On Wed, Sep 15, 2021 at 5:43 AM Ranjitsinh Rathod <
ranjitsinh.rat...@kpit.com> wrote:

> Hi Steve,
>
> If you wanted to take changes only for the 
> 0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> then you can cherry-pick it from master as I have submitted it for master
> and it is available on master branch now. Below is the link.
> poky - Poky Build Tool and Metadata (yoctoproject.org)
> <https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=9886ef691aa117d67e4342c6a5e3f79f6a05f8d5>
>
> Do you still want me to send v2 patch here?
>

No need, I'll cherry-pick the patch from master.

Thanks!

Steve


>
> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader |  | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> *__________________________________________ *KPIT <http://www.kpit.com/> |
>  Follow us on LinkedIn <http://www.kpit.com/linkedin>
>
> <https://www.kpit.com/TheNewBrand>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of Alexander Kanavin
> via lists.openembedded.org <alex.kanavin=gmail....@lists.openembedded.org>
> *Sent:* Wednesday, September 15, 2021 8:36 PM
> *To:* Steve Sakoman <st...@sakoman.com>
> *Cc:* Ranjitsinh Rathod <ranjitsinhrathod1...@gmail.com>; Patches and
> discussions about the oe-core layer <
> openembedded-core@lists.openembedded.org>; Ranjitsinh Rathod <
> ranjitsinh.rat...@kpit.com>
> *Subject:* Re: [OE-core] [meta][dunfell][PATCH] rpm: Handle proper return
> value to avoid major issues and removing unnecessary code
>
> Caution: This email originated from outside of the KPIT. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe.
> At this point I have to note that I am removing the patch altogether with
> the upcoming upgrade of rpm to 4.17, as I'm also switching the compression
> format to zstd, and the patch is generally difficult to maintain and
> rebase. If you care about xz compression, please do work with upstream to
> get it merged there.
>
> Alex
>
> On Wed, 15 Sept 2021 at 16:59, Steve Sakoman <st...@sakoman.com> wrote:
>
> On Wed, Sep 8, 2021 at 4:02 AM Ranjitsinh Rathod
> <ranjitsinhrathod1...@gmail.com> wrote:
> >
> > From: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> >
> > Change in 2 patch as below to avoid critical issues
> > 1) 0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> > Handled return values of getrlimit() and lzma_cputhreads() functions
> > to avoid unexpected behaviours like devide by zero and potential read
> > of uninitialized variable 'virtual_memory'
> > Upstream-Status: Pending [merge of multithreading patches to upstream]
>
> This does look like a good fix.  Are these changes to the patch from
> upstream?
>
> Once upstream has accepted the change we should change the status from
> "pending", but for now this is ok.
>
> > 2) CVE-2021-3421.patch
> > Removed RPMSIGTAG_FILESIGNATURES and RPMSIGTAG_FILESIGNATURELENGTH as
> > it is not needed during backporting of original patch.
> > Upstream-Status: Backport [
> https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Frpm%2Fcommit%2Fd6a86b5e69e46cc283b1e06c92343319beb42e21&data=04%7C01%7Cranjitsinh.rathod%40kpit.com%7Cdfd54731b1a240ea64ed08d9785a7618%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637673152237746428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BFoFI3j9RjhqXQi1tSqfoVoS2strOChMcswosTH59Fs%3D&reserved=0>
> ]
>
> Removing these unused definitions doesn't really seem like a critical
> issue. I'd prefer to leave the CVE patch in its original form.
>
> Could you submit a V2 with this change?
>
> Thanks!
>
> Steve
>
> > Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> > ---
> >  ...rict-virtual-memory-usage-if-limit-s.patch | 25 ++++++++-------
> >  .../rpm/files/CVE-2021-3421.patch             | 32 +++----------------
> >  2 files changed, 19 insertions(+), 38 deletions(-)
> >
> > diff --git
> a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> > index 6454785254..dc3f74fecd 100644
> > ---
> a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> > +++
> b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
> > @@ -11,36 +11,39 @@ CPU thread.
> >  Upstream-Status: Pending [merge of multithreading patches to upstream]
> >
> >  Signed-off-by: Peter Bergin <pe...@berginkonsult.se>
> > +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> >  ---
> > - rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++
> > - 1 file changed, 34 insertions(+)
> > + rpmio/rpmio.c | 36 ++++++++++++++++++++++++++++++++++++
> > + 1 file changed, 36 insertions(+)
> >
> >  diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
> >  index e051c98..b3c56b6 100644
> >  --- a/rpmio/rpmio.c
> >  +++ b/rpmio/rpmio.c
> > -@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode,
> int fd, int xz)
> > +@@ -845,6 +845,42 @@ static LZFILE *lzopen_internal(const char *mode,
> int fd, int xz)
> >                 }
> >   #endif
> >
> > -+              struct rlimit virtual_memory;
> > -+              getrlimit(RLIMIT_AS, &virtual_memory);
> > -+              if (virtual_memory.rlim_cur != RLIM_INFINITY) {
> > ++              struct rlimit virtual_memory = {RLIM_INFINITY ,
> RLIM_INFINITY};
> > ++              int status = getrlimit(RLIMIT_AS, &virtual_memory);
> > ++              if ((status != -1) && (virtual_memory.rlim_cur !=
> RLIM_INFINITY)) {
> >  +                      const uint64_t virtual_memlimit =
> virtual_memory.rlim_cur;
> > ++                      uint32_t threads_max = lzma_cputhreads();
> >  +                      const uint64_t virtual_memlimit_per_cpu_thread =
> > -+                              virtual_memlimit / lzma_cputhreads();
> > -+                      uint64_t memory_usage_virt;
> > ++                              virtual_memlimit / ((threads_max == 0) ?
> 1 : threads_max);
> >  +                      rpmlog(RPMLOG_NOTICE, "XZ: virtual memory
> restricted to %lu and "
> >  +                             "per CPU thread %lu\n", virtual_memlimit,
> virtual_memlimit_per_cpu_thread);
> > ++                      uint64_t memory_usage_virt;
> >  +                      /* keep reducing the number of compression
> threads until memory
> >  +                         usage falls below the limit per CPU thread*/
> >  +                      while ((memory_usage_virt =
> lzma_stream_encoder_mt_memusage(&mt_options)) >
> >  +                             virtual_memlimit_per_cpu_thread) {
> > -+                              /* If number of threads goes down to
> zero lzma_stream_encoder will
> > -+                               * will return UINT64_MAX. We must check
> here to avoid an infinite loop.
> > ++                              /* If number of threads goes down to
> zero or in case of any other error
> > ++                               * lzma_stream_encoder_mt_memusage will
> return UINT64_MAX. We must check
> > ++                               * for both the cases here to avoid an
> infinite loop.
> >  +                               * If we get into situation that one
> thread requires more virtual memory
> >  +                               * than available we set one thread,
> print error message and try anyway. */
> > -+                              if (--mt_options.threads == 0) {
> > ++                              if ((--mt_options.threads == 0) ||
> (memory_usage_virt == UINT64_MAX)) {
> >  +                                      mt_options.threads = 1;
> >  +                                      rpmlog(RPMLOG_WARNING,
> >  +                                             "XZ: Could not adjust
> number of threads to get below "
> > diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
> b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
> > index b1a05b6863..d2ad5eabac 100644
> > --- a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
> > +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
> > @@ -22,16 +22,16 @@ Fixes: CVE-2021-3421, CVE-2021-20271
> >  Upstream-Status: Backport [
> https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Frpm%2Fcommit%2Fd6a86b5e69e46cc283b1e06c92343319beb42e21&data=04%7C01%7Cranjitsinh.rathod%40kpit.com%7Cdfd54731b1a240ea64ed08d9785a7618%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637673152237746428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BFoFI3j9RjhqXQi1tSqfoVoS2strOChMcswosTH59Fs%3D&reserved=0>
> ]
> >  CVE: CVE-2021-3421
> >  Signed-off-by: Minjae Kim <flower...@gmail.com>
> > +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> >  ---
> > - lib/package.c | 115 ++++++++++++++++++++++++--------------------------
> > - lib/rpmtag.h  |   4 ++
> > - 2 files changed, 58 insertions(+), 61 deletions(-)
> > + lib/package.c | 113 ++++++++++++++++++++++++--------------------------
> > + 1 file changed, 52 insertions(+), 61 deletions(-)
> >
> >  diff --git a/lib/package.c b/lib/package.c
> >  index 081123d84e..7c26ea323f 100644
> >  --- a/lib/package.c
> >  +++ b/lib/package.c
> > -@@ -20,76 +20,68 @@
> > +@@ -20,76 +20,67 @@
> >
> >   #include "debug.h"
> >
> > @@ -46,8 +46,6 @@ index 081123d84e..7c26ea323f 100644
> >  +    { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
> >  +    /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete,
> dont use */
> >  +    { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
> > -+    { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
> > -+    { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
> >  +    { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
> >  +    { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
> >  +    { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
> > @@ -61,6 +59,7 @@ index 081123d84e..7c26ea323f 100644
> >    * Translate and merge legacy signature tags into header.
> >    * @param h           header (dest)
> >    * @param sigh                signature header (src)
> > ++ * @return            failing tag number, 0 on success
> >    */
> >   static
> >  -void headerMergeLegacySigs(Header h, Header sigh)
> > @@ -170,27 +169,6 @@ index 081123d84e..7c26ea323f 100644
> >             applyRetrofits(h);
> >
> >             /* Bump reference count for return. */
> > -diff --git a/lib/rpmtag.h b/lib/rpmtag.h
> > -index 8c718b31b5..d562572c6f 100644
> > ---- a/lib/rpmtag.h
> > -+++ b/lib/rpmtag.h
> > -@@ -65,6 +65,8 @@ typedef enum rpmTag_e {
> > -     RPMTAG_LONGARCHIVESIZE    = RPMTAG_SIG_BASE+15,   /* l */
> > -     /* RPMTAG_SIG_BASE+16 reserved */
> > -     RPMTAG_SHA256HEADER               = RPMTAG_SIG_BASE+17,   /* s */
> > -+    /* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */
> > -+    /* RPMTAG_SIG_BASE+19 reserved for RPMSIGTAG_FILESIGNATURELENGTH */
> > -
> > -     RPMTAG_NAME               = 1000, /* s */
> > - #define       RPMTAG_N        RPMTAG_NAME     /* s */
> > -@@ -422,6 +424,8 @@ typedef enum rpmSigTag_e {
> > -     RPMSIGTAG_LONGSIZE        = RPMTAG_LONGSIGSIZE,   /*!< internal
> Header+Payload size (64bit) in bytes. */
> > -     RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< internal
> uncompressed payload size (64bit) in bytes. */
> > -     RPMSIGTAG_SHA256  = RPMTAG_SHA256HEADER,
> > -+    RPMSIGTAG_FILESIGNATURES            = RPMTAG_SIG_BASE + 18,
> > -+    RPMSIGTAG_FILESIGNATURELENGTH       = RPMTAG_SIG_BASE + 19,
> > - } rpmSigTag;
> > -
> >
> >  --
> >  2.17.1
> > --
> > 2.17.1
> >
> >
> >
> >
>
>
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#156069): 
https://lists.openembedded.org/g/openembedded-core/message/156069
Mute This Topic: https://lists.openembedded.org/mt/85459532/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to