Merge branch 'jb46829' into 'master'
[systemd] Fix for CVE-2018-16865 in systemd-journal. Fixes JB#46829. See merge request mer-core/systemd!25
Showing
6 changed files
with
271 additions
and
0 deletions.
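--- a/rpm/systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch
+++ b/rpm/systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch
@@ -0,0 +1,29 @@
+Backported upstream commit
+https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020
+
+It fixes CVE-2016-7795.
+
+From 531ac2b2349da02acc9c382849758e07eb92b020 Mon Sep 17 00:00:00 2001
+From: Jorge Niedbalski <jorge.niedbalski@canonical.com>
+Date: Wed, 28 Sep 2016 18:25:50 -0300
+Subject: [PATCH] If the notification message length is 0, ignore the message
+(#4237)
+
+Fixes #4234.
+
+Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
+
+diff -purN systemd/src/core/manager.c systemd-izh/src/core/manager.c
+--- systemd/src/core/manager.c 2019-08-05 05:38:44.059368428 -0400
++++ systemd-izh/src/core/manager.c 2019-08-05 13:04:50.260358645 -0400
+@@ -1543,6 +1543,10 @@ static int manager_dispatch_notify_fd(sd
+
+return -errno;
+}
++ if (n == 0) {
++ log_debug("Got zero-length notification message. Ignoring.");
++ return 0;
++ }
+
+CMSG_FOREACH(cmsg, &msghdr) {
+if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {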
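Review bot: The added `return 0` for the zero-length case sits before the `CMSG_FOREACH(cmsg, &msghdr)` loop, so any SCM_RIGHTS descriptors that arrived attached to an empty datagram are never collected on this path and, unless code outside the hunk closes them, remain open in the manager process. A safer ordering is to keep the cmsg loop first and apply the length check after the descriptors have been gathered, so whatever cleanup the function already has for received fds still runs; the check itself is otherwise correct and comes after the `return -errno` for a failed recvmsg(). The enclosing manager_dispatch_notify_fd() starts and ends outside this hunk, so whether such cleanup exists cannot be confirmed from here.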
@@ -0,0 +1,39 @@ | ||
This is the backport of the upstream commit | ||
https://github.com/systemd/systemd/commit/25cad95c82f4c45d6d7c872c39bbd72bc4946edb | ||
|
||
It fixes CVE-2013-4391. | ||
|
||
From 25cad95c82f4c45d6d7c872c39bbd72bc4946edb Mon Sep 17 00:00:00 2001 | ||
From: Yu Watanabe <watanabe.yu+github@gmail.com> | ||
Date: Mon, 12 Nov 2018 18:08:45 +0900 | ||
Subject: [PATCH] fuzz: decrease DATA_SIZE_MAX | ||
|
||
Fixes oss-fuzz#8658. | ||
|
||
diff -purN systemd/src/journal/coredump.c systemd-izh/src/journal/coredump.c | ||
--- systemd/src/journal/coredump.c 2019-08-05 05:38:44.075368451 -0400 | ||
+++ systemd-izh/src/journal/coredump.c 2019-08-05 09:23:47.773816172 -0400 | ||
@@ -59,7 +59,8 @@ | ||
|
||
/* The maximum size up to which we store the coredump in the | ||
* journal */ | ||
-#define JOURNAL_SIZE_MAX ((size_t) (767LU*1024LU*1024LU)) | ||
+/* oss-fuzz limits memory usage. */ | ||
+#define JOURNAL_SIZE_MAX ((size_t) (10LU*1024LU*1024LU)) | ||
|
||
/* Make sure to not make this larger than the maximum journal entry | ||
* size. See DATA_SIZE_MAX in journald-native.c. */ | ||
diff -purN systemd/src/journal/journald-native.h systemd-izh/src/journal/journald-native.h | ||
--- systemd/src/journal/journald-native.h 2019-08-05 08:19:55.982711293 -0400 | ||
+++ systemd-izh/src/journal/journald-native.h 2019-08-05 09:09:23.164321075 -0400 | ||
@@ -25,8 +25,8 @@ | ||
|
||
/* Make sure not to make this smaller than the maximum coredump | ||
* size. See COREDUMP_MAX in coredump.c */ | ||
-#define ENTRY_SIZE_MAX (1024*1024*770u) | ||
-#define DATA_SIZE_MAX (1024*1024*768u) | ||
+#define ENTRY_SIZE_MAX (1024*1024*13u) | ||
+#define DATA_SIZE_MAX (1024*1024*11u) | ||
|
||
bool valid_user_field(const char *p, size_t l, bool allow_protected); | ||
|
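--- a/rpm/systemd-backport-journal-fix-syslog_parse_identifier.patch
+++ b/rpm/systemd-backport-journal-fix-syslog_parse_identifier.patch
@@ -0,0 +1,87 @@
+This is the backport of the upstream commits
+https://github.com/systemd/systemd/commit/a6aadf4ae0bae185dc4c414d492a4a781c80ffe5
+https://github.com/systemd/systemd/commit/8595102d3ddde6d25c282f965573a6de34ab4421
+
+It fixes CVE-2018-16866.
+
+From a6aadf4ae0bae185dc4c414d492a4a781c80ffe5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 8 Aug 2018 15:06:36 +0900
+Subject: [PATCH] journal: fix syslog_parse_identifier()
+
+Fixes #9829.
+
+From 8595102d3ddde6d25c282f965573a6de34ab4421 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 10 Aug 2018 11:07:54 +0900
+Subject: [PATCH] journal: do not remove multiple spaces after identifier in syslog message
+
+Single space is used as separator.
+C.f. discussions in #156.
+
+Fixes #9839 introduced by a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+diff -purN systemd/src/journal/journald-syslog.c systemd-izh/src/journal/journald-syslog.c
+--- systemd/src/journal/journald-syslog.c 2019-08-02 18:21:22.892939591 +0300
++++ systemd-izh/src/journal/journald-syslog.c 2019-08-05 16:54:03.176668148 +0300
+@@ -209,7 +209,7 @@ size_t syslog_parse_identifier(const cha
+e = l;
+l--;
+
+- if (p[l-1] == ']') {
++ if (l > 0 && p[l-1] == ']') {
+size_t k = l-1;
+
+for (;;) {
+@@ -234,8 +234,10 @@ size_t syslog_parse_identifier(const cha
+if (t)
+*identifier = t;
+
+- if (strchr(WHITESPACE, p[e]))
++ /* Single space is used as separator */
++ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+e++;
++
+*buf = p + e;
+return e;
+}
+diff -purN systemd/src/journal/test-journal-syslog.c systemd-izh/src/journal/test-journal-syslog.c
+--- systemd/src/journal/test-journal-syslog.c 2019-08-02 18:21:22.892939591 +0300
++++ systemd-izh/src/journal/test-journal-syslog.c 2019-08-05 16:54:03.176668148 +0300
+@@ -22,8 +22,8 @@
+#include "journald-syslog.h"
+#include "macro.h"
+
+-static void test_syslog_parse_identifier(const char* str,
+- const char *ident, const char*pid, int ret) {
++static void test_syslog_parse_identifier(const char *str,
++ const char *ident, const char *pid, const char *rest, int ret) {
+const char *buf = str;
+_cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
+int ret2;
+@@ -33,12 +33,22 @@ static void test_syslog_parse_identifier
+assert_se(ret == ret2);
+assert_se(ident == ident2 || streq_ptr(ident, ident2));
+assert_se(pid == pid2 || streq_ptr(pid, pid2));
++ assert_se(streq(buf, rest));
+}
+
+int main(void) {
+- test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
+- test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
+- test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
++ test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", "xxx", 11);
++ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, "xxx", 6);
++ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, " xxx", 6);
++ test_syslog_parse_identifier("pidu xxx", NULL, NULL, "pidu xxx", 0);
++ test_syslog_parse_identifier(" pidu xxx", NULL, NULL, " pidu xxx", 0);
++ test_syslog_parse_identifier("", NULL, NULL, "", 0);
++ test_syslog_parse_identifier(" ", NULL, NULL, " ", 0);
++ test_syslog_parse_identifier(":", "", NULL, "", 1);
++ test_syslog_parse_identifier(": ", "", NULL, " ", 2);
++ test_syslog_parse_identifier("pidu:", "pidu", NULL, "", 5);
++ test_syslog_parse_identifier("pidu: ", "pidu", NULL, "", 6);
++ test_syslog_parse_identifier("pidu : ", NULL, NULL, "pidu : ", 0);
+
+return 0;
+}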
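Review bot: The added comment `/* Single space is used as separator */` explains the `e++`, but not the `p[e] != '\0'` half of the new condition, which is the part that closes the out-of-bounds read: `strchr()` also matches the terminating NUL, so without that guard a message ending right after the identifier advances `e` past the end of the string. Suggest `/* Single space is used as separator; strchr() also matches the terminating NUL, so check for end of string first */` on that line. In the first hunk the `l > 0` guard is only sound if `l` was at least 1 before the `l--` above it (otherwise the size_t decrement wraps and `p[l-1]` is still out of range); that precondition is established outside the hunk, as syslog_parse_identifier() starts before it.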
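--- a/rpm/systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k.patch
+++ b/rpm/systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k.patch
@@ -0,0 +1,47 @@
+This is the backport of the upstream commit
+https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
+It is fixed it v241.
+
+From 052c57f132f04a3cf4148f87561618da1a6908b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Dec 2018 22:45:02 +0100
+Subject: [PATCH] journald: set a limit on the number of fields (1k)
+
+We allocate a iovec entry for each field, so with many short entries,
+our memory usage and processing time can be large, even with a relatively
+small message size. Let's refuse overly long entries.
+
+CVE-2018-16865
+https://bugzilla.redhat.com/show_bug.cgi?id=1653861
+
+What from I can see, the problem is not from an alloca, despite what the CVE
+description says, but from the attack multiplication that comes from creating
+many very small iovecs: (void* + size_t) for each three bytes of input message.
+
+diff -purN systemd/src/journal/journald-native.c systemd-izh/src/journal/journald-native.c
+--- systemd/src/journal/journald-native.c 2019-08-05 05:38:44.083368462 -0400
++++ systemd-izh/src/journal/journald-native.c 2019-08-05 05:56:53.357060530 -0400
+@@ -133,6 +133,10 @@ void server_process_native_message(
+}
+
+/* A property follows */
++ if (n > ENTRY_FIELD_COUNT_MAX) {
++ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
++ goto finish;
++ }
+
+/* n existing properties, 1 new, +1 for _TRANSPORT */
+if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
+diff -purN systemd/src/journal/journald-native.h systemd-izh/src/journal/journald-native.h
+--- systemd/src/journal/journald-native.h 2019-08-05 05:38:44.083368462 -0400
++++ systemd-izh/src/journal/journald-native.h 2019-08-05 06:00:28.253422314 -0400
+@@ -28,6 +28,9 @@
+#define ENTRY_SIZE_MAX (1024*1024*770u)
+#define DATA_SIZE_MAX (1024*1024*768u)
+
++/* The maximum number of fields in an entry */
++#define ENTRY_FIELD_COUNT_MAX 1024
++
+bool valid_user_field(const char *p, size_t l, bool allow_protected);
+
+void server_process_native_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const struct timeval *tv, const char *label, size_t label_len);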
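Review bot: The journald-native.h hunk carries `#define ENTRY_SIZE_MAX (1024*1024*770u)` and `#define DATA_SIZE_MAX (1024*1024*768u)` as context, but the DATA_SIZE_MAX backport in this same merge rewrites exactly those two lines to 13u/11u, so whichever of the two patches the spec applies second will only apply with fuzz or fail outright; regenerate this patch against the already-patched header, or fold the `ENTRY_FIELD_COUNT_MAX` define into the other patch. The `n > ENTRY_FIELD_COUNT_MAX` check in journald-native.c is placed before the GREEDY_REALLOC that grows the iovec array, which is the right spot for bounding per-message allocation; server_process_native_message() starts and ends outside the hunk. The header line `It is fixed it v241.` reads as a typo for `It is fixed in v241.`.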
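--- a/rpm/systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch
+++ b/rpm/systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch
@@ -0,0 +1,59 @@
+This is the backport of upstream commit
+https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a
+
+It fixes CVE-2019-3842.
+
+From 83d4ab55336ff8a0643c6aa627b31e351a24040a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 4 Feb 2019 10:23:43 +0100
+Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()
+
+diff -purN systemd/src/login/pam_systemd.c systemd-izh/src/login/pam_systemd.c
+--- systemd/src/login/pam_systemd.c 2019-08-05 05:38:44.107368495 -0400
++++ systemd-izh/src/login/pam_systemd.c 2019-08-05 14:00:21.968726200 -0400
+@@ -284,29 +284,40 @@ _public_ PAM_EXTERN int pam_sm_open_sess
+pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
+pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+
++ /* Looks for an environment variable, preferrably in the environment block associated with the
++ * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
++ * to permit configuration of session properties from unit files that invoke PAM services, so that
++ * PAM services don't have to be reworked to set systemd-specific properties, but these properties
++ * can still be set from the unit file Environment= block.
++ *
++ * We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
++ * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
++ * currently don't (to be precise, they clean up the environment they pass to their children, but
++ * not their own environ[]). */
++
+seat = pam_getenv(handle, "XDG_SEAT");
+if (isempty(seat))
+- seat = getenv("XDG_SEAT");
++ seat = secure_getenv("XDG_SEAT");
+
+cvtnr = pam_getenv(handle, "XDG_VTNR");
+if (isempty(cvtnr))
+- cvtnr = getenv("XDG_VTNR");
++ cvtnr = secure_getenv("XDG_VTNR");
+
+type = pam_getenv(handle, "XDG_SESSION_TYPE");
+if (isempty(type))
+- type = getenv("XDG_SESSION_TYPE");
++ type = secure_getenv("XDG_SESSION_TYPE");
+if (isempty(type))
+type = type_pam;
+
+class = pam_getenv(handle, "XDG_SESSION_CLASS");
+if (isempty(class))
+- class = getenv("XDG_SESSION_CLASS");
++ class = secure_getenv("XDG_SESSION_CLASS");
+if (isempty(class))
+class = class_pam;
+
+desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
+if (isempty(desktop))
+- desktop = getenv("XDG_SESSION_DESKTOP");
++ desktop = secure_getenv("XDG_SESSION_DESKTOP");
+
+tty = strempty(tty);
+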
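Review bot: `secure_getenv()` is a glibc extension that is only declared when `_GNU_SOURCE` is defined before the libc headers; systemd's build normally sets it project-wide, but if this older base does not for pam_systemd.c, the five new calls compile as implicit declarations returning `int` and the returned pointer is truncated, so a build of the patched tree should be confirmed before merging. The new comment block also carries a typo, `preferrably` → `preferably`, worth fixing while the patch is being regenerated. pam_sm_open_session() starts and ends outside this hunk.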