From e5ed90d5c71690595b561c0ae55295fc52fe4cc1 Mon Sep 17 00:00:00 2001
From: zhangyao
Date: Tue, 7 May 2024 09:41:41 +0800
Subject: [PATCH] sync community patches

(cherry picked from commit 5227de9e16e7a611abd47844045a753ad3b6b2e5)
---
 ...mp-check-blocksize-when-display-data.patch | 59 ++++++++++++++++
 ...ast-avoid-out-of-bounds-array-access.patch | 28 ++++++++
 ...ort-lsipc-fix-semaphore-USED-counter.patch | 64 ++++++++++++++++++
 backport-lslocks-fix-buffer-overflow.patch | 67 +++++++++++++++++++
 util-linux.spec | 16 ++++-
 5 files changed, 233 insertions(+), 1 deletion(-)
 create mode 100644 backport-hexdump-check-blocksize-when-display-data.patch
 create mode 100644 backport-last-avoid-out-of-bounds-array-access.patch
 create mode 100644 backport-lsipc-fix-semaphore-USED-counter.patch
 create mode 100644 backport-lslocks-fix-buffer-overflow.patch
diff --git a/backport-hexdump-check-blocksize-when-display-data.patch b/backport-hexdump-check-blocksize-when-display-data.patch
new file mode 100644
index 0000000..6fe232d
--- /dev/null
+++ b/backport-hexdump-check-blocksize-when-display-data.patch
@@ -0,0 +1,59 @@
+From dfa1ad272528a92384adac523cf2f2949b767d8d Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Tue, 27 Feb 2024 18:38:02 +0100
+Subject: [PATCH] hexdump: check blocksize when display data
+
+hexdump(1) stores input to buffer and apply format unit when prints
+the output. The unit can move pointer which points to the buffer, but
+code does not check for limits.
+
+Fixes: https://github.com/util-linux/util-linux/issues/2806
+Signed-off-by: Karel Zak
+---
+ text-utils/hexdump-display.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
+index bc92bd0ca..c865127c8 100644
+--- a/text-utils/hexdump-display.c
++++ b/text-utils/hexdump-display.c
+@@ -250,6 +250,8 @@ void display(struct hexdump *hex)
+ struct list_head *p, *q, *r;
+
+ while ((bp = get(hex)) != NULL) {
++ ssize_t rem = hex->blocksize;
++
+ fs = &hex->fshead; savebp = bp; saveaddress = address;
+
+ list_for_each(p, fs) {
+@@ -263,7 +265,7 @@ void display(struct hexdump *hex)
+
+ cnt = fu->reps;
+
+- while (cnt) {
++ while (cnt && rem >= 0) {
+ list_for_each(r, &fu->prlist) {
+ pr = list_entry(r, struct hexdump_pr, prlist);
+
+@@ -280,12 +282,18 @@ void display(struct hexdump *hex)
+ print(pr, bp);
+
+ address += pr->bcnt;
++
++ rem -= pr->bcnt;
++ if (rem < 0)
++ break;
++
+ bp += pr->bcnt;
+ }
+ --cnt;
+ }
+ }
+ bp = savebp;
++ rem = hex->blocksize;
+ address = saveaddress;
+ }
+ }
+--
+2.33.0
+
diff --git a/backport-last-avoid-out-of-bounds-array-access.patch b/backport-last-avoid-out-of-bounds-array-access.patch
new file mode 100644
index 0000000..792be62
--- /dev/null
+++ b/backport-last-avoid-out-of-bounds-array-access.patch
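Review bot: In the third hunk of `text-utils/hexdump-display.c` the new bound is tested only after `print(pr, bp)` has already run, so the one access that crosses the end of the block still happens before `rem < 0` stops the loop (assuming `print()` reads `pr->bcnt` bytes at `bp`). Testing ahead of the read would close that window, e.g. `if (rem < (ssize_t) pr->bcnt) break;` placed before the print call, which still lets zero-width units through when `rem` is 0. The lines between the second and third hunks are not shown, so any other `print()` call in that stretch needs the same guard. `display()` begins and ends outside these hunks; this is an upstream backport, so the ordering is worth confirming against upstream before diverging.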
@@ -0,0 +1,28 @@
+From 75822efb8e948b538d9e9ccc329a5430fdabb7ea Mon Sep 17 00:00:00 2001
+From: biubiuzy <294772273@qq.com>
+Date: Fri, 23 Feb 2024 17:44:12 +0800
+Subject: [PATCH] last: avoid out of bounds array access
+
+---
+ login-utils/last.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/last.c b/login-utils/last.c
+index bbbe817f8..f5a9fec08 100644
+--- a/login-utils/last.c
++++ b/login-utils/last.c
+@@ -351,7 +351,10 @@ static int time_formatter(int fmt, char *dst, size_t dlen, time_t *when)
+ {
+ char buf[CTIME_BUFSIZ];
+
+- ctime_r(when, buf);
++ if (!ctime_r(when, buf)) {
++ ret = -1;
++ break;
++ }
+ snprintf(dst, dlen, "%s", buf);
+ ret = rtrim_whitespace((unsigned char *) dst);
+ break;
+--
+2.33.0
+
diff --git a/backport-lsipc-fix-semaphore-USED-counter.patch b/backport-lsipc-fix-semaphore-USED-counter.patch
new file mode 100644
index 0000000..2b1ffd9
--- /dev/null
+++ b/backport-lsipc-fix-semaphore-USED-counter.patch
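Review bot: On the new failure path in `time_formatter()` nothing is written to `dst`, so a caller that ignores the `-1` return would go on to use whatever the buffer held before the call. The callers are outside this hunk; if any of them prints `dst` unconditionally, terminating it first with `if (dlen) *dst = '\0';` ahead of `ret = -1;` keeps the failure harmless. The patch carries no description, so a short comment such as `/* ctime_r() returns NULL when the time cannot be represented; buf is then unspecified */` would record why the check exists. The function body starts and ends outside the hunk.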
@@ -0,0 +1,64 @@
+From fa45a6e516065f489b1cfb924ec3fc06960e0839 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Tue, 26 Mar 2024 12:45:24 +0100
+Subject: [PATCH] lsipc: fix semaphore USED counter
+
+The code incorrectly counts only with the first item in the linked
+list (due to a typo). It seems rather fragile to use "semds" and
+"semdsp" as variable names in the same code ...
+
+ # lsipc -gs
+
+Old:
+
+ KEY ID PERMS OWNER NSEMS RESOURCE DESCRIPTION LIMIT USED USE%
+ SEMMNI Number of semaphore identifiers 32000 3 0.01%
+ SEMMNS Total number of semaphores 1024000000 369 0.00%
+ SEMMSL Max semaphores per semaphore set. 32000 - -
+ SEMOPM Max number of operations per semop(2) 500 - -
+ SEMVMX Semaphore max value 32767 - -
+
+Fixed:
+
+ KEY ID PERMS OWNER NSEMS RESOURCE DESCRIPTION LIMIT USED USE%
+ SEMMNI Number of semaphore identifiers 32000 3 0.01%
+ SEMMNS Total number of semaphores 1024000000 156 0.00%
+ SEMMSL Max semaphores per semaphore set. 32000 - -
+ SEMOPM Max number of operations per semop(2) 500 - -
+ SEMVMX Semaphore max value 32767 - -
+
+Addresses: https://issues.redhat.com/browse/RHEL-30269
+Signed-off-by: Karel Zak
+---
+ sys-utils/lsipc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sys-utils/lsipc.c b/sys-utils/lsipc.c
+index 2c5561112..515788c13 100644
+--- a/sys-utils/lsipc.c
++++ b/sys-utils/lsipc.c
+@@ -717,16 +717,18 @@ static void do_sem(int id, struct lsipc_control *ctl, struct libscols_table *tb)
+
+ static void do_sem_global(struct lsipc_control *ctl, struct libscols_table *tb)
+ {
+- struct sem_data *semds, *semdsp;
++ struct sem_data *semds;
+ struct ipc_limits lim;
+ int nsems = 0, nsets = 0;
+
+ ipc_sem_get_limits(&lim);
+
+ if (ipc_sem_get_info(-1, &semds) > 0) {
+- for (semdsp = semds; semdsp->next != NULL; semdsp = semdsp->next) {
++ struct sem_data *p;
++
++ for (p = semds; p->next != NULL; p = p->next) {
+ ++nsets;
+- nsems += semds->sem_nsems;
++ nsems += p->sem_nsems;
+ }
+
ipc_sem_free_info(semds);
+ }
+--
+2.33.0
+
diff --git a/backport-lslocks-fix-buffer-overflow.patch b/backport-lslocks-fix-buffer-overflow.patch
new file mode 100644
index 0000000..c6114ba
--- /dev/null
+++ b/backport-lslocks-fix-buffer-overflow.patch
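Review bot: The loop condition `p->next != NULL` kept by this change never visits the last node of the list, and nothing in the hunk says why. If `ipc_sem_get_info()` always appends an unused terminating node (it is defined outside this patch, so that is an assumption), the skip is intended and deserves a comment such as `/* the list ends with an unused node, so stop before it */`. If it does not, the final semaphore set is missing from both `nsets` and `nsems`, and the USED column stays wrong by one set after the fix.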
@@ -0,0 +1,67 @@
+From c7e20a87573202ed5288447b557cb7cff1b40a17 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Thu, 29 Feb 2024 20:43:35 +0100
+Subject: [PATCH] lslocks: fix buffer overflow
+
+* don't use memset() to init variables
+* use xreaddir() to reduce code
+* use ssize_t for readlinkat() return value to avoid buffer overflow
+
+Signed-off-by: Karel Zak
+(cherry picked from commit f030775ffeaa8627c88434f7d0cba1a454aa0ffa)
+---
+ misc-utils/lslocks.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/misc-utils/lslocks.c b/misc-utils/lslocks.c
+index b14d419..06c707a 100644
+--- a/misc-utils/lslocks.c
++++ b/misc-utils/lslocks.c
+@@ -45,6 +45,7 @@
+ #include "closestream.h"
+ #include "optutils.h"
+ #include "procutils.h"
++#include "fileutils.h"
+
+ /* column IDs */
+ enum {
+@@ -164,13 +165,12 @@ static char *get_filename_sz(ino_t inode, pid_t lock_pid, size_t *size)
+ struct stat sb;
+ struct dirent *dp;
+ DIR *dirp;
+- size_t len;
++ size_t sz;
+ int fd;
+- char path[PATH_MAX], sym[PATH_MAX], *ret = NULL;
++ char path[PATH_MAX] = { 0 },
++ sym[PATH_MAX] = { 0 }, *ret = NULL;
+
+ *size = 0;
+- memset(path, 0, sizeof(path));
+- memset(sym, 0, sizeof(sym));
+
+ /*
+ * We know the pid so we don't have to
+@@ -181,16 +181,14 @@ static char *get_filename_sz(ino_t inode, pid_t lock_pid, size_t *size)
+ if (!(dirp = opendir(path)))
+ return NULL;
+
+- if ((len = strlen(path)) >= (sizeof(path) - 2))
++ if ((sz = strlen(path)) >= (sizeof(path) - 2))
+ goto out;
+
+ if ((fd = dirfd(dirp)) < 0 )
+ goto out;
+
+- while ((dp = readdir(dirp))) {
+- if (!strcmp(dp->d_name, ".") ||
+- !strcmp(dp->d_name, ".."))
+- continue;
++ while ((dp = xreaddir(dirp))) {
++ ssize_t len;
+
+ errno = 0;
+
+--
+2.33.0
+
diff --git a/util-linux.spec b/util-linux.spec
index 12e2c6f..94e9bda 100644
--- a/util-linux.spec
+++ b/util-linux.spec
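Review bot: The overflow this patch is named for is closed only by lines that are not in the hunk: `ssize_t len` is declared at the top of the loop in `get_filename_sz()`, but the `readlinkat()` call and the later use of `len` as an index come after `errno = 0;`, past the visible context. Because this is a cherry-pick onto 2.37.2, check in the target tree that a negative result is rejected before `sym` is written through `len`, and that no statement further down still relies on the old function-scope `size_t len`. A comment at the declaration, `/* signed: readlinkat() returns -1 on error */`, would keep the type from being changed back.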
@@ -3,7 +3,7 @@

 Name: util-linux
 Version: 2.37.2
-Release: 30
+Release: 31
 Summary: A random collection of Linux utilities
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@@ -146,6 +146,10 @@ Patch6124: backport-more-fix-poll-use.patch
 Patch6125: backport-CVE-2024-28085.patch
 Patch6126: backport-lscpu-don-t-use-NULL-sharedmap.patch
 Patch6127: backport-lscpu-use-topology-maps-in-more-robust-way.patch
+Patch6128: backport-hexdump-check-blocksize-when-display-data.patch
+Patch6129: backport-lslocks-fix-buffer-overflow.patch
+Patch6130: backport-last-avoid-out-of-bounds-array-access.patch
+Patch6131: backport-lsipc-fix-semaphore-USED-counter.patch

 Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch
 Patch9001: SKIPPED-no-root-permissions-test.patch
@@ -519,6 +523,16 @@ fi
 %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*}

 %changelog
+* Tue May 7 2024 zhangyao - 2.37.2-31
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync community patches
+ backport-hexdump-check-blocksize-when-display-data.patch
+ backport-lslocks-fix-buffer-overflow.patch
+ backport-last-avoid-out-of-bounds-array-access.patch
+ backport-lsipc-fix-semaphore-USED-counter.patch
+
 * Sun Apr 28 2024 zhangyao - 2.37.2-30
 - Type:bugfix
 - CVE:NA