Compare commits
No commits in common. 'c9' and 'c8-beta' have entirely different histories.
@ -1 +1 @@
|
|||||||
SOURCES/kmod-28.tar.xz
|
SOURCES/kmod-25.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
0acec2b6aea3e6eb71f0b549b0ff0abcac5da004 SOURCES/kmod-28.tar.xz
|
761ee76bc31f5db10d470dad607a5f9d68acef68 SOURCES/kmod-25.tar.xz
|
||||||
|
@ -0,0 +1,33 @@
|
|||||||
|
From c2996b5fa880e81f63c25e80a4157b2239e32c5d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
Date: Mon, 10 Dec 2018 22:29:32 +0100
|
||||||
|
Subject: [PATCH 1/2] depmod: prevent module dependency files missing during
|
||||||
|
depmod invocation
|
||||||
|
|
||||||
|
depmod deletes the module dependency files before moving the temporary
|
||||||
|
files in their place. This results in user seeing no dependency files
|
||||||
|
while they are updated. Remove the unlink call. The rename call should
|
||||||
|
suffice to move the new file in place and unlink the old one. It should
|
||||||
|
also do both atomically so there is no window when no dependency file
|
||||||
|
exists.
|
||||||
|
|
||||||
|
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
---
|
||||||
|
tools/depmod.c | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tools/depmod.c b/tools/depmod.c
|
||||||
|
index 989d9077926c..18c0d61b2db3 100644
|
||||||
|
--- a/tools/depmod.c
|
||||||
|
+++ b/tools/depmod.c
|
||||||
|
@@ -2451,7 +2451,6 @@ static int depmod_output(struct depmod *depmod, FILE *out)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- unlinkat(dfd, itr->name, 0);
|
||||||
|
if (renameat(dfd, tmp, dfd, itr->name) != 0) {
|
||||||
|
err = -errno;
|
||||||
|
CRIT("renameat(%s, %s, %s, %s): %m\n",
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 5c22362b6b97af9c6b7587f0c3450001e9893115 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eugene Syromiatnikov <esyr@redhat.com>
|
|
||||||
Date: Tue, 13 Aug 2024 16:17:27 +0200
|
|
||||||
Subject: [PATCH] libkmod: avoid undefined behaviour in
|
|
||||||
libkmod-builtin.c:get_string
|
|
||||||
|
|
||||||
Static analysis has reported a potential UB:
|
|
||||||
|
|
||||||
kmod-31/libkmod/libkmod-builtin.c:125: use_invalid: Using "nullp", which points to an out-of-scope variable "buf".
|
|
||||||
# 123| size_t linesz = 0;
|
|
||||||
# 124|
|
|
||||||
# 125|-> while (!nullp) {
|
|
||||||
# 126| char buf[BUFSIZ];
|
|
||||||
# 127| ssize_t sz;
|
|
||||||
|
|
||||||
It seems to be indeed an UB, as nullp is getting assined an address
|
|
||||||
inside object buf, which has a lifetime of the while loop body,
|
|
||||||
and is not available outside of it (specifically, in the while
|
|
||||||
condition, where nullp is checked for NULL). Fix it by putting
|
|
||||||
buf definition in the outer block.
|
|
||||||
---
|
|
||||||
libkmod/libkmod-builtin.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
|
|
||||||
index fd0f549..40a7d61 100644
|
|
||||||
--- a/libkmod/libkmod-builtin.c
|
|
||||||
+++ b/libkmod/libkmod-builtin.c
|
|
||||||
@@ -105,11 +105,11 @@ static off_t get_string(struct kmod_builtin_iter *iter, off_t offset,
|
|
||||||
char **line, size_t *size)
|
|
||||||
{
|
|
||||||
int sv_errno;
|
|
||||||
+ char buf[BUFSIZ];
|
|
||||||
char *nullp = NULL;
|
|
||||||
size_t linesz = 0;
|
|
||||||
|
|
||||||
while (!nullp) {
|
|
||||||
- char buf[BUFSIZ];
|
|
||||||
ssize_t sz;
|
|
||||||
size_t partsz;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From d5950b0b5e66a5ec1c21b638dec3974056aaabeb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
|
|
||||||
Date: Sun, 25 Sep 2022 17:46:08 +0300
|
|
||||||
Subject: [PATCH] libkmod: do not crash on unknown signature algorithm
|
|
||||||
|
|
||||||
Example kernel module:
|
|
||||||
https://file-store.rosalinux.ru/download/7281f97e0c04c0f818ad3f936706f4a407e8dc7e
|
|
||||||
(/lib/modules/5.15.67-generic-1rosa2021.1-x86_64/kernel/drivers/usb/host/xhci-pci.ko.zst)
|
|
||||||
It is signed with Streebog 512.
|
|
||||||
|
|
||||||
libkmod v30 crashed in libkmod-module.c:2413 in this code:
|
|
||||||
|
|
||||||
n = kmod_module_info_append(list,
|
|
||||||
"sig_hashalgo", strlen("sig_hashalgo"),
|
|
||||||
sig_info.hash_algo, strlen(sig_info.hash_algo));
|
|
||||||
|
|
||||||
because strlen() got null.
|
|
||||||
---
|
|
||||||
libkmod/libkmod-signature.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
|
|
||||||
index 4ae5af6..092f396 100644
|
|
||||||
--- a/libkmod/libkmod-signature.c
|
|
||||||
+++ b/libkmod/libkmod-signature.c
|
|
||||||
@@ -278,6 +278,9 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
|
||||||
X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
|
|
||||||
|
|
||||||
sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
|
|
||||||
+ // hash algo has not been recognized
|
|
||||||
+ if (sig_info->hash_algo == NULL)
|
|
||||||
+ goto err3;
|
|
||||||
sig_info->id_type = pkey_id_type[modsig->id_type];
|
|
||||||
|
|
||||||
pvt = malloc(sizeof(*pvt));
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From b9605c63b859adfffc0b4b9420d720aa323b90e9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Emil Velikov <emil.velikov@collabora.com>
|
|
||||||
Date: Mon, 6 Feb 2023 14:32:59 +0000
|
|
||||||
Subject: [PATCH] libkmod: error out on unknown hash algorithm
|
|
||||||
|
|
||||||
Currently if we see unknown algorithm, we'll do an OOB read in
|
|
||||||
pkey_hash_algo. This can happen for example if OPENSSL_NO_SM3 is set and
|
|
||||||
the kernel module uses a SM3 hash.
|
|
||||||
|
|
||||||
Cc: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
|
|
||||||
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
|
|
||||||
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
|
|
||||||
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
|
|
||||||
---
|
|
||||||
libkmod/libkmod-signature.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
|
|
||||||
index 092f396..b749a81 100644
|
|
||||||
--- a/libkmod/libkmod-signature.c
|
|
||||||
+++ b/libkmod/libkmod-signature.c
|
|
||||||
@@ -219,6 +219,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
|
||||||
unsigned char *key_id_str;
|
|
||||||
struct pkcs7_private *pvt;
|
|
||||||
const char *issuer_str;
|
|
||||||
+ int hash_algo;
|
|
||||||
|
|
||||||
size -= sig_len;
|
|
||||||
pkcs7_raw = mem + size;
|
|
||||||
@@ -277,7 +278,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
|
||||||
|
|
||||||
X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
|
|
||||||
|
|
||||||
- sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
|
|
||||||
+ hash_algo = obj_to_hash_algo(o);
|
|
||||||
+ if (hash_algo < 0)
|
|
||||||
+ goto err3;
|
|
||||||
+ sig_info->hash_algo = pkey_hash_algo[hash_algo];
|
|
||||||
// hash algo has not been recognized
|
|
||||||
if (sig_info->hash_algo == NULL)
|
|
||||||
goto err3;
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
From 1cab02ecf6ee2a0aa34f3615dfd99c59f7e04e90 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Seung-Woo Kim <sw0312.kim@samsung.com>
|
|
||||||
Date: Tue, 13 Apr 2021 20:23:14 +0900
|
|
||||||
Subject: [PATCH] libkmod: fix an overflow with wrong modules.builtin.modinfo
|
|
||||||
|
|
||||||
Fix a possbile overflow with exact PATH_MAX length modname
|
|
||||||
in wrong modules.builtin.modinfo.
|
|
||||||
|
|
||||||
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
|
|
||||||
---
|
|
||||||
libkmod/libkmod-builtin.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
|
|
||||||
index fc9a376..a75a542 100644
|
|
||||||
--- a/libkmod/libkmod-builtin.c
|
|
||||||
+++ b/libkmod/libkmod-builtin.c
|
|
||||||
@@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter,
|
|
||||||
|
|
||||||
len = dot - line;
|
|
||||||
|
|
||||||
- if (len > PATH_MAX) {
|
|
||||||
+ if (len >= PATH_MAX) {
|
|
||||||
sv_errno = ENAMETOOLONG;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -0,0 +1,62 @@
|
|||||||
|
From a06bacf500d56b72b5f9b121ebf7f6af9e3df185 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
Date: Mon, 17 Dec 2018 23:46:28 +0100
|
||||||
|
Subject: [PATCH 2/2] depmod: prevent module dependency files corruption due to
|
||||||
|
parallel invocation.
|
||||||
|
|
||||||
|
Depmod does not use unique filename for temporary files. There is no
|
||||||
|
guarantee the user does not attempt to run mutiple depmod processes in
|
||||||
|
parallel. If that happens a temporary file might be created by
|
||||||
|
depmod(1st), truncated by depmod(2nd), and renamed to final name by
|
||||||
|
depmod(1st) resulting in corrupted file seen by user.
|
||||||
|
|
||||||
|
Due to missing mkstempat() this is more complex than it should be.
|
||||||
|
Adding PID and timestamp to the filename should be reasonably reliable.
|
||||||
|
Adding O_EXCL as mkstemp does fails creating the file rather than
|
||||||
|
corrupting existing file.
|
||||||
|
|
||||||
|
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
---
|
||||||
|
tools/depmod.c | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/depmod.c b/tools/depmod.c
|
||||||
|
index 18c0d61b2db3..0f7e33ccfd59 100644
|
||||||
|
--- a/tools/depmod.c
|
||||||
|
+++ b/tools/depmod.c
|
||||||
|
@@ -29,6 +29,7 @@
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
+#include <sys/time.h>
|
||||||
|
#include <sys/utsname.h>
|
||||||
|
|
||||||
|
#include <shared/array.h>
|
||||||
|
@@ -2398,6 +2399,9 @@ static int depmod_output(struct depmod *depmod, FILE *out)
|
||||||
|
};
|
||||||
|
const char *dname = depmod->cfg->dirname;
|
||||||
|
int dfd, err = 0;
|
||||||
|
+ struct timeval tv;
|
||||||
|
+
|
||||||
|
+ gettimeofday(&tv, NULL);
|
||||||
|
|
||||||
|
if (out != NULL)
|
||||||
|
dfd = -1;
|
||||||
|
@@ -2416,11 +2420,12 @@ static int depmod_output(struct depmod *depmod, FILE *out)
|
||||||
|
int r, ferr;
|
||||||
|
|
||||||
|
if (fp == NULL) {
|
||||||
|
- int flags = O_CREAT | O_TRUNC | O_WRONLY;
|
||||||
|
+ int flags = O_CREAT | O_EXCL | O_WRONLY;
|
||||||
|
int mode = 0644;
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
- snprintf(tmp, sizeof(tmp), "%s.tmp", itr->name);
|
||||||
|
+ snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
|
||||||
|
+ tv.tv_usec, tv.tv_sec);
|
||||||
|
fd = openat(dfd, tmp, flags, mode);
|
||||||
|
if (fd < 0) {
|
||||||
|
ERR("openat(%s, %s, %o, %o): %m\n",
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
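Review bot: The new `snprintf(tmp, ...)` call in `depmod_output` formats `tv.tv_usec` and `tv.tv_sec` with `%li`, but those fields are `suseconds_t` and `time_t`, which are not guaranteed to be `long` (for example on a 32-bit target built with a 64-bit `time_t`). Casting the arguments fixes this: `snprintf(tmp, sizeof(tmp), "%s.%i.%lli.%lli", itr->name, (int)getpid(), (long long)tv.tv_usec, (long long)tv.tv_sec);`. The return value is also not compared with `sizeof(tmp)`, so a truncated name would lose part of the suffix that is meant to make it unique; the declaration of `tmp` is outside the hunk, so its size cannot be confirmed here. The result of `gettimeofday()` is ignored as well, which leaves `tv` uninitialised if the call fails. `depmod_output` begins and ends outside the hunks.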
@ -0,0 +1,328 @@
|
|||||||
|
From 391b4714b495183baefa9cb10ac8e1600c166a59 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
Date: Fri, 1 Feb 2019 22:20:02 +0200
|
||||||
|
Subject: [PATCH] libkmod-signature: implement pkcs7 parsing with openssl
|
||||||
|
|
||||||
|
The patch adds data fetching from the PKCS#7 certificate using
|
||||||
|
openssl library (which is used by scripts/sign-file.c in the linux
|
||||||
|
kernel to sign modules).
|
||||||
|
|
||||||
|
In general the certificate can contain many signatures, but since
|
||||||
|
kmod (modinfo) supports only one signature at the moment, only first
|
||||||
|
one is taken.
|
||||||
|
|
||||||
|
With the current sign-file.c certificate doesn't contain signer
|
||||||
|
key's fingerprint, so "serial number" is used for the key id.
|
||||||
|
|
||||||
|
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
---
|
||||||
|
Makefile.am | 4 +-
|
||||||
|
configure.ac | 11 ++
|
||||||
|
libkmod/libkmod-internal.h | 3 +
|
||||||
|
libkmod/libkmod-module.c | 3 +
|
||||||
|
libkmod/libkmod-signature.c | 197 +++++++++++++++++++++++++++++++++++-
|
||||||
|
5 files changed, 213 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 1ab1db585316..de1026f8bd46 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -35,6 +35,8 @@ SED_PROCESS = \
|
||||||
|
-e 's,@liblzma_LIBS\@,${liblzma_LIBS},g' \
|
||||||
|
-e 's,@zlib_CFLAGS\@,${zlib_CFLAGS},g' \
|
||||||
|
-e 's,@zlib_LIBS\@,${zlib_LIBS},g' \
|
||||||
|
+ -e 's,@openssl_CFLAGS\@,${openssl_CFLAGS},g' \
|
||||||
|
+ -e 's,@openssl_LIBS\@,${openssl_LIBS},g' \
|
||||||
|
< $< > $@ || rm $@
|
||||||
|
|
||||||
|
%.pc: %.pc.in Makefile
|
||||||
|
@@ -87,7 +89,7 @@ libkmod_libkmod_la_DEPENDENCIES = \
|
||||||
|
${top_srcdir}/libkmod/libkmod.sym
|
||||||
|
libkmod_libkmod_la_LIBADD = \
|
||||||
|
shared/libshared.la \
|
||||||
|
- ${liblzma_LIBS} ${zlib_LIBS}
|
||||||
|
+ ${liblzma_LIBS} ${zlib_LIBS} ${openssl_LIBS}
|
||||||
|
|
||||||
|
noinst_LTLIBRARIES += libkmod/libkmod-internal.la
|
||||||
|
libkmod_libkmod_internal_la_SOURCES = $(libkmod_libkmod_la_SOURCES)
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index fbc7391b2d1b..2e33380a0cc2 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -106,6 +106,17 @@ AS_IF([test "x$with_zlib" != "xno"], [
|
||||||
|
])
|
||||||
|
CC_FEATURE_APPEND([with_features], [with_zlib], [ZLIB])
|
||||||
|
|
||||||
|
+AC_ARG_WITH([openssl],
|
||||||
|
+ AS_HELP_STRING([--with-openssl], [handle PKCS7 signatures @<:@default=disabled@:>@]),
|
||||||
|
+ [], [with_openssl=no])
|
||||||
|
+AS_IF([test "x$with_openssl" != "xno"], [
|
||||||
|
+ PKG_CHECK_MODULES([openssl], [openssl])
|
||||||
|
+ AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.])
|
||||||
|
+], [
|
||||||
|
+ AC_MSG_NOTICE([openssl support not requested])
|
||||||
|
+])
|
||||||
|
+CC_FEATURE_APPEND([with_features], [with_openssl], [OPENSSL])
|
||||||
|
+
|
||||||
|
AC_ARG_WITH([bashcompletiondir],
|
||||||
|
AS_HELP_STRING([--with-bashcompletiondir=DIR], [Bash completions directory]),
|
||||||
|
[],
|
||||||
|
diff --git a/libkmod/libkmod-internal.h b/libkmod/libkmod-internal.h
|
||||||
|
index 346579c71aab..a65ddd156f18 100644
|
||||||
|
--- a/libkmod/libkmod-internal.h
|
||||||
|
+++ b/libkmod/libkmod-internal.h
|
||||||
|
@@ -188,5 +188,8 @@ struct kmod_signature_info {
|
||||||
|
const char *algo, *hash_algo, *id_type;
|
||||||
|
const char *sig;
|
||||||
|
size_t sig_len;
|
||||||
|
+ void (*free)(void *);
|
||||||
|
+ void *private;
|
||||||
|
};
|
||||||
|
bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signature_info *sig_info) _must_check_ __attribute__((nonnull(1, 2)));
|
||||||
|
+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) __attribute__((nonnull));
|
||||||
|
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
|
||||||
|
index 889f26479a98..bffe715cdef4 100644
|
||||||
|
--- a/libkmod/libkmod-module.c
|
||||||
|
+++ b/libkmod/libkmod-module.c
|
||||||
|
@@ -2357,6 +2357,9 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
|
||||||
|
ret = count;
|
||||||
|
|
||||||
|
list_error:
|
||||||
|
+ /* aux structures freed in normal case also */
|
||||||
|
+ kmod_module_signature_info_free(&sig_info);
|
||||||
|
+
|
||||||
|
if (ret < 0) {
|
||||||
|
kmod_module_info_free_list(*list);
|
||||||
|
*list = NULL;
|
||||||
|
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
|
||||||
|
index 429ffbd8a957..48d0145a7552 100644
|
||||||
|
--- a/libkmod/libkmod-signature.c
|
||||||
|
+++ b/libkmod/libkmod-signature.c
|
||||||
|
@@ -19,6 +19,10 @@
|
||||||
|
|
||||||
|
#include <endian.h>
|
||||||
|
#include <inttypes.h>
|
||||||
|
+#ifdef ENABLE_OPENSSL
|
||||||
|
+#include <openssl/cms.h>
|
||||||
|
+#include <openssl/ssl.h>
|
||||||
|
+#endif
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -115,15 +119,194 @@ static bool fill_default(const char *mem, off_t size,
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static bool fill_unknown(const char *mem, off_t size,
|
||||||
|
- const struct module_signature *modsig, size_t sig_len,
|
||||||
|
- struct kmod_signature_info *sig_info)
|
||||||
|
+#ifdef ENABLE_OPENSSL
|
||||||
|
+
|
||||||
|
+struct pkcs7_private {
|
||||||
|
+ CMS_ContentInfo *cms;
|
||||||
|
+ unsigned char *key_id;
|
||||||
|
+ BIGNUM *sno;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static void pkcs7_free(void *s)
|
||||||
|
+{
|
||||||
|
+ struct kmod_signature_info *si = s;
|
||||||
|
+ struct pkcs7_private *pvt = si->private;
|
||||||
|
+
|
||||||
|
+ CMS_ContentInfo_free(pvt->cms);
|
||||||
|
+ BN_free(pvt->sno);
|
||||||
|
+ free(pvt->key_id);
|
||||||
|
+ free(pvt);
|
||||||
|
+ si->private = NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int obj_to_hash_algo(const ASN1_OBJECT *o)
|
||||||
|
+{
|
||||||
|
+ int nid;
|
||||||
|
+
|
||||||
|
+ nid = OBJ_obj2nid(o);
|
||||||
|
+ switch (nid) {
|
||||||
|
+ case NID_md4:
|
||||||
|
+ return PKEY_HASH_MD4;
|
||||||
|
+ case NID_md5:
|
||||||
|
+ return PKEY_HASH_MD5;
|
||||||
|
+ case NID_sha1:
|
||||||
|
+ return PKEY_HASH_SHA1;
|
||||||
|
+ case NID_ripemd160:
|
||||||
|
+ return PKEY_HASH_RIPE_MD_160;
|
||||||
|
+ case NID_sha256:
|
||||||
|
+ return PKEY_HASH_SHA256;
|
||||||
|
+ case NID_sha384:
|
||||||
|
+ return PKEY_HASH_SHA384;
|
||||||
|
+ case NID_sha512:
|
||||||
|
+ return PKEY_HASH_SHA512;
|
||||||
|
+ case NID_sha224:
|
||||||
|
+ return PKEY_HASH_SHA224;
|
||||||
|
+ default:
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static const char *x509_name_to_str(X509_NAME *name)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ X509_NAME_ENTRY *e;
|
||||||
|
+ ASN1_STRING *d;
|
||||||
|
+ ASN1_OBJECT *o;
|
||||||
|
+ int nid = -1;
|
||||||
|
+ const char *str;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < X509_NAME_entry_count(name); i++) {
|
||||||
|
+ e = X509_NAME_get_entry(name, i);
|
||||||
|
+ o = X509_NAME_ENTRY_get_object(e);
|
||||||
|
+ nid = OBJ_obj2nid(o);
|
||||||
|
+ if (nid == NID_commonName)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (nid == -1)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ d = X509_NAME_ENTRY_get_data(e);
|
||||||
|
+ str = (const char *)ASN1_STRING_get0_data(d);
|
||||||
|
+
|
||||||
|
+ return str;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static bool fill_pkcs7(const char *mem, off_t size,
|
||||||
|
+ const struct module_signature *modsig, size_t sig_len,
|
||||||
|
+ struct kmod_signature_info *sig_info)
|
||||||
|
+{
|
||||||
|
+ const char *pkcs7_raw;
|
||||||
|
+ CMS_ContentInfo *cms;
|
||||||
|
+ STACK_OF(CMS_SignerInfo) *sis;
|
||||||
|
+ CMS_SignerInfo *si;
|
||||||
|
+ int rc;
|
||||||
|
+ ASN1_OCTET_STRING *key_id;
|
||||||
|
+ X509_NAME *issuer;
|
||||||
|
+ ASN1_INTEGER *sno;
|
||||||
|
+ ASN1_OCTET_STRING *sig;
|
||||||
|
+ BIGNUM *sno_bn;
|
||||||
|
+ X509_ALGOR *dig_alg;
|
||||||
|
+ X509_ALGOR *sig_alg;
|
||||||
|
+ const ASN1_OBJECT *o;
|
||||||
|
+ BIO *in;
|
||||||
|
+ int len;
|
||||||
|
+ unsigned char *key_id_str;
|
||||||
|
+ struct pkcs7_private *pvt;
|
||||||
|
+ const char *issuer_str;
|
||||||
|
+
|
||||||
|
+ size -= sig_len;
|
||||||
|
+ pkcs7_raw = mem + size;
|
||||||
|
+
|
||||||
|
+ in = BIO_new_mem_buf(pkcs7_raw, sig_len);
|
||||||
|
+
|
||||||
|
+ cms = d2i_CMS_bio(in, NULL);
|
||||||
|
+ if (cms == NULL) {
|
||||||
|
+ BIO_free(in);
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ BIO_free(in);
|
||||||
|
+
|
||||||
|
+ sis = CMS_get0_SignerInfos(cms);
|
||||||
|
+ if (sis == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ si = sk_CMS_SignerInfo_value(sis, 0);
|
||||||
|
+ if (si == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
|
||||||
|
+ if (rc == 0)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ sig = CMS_SignerInfo_get0_signature(si);
|
||||||
|
+ if (sig == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
|
||||||
|
+
|
||||||
|
+ sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
|
||||||
|
+ sig_info->sig_len = ASN1_STRING_length(sig);
|
||||||
|
+
|
||||||
|
+ sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
|
||||||
|
+ if (sno_bn == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ len = BN_num_bytes(sno_bn);
|
||||||
|
+ key_id_str = malloc(len);
|
||||||
|
+ if (key_id_str == NULL)
|
||||||
|
+ goto err2;
|
||||||
|
+ BN_bn2bin(sno_bn, key_id_str);
|
||||||
|
+
|
||||||
|
+ sig_info->key_id = (const char *)key_id_str;
|
||||||
|
+ sig_info->key_id_len = len;
|
||||||
|
+
|
||||||
|
+ issuer_str = x509_name_to_str(issuer);
|
||||||
|
+ if (issuer_str != NULL) {
|
||||||
|
+ sig_info->signer = issuer_str;
|
||||||
|
+ sig_info->signer_len = strlen(issuer_str);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
|
||||||
|
+
|
||||||
|
+ sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
|
||||||
|
+ sig_info->id_type = pkey_id_type[modsig->id_type];
|
||||||
|
+
|
||||||
|
+ pvt = malloc(sizeof(*pvt));
|
||||||
|
+ if (pvt == NULL)
|
||||||
|
+ goto err3;
|
||||||
|
+
|
||||||
|
+ pvt->cms = cms;
|
||||||
|
+ pvt->key_id = key_id_str;
|
||||||
|
+ pvt->sno = sno_bn;
|
||||||
|
+ sig_info->private = pvt;
|
||||||
|
+
|
||||||
|
+ sig_info->free = pkcs7_free;
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
+err3:
|
||||||
|
+ free(key_id_str);
|
||||||
|
+err2:
|
||||||
|
+ BN_free(sno_bn);
|
||||||
|
+err:
|
||||||
|
+ CMS_ContentInfo_free(cms);
|
||||||
|
+ return false;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#else /* ENABLE OPENSSL */
|
||||||
|
+
|
||||||
|
+static bool fill_pkcs7(const char *mem, off_t size,
|
||||||
|
+ const struct module_signature *modsig, size_t sig_len,
|
||||||
|
+ struct kmod_signature_info *sig_info)
|
||||||
|
{
|
||||||
|
sig_info->hash_algo = "unknown";
|
||||||
|
sig_info->id_type = pkey_id_type[modsig->id_type];
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#endif /* ENABLE OPENSSL */
|
||||||
|
+
|
||||||
|
#define SIG_MAGIC "~Module signature appended~\n"
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -167,8 +350,14 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
|
||||||
|
|
||||||
|
switch (modsig->id_type) {
|
||||||
|
case PKEY_ID_PKCS7:
|
||||||
|
- return fill_unknown(mem, size, modsig, sig_len, sig_info);
|
||||||
|
+ return fill_pkcs7(mem, size, modsig, sig_len, sig_info);
|
||||||
|
default:
|
||||||
|
return fill_default(mem, size, modsig, sig_len, sig_info);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info)
|
||||||
|
+{
|
||||||
|
+ if (sig_info->free)
|
||||||
|
+ sig_info->free(sig_info);
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
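Review bot: In `fill_pkcs7`, `sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];` indexes the table with the raw return value, and `obj_to_hash_algo` returns -1 for any digest outside its switch, so a module signed with an unlisted hash turns this into an out-of-bounds read at index -1 driven by file content. Keep the result in a local and bail out before indexing: `int hash_algo = obj_to_hash_algo(o);`, `if (hash_algo < 0) goto err3;`, `sig_info->hash_algo = pkey_hash_algo[hash_algo];`. Separately, `x509_name_to_str` returns NULL only when the name has no entries; if no entry is `NID_commonName`, the loop leaves `nid` and `e` at the last entry and that entry's data is returned as the signer. The result of `BIO_new_mem_buf` is also passed to `d2i_CMS_bio` without a NULL check.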
@ -0,0 +1,83 @@
|
|||||||
|
From 52a0ba82e1ad180f9f91920db70a758fac49466a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
Date: Thu, 31 Oct 2019 20:12:53 +0200
|
||||||
|
Subject: [PATCH] modprobe: ignore builtin module on recursive removing
|
||||||
|
|
||||||
|
If there are built-in dependencies and any of them is built-in in
|
||||||
|
the kernel, modprobe -r fails with
|
||||||
|
|
||||||
|
modprobe: FATAL: Module module_name is builtin.
|
||||||
|
|
||||||
|
It makes sense to ignore such dependencies for the case when
|
||||||
|
removing is called for non-top level module.
|
||||||
|
|
||||||
|
Example: cifs module, it declares bunch of softdeps and the first
|
||||||
|
one fails on some kernel configs:
|
||||||
|
|
||||||
|
modprobe: FATAL: Module gcm is builtin.
|
||||||
|
|
||||||
|
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
---
|
||||||
|
tools/modprobe.c | 18 ++++++++++++------
|
||||||
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/modprobe.c b/tools/modprobe.c
|
||||||
|
index a9e2331567af..44cd15c2bf57 100644
|
||||||
|
--- a/tools/modprobe.c
|
||||||
|
+++ b/tools/modprobe.c
|
||||||
|
@@ -353,7 +353,8 @@ static int rmmod_do_remove_module(struct kmod_module *mod)
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies);
|
||||||
|
+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
|
||||||
|
+ bool ignore_builtin);
|
||||||
|
|
||||||
|
static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
|
||||||
|
{
|
||||||
|
@@ -361,7 +362,7 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
|
||||||
|
|
||||||
|
kmod_list_foreach_reverse(l, list) {
|
||||||
|
struct kmod_module *m = kmod_module_get_module(l);
|
||||||
|
- int r = rmmod_do_module(m, false);
|
||||||
|
+ int r = rmmod_do_module(m, false, true);
|
||||||
|
kmod_module_unref(m);
|
||||||
|
|
||||||
|
if (r < 0 && stop_on_errors)
|
||||||
|
@@ -371,7 +372,8 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
|
||||||
|
+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
|
||||||
|
+ bool ignore_builtin)
|
||||||
|
{
|
||||||
|
const char *modname = kmod_module_get_name(mod);
|
||||||
|
struct kmod_list *pre = NULL, *post = NULL;
|
||||||
|
@@ -401,8 +403,12 @@ static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
|
||||||
|
}
|
||||||
|
goto error;
|
||||||
|
} else if (state == KMOD_MODULE_BUILTIN) {
|
||||||
|
- LOG("Module %s is builtin.\n", modname);
|
||||||
|
- err = -ENOENT;
|
||||||
|
+ if (ignore_builtin) {
|
||||||
|
+ err = 0;
|
||||||
|
+ } else {
|
||||||
|
+ LOG("Module %s is builtin.\n", modname);
|
||||||
|
+ err = -ENOENT;
|
||||||
|
+ }
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -462,7 +468,7 @@ static int rmmod(struct kmod_ctx *ctx, const char *alias)
|
||||||
|
|
||||||
|
kmod_list_foreach(l, list) {
|
||||||
|
struct kmod_module *mod = kmod_module_get_module(l);
|
||||||
|
- err = rmmod_do_module(mod, true);
|
||||||
|
+ err = rmmod_do_module(mod, true, false);
|
||||||
|
kmod_module_unref(mod);
|
||||||
|
if (err < 0)
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.24.0
|
||||||
|
|
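Review bot: The `ignore_builtin` branch in `rmmod_do_module` returns success without any trace, and the new third argument is passed as a bare `true`/`false` next to `do_dependencies`, so neither the call sites nor a verbose run show why a module was skipped. A short comment at the branch would help, e.g. `/* builtin dependency: nothing to unload, not an error for a non-top-level module */`, and the prototype deserves a line such as `/* ignore_builtin: treat a builtin module as already handled instead of failing */`. `rmmod_do_module` begins and ends outside the hunks, so it is not visible whether the `error` label does further work for the skipped module.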
@ -0,0 +1,116 @@
|
|||||||
|
From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
Date: Fri, 16 Nov 2018 10:56:34 +0200
|
||||||
|
Subject: [PATCH] signature: do not report wrong data for pkc#7 signature
|
||||||
|
|
||||||
|
when PKC#7 signing method is used the old structure doesn't contain
|
||||||
|
any useful data, but the data are encoded in the certificate.
|
||||||
|
|
||||||
|
The info getting/showing code is not aware of that at the moment and
|
||||||
|
since 0 is a valid constant, shows, for example, wrong "md4" for the
|
||||||
|
hash algo.
|
||||||
|
|
||||||
|
The patch splits the 2 mothods of gethering the info and reports
|
||||||
|
"unknown" for the algo.
|
||||||
|
|
||||||
|
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
|
||||||
|
---
|
||||||
|
libkmod/libkmod-module.c | 2 +-
|
||||||
|
libkmod/libkmod-signature.c | 56 +++++++++++++++++++++++++------------
|
||||||
|
2 files changed, 39 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
|
||||||
|
index ee420f4ec2bf..889f26479a98 100644
|
||||||
|
--- a/libkmod/libkmod-module.c
|
||||||
|
+++ b/libkmod/libkmod-module.c
|
||||||
|
@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
|
||||||
|
struct kmod_elf *elf;
|
||||||
|
char **strings;
|
||||||
|
int i, count, ret = -ENOMEM;
|
||||||
|
- struct kmod_signature_info sig_info;
|
||||||
|
+ struct kmod_signature_info sig_info = {};
|
||||||
|
|
||||||
|
if (mod == NULL || list == NULL)
|
||||||
|
return -ENOENT;
|
||||||
|
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
|
||||||
|
index 1f3e26dea203..429ffbd8a957 100644
|
||||||
|
--- a/libkmod/libkmod-signature.c
|
||||||
|
+++ b/libkmod/libkmod-signature.c
|
||||||
|
@@ -92,6 +92,38 @@ struct module_signature {
|
||||||
|
uint32_t sig_len; /* Length of signature data (big endian) */
|
||||||
|
};
|
||||||
|
|
||||||
|
+static bool fill_default(const char *mem, off_t size,
|
||||||
|
+ const struct module_signature *modsig, size_t sig_len,
|
||||||
|
+ struct kmod_signature_info *sig_info)
|
||||||
|
+{
|
||||||
|
+ size -= sig_len;
|
||||||
|
+ sig_info->sig = mem + size;
|
||||||
|
+ sig_info->sig_len = sig_len;
|
||||||
|
+
|
||||||
|
+ size -= modsig->key_id_len;
|
||||||
|
+ sig_info->key_id = mem + size;
|
||||||
|
+ sig_info->key_id_len = modsig->key_id_len;
|
||||||
|
+
|
||||||
|
+ size -= modsig->signer_len;
|
||||||
|
+ sig_info->signer = mem + size;
|
||||||
|
+ sig_info->signer_len = modsig->signer_len;
|
||||||
|
+
|
||||||
|
+ sig_info->algo = pkey_algo[modsig->algo];
|
||||||
|
+ sig_info->hash_algo = pkey_hash_algo[modsig->hash];
|
||||||
|
+ sig_info->id_type = pkey_id_type[modsig->id_type];
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static bool fill_unknown(const char *mem, off_t size,
|
||||||
|
+ const struct module_signature *modsig, size_t sig_len,
|
||||||
|
+ struct kmod_signature_info *sig_info)
|
||||||
|
+{
|
||||||
|
+ sig_info->hash_algo = "unknown";
|
||||||
|
+ sig_info->id_type = pkey_id_type[modsig->id_type];
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#define SIG_MAGIC "~Module signature appended~\n"
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
|
||||||
|
const struct module_signature *modsig;
|
||||||
|
size_t sig_len;
|
||||||
|
|
||||||
|
-
|
||||||
|
size = kmod_file_get_size(file);
|
||||||
|
mem = kmod_file_get_contents(file);
|
||||||
|
if (size < (off_t)strlen(SIG_MAGIC))
|
||||||
|
@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
|
||||||
|
size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
- size -= sig_len;
|
||||||
|
- sig_info->sig = mem + size;
|
||||||
|
- sig_info->sig_len = sig_len;
|
||||||
|
-
|
||||||
|
- size -= modsig->key_id_len;
|
||||||
|
- sig_info->key_id = mem + size;
|
||||||
|
- sig_info->key_id_len = modsig->key_id_len;
|
||||||
|
-
|
||||||
|
- size -= modsig->signer_len;
|
||||||
|
- sig_info->signer = mem + size;
|
||||||
|
- sig_info->signer_len = modsig->signer_len;
|
||||||
|
-
|
||||||
|
- sig_info->algo = pkey_algo[modsig->algo];
|
||||||
|
- sig_info->hash_algo = pkey_hash_algo[modsig->hash];
|
||||||
|
- sig_info->id_type = pkey_id_type[modsig->id_type];
|
||||||
|
-
|
||||||
|
- return true;
|
||||||
|
+ switch (modsig->id_type) {
|
||||||
|
+ case PKEY_ID_PKCS7:
|
||||||
|
+ return fill_unknown(mem, size, modsig, sig_len, sig_info);
|
||||||
|
+ default:
|
||||||
|
+ return fill_default(mem, size, modsig, sig_len, sig_info);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
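Review bot: `fill_unknown` sets only `hash_algo` and `id_type` and leaves `algo`, `signer`, `key_id`, `sig` and their lengths untouched, so its output is defined only because this same patch changes the caller to `struct kmod_signature_info sig_info = {};`. Any other caller of `kmod_module_signature_info` that passes an uninitialised struct would read indeterminate pointers; clearing the struct inside the function is more robust, e.g. `memset(sig_info, 0, sizeof(*sig_info));` at the top of `fill_unknown`. The empty initializer `= {}` is also a GNU extension before C23; `= {0}` is the portable spelling. In `fill_default`, the lookups `pkey_algo[modsig->algo]`, `pkey_hash_algo[modsig->hash]` and `pkey_id_type[modsig->id_type]` are indexed by bytes read from the module file; any range checks sit in the part of `kmod_module_signature_info` outside the hunk and should be confirmed.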
@ -1,58 +0,0 @@
|
|||||||
From 06fadcc6b17c3b9a534540dd6d74b0c5fb1d948d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Yauheni Kaliuta <ykaliuta@redhat.com>
|
|
||||||
Date: Thu, 2 Feb 2023 15:47:36 +0200
|
|
||||||
Subject: [PATCH] man/rmmod: explain why modprobe -r is more useful
|
|
||||||
|
|
||||||
Improve user experience by explaining the option so the user may
|
|
||||||
not search explanations in other manpages (modprobe).
|
|
||||||
|
|
||||||
Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com>
|
|
||||||
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
|
|
||||||
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
|
|
||||||
---
|
|
||||||
man/rmmod.xml | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/man/rmmod.xml b/man/rmmod.xml
|
|
||||||
index e7c7e5f9e7dc..67bcbedd972b 100644
|
|
||||||
--- a/man/rmmod.xml
|
|
||||||
+++ b/man/rmmod.xml
|
|
||||||
@@ -52,7 +52,8 @@
|
|
||||||
want to use
|
|
||||||
<citerefentry>
|
|
||||||
<refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
- </citerefentry> with the <option>-r</option> option instead.
|
|
||||||
+ </citerefentry> with the <option>-r</option> option instead
|
|
||||||
+ since it removes unused dependent modules as well.
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
--- a/man/rmmod.8 2020-12-28 02:58:30.085851136 +0200
|
|
||||||
+++ b/man/rmmod.8 2023-02-09 16:55:55.967128297 +0200
|
|
||||||
@@ -2,12 +2,12 @@
|
|
||||||
.\" Title: rmmod
|
|
||||||
.\" Author: Jon Masters <jcm@jonmasters.org>
|
|
||||||
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
|
|
||||||
-.\" Date: 12/27/2020
|
|
||||||
+.\" Date: 02/09/2023
|
|
||||||
.\" Manual: rmmod
|
|
||||||
.\" Source: kmod
|
|
||||||
.\" Language: English
|
|
||||||
.\"
|
|
||||||
-.TH "RMMOD" "8" "12/27/2020" "kmod" "rmmod"
|
|
||||||
+.TH "RMMOD" "8" "02/09/2023" "kmod" "rmmod"
|
|
||||||
.\" -----------------------------------------------------------------
|
|
||||||
.\" * Define some portability stuff
|
|
||||||
.\" -----------------------------------------------------------------
|
|
||||||
@@ -39,7 +39,7 @@
|
|
||||||
\fBmodprobe\fR(8)
|
|
||||||
with the
|
|
||||||
\fB\-r\fR
|
|
||||||
-option instead\&.
|
|
||||||
+option instead since it removes unused dependent modules as well\&.
|
|
||||||
.SH "OPTIONS"
|
|
||||||
.PP
|
|
||||||
\fB\-v\fR, \fB\-\-verbose\fR
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|