diff --git a/flake.lock b/flake.lock index a0a6619..301b105 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1694710969, - "narHash": "sha256-5nMY+3JF/ktW8D8URataP6MCbbnID13P4CixARNoq6w=", + "lastModified": 1698422527, + "narHash": "sha256-SDu3Xg263t3oXIyTaH0buOvFnKIDeZsvKDBtOz+jRbs=", "owner": "nix-community", "repo": "disko", - "rev": "91af5b4a53ee8e57f4178ef58036dce49fbda91a", + "rev": "944d338d24a9d043a3f7461c30ee6cfe4f9cca30", "type": "github" }, "original": { @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1693611461, - "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "lastModified": 1698882062, + "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", "type": "github" }, "original": { @@ -43,11 +43,11 @@ }, "nixos-2305": { "locked": { - "lastModified": 1694724971, - "narHash": "sha256-NazxO2WuzV1pVnVoFpo7vJbgTTDhywhDxEDwFw6tyWY=", + "lastModified": 1698911509, + "narHash": "sha256-FFwqTbF+1laraWTL/t7LI+gN+DYfoj+iFYLof5wCea8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "16a63df66bfefec64daab3da10d414055d782d66", + "rev": "ecd985f22e007e6ac3152d68590c06cbbaea8c0e", "type": "github" }, "original": { @@ -67,11 +67,11 @@ ] }, "locked": { - "lastModified": 1694429687, - "narHash": "sha256-fopTSMmOjk7/ro8+P2wZxAC8OPUKtuwHLNp2xSPXVjc=", + "lastModified": 1697515196, + "narHash": "sha256-EZivLoJHCqJdi23Mn/p+lPNHBBctGSWzEnAhYfC0VD0=", "owner": "nix-community", "repo": "nixos-images", - "rev": "c4c73bce65306a1e747684dd0d4bcf0ab2779585", + "rev": "87bccdbdfbeb07e0c4fb4c2ec3d71986e8fa24d9", "type": "github" }, "original": { 
@@ -82,11 +82,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694669921, - "narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=", + "lastModified": 1698800439, + "narHash": "sha256-SrAwRi266j7U9XqCl0qPwsvcFiQ55iPXEK36ZX6QPjE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c", + "rev": "0ac7840a74c53b62f124e86fcde8cdd45f2bc131", "type": "github" }, "original": { @@ -113,11 +113,11 @@ ] }, "locked": { - "lastModified": 1694528738, - "narHash": "sha256-aWMEjib5oTqEzF9f3WXffC1cwICo6v/4dYKjwNktV8k=", + "lastModified": 1698438538, + "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "7a49c388d7a6b63bb551b1ddedfa4efab8f400d8", + "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1", "type": "github" }, "original": {
diff --git a/src/default.nix b/src/default.nix
index c752070..5a0d476 100644
--- a/src/default.nix
+++ b/src/default.nix
@@ -16,6 +16,11 @@
, mkShellNoCC
}:
let
+ # TODO: add this to nixpkgs
+ rsync' = rsync.overrideAttrs (old: {
+ # https://github.com/WayneD/rsync/issues/511#issuecomment-1774612577
+ patches = [ ./rsync-fortified-strlcpy-fix.patch ];
+ });
runtimeDeps = [
gitMinimal # for git flakes
# pinned because nix-copy-closure hangs if ControlPath provided for SSH: https://github.com/NixOS/nix/issues/8480
@@ -26,6 +31,7 @@ let
gawk
findutils
gnused # needed by ssh-copy-id
+ rsync' # used to upload extra-files
];
in
stdenv.mkDerivation {
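Review bot: `rsync.overrideAttrs (old: { patches = [ ./rsync-fortified-strlcpy-fix.patch ]; })` in the `@@ -16,6 +16,11 @@` hunk replaces the derivation's patch list rather than extending it, so any patches nixpkgs already applies to rsync would be silently dropped; the `old` argument is bound but never read, which suggests appending was the intent. Prefer `patches = (old.patches or [ ]) ++ [ ./rsync-fortified-strlcpy-fix.patch ];`. The `# TODO: add this to nixpkgs` comment would also be more actionable if it said when the override can go away, e.g. `# TODO: drop this override once nixpkgs' rsync carries the fix for WayneD/rsync#511`.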
@@ -41,12 +47,12 @@ stdenv.mkDerivation { # # We also prefer system rsync to prevent crashes between rsync and ssh. wrapProgram $out/bin/nixos-anywhere \ - --prefix PATH : ${lib.makeBinPath runtimeDeps} --suffix PATH : ${lib.makeBinPath [ openssh rsync ]} + --prefix PATH : ${lib.makeBinPath runtimeDeps} --suffix PATH : ${lib.makeBinPath [ openssh ]} ''; # Dependencies for our devshell passthru.devShell = mkShellNoCC { - packages = runtimeDeps ++ [ openssh rsync terraform-docs ]; + packages = runtimeDeps ++ [ openssh terraform-docs ]; }; meta = with lib; {
diff --git a/src/rsync-fortified-strlcpy-fix.patch b/src/rsync-fortified-strlcpy-fix.patch
new file mode 100644
index 0000000..296445b
--- /dev/null
+++ b/src/rsync-fortified-strlcpy-fix.patch
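Review bot: The context comment `# We also prefer system rsync to prevent crashes between rsync and ssh.` is now contradicted by the lines it introduces: `rsync'` lives in `runtimeDeps`, which goes on the `--prefix` side of PATH, while `rsync` is removed from the `--suffix` list, so the wrapper now prefers the bundled patched rsync over the system one. The comment should state the new policy and its reason, e.g. `# rsync is bundled (patched for WayneD/rsync#511) and takes precedence over the system one.` The multi-line string closed by `'';` and the enclosing `stdenv.mkDerivation` attribute set both begin before this hunk.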
@@ -0,0 +1,49 @@
+From 1f83963f59960150e8c46112daa8411324c1f209 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Fri, 18 Aug 2023 08:26:20 +0200
+Subject: [PATCH] exclude: fix crashes with fortified strlcpy()
+
+Fortified (-D_FORTIFY_SOURCE=2 for gcc) builds make strlcpy() crash when
+its third parameter (size) is larger than the buffer:
+ $ rsync -FFXHav '--filter=merge global-rsync-filter' Align-37-43/ xxx
+ sending incremental file list
+ *** buffer overflow detected ***: terminated
+
+It's in the exclude code in setup_merge_file():
+ strlcpy(y, save, MAXPATHLEN);
+
+Note the 'y' pointer was incremented, so it no longer points to memory
+with MAXPATHLEN "owned" bytes.
+
+Fix it by remembering the number of copied bytes into the 'save' buffer
+and use that instead of MAXPATHLEN which is clearly incorrect.
+
+Fixes #511.
+---
+ exclude.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index ffe55b167..1a5de3b9e 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -720,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ parent_dirscan = True;
+ while (*y) {
+ char save[MAXPATHLEN];
+- strlcpy(save, y, MAXPATHLEN);
++ /* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */
++ size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1;
+ *y = '\0';
+ dirbuf_len = y - dirbuf;
+ strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf));
+@@ -734,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ lp->head = NULL;
+ }
+ lp->tail = NULL;
+- strlcpy(y, save, MAXPATHLEN);
++ strlcpy(y, save, copylen);
+ while ((*x++ = *y++) != '/') {}
+ }
+ parent_dirscan = False;
+