-
-
Notifications
You must be signed in to change notification settings - Fork 14.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
45 additions
and
0 deletions.
There are no files selected for viewing
44 changes: 44 additions & 0 deletions
44
pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| From 236e9281cb158be3191c500524fbc5f397a25e03 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Cao <nickcao@nichi.co> | ||
| Date: Sun, 15 Jan 2023 20:15:55 +0800 | ||
| Subject: [PATCH] tpm2_context_init: fix driver name checking | ||
|
|
||
| https://github.com/systemd/systemd/commit/542dbc623e introduced | ||
| additional checks for tpm2 driver names, namely ensuring the driver | ||
| name, when concated with "libtss2-tcti-" and ".so.0", generates a valid | ||
| filename (with no '/' inside). | ||
|
|
||
| For example, if the driver is name "device", the line | ||
| fn = strjoina("libtss2-tcti-", driver, ".so.0") | ||
| would yield "libtss2-tcti-device.so.0", passing the check. And the | ||
| filename is then passed to dlopen for loading the driver. | ||
|
|
||
| Our current approach for systemd to correctly locate these dynamically | ||
| loaded libraries is to patch the filenames to include their absolute | ||
| path. Thus the line mentioned above is patched into | ||
| fn = strjoina("/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-", driver, ".so.0") | ||
| yielding "/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-device.so.0", | ||
| tripping the check. | ||
|
|
||
| This patch relaxes the check to also accept absolute paths, by replacing | ||
| filename_is_valid with path_is_valid. | ||
| --- | ||
| src/shared/tpm2-util.c | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c | ||
| index ba8dfb041d..7de5d5fc77 100644 | ||
| --- a/src/shared/tpm2-util.c | ||
| +++ b/src/shared/tpm2-util.c | ||
| @@ -192,7 +192,7 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { | ||
| fn = strjoina("libtss2-tcti-", driver, ".so.0"); | ||
|
|
||
| /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */ | ||
| - if (!filename_is_valid(fn)) | ||
| + if (!path_is_valid(fn)) | ||
| return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); | ||
|
|
||
| dl = dlopen(fn, RTLD_NOW); | ||
| -- | ||
| 2.39.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters