From: Arnaud Patard Date: Mon, 8 Jul 2024 13:39:14 +0000 (+0200) Subject: src/pcrlock/pcrlock.c: Handle empty pcrlock.d directories X-Git-Tag: v257-rc1~731 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7a93e75219b22424bab95fe45982f5eef21d581;p=thirdparty%2Fsystemd.git src/pcrlock/pcrlock.c: Handle empty pcrlock.d directories Running the following commands: # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d # /usr/lib/systemd/systemd-pcrlock predict --pcr=1+2+3+4+5+16 Will result in: ... Floating point exception Running the following commands: # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d # /usr/lib/systemd/systemd-pcrlock make-policy --pcr=1+2+3+4+5+16 Will result to this (partial) log: ... Predicted future PCRs in 133us. [] ... Written policy digest 0000000000000000000000000000000000000000000000000000000000000000 to NV index 0x1921da6 ... So, add missing checks to handle gracefully cases where there's no variant inside the component. Signed-off-by: Arnaud Patard
---
diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 113736b3274..8acddf8a06c 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -1927,6 +1927,9 @@ static int event_log_map_components(EventLog *el) { continue; } + if (c->n_variants == 0) + log_notice("Component '%s' has no defined variants.", c->id); + FOREACH_ARRAY(ii, c->variants, c->n_variants) { EventLogComponentVariant *i = *ii;
@@ -4053,6 +4056,15 @@ static int event_log_predict_pcrs( component = ASSERT_PTR(el->components[component_index]); + if (component->n_variants == 0) + return event_log_predict_pcrs( + el, + context, + parent_result, + component_index + 1, /* Next component */ + pcr, + path); + FOREACH_ARRAY(ii, component->variants, component->n_variants) { _cleanup_free_ Tpm2PCRPredictionResult *result = NULL; EventLogComponentVariant *variant = *ii;
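Review bot: The notice added before the variant loop in event_log_map_components() names the component but not the consequence, so an operator reading the log cannot tell that the component is left out of the prediction (the skip itself is in event_log_predict_pcrs()). Since the commit message shows the predicted PCR set ending up in the policy digest written to the TPM NV index, I would state the effect explicitly, e.g. `log_notice("Component '%s' has no defined variants, ignoring it.", c->id);`. Whether notice rather than warning is the right level depends on whether an empty `.pcrlock.d` directory is ever expected in normal operation, which is not visible here. The function's body starts and ends outside the hunk.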
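Review bot: The early return added after `ASSERT_PTR(el->components[component_index])` in event_log_predict_pcrs() carries no comment, and the reason for recursing into the next component instead of returning is not obvious from the call alone. A short comment above the `if` would help: `/* A component without variants contributes no measurements: continue with the next component as if this one were absent. */`. It is also worth confirming that treating an empty component as absent, rather than as an error, is the intended policy semantics, since the prediction then proceeds on the remaining components only. The function starts and ends outside the hunk, so whether anything after the FOREACH_ARRAY loop should still run for a skipped component cannot be checked from here.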
@@ -4111,7 +4123,9 @@ static ssize_t event_log_calculate_component_combinations(EventLog *el) { /* Overflow check */ if (c->n_variants > (size_t) (SSIZE_MAX/count)) return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many component combinations."); - + /* If no variant, this will lead to count being 0 and sigfpe */ + if (c->n_variants == 0) + continue; count *= c->n_variants; }
diff --git a/test/units/TEST-70-TPM2.pcrlock.sh b/test/units/TEST-70-TPM2.pcrlock.sh
index fd51161a702..10fa7a92c27 100755
--- a/test/units/TEST-70-TPM2.pcrlock.sh
+++ b/test/units/TEST-70-TPM2.pcrlock.sh
@@ -89,6 +89,11 @@ systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2- systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless systemd-cryptsetup detach pcrlock +# Ensure systemd-pcrlock not crashing on empty variant directory +mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d +"$SD_PCRLOCK" predict --pcr="$PCRS" +rm -rf /var/lib/pcrlock.d/123-empty.pcrlock.d + # Measure something into PCR 16 (the "debug" PCR), which should make the activation fail "$SD_PCREXTEND" --pcr=16 test70
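Review bot: The new zero check in event_log_calculate_component_combinations() sits after the overflow check, and its comment does not say where the division happens; the only divisor visible in the hunk is `count` in `SSIZE_MAX/count`, which would be reached on the next loop iteration after `count *= 0`. Placing the zero check first reads more naturally, and the comment could spell the reason out: `/* A component without variants adds no combinations; skip it so count never becomes 0, as count is the divisor in the overflow check. */`. The blank line the commit removes before the new comment would also be worth keeping, to separate the two checks. The loop header and the rest of the function are outside the hunk.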
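Review bot: The added test runs only `predict` with the empty directory, while the commit message reports a second symptom on `make-policy`: an all-zero policy digest written to the NV index. A regression in that path would go unnoticed, so consider also running `"$SD_PCRLOCK" make-policy --pcr="$PCRS"` while `123-empty.pcrlock.d` exists, provided rewriting the policy at this point does not disturb the activation checks that follow. Separately, if `predict` fails, the `rm -rf` is not reached (assuming the script aborts on the first failing command), so the empty directory would stay behind for later steps.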