Compare commits


No commits in common. "2e845d6c176ba756d133612ea921a595232179e9" and "b051964f1a43e4b4df942beb75c1e4fe1f3350f2" have entirely different histories.

10 changed files with 122 additions and 214 deletions

0.4.0.tar.gz Normal file

Binary file not shown.

Binary file not shown.


@ -0,0 +1,117 @@
From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH] Avoid taking pointer to packed struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:
error: taking address of packed member of struct <anonymous> may result in an unaligned pointer value [-Werror=address-of-packed-member]
---
src/mokutil.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e2d567d..8892613 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
+ efi_guid_t sigtype = CertList->SignatureType;
+
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
continue;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (CertList->SignatureSize != signature_size (&sigtype))) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
list[count].header = CertList;
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
/* X509 certificate */
list[count].mok_size = CertList->SignatureSize -
sizeof(efi_guid_t);
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
for (unsigned int i = 0; i < mok_num; i++) {
printf ("[key %d]\n", i+1);
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
print_x509 ((char *)list[i].mok, list[i].mok_size);
} else {
- print_hash_array (&list[i].header->SignatureType,
+ print_hash_array (&sigtype,
list[i].mok, list[i].mok_size);
}
if (i < mok_num - 1)
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
remain = total;
for (unsigned int i = 0; i < mok_num; i++) {
remain -= list[i].header->SignatureListSize;
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
sig_list_size = list[i].header->SignatureListSize;
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
}
for (unsigned int i = 0; i < node_num; i++) {
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
/* Check if there is a signature list with the same type */
for (unsigned int i = 0; i < mok_num; i++) {
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
- &hash_type) == 0) {
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
merge_ind = i;
list_size -= sizeof(EFI_SIGNATURE_LIST);
break;
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
for (unsigned i = 0; i < mok_num; i++) {
off_t offset = 0;
ssize_t write_size;
+ efi_guid_t sigtype = list[i].header->SignatureType;
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
continue;
/* Dump X509 certificate to files */
--
1.8.3.1
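Review bot: In the second build_mok_list hunk the X509 branch still computes `list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);` with no lower bound on SignatureSize visible in these hunks, and the size comparison in the first hunk is skipped for X509 lists. A malformed signature list with a SignatureSize below the GUID size would presumably wrap mok_size, which list_keys then passes to print_x509 as a length. If the part of the function outside the hunks does not already check this, add `if (CertList->SignatureSize <= sizeof(efi_guid_t))` before the assignment and reject the list; the leading `return NULL;` suggests an existing error exit, but its condition is outside the hunk. Separately, the six `efi_guid_t sigtype = ...->SignatureType;` copies deserve a one-line comment such as `/* copy: SignatureType is a packed member, its address may be unaligned */` so that nobody later folds them back into `&...->SignatureType`.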


@ -1,33 +0,0 @@
From 82694cb1ce3b29c3705c25ae4cea3d07fe57b558 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 May 2022 11:23:28 -0400
Subject: [PATCH 1/5] Show usage instead of aborting on bad flags
Aborting here just confuses users and is sufficiently unexpected to
cause the filing of bugs.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5d725c9..e8228af 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
goto out;
case 'h':
case '?':
+ default:
command |= HELP;
break;
- default:
- abort ();
}
}
--
2.33.0


@ -1,28 +0,0 @@
From 04791c29e198b18808bca519267e31c8d3786a08 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong2@huawei.com>
Date: Mon, 30 May 2022 17:54:47 +0800
Subject: [PATCH 2/5] mokutil bugfix: del unused opt "-s"
The -s option can cause unexcepted result.
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e8228af..6982ade 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
};
int option_index = 0;
- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
+ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
long_options, &option_index);
if (c == -1)
--
2.33.0


@ -1,30 +0,0 @@
From d978c18f61b877afaab45a82d260b525423b8248 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 12:56:31 -0400
Subject: [PATCH 3/5] Fix leak of list in delete_data_from_req_var()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util.c b/src/util.c
index 621869f..6cd0302 100644
--- a/src/util.c
+++ b/src/util.c
@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
}
/* the key or hash is not in this list */
- if (start == NULL)
- return 0;
+ if (start == NULL) {
+ ret = 0;
+ goto done;
+ }
/* all keys are removed */
if (total == 0) {
--
2.33.0


@ -1,72 +0,0 @@
From e498f6460ff5aea6a7cd61a33087d03e88a2f52a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 13:00:22 -0400
Subject: [PATCH 4/5] Fix leak of fd in mok_get_variable()
On success, it was never closed. Refactor the code to use a single
egress path so its closure is clear.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/util.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/util.c b/src/util.c
index 6cd0302..f7fc033 100644
--- a/src/util.c
+++ b/src/util.c
@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
return fd;
rc = fstat(fd, &sb);
- if (rc < 0) {
-err_close:
- close(fd);
- return rc;
- }
+ if (rc < 0)
+ goto done;
if (sb.st_size == 0) {
errno = ENOENT;
rc = -1;
- goto err_close;
+ goto done;
}
bufsz = sb.st_size;
buf = calloc(1, bufsz);
- if (!buf)
- goto err_close;
+ if (!buf) {
+ rc = -1;
+ goto done;
+ }
while (pos < bufsz) {
ssz = read(fd, &buf[pos], bufsz - pos);
@@ -82,15 +81,18 @@ err_close:
errno == EINTR)
continue;
free(buf);
- goto err_close;
+ rc = -1;
+ goto done;
}
pos += ssz;
}
*datap = buf;
*data_sizep = pos;
-
- return 0;
+ rc = 0;
+done:
+ close(fd);
+ return rc;
}
MokListNode*
--
2.33.0


@ -1,25 +0,0 @@
From 71140ef59ac8f7bbe445fca2ba90a6833d3cb8c6 Mon Sep 17 00:00:00 2001
From: gaoyusong <a869920004@163.com>
Date: Thu, 22 Sep 2022 16:43:39 +0800
Subject: [PATCH] mokutil: Fix memory leak in export_db_keys
Signed-off-by: gaoyusong <a869920004@163.com>
---
src/mokutil.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index d445311..9e947d5 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1233,6 +1233,7 @@ export_db_keys (const DBName db_name)
list = build_mok_list (data, data_size, &mok_num);
if (list == NULL) {
+ free(data);
return -1;
}
--
2.33.0


@ -1,21 +1,17 @@
Name: mokutil
Version: 0.6.0
Release: 3
Version: 0.4.0
Release: 2
Epoch: 1
Summary: Tools for manipulating machine owner keys
License: GPLv3+
URL: https://github.com/lcp/mokutil
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
BuildRequires:gcc autoconf automake gnu-efi openssl-devel openssl keyutils-libs-devel efivar-devel >= 31-1 git
BuildRequires:gcc autoconf automake gnu-efi git openssl-devel openssl efivar-devel >= 31-1 git
Conflicts: shim < 0.8-1
Obsoletes: mokutil < 0.2.0
Patch0000: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
Patch0001: 0002-mokutil-bugfix-del-unused-opt-s.patch
Patch0002: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
Patch0003: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
Patch0004: 0005-mokutil-Fix-memory-leak-in-export_db_keys.patch
Patch0000: 0001-Avoid-taking-pointer-to-packed-struct.patch
%description
The utility to manipulate machines owner keys which managed in shim.
@ -29,7 +25,7 @@ Requires: man info
Man page and other related documents for %{name}.
%prep
%autosetup -n %{name}-%{version} -p1
%autosetup -n %{name}-%{version} -p1 -Sgit
%build
./autogen.sh
@ -63,19 +59,6 @@ make check
%{_mandir}/man1/*
%changelog
* Thu Jun 06 2024 fuanan <fuanan3@h-partners.com> - 1:0.6.0-3
- DESC: mokutil: Fix memory leak in export_db_keys
* Sat Feb 4 2023 gaoyusong <gaoyusong2@huawei.com> - 1:0.6.0-2
- DESC: Fix build error
* Tue Aug 2 2022 gaoyusong <gaoyusong2@huawei.com> - 1:0.6.0-1
- DESC: Update to 0.6.0 with latest bug fix
* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 0.4.0-3
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git
git
* Mon Jun 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:0.4.0-2
- fix build err of -Waddress-of-packed-member for gcc update to 9.3.1


@ -1,4 +0,0 @@
version_control: github
src_repo: lcp/mokutil
tag_prefix: ^
seperator: .