sync community patches

(cherry picked from commit 5227de9e16e7a611abd47844045a753ad3b6b2e5)
2024-05-07 09:41:41 +08:00 · 2024-05-07 09:41:41 +08:00 · e5ed90d5c7
commit e5ed90d5c7
parent a6674deaaf
5 changed files with 233 additions and 1 deletions
--- a/backport-hexdump-check-blocksize-when-display-data.patch
+++ b/backport-hexdump-check-blocksize-when-display-data.patch
@ -0,0 +1,59 @@
 From dfa1ad272528a92384adac523cf2f2949b767d8d Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Tue, 27 Feb 2024 18:38:02 +0100
 Subject: [PATCH] hexdump: check blocksize when display data
 hexdump(1) stores input to buffer and apply format unit when prints
 the output. The unit can move pointer which points to the buffer, but
 code does not check for limits.
 Fixes: https://github.com/util-linux/util-linux/issues/2806
 Signed-off-by: Karel Zak <kzak@redhat.com>
 ---
 text-utils/hexdump-display.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
 index bc92bd0ca..c865127c8 100644
 --- a/text-utils/hexdump-display.c
 +++ b/text-utils/hexdump-display.c
@@ -250,6 +250,8 @@ void display(struct hexdump *hex)
 	struct list_head *p, *q, *r;
 	while ((bp = get(hex)) != NULL) {
 +		ssize_t rem = hex->blocksize;
 +
 		fs = &hex->fshead; savebp = bp; saveaddress = address;
 		list_for_each(p, fs) {
@@ -263,7 +265,7 @@ void display(struct hexdump *hex)
 				cnt = fu->reps;
 -				while (cnt) {
 +				while (cnt && rem >= 0) {
 					list_for_each(r, &fu->prlist) {
 						pr = list_entry(r, struct hexdump_pr, prlist);
@@ -280,12 +282,18 @@ void display(struct hexdump *hex)
 							print(pr, bp);
 						address += pr->bcnt;
 +
 +						rem -= pr->bcnt;
 +						if (rem < 0)
 +							break;
 +
 						bp += pr->bcnt;
 					}
 					--cnt;
 				}
 			}
 			bp = savebp;
 +			rem = hex->blocksize;
 			address = saveaddress;
 		}
 	}
 -- 
 2.33.0
--- a/backport-last-avoid-out-of-bounds-array-access.patch
+++ b/backport-last-avoid-out-of-bounds-array-access.patch
@ -0,0 +1,28 @@
 From 75822efb8e948b538d9e9ccc329a5430fdabb7ea Mon Sep 17 00:00:00 2001
 From: biubiuzy <294772273@qq.com>
 Date: Fri, 23 Feb 2024 17:44:12 +0800
 Subject: [PATCH] last: avoid out of bounds array access
 ---
 login-utils/last.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/login-utils/last.c b/login-utils/last.c
 index bbbe817f8..f5a9fec08 100644
 --- a/login-utils/last.c
 +++ b/login-utils/last.c
@@ -351,7 +351,10 @@ static int time_formatter(int fmt, char *dst, size_t dlen, time_t *when)
 	{
 		char buf[CTIME_BUFSIZ];
 -		ctime_r(when, buf);
 +		if (!ctime_r(when, buf)) {
 +			ret = -1;
 +			break;
 +		}
 		snprintf(dst, dlen, "%s", buf);
 		ret = rtrim_whitespace((unsigned char *) dst);
 		break;
 -- 
 2.33.0
--- a/backport-lsipc-fix-semaphore-USED-counter.patch
+++ b/backport-lsipc-fix-semaphore-USED-counter.patch
@ -0,0 +1,64 @@
 From fa45a6e516065f489b1cfb924ec3fc06960e0839 Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Tue, 26 Mar 2024 12:45:24 +0100
 Subject: [PATCH] lsipc: fix semaphore USED counter
 The code incorrectly counts only with the first item in the linked
 list (due to a typo). It seems rather fragile to use "semds" and
 "semdsp" as variable names in the same code ...
 # lsipc -gs
 Old:
 KEY ID PERMS OWNER NSEMS RESOURCE DESCRIPTION                                LIMIT USED  USE%
                          SEMMNI   Number of semaphore identifiers            32000    3 0.01%
                          SEMMNS   Total number of semaphores            1024000000  369 0.00%
                          SEMMSL   Max semaphores per semaphore set.          32000    -     -
                          SEMOPM   Max number of operations per semop(2)        500    -     -
                          SEMVMX   Semaphore max value                        32767    -     -
 Fixed:
 KEY ID PERMS OWNER NSEMS RESOURCE DESCRIPTION                                LIMIT USED  USE%
                          SEMMNI   Number of semaphore identifiers            32000    3 0.01%
                          SEMMNS   Total number of semaphores            1024000000  156 0.00%
                          SEMMSL   Max semaphores per semaphore set.          32000    -     -
                          SEMOPM   Max number of operations per semop(2)        500    -     -
                          SEMVMX   Semaphore max value                        32767    -     -
 Addresses: https://issues.redhat.com/browse/RHEL-30269
 Signed-off-by: Karel Zak <kzak@redhat.com>
 ---
 sys-utils/lsipc.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/sys-utils/lsipc.c b/sys-utils/lsipc.c
 index 2c5561112..515788c13 100644
 --- a/sys-utils/lsipc.c
 +++ b/sys-utils/lsipc.c
@@ -717,16 +717,18 @@ static void do_sem(int id, struct lsipc_control *ctl, struct libscols_table *tb)
 static void do_sem_global(struct lsipc_control *ctl, struct libscols_table *tb)
 {
 -	struct sem_data *semds, *semdsp;
 +	struct sem_data *semds;
 	struct ipc_limits lim;
 	int nsems = 0, nsets = 0;
 	ipc_sem_get_limits(&lim);
 	if (ipc_sem_get_info(-1, &semds) > 0) {
 -		for (semdsp = semds; semdsp->next != NULL; semdsp = semdsp->next) {
 +		struct sem_data *p;
 +
 +		for (p = semds; p->next != NULL; p = p->next) {
 			++nsets;
 -			nsems += semds->sem_nsems;
 +			nsems += p->sem_nsems;
 		}
 		ipc_sem_free_info(semds);
 	}
 -- 
 2.33.0
--- a/backport-lslocks-fix-buffer-overflow.patch
+++ b/backport-lslocks-fix-buffer-overflow.patch
@ -0,0 +1,67 @@
 From c7e20a87573202ed5288447b557cb7cff1b40a17 Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Thu, 29 Feb 2024 20:43:35 +0100
 Subject: [PATCH] lslocks: fix buffer overflow
 * don't use memset() to init variables
 * use xreaddir() to reduce code
 * use ssize_t for readlinkat() return value to avoid buffer overflow
 Signed-off-by: Karel Zak <kzak@redhat.com>
 (cherry picked from commit f030775ffeaa8627c88434f7d0cba1a454aa0ffa)
 ---
 misc-utils/lslocks.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
 diff --git a/misc-utils/lslocks.c b/misc-utils/lslocks.c
 index b14d419..06c707a 100644
 --- a/misc-utils/lslocks.c
 +++ b/misc-utils/lslocks.c
@@ -45,6 +45,7 @@
 #include "closestream.h"
 #include "optutils.h"
 #include "procutils.h"
 +#include "fileutils.h"
 /* column IDs */
 enum {
@@ -164,13 +165,12 @@ static char *get_filename_sz(ino_t inode, pid_t lock_pid, size_t *size)
 	struct stat sb;
 	struct dirent *dp;
 	DIR *dirp;
 -	size_t len;
 +	size_t sz;
 	int fd;
 -	char path[PATH_MAX], sym[PATH_MAX], *ret = NULL;
 +	char path[PATH_MAX] = { 0 },
 +	     sym[PATH_MAX] = { 0 }, *ret = NULL;
 	*size = 0;
 -	memset(path, 0, sizeof(path));
 -	memset(sym, 0, sizeof(sym));
 	/*
 	 * We know the pid so we don't have to
@@ -181,16 +181,14 @@ static char *get_filename_sz(ino_t inode, pid_t lock_pid, size_t *size)
 	if (!(dirp = opendir(path)))
 		return NULL;
 -	if ((len = strlen(path)) >= (sizeof(path) - 2))
 +	if ((sz = strlen(path)) >= (sizeof(path) - 2))
 		goto out;
 	if ((fd = dirfd(dirp)) < 0 )
 		goto out;
 -	while ((dp = readdir(dirp))) {
 -		if (!strcmp(dp->d_name, ".") ||
 -		    !strcmp(dp->d_name, ".."))
 -			continue;
 +	while ((dp = xreaddir(dirp))) {
 +		ssize_t len;
 		errno = 0;
 -- 
 2.33.0
--- a/util-linux.spec
+++ b/util-linux.spec
@ -3,7 +3,7 @@
 Name:           util-linux
 Version:        2.37.2
-Release:        30
+Release:        31
 Summary:        A random collection of Linux utilities
 License:        GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL:            https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@ -146,6 +146,10 @@ Patch6124:      backport-more-fix-poll-use.patch
 Patch6125:      backport-CVE-2024-28085.patch
 Patch6126:      backport-lscpu-don-t-use-NULL-sharedmap.patch
 Patch6127:      backport-lscpu-use-topology-maps-in-more-robust-way.patch
 Patch6128:      backport-hexdump-check-blocksize-when-display-data.patch
 Patch6129:      backport-lslocks-fix-buffer-overflow.patch
 Patch6130:      backport-last-avoid-out-of-bounds-array-access.patch
 Patch6131:      backport-lsipc-fix-semaphore-USED-counter.patch
 Patch9000:      Add-check-to-resolve-uname26-version-test-failed.patch
 Patch9001:      SKIPPED-no-root-permissions-test.patch
@ -519,6 +523,16 @@ fi
 %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*}
 %changelog
 * Tue May 7 2024 zhangyao <zhangyao108@huawei.com> - 2.37.2-31
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:sync community patches
       backport-hexdump-check-blocksize-when-display-data.patch
       backport-lslocks-fix-buffer-overflow.patch
       backport-last-avoid-out-of-bounds-array-access.patch
       backport-lsipc-fix-semaphore-USED-counter.patch
 * Sun Apr 28 2024 zhangyao <zhangyao108@huawei.com> - 2.37.2-30
 - Type:bugfix
 - CVE:NA