oct 2023 22:24:21 +0200
+Subject: [PATCH] libblkid: reset errno before calling probefuncs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The probers optionally use errno to communicate error details.
+When a leftover errno is set from libblkid internally this can confuse
+the probers.
+
+Signed-off-by: Thomas Weißschuh
+---
+ libblkid/src/partitions/partitions.c | 1 +
+ libblkid/src/superblocks/superblocks.c | 1 +
+ libblkid/src/topology/topology.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/libblkid/src/partitions/partitions.c b/libblkid/src/partitions/partitions.c
+index 0e38cf4..38ec8df 100644
+--- a/libblkid/src/partitions/partitions.c
++++ b/libblkid/src/partitions/partitions.c
+@@ -555,6 +555,7 @@ static int idinfo_probe(blkid_probe pr, const struct blkid_idinfo *id,
+ if (id->probefunc) {
+ DBG(LOWPROBE, ul_debug(
+ "%s: ---> call probefunc()", id->name));
++ errno = 0;
+ rc = id->probefunc(pr, mag);
+ if (rc < 0) {
+ /* reset after error */
+diff --git a/libblkid/src/superblocks/superblocks.c b/libblkid/src/superblocks/superblocks.c
+index f213655..09ac45e 100644
+--- a/libblkid/src/superblocks/superblocks.c
++++ b/libblkid/src/superblocks/superblocks.c
+@@ -410,6 +410,7 @@ static int superblocks_probe(blkid_probe pr, struct blkid_chain *chn)
+ /* final check by probing function */
+ if (id->probefunc) {
+ DBG(LOWPROBE, ul_debug("\tcall probefunc()"));
++ errno = 0;
+ rc = id->probefunc(pr, mag);
+ if (rc != BLKID_PROBE_OK) {
+ blkid_probe_chain_reset_values(pr, chn);
+diff --git a/libblkid/src/topology/topology.c b/libblkid/src/topology/topology.c
+index 53007d1..e8b9ba8 100644
+--- a/libblkid/src/topology/topology.c
++++ b/libblkid/src/topology/topology.c
+@@ -180,6 +180,7 @@ static int topology_probe(blkid_probe pr, struct blkid_chain *chn)
+
+ if (id->probefunc) {
+ DBG(LOWPROBE, ul_debug("%s: call probefunc()", id->name));
++ errno = 0;
+ if (id->probefunc(pr, NULL) != 0)
+ continue;
+ }
+--
+2.33.0
+
diff --git a/backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch b/backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch
new file mode 100644
index 0000000..2103bed
--- /dev/null
+++ b/backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch
@@ -0,0 +1,34 @@
+From 5379f5838df01fa22298a2b4f28270fd6b4cb871 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 6 Nov 2023 11:40:27 +0100
+Subject: [PATCH] libmount: fix possible NULL dereference [coverity scan]
+
+Signed-off-by: Karel Zak
+---
+ libmount/src/tab.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libmount/src/tab.c b/libmount/src/tab.c
+index be0c13a..a19a5ae 100644
+--- a/libmount/src/tab.c
++++ b/libmount/src/tab.c
+@@ -659,7 +659,7 @@ int mnt_table_next_child_fs(struct libmnt_table *tb, struct libmnt_iter *itr,
+ {
+ struct libmnt_fs *fs;
+ int parent_id, lastchld_id = 0, chld_id = 0;
+- int direction = mnt_iter_get_direction(itr);
++ int direction;
+
+ if (!tb || !itr || !parent || !is_mountinfo(tb))
+ return -EINVAL;
+@@ -668,6 +668,7 @@ int mnt_table_next_child_fs(struct libmnt_table *tb, struct libmnt_iter *itr,
+ mnt_fs_get_target(parent)));
+
+ parent_id = mnt_fs_get_id(parent);
++ direction = mnt_iter_get_direction(itr);
+
+ /* get ID of the previously returned child */
+ if (itr->head && itr->p != itr->head) {
+--
+2.33.0
+
diff --git a/backport-libmount-improve-mnt_table_next_child_fs.patch b/backport-libmount-improve-mnt_table_next_child_fs.patch
new file mode 100644
index 0000000..b957328
--- /dev/null
+++ b/backport-libmount-improve-mnt_table_next_child_fs.patch
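Review bot: The guard `if (!tb || !itr || !parent || !is_mountinfo(tb))` in `mnt_table_next_child_fs()`, which the libmount NULL-dereference patch now keeps ahead of `mnt_iter_get_direction(itr)`, still does not cover `chld`, yet the function later writes `*chld = NULL` (visible as context in backport-libmount-improve-mnt_table_next_child_fs.patch). A caller that passes a NULL `chld` would hit the same class of NULL dereference this patch removes for `itr`; extending the check to `if (!tb || !itr || !parent || !chld || !is_mountinfo(tb))` would close it. The function body continues outside both hunks, so confirm there is no earlier `chld` check that is simply not shown here.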
@@ -0,0 +1,76 @@
+From f64ea9979a5eaddaed98bde17832f855f2f0daee Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Thu, 2 Nov 2023 10:41:03 +0100
+Subject: [PATCH] libmount: improve mnt_table_next_child_fs()
+
+The function utilizes the struct libmnt_itr to iterate through the mountinfo file
+but neglects the direction specified by the iterator. This a bug. The application
+must manage the direction, as, for instance, umount(8) requires the children of
+the mountpoint in reverse order.
+
+Fixes: https://github.com/util-linux/util-linux/issues/2552
+Signed-off-by: Karel Zak
+---
+ libmount/src/tab.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/libmount/src/tab.c b/libmount/src/tab.c
+index 0d5c115..be0c13a 100644
+--- a/libmount/src/tab.c
++++ b/libmount/src/tab.c
+@@ -649,8 +649,8 @@ int mnt_table_get_root_fs(struct libmnt_table *tb, struct libmnt_fs **root)
+ * @parent: parental FS
+ * @chld: returns the next child filesystem
+ *
+- * Note that filesystems are returned in the order of mounting (according to
+- * IDs in /proc/self/mountinfo).
++ * Since version 2.40, the filesystems are returned in the order specified by
++ * @itr. In the old versions the derection is always MNT_ITER_FORWARD.
+ *
+ * Returns: 0 on success, negative number in case of error or 1 at the end of list.
+ */
+@@ -659,6 +659,7 @@ int mnt_table_next_child_fs(struct libmnt_table *tb, struct libmnt_iter *itr,
+ {
+ struct libmnt_fs *fs;
+ int parent_id, lastchld_id = 0, chld_id = 0;
++ int direction = mnt_iter_get_direction(itr);
+
+ if (!tb || !itr || !parent || !is_mountinfo(tb))
+ return -EINVAL;
+@@ -676,7 +677,7 @@ int mnt_table_next_child_fs(struct libmnt_table *tb, struct libmnt_iter *itr,
+
+ *chld = NULL;
+
+- mnt_reset_iter(itr, MNT_ITER_FORWARD);
++ mnt_reset_iter(itr, direction);
+ while(mnt_table_next_fs(tb, itr, &fs) == 0) {
+ int id;
+
+@@ -690,10 +691,20 @@ int mnt_table_next_child_fs(struct libmnt_table *tb, struct libmnt_iter *itr,
+ if (id == parent_id)
+ continue;
+
+- if ((!lastchld_id || id > lastchld_id) &&
+- (!*chld || id < chld_id)) {
+- *chld = fs;
+- chld_id = id;
++ if (direction == MNT_ITER_FORWARD) {
++ /* return in the order of mounting */
++ if ((!lastchld_id || id > lastchld_id) &&
++ (!*chld || id < chld_id)) {
++ *chld = fs;
++ chld_id = id;
++ }
++ } else {
++ /* return last child first */
++ if ((!lastchld_id || id < lastchld_id) &&
++ (!*chld || id > chld_id)) {
++ *chld = fs;
++ chld_id = id;
++ }
+ }
+ }
+
+--
+2.33.0
+
diff --git a/backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch b/backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch
new file mode 100644
index 0000000..73169ad
--- /dev/null
+++ b/backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch
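Review bot: The new doc comment on `mnt_table_next_child_fs()` says "Since version 2.40, the filesystems are returned in the order specified by @itr", but this patch is applied to a 2.37.2 package, so the shipped API text will misstate which library versions honour the iterator direction. Callers that passed a backward iterator and relied on the old always-forward order will see reversed child ordering after this update, which matters for unmount sequencing, so the behaviour change deserves its own line in the spec changelog. The comment also carries a typo (`derection`); in the backport it could read `* Since this backport (upstream 2.40) the filesystems are returned in the order specified by @itr; earlier versions always used MNT_ITER_FORWARD.`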
@@ -0,0 +1,96 @@
+From 23884bba3854ed35ebe19adbb2ad1ea2972dab79 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 21 Sep 2023 20:25:55 +0200
+Subject: [PATCH] login: prevent undefined ioctl and tcsetattr calls
+
+Do not call tcsetattr if tcgetattr fails, because the content of
+tt and ttt is undefined in that case.
+
+Also do not just warn if ioctl fails, but also avoid calling it again
+after tty has been re-opened.
+
+I've solved this by setting struct variables to values which cannot be
+valid at this point. If they do have these exact values, then the
+calls will be prevented.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ login-utils/login.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index d6c6af7..8364497 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -176,9 +176,10 @@ static void __attribute__((__noreturn__))
+ struct termios ti;
+
+ /* reset echo */
+- tcgetattr(0, &ti);
+- ti.c_lflag |= ECHO;
+- tcsetattr(0, TCSANOW, &ti);
++ if (tcgetattr(0, &ti) >= 0) {
++ ti.c_lflag |= ECHO;
++ tcsetattr(0, TCSANOW, &ti);
++ }
+ _exit(EXIT_SUCCESS); /* %% */
+ }
+
+@@ -512,8 +513,8 @@ static void chown_tty(struct login_context *cxt)
+ static void init_tty(struct login_context *cxt)
+ {
+ struct stat st;
+- struct termios tt, ttt;
+- struct winsize ws;
++ struct termios tt, ttt = { 0 };
++ struct winsize ws = { 0 };
+ int fd;
+
+ cxt->tty_mode = (mode_t) getlogindefs_num("TTYPERM", TTY_MODE);
+@@ -548,13 +549,18 @@ static void init_tty(struct login_context *cxt)
+
+ /* The TTY size might be reset to 0x0 by the kernel when we close the stdin/stdout/stderr file
+ * descriptors so let's save the size now so we can reapply it later */
+- memset(&ws, 0, sizeof(struct winsize));
+- if (ioctl(fd, TIOCGWINSZ, &ws) < 0)
++ if (ioctl(fd, TIOCGWINSZ, &ws) < 0) {
+ syslog(LOG_WARNING, _("TIOCGWINSZ ioctl failed: %m"));
++ ws.ws_row = 0;
++ ws.ws_col = 0;
++ }
+
+- tcgetattr(fd, &tt);
+- ttt = tt;
+- ttt.c_cflag &= ~HUPCL;
++ if (tcgetattr(fd, &tt) >= 0) {
++ ttt = tt;
++ ttt.c_cflag &= ~HUPCL;
++ } else {
++ ttt.c_cflag = HUPCL;
++ }
+
+ if ((fchown(fd, 0, 0) || fchmod(fd, cxt->tty_mode)) && errno != EROFS) {
+
+@@ -564,7 +570,8 @@ static void init_tty(struct login_context *cxt)
+ }
+
+ /* Kill processes left on this tty */
+- tcsetattr(fd, TCSANOW, &ttt);
++ if ((ttt.c_cflag & HUPCL) == 0)
++ tcsetattr(fd, TCSANOW, &ttt);
+
+ /*
+ * Let's close file descriptors before vhangup
+@@ -582,7 +589,8 @@ static void init_tty(struct login_context *cxt)
+ open_tty(cxt->tty_path);
+
+ /* restore tty modes */
+- tcsetattr(STDIN_FILENO, TCSAFLUSH, &tt);
++ if ((ttt.c_cflag & HUPCL) == 0)
++ tcsetattr(STDIN_FILENO, TCSAFLUSH, &tt);
+
+ /* Restore tty size */
+ if (ws.ws_row > 0 || ws.ws_col > 0)
+--
+2.33.0
+
diff --git a/backport-login-use-correct-terminal-fd-during-setup.patch b/backport-login-use-correct-terminal-fd-during-setup.patch
new file mode 100644
index 0000000..224e707
--- /dev/null
+++ b/backport-login-use-correct-terminal-fd-during-setup.patch
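Review bot: In `init_tty()` a failed `tcgetattr(fd, &tt)` is recorded by storing `HUPCL` in the zero-initialised `ttt.c_cflag` and tested later with `(ttt.c_cflag & HUPCL) == 0`, which overloads a real termios flag as an error sentinel and leaves `tt` uninitialised without saying so in the code. The scheme holds only because the success branch always clears `HUPCL`; a comment on the `else` branch such as `/* sentinel: HUPCL left set means tcgetattr() failed and tt is uninitialised; both tcsetattr() calls below are skipped */`, or a separate `int have_termios` flag, would make that invariant explicit for the next person who touches this privileged path. The return value of `tcsetattr()` is still ignored in all three places the patch touches, so a failed mode change, including the echo reset in the first hunk, goes unlogged.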
@@ -0,0 +1,104 @@
+From f7feb6530b5e350c9aa635d7f39110177e34fb83 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 21 Sep 2023 20:15:46 +0200
+Subject: [PATCH] login: use correct terminal fd during setup
+
+The function get_terminal_name iterates through standard file
+descriptors until it finds a terminal. This means that it's not
+guaranteed that STDIN_FILENO (i.e. 0) is actually a terminal.
+
+Do not modify permissions on possible files. Instead, retrieve
+the file descriptor which was used by get_terminal_name as well.
+
+Proof of Concept (as root):
+
+1. Create a temporary file with a mode different than TTYPERM.
+```
+install -m 700 /dev/null /tmp/test
+ls -l /tmp/test
+-rwx------ 1 root root 0 Sep 21 20:15 /tmp/test
+```
+
+2. Run login within a terminal with adjusted stdin.
+```
+login < /tmp/test
+host login:
+ Hangup
+```
+
+3. Check permissions of input file.
+```
+ls -l /tmp/test
+-rw------- 1 root root 0 Sep 21 20:15 /tmp/test
+```
+
+Signed-off-by: Tobias Stoeckmann
+---
+ login-utils/login.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index 2a4e8cb..d6c6af7 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -514,10 +514,12 @@ static void init_tty(struct login_context *cxt)
+ struct stat st;
+ struct termios tt, ttt;
+ struct winsize ws;
++ int fd;
+
+ cxt->tty_mode = (mode_t) getlogindefs_num("TTYPERM", TTY_MODE);
+
+ get_terminal_name(&cxt->tty_path, &cxt->tty_name, &cxt->tty_number);
++ fd = get_terminal_stdfd();
+
+ /*
+ * In case login is suid it was possible to use a hardlink as stdin
+@@ -530,7 +532,7 @@ static void init_tty(struct login_context *cxt)
+ if (!cxt->tty_path || !*cxt->tty_path ||
+ lstat(cxt->tty_path, &st) != 0 || !S_ISCHR(st.st_mode) ||
+ (st.st_nlink > 1 && strncmp(cxt->tty_path, "/dev/", 5) != 0) ||
+- access(cxt->tty_path, R_OK | W_OK) != 0) {
++ access(cxt->tty_path, R_OK | W_OK) != 0 || fd == -EINVAL) {
+
+ syslog(LOG_ERR, _("FATAL: bad tty"));
+ sleepexit(EXIT_FAILURE);
+@@ -547,14 +549,14 @@ static void init_tty(struct login_context *cxt)
+ /* The TTY size might be reset to 0x0 by the kernel when we close the stdin/stdout/stderr file
+ * descriptors so let's save the size now so we can reapply it later */
+ memset(&ws, 0, sizeof(struct winsize));
+- if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) < 0)
++ if (ioctl(fd, TIOCGWINSZ, &ws) < 0)
+ syslog(LOG_WARNING, _("TIOCGWINSZ ioctl failed: %m"));
+
+- tcgetattr(0, &tt);
++ tcgetattr(fd, &tt);
+ ttt = tt;
+ ttt.c_cflag &= ~HUPCL;
+
+- if ((fchown(0, 0, 0) || fchmod(0, cxt->tty_mode)) && errno != EROFS) {
++ if ((fchown(fd, 0, 0) || fchmod(fd, cxt->tty_mode)) && errno != EROFS) {
+
+ syslog(LOG_ERR, _("FATAL: %s: change permissions failed: %m"),
+ cxt->tty_path);
+@@ -562,7 +564,7 @@ static void init_tty(struct login_context *cxt)
+ }
+
+ /* Kill processes left on this tty */
+- tcsetattr(0, TCSANOW, &ttt);
++ tcsetattr(fd, TCSANOW, &ttt);
+
+ /*
+ * Let's close file descriptors before vhangup
+@@ -580,7 +582,7 @@ static void init_tty(struct login_context *cxt)
+ open_tty(cxt->tty_path);
+
+ /* restore tty modes */
+- tcsetattr(0, TCSAFLUSH, &tt);
++ tcsetattr(STDIN_FILENO, TCSAFLUSH, &tt);
+
+ /* Restore tty size */
+ if (ws.ws_row > 0 || ws.ws_col > 0)
+--
+2.33.0
+
diff --git a/backport-lslogins-fix-realloc-loop-allocation-size.patch b/backport-lslogins-fix-realloc-loop-allocation-size.patch
new file mode 100644
index 0000000..a7d01e5
--- /dev/null
+++ b/backport-lslogins-fix-realloc-loop-allocation-size.patch
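Review bot: The new guard in `init_tty()` tests `fd == -EINVAL` only, so any other negative return from `get_terminal_stdfd()` would still reach `ioctl(fd, ...)`, `fchown(fd, 0, 0)` and `fchmod(fd, cxt->tty_mode)`; `fd < 0` is the more robust test: `access(cxt->tty_path, R_OK | W_OK) != 0 || fd < 0) {`. The surrounding validation (`lstat`, `S_ISCHR`, `st_nlink`) runs on `cxt->tty_path`, while ownership and mode are changed through `fd`, so an `fstat(fd, &st)` with an `S_ISCHR` check on the descriptor itself would tie the validation to the object that is actually modified. `get_terminal_stdfd()` is defined outside this hunk, so its exact return contract should be confirmed against the 2.37.2 tree.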
@@ -0,0 +1,32 @@
+From 62104e69455c3add88adc360381176f3e83bda28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Fri, 22 Sep 2023 20:08:22 +0200
+Subject: [PATCH] lslogins: fix realloc() loop allocation size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If stat() fails the realloc loop would always try to allocate zero
+bytes.
+
+Signed-off-by: Thomas Weißschuh
+---
+ login-utils/lslogins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
+index ea5afb5ba..c624302bd 100644
+--- a/login-utils/lslogins.c
++++ b/login-utils/lslogins.c
+@@ -478,7 +478,7 @@ static struct utmpx *get_last_btmp(struct lslogins_control *ctl, const char *use
+
+ static int parse_utmpx(const char *path, size_t *nrecords, struct utmpx **records)
+ {
+- size_t i, imax = 0;
++ size_t i, imax = 1;
+ struct utmpx *ary = NULL;
+ struct stat st;
+
+--
+2.33.0
+
diff --git a/backport-more-avoid-out-of-bound-access.patch b/backport-more-avoid-out-of-bound-access.patch
new file mode 100644
index 0000000..df9609e
--- /dev/null
+++ b/backport-more-avoid-out-of-bound-access.patch
@@ -0,0 +1,36 @@
+From ecdfc9aa701b4f406c239b6e163a45a5cc5b4a8c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Fri, 22 Sep 2023 19:53:24 +0200
+Subject: [PATCH] more: avoid out-of-bound access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The realloc() needs to happen before that memory is used.
+
+Signed-off-by: Thomas Weißschuh
+---
+ text-utils/more.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/text-utils/more.c b/text-utils/more.c
+index bdb34e076..e25b0e24c 100644
+--- a/text-utils/more.c
++++ b/text-utils/more.c
+@@ -356,11 +356,11 @@ static void env_argscan(struct more_control *ctl, const char *s)
+ env_argv = xmalloc(sizeof(char *) * size);
+ env_argv[0] = _("MORE environment variable"); /* program name */
+ for (tok = strtok_r(str, delim, &key); tok; tok = strtok_r(NULL, delim, &key)) {
+- env_argv[env_argc++] = tok;
+- if (size < env_argc) {
++ if (size == env_argc) {
+ size *= 2;
+ env_argv = xrealloc(env_argv, sizeof(char *) * size);
+ }
++ env_argv[env_argc++] = tok;
+ }
+
+ argscan(ctl, env_argc, env_argv);
+--
+2.33.0
+
diff --git a/backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch b/backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch
new file mode 100644
index 0000000..2d4dbae
--- /dev/null
+++ b/backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch
@@ -0,0 +1,31 @@ +From 584e505186c1aa511ea96761a8d108f4fe734f0e Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 11 Sep 2023 15:17:01 +0200 +Subject: [PATCH] scriptreplay: support ctrl+s and ctrl+g + +The old scriptreplay supported XON/XOFF flow control. The new +implementation uses cfmakeraw() and it disables it by default. Let's +enable it by IXON iflag. + +Fixes: https://github.com/util-linux/util-linux/issues/2480 +References: https://github.com/util-linux/util-linux/pull/1101 +Signed-off-by: Karel Zak +--- + term-utils/scriptreplay.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/term-utils/scriptreplay.c b/term-utils/scriptreplay.c +index fb68499c8..38fa4251c 100644 +--- a/term-utils/scriptreplay.c ++++ b/term-utils/scriptreplay.c +@@ -134,6 +134,7 @@ setterm(struct termios *backup) + tattr = *backup; + cfmakeraw(&tattr); + tattr.c_lflag |= ISIG; ++ tattr.c_iflag |= IXON; + tcsetattr(STDOUT_FILENO, TCSANOW, &tattr); + return 1; + } +-- +2.33.0 + diff --git a/util-linux.spec b/util-linux.spec index 0f997f3..de4af58 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -3,7 +3,7 @@ Name: util-linux Version: 2.37.2 -Release: 22 +Release: 23 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git 
@@ -113,6 +113,19 @@ Patch6091: backport-column-fix-buffer-overflow-when-l-specified.patch Patch6092: backport-column-fix-greedy-mode-on-l.patch Patch6093: backport-column-fix-memory-leak.patch Patch6094: backport-column-fix-l.patch +Patch6095: backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch +Patch6096: backport-login-use-correct-terminal-fd-during-setup.patch +Patch6097: backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch +Patch6098: backport-libblkid-avoid-memory-leak-of-cachefile-path.patch +Patch6099: backport-more-avoid-out-of-bound-access.patch +Patch6100: backport-lslogins-fix-realloc-loop-allocation-size.patch +Patch6101: backport-ldattach-don-t-call-exit-from-signal-handler.patch +Patch6102: backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch +Patch6103: backport-blkid-fix-call-to-err_exclusive_options.patch +Patch6104: backport-libblkid-reset-errno-before-calling-probefuncs.patch +Patch6105: backport-lib-path-fix-possible-out-of-boundary-access.patch +Patch6106: backport-libmount-improve-mnt_table_next_child_fs.patch +Patch6107: backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch Patch9001: SKIPPED-no-root-permissions-test.patch 
@@ -484,6 +497,25 @@ fi %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %changelog +* Thu Dec 14 2023 zhangyao - 2.37.2-23 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:sync community patches + [add]backport-scriptreplay-support-ctrl-s-and-ctrl-g.patch + backport-login-use-correct-terminal-fd-during-setup.patch + backport-login-prevent-undefined-ioctl-and-tcsetattr-calls.patch + backport-libblkid-avoid-memory-leak-of-cachefile-path.patch + backport-more-avoid-out-of-bound-access.patch + backport-lslogins-fix-realloc-loop-allocation-size.patch + backport-ldattach-don-t-call-exit-from-signal-handler.patch + backport-libblkid-ntfs-validate-that-sector_size-is-a-power-o.patch + backport-blkid-fix-call-to-err_exclusive_options.patch + backport-libblkid-reset-errno-before-calling-probefuncs.patch + backport-lib-path-fix-possible-out-of-boundary-access.patch + backport-libmount-improve-mnt_table_next_child_fs.patch + backport-libmount-fix-possible-NULL-dereference-coverity-scan.patch + * Mon Sep 4 2023 zhangyao - 2.37.2-22 - Type:bugfix - CVE:NA