packages/mokutil
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 0.6.0 with latest bug fix

Browse Source 
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
This commit is contained in:
gaoyusong 2022-08-02 15:19:32 +08:00
parent f13310be73
commit 43a4557ed8
8 changed files with 172 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
0.4.0.tar.gz
View File

Binary file not shown.

BIN
0.6.0.tar.gz Normal file
View File

Binary file not shown.

117
0001-Avoid-taking-pointer-to-packed-struct.patch
View File

@ -1,117 +0,0 @@
From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH] Avoid taking pointer to packed struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:
error: taking address of packed member of struct <anonymous> may result in an unaligned pointer value [-Werror=address-of-packed-member]
---
src/mokutil.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e2d567d..8892613 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
+ efi_guid_t sigtype = CertList->SignatureType;
+
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
continue;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (CertList->SignatureSize != signature_size (&sigtype))) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
list[count].header = CertList;
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
/* X509 certificate */
list[count].mok_size = CertList->SignatureSize -
sizeof(efi_guid_t);
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
for (unsigned int i = 0; i < mok_num; i++) {
printf ("[key %d]\n", i+1);
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
print_x509 ((char *)list[i].mok, list[i].mok_size);
} else {
- print_hash_array (&list[i].header->SignatureType,
+ print_hash_array (&sigtype,
list[i].mok, list[i].mok_size);
}
if (i < mok_num - 1)
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
remain = total;
for (unsigned int i = 0; i < mok_num; i++) {
remain -= list[i].header->SignatureListSize;
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
sig_list_size = list[i].header->SignatureListSize;
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
}
for (unsigned int i = 0; i < node_num; i++) {
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
/* Check if there is a signature list with the same type */
for (unsigned int i = 0; i < mok_num; i++) {
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
- &hash_type) == 0) {
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
merge_ind = i;
list_size -= sizeof(EFI_SIGNATURE_LIST);
break;
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
for (unsigned i = 0; i < mok_num; i++) {
off_t offset = 0;
ssize_t write_size;
+ efi_guid_t sigtype = list[i].header->SignatureType;
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
continue;
/* Dump X509 certificate to files */
--
1.8.3.1

33
0001-Show-usage-instead-of-aborting-on-bad-flags.patch Normal file
View File

@ -0,0 +1,33 @@
From 82694cb1ce3b29c3705c25ae4cea3d07fe57b558 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 May 2022 11:23:28 -0400
Subject: [PATCH 1/5] Show usage instead of aborting on bad flags
Aborting here just confuses users and is sufficiently unexpected to
cause the filing of bugs.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5d725c9..e8228af 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
goto out;
case 'h':
case '?':
+ default:
command |= HELP;
break;
- default:
- abort ();
}
}
--
2.33.0

28
0002-mokutil-bugfix-del-unused-opt-s.patch Normal file
View File

@ -0,0 +1,28 @@
From 04791c29e198b18808bca519267e31c8d3786a08 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong2@huawei.com>
Date: Mon, 30 May 2022 17:54:47 +0800
Subject: [PATCH 2/5] mokutil bugfix: del unused opt "-s"
The -s option can cause unexcepted result.
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e8228af..6982ade 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
};
int option_index = 0;
- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
+ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
long_options, &option_index);
if (c == -1)
--
2.33.0

30
0003-Fix-leak-of-list-in-delete_data_from_req_var.patch Normal file
View File

@ -0,0 +1,30 @@
From d978c18f61b877afaab45a82d260b525423b8248 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 12:56:31 -0400
Subject: [PATCH 3/5] Fix leak of list in delete_data_from_req_var()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util.c b/src/util.c
index 621869f..6cd0302 100644
--- a/src/util.c
+++ b/src/util.c
@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
}
/* the key or hash is not in this list */
- if (start == NULL)
- return 0;
+ if (start == NULL) {
+ ret = 0;
+ goto done;
+ }
/* all keys are removed */
if (total == 0) {
--
2.33.0

72
0004-Fix-leak-of-fd-in-mok_get_variable.patch Normal file
View File

@ -0,0 +1,72 @@
From e498f6460ff5aea6a7cd61a33087d03e88a2f52a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 13:00:22 -0400
Subject: [PATCH 4/5] Fix leak of fd in mok_get_variable()
On success, it was never closed. Refactor the code to use a single
egress path so its closure is clear.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/util.c b/src/util.c
index 6cd0302..f7fc033 100644
--- a/src/util.c
+++ b/src/util.c
@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
return fd;
rc = fstat(fd, &sb);
- if (rc < 0) {
-err_close:
- close(fd);
- return rc;
- }
+ if (rc < 0)
+ goto done;
if (sb.st_size == 0) {
errno = ENOENT;
rc = -1;
- goto err_close;
+ goto done;
}
bufsz = sb.st_size;
buf = calloc(1, bufsz);
- if (!buf)
- goto err_close;
+ if (!buf) {
+ rc = -1;
+ goto done;
+ }
while (pos < bufsz) {
ssz = read(fd, &buf[pos], bufsz - pos);
@@ -82,15 +81,18 @@ err_close:
errno == EINTR)
continue;
free(buf);
- goto err_close;
+ rc = -1;
+ goto done;
}
pos += ssz;
}
*datap = buf;
*data_sizep = pos;
-
- return 0;
+ rc = 0;
+done:
+ close(fd);
+ return rc;
}
MokListNode*
--
2.33.0

12
mokutil.spec
View File

@ -1,6 +1,6 @@
Name: mokutil
Version: 0.4.0
Release: 3
Version: 0.6.0
Release: 1
Epoch: 1
Summary: Tools for manipulating machine owner keys
License: GPLv3+
@ -11,7 +11,10 @@ BuildRequires:gcc autoconf automake gnu-efi openssl-devel openssl efivar-devel >
Conflicts: shim < 0.8-1
Obsoletes: mokutil < 0.2.0
Patch0000: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0000: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
Patch0001: 0002-mokutil-bugfix-del-unused-opt-s.patch
Patch0002: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
Patch0003: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
%description
The utility to manipulate machines owner keys which managed in shim.
@ -59,6 +62,9 @@ make check
%{_mandir}/man1/*
%changelog
* Tue Aug 2 2022 gaoyusong <gaoyusong2@huawei.com> - 1:0.6.0-1
- DESC: Update to 0.6.0 with latest bug fix
* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 0.4.0-3
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git
git