Browse code
Fix for CVE-2018-1049: Ack automount requests even when already mounted
Change-Id: I7542d1f1095e84d531cc14c27eee57287ebd4962
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5393
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Ankit Jain authored on 2018/07/24 05:25:38Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,77 @@ |
| 0 |
+commit e7d54bf58789545a9eb0b3964233defa0b007318 |
|
| 1 |
+Author: Anchor Cat <githubanchorcat@anchor.net.au> |
|
| 2 |
+Date: Wed May 10 21:23:58 2017 +1000 |
|
| 3 |
+ |
|
| 4 |
+ automount: ack automount requests even when already mounted (#5916) |
|
| 5 |
+ |
|
| 6 |
+ If a process accesses an autofs filesystem while systemd is in the |
|
| 7 |
+ middle of starting the mount unit on top of it, it is possible for the |
|
| 8 |
+ autofs_ptype_missing_direct request from the kernel to be received after |
|
| 9 |
+ the mount unit has been fully started: |
|
| 10 |
+ |
|
| 11 |
+ systemd forks and execs mount ... |
|
| 12 |
+ ... access autofs, blocks |
|
| 13 |
+ mount exits ... |
|
| 14 |
+ systemd receives SIGCHLD ... |
|
| 15 |
+ ... kernel sends request |
|
| 16 |
+ systemd receives request ... |
|
| 17 |
+ |
|
| 18 |
+ systemd needs to respond to this request, otherwise the kernel will |
|
| 19 |
+ continue to block access to the mount point. |
|
| 20 |
+ |
|
| 21 |
+diff --git a/src/core/automount.c b/src/core/automount.c |
|
| 22 |
+index 85b7b4e..180aecd 100644 |
|
| 23 |
+--- a/src/core/automount.c |
|
| 24 |
+@@ -701,8 +701,9 @@ static int automount_start_expire(Automount *a) {
|
|
| 25 |
+ return 0; |
|
| 26 |
+ } |
|
| 27 |
+ |
|
| 28 |
+-static void automount_enter_runnning(Automount *a) {
|
|
| 29 |
++static void automount_enter_running(Automount *a) {
|
|
| 30 |
+ _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL; |
|
| 31 |
++ Unit *trigger; |
|
| 32 |
+ struct stat st; |
|
| 33 |
+ int r; |
|
| 34 |
+ |
|
| 35 |
+@@ -724,15 +725,23 @@ static void automount_enter_runnning(Automount *a) {
|
|
| 36 |
+ log_unit_warning_errno(UNIT(a), errno, "Failed to stat automount point: %m"); |
|
| 37 |
+ goto fail; |
|
| 38 |
+ } |
|
| 39 |
+- |
|
| 40 |
+- if (!S_ISDIR(st.st_mode) || st.st_dev != a->dev_id) |
|
| 41 |
++ /* The mount unit may have been explicitly started before we got the |
|
| 42 |
++ * autofs request. Ack it to unblock anything waiting on the mount point. */ |
|
| 43 |
++ if (!S_ISDIR(st.st_mode) || st.st_dev != a->dev_id) {
|
|
| 44 |
+ log_unit_info(UNIT(a), "Automount point already active?"); |
|
| 45 |
+- else {
|
|
| 46 |
+- r = manager_add_job(UNIT(a)->manager, JOB_START, UNIT_TRIGGER(UNIT(a)), JOB_REPLACE, &error, NULL); |
|
| 47 |
+- if (r < 0) {
|
|
| 48 |
+- log_unit_warning(UNIT(a), "Failed to queue mount startup job: %s", bus_error_message(&error, r)); |
|
| 49 |
+- goto fail; |
|
| 50 |
+- } |
|
| 51 |
++ automount_send_ready(a, a->tokens, 0); |
|
| 52 |
++ return; |
|
| 53 |
++ } |
|
| 54 |
++ |
|
| 55 |
++ trigger = UNIT_TRIGGER(UNIT(a)); |
|
| 56 |
++ if (!trigger) {
|
|
| 57 |
++ log_unit_error(UNIT(a), "Unit to trigger vanished."); |
|
| 58 |
++ goto fail; |
|
| 59 |
++ } |
|
| 60 |
++ r = manager_add_job(UNIT(a)->manager, JOB_START, trigger, JOB_REPLACE, &error, NULL); |
|
| 61 |
++ if (r < 0) {
|
|
| 62 |
++ log_unit_warning(UNIT(a), "Failed to queue mount startup job: %s", bus_error_message(&error, r)); |
|
| 63 |
++ goto fail; |
|
| 64 |
+ } |
|
| 65 |
+ |
|
| 66 |
+ automount_set_state(a, AUTOMOUNT_RUNNING); |
|
| 67 |
+@@ -941,7 +950,7 @@ static int automount_dispatch_io(sd_event_source *s, int fd, uint32_t events, vo |
|
| 68 |
+ goto fail; |
|
| 69 |
+ } |
|
| 70 |
+ |
|
| 71 |
+- automount_enter_runnning(a); |
|
| 72 |
++ automount_enter_running(a); |
|
| 73 |
+ break; |
|
| 74 |
+ |
|
| 75 |
+ case autofs_ptype_expire_direct: |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Systemd-228 |
| 2 | 2 |
Name: systemd |
| 3 | 3 |
Version: 228 |
| 4 |
-Release: 46%{?dist}
|
|
| 4 |
+Release: 47%{?dist}
|
|
| 5 | 5 |
License: LGPLv2+ and GPLv2+ and MIT |
| 6 | 6 |
URL: http://www.freedesktop.org/wiki/Software/systemd/ |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -45,6 +45,7 @@ Patch27: systemd-228-resolved-null-deferencing-fix.patch |
| 45 | 45 |
Patch28: systemd-228-link-disabled-nullptr-fix.patch |
| 46 | 46 |
Patch29: systemd-228-CVE-2017-15908-dns-pkt-loop-fix.patch |
| 47 | 47 |
Patch30: systemd-228-CVE-2017-18078.patch |
| 48 |
+Patch31: systemd-228-CVE-2018-1049.patch |
|
| 48 | 49 |
Requires: Linux-PAM |
| 49 | 50 |
Requires: libcap |
| 50 | 51 |
Requires: xz |
| ... | ... |
@@ -109,6 +110,7 @@ sed -i "s:blkid/::" $(grep -rl "blkid/blkid.h") |
| 109 | 109 |
%patch28 -p1 |
| 110 | 110 |
%patch29 -p1 |
| 111 | 111 |
%patch30 -p1 |
| 112 |
+%patch31 -p1 |
|
| 112 | 113 |
sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf |
| 113 | 114 |
|
| 114 | 115 |
%build |
| ... | ... |
@@ -249,6 +251,8 @@ rm -rf %{buildroot}/*
|
| 249 | 249 |
|
| 250 | 250 |
|
| 251 | 251 |
%changelog |
| 252 |
+* Mon Jul 23 2018 Ankit Jain <ankitja@vmware.com> 228-47 |
|
| 253 |
+- Fix CVE-2018-1049. |
|
| 252 | 254 |
* Thu Jun 28 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 228-46 |
| 253 | 255 |
- Automatically load rdrand-rng kernel module on every boot. |
| 254 | 256 |
* Thu Mar 15 2018 Xiaolin Li <xiaolinl@vmware.com> 228-45 |