linuxkm/linuxkm_memory.c: in wc_fips_generate_hash(), fix handling of failed hmac_update() in text segment loop;

douzzer · douzzer · commit 5dbf2e7382dc · 2026-04-29T17:35:11.000-05:00
linuxkm/module_hooks.c: in wolfssl_init() DEBUG_LINUXKM_PIE_SUPPORT section, render stabilized_rodata_hash;

in my_kallsyms_lookup_name(), gate kprobe failure messages behind WOLFSSL_LINUXKM_VERBOSE_DEBUG.
diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c
@@ -865,6 +865,11 @@ int wc_fips_generate_hash(
             text_p += progress;
         }
 
+        if (ret) {
+            XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            goto out;
+        }
+
         cur_reloc_index = -1;
         while (rodata_p < (const byte *)seg_map->fips_rodata_end) {
             size_t rodata_in_out_len = min(WOLFSSL_SEGMENT_CANONICALIZER_BUFSIZ,
@@ -905,6 +910,9 @@ int wc_fips_generate_hash(
         }
 
         XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+        if (ret)
+            goto out;
     }
 
 #else /* ! (WC_SYM_RELOC_TABLES || WC_SYM_RELOC_TABLES_SUPPORT) */
@@ -936,14 +944,14 @@ int wc_fips_generate_hash(
 
     WC_SANITIZE_ENABLE();
 
-#endif /* ! (WC_SYM_RELOC_TABLES || WC_SYM_RELOC_TABLES_SUPPORT) */
-
     if (ret) {
         RELOC_DEBUG_PRINTF("ERROR: hmac_update failed: err %d\n", ret);
         ret = BAD_STATE_E;
         goto out;
     }
 
+#endif /* ! (WC_SYM_RELOC_TABLES || WC_SYM_RELOC_TABLES_SUPPORT) */
+
     ret = hmac_final(hmac_ctx, hash, digest_size);
     if (ret) {
         RELOC_DEBUG_PRINTF("ERROR: hmac_final failed: err %d\n", ret);
diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c
@@ -778,12 +778,13 @@ static int wolfssl_init(void)
          * the true module start address, which is potentially useful to an
          * attacker.
          */
-        pr_info("wolfCrypt segment hashes (spans): text 0x%x (%llu), rodata 0x%x (%llu), offset %c0x%llx, canon text 0x%x\n",
+        pr_info("wolfCrypt segment hashes (spans): text 0x%x (%llu), rodata 0x%x (%llu), offset %c0x%llx, canon text 0x%x, canon rodata 0x%x\n",
                 text_hash, (unsigned long long)((uintptr_t)__wc_text_end - (uintptr_t)__wc_text_start),
                 rodata_hash, (unsigned long long)((uintptr_t)__wc_rodata_end - (uintptr_t)__wc_rodata_start),
                 (uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? '+' : '-',
                 (uintptr_t)__wc_text_start < (uintptr_t)&__wc_rodata_start[0] ? (unsigned long long)((uintptr_t)&__wc_rodata_start[0] - (uintptr_t)__wc_text_start) : (unsigned long long)((uintptr_t)__wc_text_start - (uintptr_t)&__wc_rodata_start[0]),
-                stabilized_text_hash);
+                stabilized_text_hash,
+                stabilized_rodata_hash);
 
         pr_info("wolfCrypt segments: text=%llx-%llx, rodata=%llx-%llx, "
                 "rwdata=%llx-%llx, bss=%llx-%llx\n",
@@ -1847,13 +1848,17 @@ static WC_MAYBE_UNUSED void *my_kallsyms_lookup_name(const char *name) {
         int ret;
         kallsyms_lookup_name_kp.addr = NULL;
         if ((ret = register_kprobe(&kallsyms_lookup_name_kp)) != 0) {
+#ifdef WOLFSSL_LINUXKM_VERBOSE_DEBUG
             pr_err_once("ERROR: register_kprobe(&kallsyms_lookup_name_kp) failed: %d\n", ret);
+#endif
             return 0;
         }
         kallsyms_lookup_name_ptr = (typeof(kallsyms_lookup_name_ptr))kallsyms_lookup_name_kp.addr;
         unregister_kprobe(&kallsyms_lookup_name_kp);
         if (! kallsyms_lookup_name_ptr) {
+#ifdef WOLFSSL_LINUXKM_VERBOSE_DEBUG
             pr_err_once("ERROR: kallsyms_lookup_name_kp.addr is null.\n");
+#endif
             return 0;
         }
     }
