Commit
Fix possible package corruption on --delsign/resign/addsign
Make sure we don't overrun the original signature header when
adjusting reserved size. Fixes a brainfart introduced in commit
be950ea: the count reservation
size is relative to the size of the new header, obviously.

Another crucial difference is that when considering whether we can
transplant the new signature header in the original's place we need
to consider the real on-disk signature, not the size of its
immutable region. The immutable region can be much much smaller than
the physical header if e.g. the IMA signatures are misplaced outside it,
making our calculations way off.

Fixes: #3469
pmatilai committed Nov 29, 2024
1 parent 16278c3 commit 6cc04a7
Showing 2 changed files with 4 additions and 4 deletions.
7 changes: 4 additions & 3 deletions sign/rpmgensig.cc
Expand Up @@ -698,8 +698,8 @@ static int rpmSign(const char *rpm, int deleting, int flags)
flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
}

unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);

if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
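
Review bot: The order of the statements around `origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);` is now the only thing that makes this size reflect the on-disk signature header rather than its immutable region, and nothing in the code says so. A short comment above the assignment stating that it must run before `unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);` would keep a later cleanup from moving it back and reintroducing the overrun.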
Expand Down Expand Up @@ -745,12 +745,13 @@ static int rpmSign(const char *rpm, int deleting, int flags)

/* Adjust reserved size for added/removed signatures */
if (headerGet(sigh, reserveTag, &utd, HEADERGET_MINMEM)) {
int diff = headerSizeof(sigh, HEADER_MAGIC_YES) - origSigSize;
unsigned newSize = headerSizeof(sigh, HEADER_MAGIC_YES);
int diff = newSize - origSigSize;

/* diff can be zero if nothing was added or removed */
if (diff) {
utd.count -= diff;
if (utd.count > 0 && utd.count < origSigSize) {
if (utd.count > 0 && newSize + utd.count <= origSigSize) {
uint8_t *zeros = (uint8_t *)xcalloc(utd.count, sizeof(*zeros));
utd.data = zeros;
headerMod(sigh, &utd);
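
Review bot: In the reserved-size adjustment, `newSize` is `unsigned` while `diff` is `int`, and the types of `utd.count` and `origSigSize` are not visible in this hunk. If `utd.count` is unsigned, `utd.count -= diff;` wraps when `diff` is larger than the current reservation, `utd.count > 0` still holds, and `newSize + utd.count` can wrap as well and pass the `<= origSigSize` test, which would hand a very large count to `xcalloc`. Consider checking that `diff` does not exceed `utd.count` before subtracting, or doing the comparison in a wider signed type.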
1 change: 0 additions & 1 deletion tests/rpmsigdig.at
Expand Up @@ -1847,7 +1847,6 @@ RPMTEST_CLEANUP

AT_SETUP([--delsign with misplaced ima signature])
AT_KEYWORDS([rpmsign file signature])
AT_XFAIL_IF([test $RPM_XFAIL -ne 0])
RPMTEST_CHECK([
cp /data/RPMS/hello-2.0-1.x86_64-badima.rpm .
rpmsign --delsign hello-2.0-1.x86_64-badima.rpm
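
Review bot: Dropping `AT_XFAIL_IF([test $RPM_XFAIL -ne 0])` enables only the `--delsign with misplaced ima signature` case, while the commit title also names resign and addsign, and tests/rpmsigdig.at gains no new lines in this commit. Consider adding matching cases that run `--addsign` and `--resign` on hello-2.0-1.x86_64-badima.rpm so those operations are covered against the same misplaced-signature input.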