kinit: Increase environment size limit

start_kdeinit reads its environment over a pipe from start_kdeinit_wrapper. For security, each environment entry must be smaller than 4kb by default. Qt-based applications in Nixpkgs may have larger environments, and the recent upgrade to Plasma 5.17 pushed start_kdeinit_wrapper over the limit. The limit is now extended to 16kb. This problem was not detected during testing because the failure is silent: start_kdeinit will continue with an empty environment. In other circumstances, this strategy might work, but it does not work on NixOS. This failure is now treated as a fatal error. Fixes: #79707 (cherry picked from commit c758609)
NixOS · Feb 18, 2020 · 06c59c1 · 06c59c1
1 parent 81bddc6
commit 06c59c1
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 25 deletions.
diff --git a/.../kde-frameworks/kinit/kinit-libpath.patch → ...frameworks/kinit/0001-kinit-libpath.patch b/.../kde-frameworks/kinit/kinit-libpath.patch → ...frameworks/kinit/0001-kinit-libpath.patch
@@ -1,8 +1,17 @@
-Index: kinit-5.32.0/src/kdeinit/kinit.cpp
-===================================================================
---- kinit-5.32.0.orig/src/kdeinit/kinit.cpp
-+++ kinit-5.32.0/src/kdeinit/kinit.cpp
-@@ -623,19 +623,15 @@ static pid_t launch(int argc, const char
+From 715c5f461b4992dac066601202a673bc551a5e33 Mon Sep 17 00:00:00 2001
+From: Thomas Tuegel <ttuegel@mailbox.org>
+Date: Sun, 16 Feb 2020 14:23:31 -0600
+Subject: [PATCH 1/4] kinit-libpath
+
+---
+ src/kdeinit/kinit.cpp | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/src/kdeinit/kinit.cpp b/src/kdeinit/kinit.cpp
+index 8fff17a..0801b75 100644
+--- a/src/kdeinit/kinit.cpp
++++ b/src/kdeinit/kinit.cpp
+@@ -622,19 +622,15 @@ static pid_t launch(int argc, const char *_name, const char *args,
 
          if (!libpath.isEmpty()) {
              if (libpath_relative) {
@@ -31,3 +40,6 @@ Index: kinit-5.32.0/src/kdeinit/kinit.cpp
                  }
              } else {
                  l.load();
+-- 
+2.23.1
+
diff --git a/pkgs/development/libraries/kde-frameworks/kinit/0002-start_kdeinit-path.patch b/pkgs/development/libraries/kde-frameworks/kinit/0002-start_kdeinit-path.patch
@@ -0,0 +1,25 @@
+From 129cd0ae1e983adc10dbe84e87bcc6f31cb13db8 Mon Sep 17 00:00:00 2001
+From: Thomas Tuegel <ttuegel@mailbox.org>
+Date: Sun, 16 Feb 2020 14:23:44 -0600
+Subject: [PATCH 2/4] start_kdeinit-path
+
+---
+ src/start_kdeinit/start_kdeinit_wrapper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/start_kdeinit/start_kdeinit_wrapper.c b/src/start_kdeinit/start_kdeinit_wrapper.c
+index 891f50c..ef664ad 100644
+--- a/src/start_kdeinit/start_kdeinit_wrapper.c
++++ b/src/start_kdeinit/start_kdeinit_wrapper.c
+@@ -23,7 +23,7 @@
+ #include <string.h>
+ #include <unistd.h>
+
+-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
++#define EXECUTE "/run/wrappers/bin/start_kdeinit"
+
+ #if KDEINIT_OOM_PROTECT
+
+-- 
+2.23.1
+
diff --git a/...frameworks/kinit/kdeinit-extra_libs.patch → ...works/kinit/0003-kdeinit-extra-libs.patch b/...frameworks/kinit/kdeinit-extra_libs.patch → ...works/kinit/0003-kdeinit-extra-libs.patch
@@ -1,7 +1,16 @@
-Index: kinit-5.32.0/src/kdeinit/kinit.cpp
-===================================================================
---- kinit-5.32.0.orig/src/kdeinit/kinit.cpp
-+++ kinit-5.32.0/src/kdeinit/kinit.cpp
+From 4f5d0de7e35744cdbfa9e280ee7e15a54cf21abb Mon Sep 17 00:00:00 2001
+From: Thomas Tuegel <ttuegel@mailbox.org>
+Date: Sun, 16 Feb 2020 14:24:07 -0600
+Subject: [PATCH 3/4] kdeinit-extra-libs
+
+---
+ src/kdeinit/kinit.cpp | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/src/kdeinit/kinit.cpp b/src/kdeinit/kinit.cpp
+index 0801b75..622dd5f 100644
+--- a/src/kdeinit/kinit.cpp
++++ b/src/kdeinit/kinit.cpp
 @@ -96,9 +96,9 @@ static const char *extra_libs[] = {
      "libKF5Parts.5.dylib",
      "libKF5Plasma.5.dylib"
@@ -15,7 +24,7 @@ Index: kinit-5.32.0/src/kdeinit/kinit.cpp
  #endif
  };
  #endif
-@@ -1533,20 +1531,6 @@ static int initXconnection()
+@@ -1524,20 +1524,6 @@ static int initXconnection()
  }
  #endif
 
@@ -36,7 +45,8 @@ Index: kinit-5.32.0/src/kdeinit/kinit.cpp
  extern "C" {
 
      static void secondary_child_handler(int)
-@@ -1692,7 +1676,7 @@ int main(int argc, char **argv)
+@@ -1679,7 +1665,7 @@ int main(int argc, char **argv)
+ #if defined(Q_OS_UNIX) && !defined(Q_OS_OSX)
      if (!d.suicide && qEnvironmentVariableIsEmpty("KDE_IS_PRELINKED")) {
          const int extrasCount = sizeof(extra_libs) / sizeof(extra_libs[0]);
          for (int i = 0; i < extrasCount; i++) {
@@ -45,3 +55,6 @@ Index: kinit-5.32.0/src/kdeinit/kinit.cpp
              if (!extra.isEmpty()) {
                  QLibrary l(extra);
                  l.setLoadHints(QLibrary::ExportExternalSymbolsHint);
+-- 
+2.23.1
+
diff --git a/pkgs/development/libraries/kde-frameworks/kinit/0004-start_kdeinit-environ-hard-limit.patch b/pkgs/development/libraries/kde-frameworks/kinit/0004-start_kdeinit-environ-hard-limit.patch
@@ -0,0 +1,29 @@
+From 41e94983dcfbc1667f1b18c5b566aa5c5975edcb Mon Sep 17 00:00:00 2001
+From: Thomas Tuegel <ttuegel@mailbox.org>
+Date: Mon, 17 Feb 2020 04:45:03 -0600
+Subject: [PATCH 4/4] start_kdeinit-environ-hard-limit
+
+---
+ src/start_kdeinit/start_kdeinit.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c
+index f2db3e9..4ff2602 100644
+--- a/src/start_kdeinit/start_kdeinit.c
++++ b/src/start_kdeinit/start_kdeinit.c
+@@ -148,7 +148,11 @@ int main(int argc, char **argv)
+                         ++i) {
+                     unsigned len;
+                     if (read(0, &len, sizeof(unsigned)) == sizeof(unsigned)
+-                            && len && len < (1 << 12)) {
++                            && len) {
++                        if (len >= (1 << 14)) {
++                            fprintf(stderr, "%s: exceeded environment length limit", argv[0]);
++                            return 1;
++                        }
+                         env[ i ] = malloc(len + 1);
+                         if ((unsigned) read(0, env[ i ], len) == len) {
+                             env[ i ][ len ] = '\0';
+-- 
+2.23.1
+
diff --git a/pkgs/development/libraries/kde-frameworks/kinit/default.nix b/pkgs/development/libraries/kde-frameworks/kinit/default.nix
@@ -14,7 +14,12 @@ mkDerivation {
   buildInputs = [
     kconfig kcrash ki18n kio kservice kwindowsystem
   ];
-  patches = copyPathsToStore (lib.readPathsFromFile ./. ./series);
+  patches = [
+    ./0001-kinit-libpath.patch
+    ./0002-start_kdeinit-path.patch
+    ./0003-kdeinit-extra-libs.patch
+    ./0004-start_kdeinit-environ-hard-limit.patch
+  ];
   CXXFLAGS = [
     ''-DNIXPKGS_KF5_KIOCORE=\"${getLib kio}/lib/libKF5KIOCore.so.5\"''
     ''-DNIXPKGS_KF5_PARTS=\"${getLib kparts}/lib/libKF5Parts.so.5\"''

diff --git a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch