!17 anchor: Exit with non-zero code, if any error occurs

From: @panxh_purple Reviewed-by: @overweight Signed-off-by: @overweight
2021-09-21 07:09:07 +00:00 · 2021-09-21 07:09:07 +00:00 · bfeea168ae
commit bfeea168ae
parent df0f0a022f fd389dc13b
2 changed files with 131 additions and 2 deletions
--- a/backport-anchor-Exit-with-non-zero-code-if-any-error-occurs.patch
+++ b/backport-anchor-Exit-with-non-zero-code-if-any-error-occurs.patch
@ -0,0 +1,125 @@
+From 7f5ef7c04a24ede94a31a7e7820d9d03b9522bd5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jun 2020 08:31:42 +0200
+Subject: [PATCH] anchor: Exit with non-zero code, if any error occurs
+
+Suggested by Nikos Mavrogiannopoulos in:
+https://github.com/p11-glue/p11-kit/issues/300
+---
+ trust/anchor.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/trust/anchor.c b/trust/anchor.c
+index a232ead..2f0aba6 100644
+--- a/trust/anchor.c
+++ b/trust/anchor.c
+@@ -458,8 +458,9 @@ find_anchor (CK_FUNCTION_LIST *module,
+ 
+ static int
+ anchor_store (int argc,
+-              char *argv[],
+-              bool *changed)
+	      char *argv[],
+	      bool *changed,
+	      unsigned int *errors)
+ {
+ 	CK_ATTRIBUTE *attrs;
+ 	CK_FUNCTION_LIST *module = NULL;
+@@ -509,6 +510,9 @@ anchor_store (int argc,
+ 		}
+ 	}
+ 
+	if (ret != 0)
+		*errors = 1;
+
+ 	p11_array_free (anchors);
+ 	p11_kit_module_finalize (module);
+ 	p11_kit_module_release (module);
+@@ -537,7 +541,8 @@ description_for_object_at_iter (p11_kit_iter *iter)
+ 
+ static bool
+ remove_all (p11_kit_iter *iter,
+-            bool *changed)
+	    bool *changed,
+	    unsigned int *errors)
+ {
+ 	const char *desc;
+ 	CK_RV rv;
+@@ -549,28 +554,28 @@ remove_all (p11_kit_iter *iter,
+ 		switch (rv) {
+ 		case CKR_OK:
+ 			*changed = true;
+-			/* fall through */
+-		case CKR_OBJECT_HANDLE_INVALID:
+ 			continue;
+ 		case CKR_TOKEN_WRITE_PROTECTED:
+ 		case CKR_SESSION_READ_ONLY:
+ 		case CKR_ATTRIBUTE_READ_ONLY:
+ 			p11_message ("couldn't remove read-only %s", desc);
+-			continue;
+			break;
+ 		default:
+ 			p11_message ("couldn't remove %s: %s", desc,
+ 			             p11_kit_strerror (rv));
+ 			break;
+ 		}
+		(*errors)++;
+ 	}
+ 
+-	return (rv == CKR_CANCEL);
+	return (rv == CKR_CANCEL) && *errors == 0;
+ }
+ 
+ static int
+ anchor_remove (int argc,
+                char *argv[],
+-               bool *changed)
+               bool *changed,
+	       unsigned int *errors)
+ {
+ 	CK_FUNCTION_LIST **modules;
+ 	p11_array *iters;
+@@ -595,7 +600,7 @@ anchor_remove (int argc,
+ 		iter = iters->elem[i];
+ 
+ 		p11_kit_iter_begin (iter, modules);
+-		if (!remove_all (iter, changed))
+		if (!remove_all (iter, changed, errors))
+ 			ret = 1;
+ 	}
+ 
+@@ -610,6 +615,7 @@ p11_trust_anchor (int argc,
+                   char **argv)
+ {
+ 	bool changed = false;
+	unsigned int errors = 0;
+ 	int action = 0;
+ 	int opt;
+ 	int ret = 0;
+@@ -674,14 +680,21 @@ p11_trust_anchor (int argc,
+ 
+ 	/* Store is different, and only accepts files */
+ 	if (action == opt_store)
+-		ret = anchor_store (argc, argv, &changed);
+		ret = anchor_store (argc, argv, &changed, &errors);
+ 
+ 	else if (action == opt_remove)
+-		ret = anchor_remove (argc, argv, &changed);
+		ret = anchor_remove (argc, argv, &changed, &errors);
+ 
+ 	else
+ 		assert_not_reached ();
+ 
+	if (errors > 0) {
+		if (errors == 1)
+			p11_message ("%u error while processing", errors);
+		else
+			p11_message ("%u errors while processing", errors);
+	}
+
+ 	/* Extract the compat bundles after modification */
+ 	if (ret == 0 && changed) {
+ 		char *args[] = { argv[0], NULL };
+-- 
+1.8.3.1
+
--- a/p11-kit.spec
+++ b/p11-kit.spec
@ -1,6 +1,6 @@
 Name:           p11-kit
 Version:	0.23.20
-Release:	2
+Release:	3
 Summary:        Provides a way to load and enumerate PKCS#11 modules.
 License:        BSD
 URL:            http://p11-glue.freedesktop.org/p11-kit.html
@ -12,7 +12,8 @@ Patch0:         backport-CVE-2020-29363-Check-attribute-length-against-buffer-si
 Patch1:         backport-CVE-2020-29362-Fix-bounds-check-in-p11_rpc_buffer_get_byte_array.patch
 Patch2:         backport-proxy-Fix-slot-ID-reuse-avoiding-duplicating-IDs.patch
 Patch3:         backport-0001-CVE-2020-29361-Check-for-arithmetic-overflows-before-allocating.patch
-Patch4:         backport-0002-CVE-2020-29361-Follow-up-to-arithmetic-overflow-fix.patch 
+Patch4:         backport-0002-CVE-2020-29361-Follow-up-to-arithmetic-overflow-fix.patch
+Patch5:         backport-anchor-Exit-with-non-zero-code-if-any-error-occurs.patch

 BuildRequires:  gcc libtasn1-devel >= 2.3 libffi-devel gtk-doc systemd-devel pkgconfig(glib-2.0) libxslt
 BuildRequires:  bash-completion
@ -128,6 +129,9 @@ fi
 %{_datadir}/bash-completion/completions/trust

 %changelog
+* Sat Sep 18 2021 panxiaohe <panxiaohe@huawei.com> - 0.23.20-3
+- anchor: Exit with non-zero code, if any error occurs 
+
 * Sat Jan 9 2021 zoulin <zoulin13@huawei.com> - 0.23.20-2
 - fix CVE-2020-29361 CVE-2020-29362 CVE-2020-29363