Browse code
Fix systemd CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
Change-Id: I06bed4b308cb45d5315ba70828dad37975469fd0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6515
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
suezzelur authored on 2019/01/17 04:55:32Showing 4 changed files
- SPECS/systemd/systemd-228-CVE-2018-16864.patch
- SPECS/systemd/systemd-228-CVE-2018-16865.patch
- SPECS/systemd/systemd-228-CVE-2018-16866.patch
- SPECS/systemd/systemd.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,341 @@ |
| 0 |
+diff -rup systemd-228/src/basic/io-util.c systemd-228-new/src/basic/io-util.c |
|
| 1 |
+--- systemd-228/src/basic/io-util.c 2015-11-17 23:59:06.000000000 -0800 |
|
| 2 |
+@@ -23,6 +23,7 @@ |
|
| 3 |
+ #include <unistd.h> |
|
| 4 |
+ |
|
| 5 |
+ #include "io-util.h" |
|
| 6 |
++#include "string-util.h" |
|
| 7 |
+ |
|
| 8 |
+ int flush_fd(int fd) {
|
|
| 9 |
+ struct pollfd pollfd = {
|
|
| 10 |
+@@ -259,3 +260,20 @@ ssize_t sparse_write(int fd, const void |
|
| 11 |
+ |
|
| 12 |
+ return q - (const uint8_t*) p; |
|
| 13 |
+ } |
|
| 14 |
++ |
|
| 15 |
++char* set_iovec_string_field(struct iovec *iovec, unsigned int *n_iovec, const char *field, const char *value) {
|
|
| 16 |
++ char *x; |
|
| 17 |
++ |
|
| 18 |
++ x = strappend(field, value); |
|
| 19 |
++ if (x) |
|
| 20 |
++ iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x); |
|
| 21 |
++ return x; |
|
| 22 |
++} |
|
| 23 |
++ |
|
| 24 |
++char* set_iovec_field_free(struct iovec *iovec, unsigned int *n_iovec, const char *field, char *value) {
|
|
| 25 |
++ char *x; |
|
| 26 |
++ |
|
| 27 |
++ x = set_iovec_string_field(iovec, n_iovec, field, value); |
|
| 28 |
++ free(value); |
|
| 29 |
++ return x; |
|
| 30 |
++} |
|
| 31 |
+diff -rup systemd-228/src/basic/io-util.h systemd-228-new/src/basic/io-util.h |
|
| 32 |
+--- systemd-228/src/basic/io-util.h 2015-11-17 23:59:06.000000000 -0800 |
|
| 33 |
+@@ -47,6 +47,14 @@ ssize_t sparse_write(int fd, const void |
|
| 34 |
+ _i->iov_len = strlen(_s); \ |
|
| 35 |
+ } while(false) |
|
| 36 |
+ |
|
| 37 |
++#define IOVEC_INIT(base, len) { .iov_base = (base), .iov_len = (len) }
|
|
| 38 |
++#define IOVEC_MAKE(base, len) (struct iovec) IOVEC_INIT(base, len) |
|
| 39 |
++#define IOVEC_INIT_STRING(string) IOVEC_INIT((char*) string, strlen(string)) |
|
| 40 |
++#define IOVEC_MAKE_STRING(string) (struct iovec) IOVEC_INIT_STRING(string) |
|
| 41 |
++ |
|
| 42 |
++char* set_iovec_string_field(struct iovec *iovec, unsigned int *n_iovec, const char *field, const char *value); |
|
| 43 |
++char* set_iovec_field_free(struct iovec *iovec, unsigned int *n_iovec, const char *field, char *value); |
|
| 44 |
++ |
|
| 45 |
+ static inline size_t IOVEC_TOTAL_SIZE(const struct iovec *i, unsigned n) {
|
|
| 46 |
+ unsigned j; |
|
| 47 |
+ size_t r = 0; |
|
| 48 |
+diff -rup systemd-228/src/journal/coredump.c systemd-228-new/src/journal/coredump.c |
|
| 49 |
+--- systemd-228/src/journal/coredump.c 2015-11-17 23:59:06.000000000 -0800 |
|
| 50 |
+@@ -537,28 +537,16 @@ static int compose_open_fds(pid_t pid, c |
|
| 51 |
+ } |
|
| 52 |
+ |
|
| 53 |
+ int main(int argc, char* argv[]) {
|
|
| 54 |
+- |
|
| 55 |
+- /* The small core field we allocate on the stack, to keep things simple */ |
|
| 56 |
+- char |
|
| 57 |
+- *core_pid = NULL, *core_uid = NULL, *core_gid = NULL, *core_signal = NULL, |
|
| 58 |
+- *core_session = NULL, *core_exe = NULL, *core_comm = NULL, *core_cmdline = NULL, |
|
| 59 |
+- *core_cgroup = NULL, *core_cwd = NULL, *core_root = NULL, *core_unit = NULL, |
|
| 60 |
+- *core_slice = NULL; |
|
| 61 |
+- |
|
| 62 |
+- /* The larger ones we allocate on the heap */ |
|
| 63 |
+- _cleanup_free_ char |
|
| 64 |
+- *core_timestamp = NULL, *core_message = NULL, *coredump_data = NULL, *core_owner_uid = NULL, |
|
| 65 |
+- *core_open_fds = NULL, *core_proc_status = NULL, *core_proc_maps = NULL, *core_proc_limits = NULL, |
|
| 66 |
+- *core_proc_cgroup = NULL, *core_environ = NULL; |
|
| 67 |
+- |
|
| 68 |
+- _cleanup_free_ char *exe = NULL, *comm = NULL, *filename = NULL; |
|
| 69 |
++ _cleanup_free_ char *core_timestamp = NULL, *core_owner_uid = NULL, *coredump_data = NULL; |
|
| 70 |
++ _cleanup_free_ char *exe = NULL, *comm = NULL, *filename = NULL, *core_message = NULL; |
|
| 71 |
+ const char *info[_INFO_LEN]; |
|
| 72 |
+ |
|
| 73 |
+ _cleanup_close_ int coredump_fd = -1; |
|
| 74 |
+ |
|
| 75 |
+ struct iovec iovec[26]; |
|
| 76 |
+ uint64_t coredump_size; |
|
| 77 |
+- int r, j = 0; |
|
| 78 |
++ int r; |
|
| 79 |
++ unsigned n_iovec = 0; |
|
| 80 |
+ uid_t uid, owner_uid; |
|
| 81 |
+ gid_t gid; |
|
| 82 |
+ pid_t pid; |
|
| 83 |
+@@ -645,151 +633,101 @@ int main(int argc, char* argv[]) {
|
|
| 84 |
+ goto finish; |
|
| 85 |
+ } |
|
| 86 |
+ |
|
| 87 |
+- core_unit = strjoina("COREDUMP_UNIT=", t);
|
|
| 88 |
+- free(t); |
|
| 89 |
++ if (!set_iovec_field_free(iovec, &n_iovec, "COREDUMP_UNIT=", t)) |
|
| 90 |
++ return log_oom(); |
|
| 91 |
+ |
|
| 92 |
+ } else if (cg_pid_get_user_unit(pid, &t) >= 0) {
|
|
| 93 |
+- core_unit = strjoina("COREDUMP_USER_UNIT=", t);
|
|
| 94 |
+- free(t); |
|
| 95 |
++ if (!set_iovec_field_free(iovec, &n_iovec, "COREDUMP_USER_UNIT=", t)) |
|
| 96 |
++ return log_oom(); |
|
| 97 |
+ } |
|
| 98 |
+ |
|
| 99 |
+- if (core_unit) |
|
| 100 |
+- IOVEC_SET_STRING(iovec[j++], core_unit); |
|
| 101 |
+- |
|
| 102 |
+ /* OK, now we know it's not the journal, hence we can make use |
|
| 103 |
+ * of it now. */ |
|
| 104 |
+ log_set_target(LOG_TARGET_JOURNAL_OR_KMSG); |
|
| 105 |
+ log_open(); |
|
| 106 |
+ |
|
| 107 |
+- core_pid = strjoina("COREDUMP_PID=", info[INFO_PID]);
|
|
| 108 |
+- IOVEC_SET_STRING(iovec[j++], core_pid); |
|
| 109 |
+- |
|
| 110 |
+- core_uid = strjoina("COREDUMP_UID=", info[INFO_UID]);
|
|
| 111 |
+- IOVEC_SET_STRING(iovec[j++], core_uid); |
|
| 112 |
+- |
|
| 113 |
+- core_gid = strjoina("COREDUMP_GID=", info[INFO_GID]);
|
|
| 114 |
+- IOVEC_SET_STRING(iovec[j++], core_gid); |
|
| 115 |
+- |
|
| 116 |
+- core_signal = strjoina("COREDUMP_SIGNAL=", info[INFO_SIGNAL]);
|
|
| 117 |
+- IOVEC_SET_STRING(iovec[j++], core_signal); |
|
| 118 |
++ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_PID=", info[INFO_PID])) |
|
| 119 |
++ return log_oom(); |
|
| 120 |
++ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_UID=", info[INFO_UID])) |
|
| 121 |
++ return log_oom(); |
|
| 122 |
++ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_GID=", info[INFO_GID])) |
|
| 123 |
++ return log_oom(); |
|
| 124 |
++ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_SIGNAL=", info[INFO_SIGNAL])) |
|
| 125 |
++ return log_oom(); |
|
| 126 |
+ |
|
| 127 |
+ if (sd_pid_get_session(pid, &t) >= 0) {
|
|
| 128 |
+- core_session = strjoina("COREDUMP_SESSION=", t);
|
|
| 129 |
+- free(t); |
|
| 130 |
+- |
|
| 131 |
+- IOVEC_SET_STRING(iovec[j++], core_session); |
|
| 132 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_SESSION=", t); |
|
| 133 |
+ } |
|
| 134 |
+ |
|
| 135 |
+ if (sd_pid_get_owner_uid(pid, &owner_uid) >= 0) {
|
|
| 136 |
+ r = asprintf(&core_owner_uid, |
|
| 137 |
+ "COREDUMP_OWNER_UID=" UID_FMT, owner_uid); |
|
| 138 |
+ if (r > 0) |
|
| 139 |
+- IOVEC_SET_STRING(iovec[j++], core_owner_uid); |
|
| 140 |
++ IOVEC_SET_STRING(iovec[n_iovec++], core_owner_uid); |
|
| 141 |
+ } |
|
| 142 |
+ |
|
| 143 |
+ if (sd_pid_get_slice(pid, &t) >= 0) {
|
|
| 144 |
+- core_slice = strjoina("COREDUMP_SLICE=", t);
|
|
| 145 |
+- free(t); |
|
| 146 |
+- |
|
| 147 |
+- IOVEC_SET_STRING(iovec[j++], core_slice); |
|
| 148 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_SLICE=", t); |
|
| 149 |
+ } |
|
| 150 |
+ |
|
| 151 |
+- if (comm) {
|
|
| 152 |
+- core_comm = strjoina("COREDUMP_COMM=", comm);
|
|
| 153 |
+- IOVEC_SET_STRING(iovec[j++], core_comm); |
|
| 154 |
++ if (comm && !set_iovec_string_field(iovec, &n_iovec, "COREDUMP_COMM=", comm)) {
|
|
| 155 |
++ return log_oom(); |
|
| 156 |
+ } |
|
| 157 |
+ |
|
| 158 |
+- if (exe) {
|
|
| 159 |
+- core_exe = strjoina("COREDUMP_EXE=", exe);
|
|
| 160 |
+- IOVEC_SET_STRING(iovec[j++], core_exe); |
|
| 161 |
++ if (exe && !set_iovec_string_field(iovec, &n_iovec, "COREDUMP_EXE=", exe)) {
|
|
| 162 |
++ return log_oom(); |
|
| 163 |
+ } |
|
| 164 |
+ |
|
| 165 |
+ if (get_process_cmdline(pid, 0, false, &t) >= 0) {
|
|
| 166 |
+- core_cmdline = strjoina("COREDUMP_CMDLINE=", t);
|
|
| 167 |
+- free(t); |
|
| 168 |
+- |
|
| 169 |
+- IOVEC_SET_STRING(iovec[j++], core_cmdline); |
|
| 170 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CMDLINE=", t); |
|
| 171 |
+ } |
|
| 172 |
+ |
|
| 173 |
+ if (cg_pid_get_path_shifted(pid, NULL, &t) >= 0) {
|
|
| 174 |
+- core_cgroup = strjoina("COREDUMP_CGROUP=", t);
|
|
| 175 |
+- free(t); |
|
| 176 |
+- |
|
| 177 |
+- IOVEC_SET_STRING(iovec[j++], core_cgroup); |
|
| 178 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CGROUP=", t); |
|
| 179 |
+ } |
|
| 180 |
+ |
|
| 181 |
+ if (compose_open_fds(pid, &t) >= 0) {
|
|
| 182 |
+- core_open_fds = strappend("COREDUMP_OPEN_FDS=", t);
|
|
| 183 |
+- free(t); |
|
| 184 |
+- |
|
| 185 |
+- if (core_open_fds) |
|
| 186 |
+- IOVEC_SET_STRING(iovec[j++], core_open_fds); |
|
| 187 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_OPEN_FDS=", t); |
|
| 188 |
+ } |
|
| 189 |
+ |
|
| 190 |
+ p = procfs_file_alloca(pid, "status"); |
|
| 191 |
+ if (read_full_file(p, &t, NULL) >= 0) {
|
|
| 192 |
+- core_proc_status = strappend("COREDUMP_PROC_STATUS=", t);
|
|
| 193 |
+- free(t); |
|
| 194 |
+- |
|
| 195 |
+- if (core_proc_status) |
|
| 196 |
+- IOVEC_SET_STRING(iovec[j++], core_proc_status); |
|
| 197 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_STATUS=", t); |
|
| 198 |
+ } |
|
| 199 |
+ |
|
| 200 |
+ p = procfs_file_alloca(pid, "maps"); |
|
| 201 |
+ if (read_full_file(p, &t, NULL) >= 0) {
|
|
| 202 |
+- core_proc_maps = strappend("COREDUMP_PROC_MAPS=", t);
|
|
| 203 |
+- free(t); |
|
| 204 |
+- |
|
| 205 |
+- if (core_proc_maps) |
|
| 206 |
+- IOVEC_SET_STRING(iovec[j++], core_proc_maps); |
|
| 207 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_MAPS=", t); |
|
| 208 |
+ } |
|
| 209 |
+ |
|
| 210 |
+ p = procfs_file_alloca(pid, "limits"); |
|
| 211 |
+ if (read_full_file(p, &t, NULL) >= 0) {
|
|
| 212 |
+- core_proc_limits = strappend("COREDUMP_PROC_LIMITS=", t);
|
|
| 213 |
+- free(t); |
|
| 214 |
+- |
|
| 215 |
+- if (core_proc_limits) |
|
| 216 |
+- IOVEC_SET_STRING(iovec[j++], core_proc_limits); |
|
| 217 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_LIMITS=", t); |
|
| 218 |
+ } |
|
| 219 |
+ |
|
| 220 |
+ p = procfs_file_alloca(pid, "cgroup"); |
|
| 221 |
+ if (read_full_file(p, &t, NULL) >=0) {
|
|
| 222 |
+- core_proc_cgroup = strappend("COREDUMP_PROC_CGROUP=", t);
|
|
| 223 |
+- free(t); |
|
| 224 |
+- |
|
| 225 |
+- if (core_proc_cgroup) |
|
| 226 |
+- IOVEC_SET_STRING(iovec[j++], core_proc_cgroup); |
|
| 227 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_CGROUP=", t); |
|
| 228 |
+ } |
|
| 229 |
+ |
|
| 230 |
+ if (get_process_cwd(pid, &t) >= 0) {
|
|
| 231 |
+- core_cwd = strjoina("COREDUMP_CWD=", t);
|
|
| 232 |
+- free(t); |
|
| 233 |
+- |
|
| 234 |
+- IOVEC_SET_STRING(iovec[j++], core_cwd); |
|
| 235 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CWD=", t); |
|
| 236 |
+ } |
|
| 237 |
+ |
|
| 238 |
+ if (get_process_root(pid, &t) >= 0) {
|
|
| 239 |
+- core_root = strjoina("COREDUMP_ROOT=", t);
|
|
| 240 |
+- free(t); |
|
| 241 |
+- |
|
| 242 |
+- IOVEC_SET_STRING(iovec[j++], core_root); |
|
| 243 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_ROOT=", t); |
|
| 244 |
+ } |
|
| 245 |
+ |
|
| 246 |
+ if (get_process_environ(pid, &t) >= 0) {
|
|
| 247 |
+- core_environ = strappend("COREDUMP_ENVIRON=", t);
|
|
| 248 |
+- free(t); |
|
| 249 |
+- |
|
| 250 |
+- if (core_environ) |
|
| 251 |
+- IOVEC_SET_STRING(iovec[j++], core_environ); |
|
| 252 |
++ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_ENVIRON=", t); |
|
| 253 |
+ } |
|
| 254 |
+ |
|
| 255 |
+ core_timestamp = strjoin("COREDUMP_TIMESTAMP=", info[INFO_TIMESTAMP], "000000", NULL);
|
|
| 256 |
+ if (core_timestamp) |
|
| 257 |
+- IOVEC_SET_STRING(iovec[j++], core_timestamp); |
|
| 258 |
++ IOVEC_SET_STRING(iovec[n_iovec++], core_timestamp); |
|
| 259 |
+ |
|
| 260 |
+- IOVEC_SET_STRING(iovec[j++], "MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1"); |
|
| 261 |
+- IOVEC_SET_STRING(iovec[j++], "PRIORITY=2"); |
|
| 262 |
++ IOVEC_SET_STRING(iovec[n_iovec++], "MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1"); |
|
| 263 |
++ IOVEC_SET_STRING(iovec[n_iovec++], "PRIORITY=2"); |
|
| 264 |
+ |
|
| 265 |
+ /* Vacuum before we write anything again */ |
|
| 266 |
+ coredump_vacuum(-1, arg_keep_free, arg_max_use); |
|
| 267 |
+@@ -811,7 +749,7 @@ int main(int argc, char* argv[]) {
|
|
| 268 |
+ const char *coredump_filename; |
|
| 269 |
+ |
|
| 270 |
+ coredump_filename = strjoina("COREDUMP_FILENAME=", filename);
|
|
| 271 |
+- IOVEC_SET_STRING(iovec[j++], coredump_filename); |
|
| 272 |
++ IOVEC_SET_STRING(iovec[n_iovec++], coredump_filename); |
|
| 273 |
+ } |
|
| 274 |
+ |
|
| 275 |
+ /* Vacuum again, but exclude the coredump we just created */ |
|
| 276 |
+@@ -849,7 +787,7 @@ int main(int argc, char* argv[]) {
|
|
| 277 |
+ log: |
|
| 278 |
+ core_message = strjoin("MESSAGE=Process ", info[INFO_PID], " (", comm, ") of user ", info[INFO_UID], " dumped core.", NULL);
|
|
| 279 |
+ if (core_message) |
|
| 280 |
+- IOVEC_SET_STRING(iovec[j++], core_message); |
|
| 281 |
++ IOVEC_SET_STRING(iovec[n_iovec++], core_message); |
|
| 282 |
+ |
|
| 283 |
+ /* Optionally store the entire coredump in the journal */ |
|
| 284 |
+ if (IN_SET(arg_storage, COREDUMP_STORAGE_JOURNAL, COREDUMP_STORAGE_BOTH) && |
|
| 285 |
+@@ -860,13 +798,13 @@ log: |
|
| 286 |
+ |
|
| 287 |
+ r = allocate_journal_field(coredump_fd, (size_t) coredump_size, &coredump_data, &sz); |
|
| 288 |
+ if (r >= 0) {
|
|
| 289 |
+- iovec[j].iov_base = coredump_data; |
|
| 290 |
+- iovec[j].iov_len = sz; |
|
| 291 |
+- j++; |
|
| 292 |
++ iovec[n_iovec].iov_base = coredump_data; |
|
| 293 |
++ iovec[n_iovec].iov_len = sz; |
|
| 294 |
++ n_iovec++; |
|
| 295 |
+ } |
|
| 296 |
+ } |
|
| 297 |
+ |
|
| 298 |
+- r = sd_journal_sendv(iovec, j); |
|
| 299 |
++ r = sd_journal_sendv(iovec, n_iovec); |
|
| 300 |
+ if (r < 0) |
|
| 301 |
+ log_error_errno(r, "Failed to log coredump: %m"); |
|
| 302 |
+ |
|
| 303 |
+diff -rup systemd-228/src/journal/journald-server.c systemd-228-new/src/journal/journald-server.c |
|
| 304 |
+--- systemd-228/src/journal/journald-server.c 2015-11-17 23:59:06.000000000 -0800 |
|
| 305 |
+@@ -579,6 +579,7 @@ static void dispatch_message_real( |
|
| 306 |
+ o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
|
|
| 307 |
+ o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
|
|
| 308 |
+ o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
|
|
| 309 |
++ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; |
|
| 310 |
+ uid_t object_uid; |
|
| 311 |
+ gid_t object_gid; |
|
| 312 |
+ char *x; |
|
| 313 |
+@@ -629,9 +630,9 @@ static void dispatch_message_real( |
|
| 314 |
+ |
|
| 315 |
+ r = get_process_cmdline(ucred->pid, 0, false, &t); |
|
| 316 |
+ if (r >= 0) {
|
|
| 317 |
+- x = strjoina("_CMDLINE=", t);
|
|
| 318 |
+- free(t); |
|
| 319 |
+- IOVEC_SET_STRING(iovec[n++], x); |
|
| 320 |
++ /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. |
|
| 321 |
++ * Let's use a heap allocation for this one. */ |
|
| 322 |
++ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t); |
|
| 323 |
+ } |
|
| 324 |
+ |
|
| 325 |
+ r = get_process_capeff(ucred->pid, &t); |
|
| 326 |
+@@ -757,9 +758,7 @@ static void dispatch_message_real( |
|
| 327 |
+ |
|
| 328 |
+ r = get_process_cmdline(object_pid, 0, false, &t); |
|
| 329 |
+ if (r >= 0) {
|
|
| 330 |
+- x = strjoina("OBJECT_CMDLINE=", t);
|
|
| 331 |
+- free(t); |
|
| 332 |
+- IOVEC_SET_STRING(iovec[n++], x); |
|
| 333 |
++ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); |
|
| 334 |
+ } |
|
| 335 |
+ |
|
| 336 |
+ #ifdef HAVE_AUDIT |
| 0 | 337 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,117 @@ |
| 0 |
+From 4489ac6683386805742f7ee678cb8580d669556b Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> |
|
| 2 |
+Date: Wed, 5 Dec 2018 22:45:02 +0100 |
|
| 3 |
+Subject: [PATCH 06/11] journald: set a limit on the number of fields (1k) |
|
| 4 |
+ |
|
| 5 |
+We allocate a iovec entry for each field, so with many short entries, |
|
| 6 |
+our memory usage and processing time can be large, even with a relatively |
|
| 7 |
+small message size. Let's refuse overly long entries. |
|
| 8 |
+ |
|
| 9 |
+CVE-2018-16865 |
|
| 10 |
+https://bugzilla.redhat.com/show_bug.cgi?id=1653861 |
|
| 11 |
+ |
|
| 12 |
+What from I can see, the problem is not from an alloca, despite what the CVE |
|
| 13 |
+description says, but from the attack multiplication that comes from creating |
|
| 14 |
+many very small iovecs: (void* + size_t) for each three bytes of input message. |
|
| 15 |
+--- |
|
| 16 |
+ src/journal/journald-native.c | 5 +++++ |
|
| 17 |
+ src/shared/journal-importer.h | 3 +++ |
|
| 18 |
+ 2 files changed, 8 insertions(+) |
|
| 19 |
+ |
|
| 20 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> |
|
| 21 |
+Date: Fri, 7 Dec 2018 10:48:10 +0100 |
|
| 22 |
+Subject: [PATCH 11/11] journal-remote: set a limit on the number of fields in |
|
| 23 |
+ a message |
|
| 24 |
+ |
|
| 25 |
+Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is |
|
| 26 |
+reused for the new error condition (too many fields). |
|
| 27 |
+ |
|
| 28 |
+This matches the change done for systemd-journald, hence forming the second |
|
| 29 |
+part of the fix for CVE-2018-16865 |
|
| 30 |
+(https://bugzilla.redhat.com/show_bug.cgi?id=1653861). |
|
| 31 |
+--- |
|
| 32 |
+ src/journal-remote/journal-remote-main.c | 7 +++++-- |
|
| 33 |
+ src/journal-remote/journal-remote.c | 3 +++ |
|
| 34 |
+ src/shared/journal-importer.c | 5 ++++- |
|
| 35 |
+ 3 files changed, 12 insertions(+), 3 deletions(-) |
|
| 36 |
+ |
|
| 37 |
+--- a/src/journal/journald-native.c |
|
| 38 |
+@@ -138,6 +138,10 @@ |
|
| 39 |
+ } |
|
| 40 |
+ |
|
| 41 |
+ /* A property follows */ |
|
| 42 |
++ if (n > ENTRY_FIELD_COUNT_MAX) {
|
|
| 43 |
++ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
|
|
| 44 |
++ goto finish; |
|
| 45 |
++ } |
|
| 46 |
+ |
|
| 47 |
+ /* n existing properties, 1 new, +1 for _TRANSPORT */ |
|
| 48 |
+ if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
|
|
| 49 |
+--- a/src/journal/journal-file.h |
|
| 50 |
+@@ -160,6 +160,9 @@ |
|
| 51 |
+ * files without adding too many zeros. */ |
|
| 52 |
+ #define OFSfmt "%06"PRIx64 |
|
| 53 |
+ |
|
| 54 |
++/* The maximum number of fields in an entry */ |
|
| 55 |
++#define ENTRY_FIELD_COUNT_MAX 1024 |
|
| 56 |
++ |
|
| 57 |
+ static inline bool VALID_REALTIME(uint64_t u) {
|
|
| 58 |
+ /* This considers timestamps until the year 3112 valid. That should be plenty room... */ |
|
| 59 |
+ return u > 0 && u < (1ULL << 55); |
|
| 60 |
+ |
|
| 61 |
+--- a/src/journal-remote/journal-remote-parse.c |
|
| 62 |
+@@ -109,7 +109,7 @@ |
|
| 63 |
+ source->scanned = source->filled; |
|
| 64 |
+ if (source->scanned >= DATA_SIZE_MAX) {
|
|
| 65 |
+ log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
|
|
| 66 |
+- return -E2BIG; |
|
| 67 |
++ return -ENOBUFS; |
|
| 68 |
+ } |
|
| 69 |
+ |
|
| 70 |
+ if (source->passive_fd) |
|
| 71 |
+--- a/src/journal-remote/journal-remote.c |
|
| 72 |
+@@ -526,11 +526,18 @@ |
|
| 73 |
+ break; |
|
| 74 |
+ else if (r < 0) {
|
|
| 75 |
+ log_warning("Failed to process data for connection %p", connection);
|
|
| 76 |
+- if (r == -E2BIG) |
|
| 77 |
++ if (r == -ENOBUFS) |
|
| 78 |
+ return mhd_respondf(connection, |
|
| 79 |
+ MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, |
|
| 80 |
+ "Entry is too large, maximum is %u bytes.\n", |
|
| 81 |
+ DATA_SIZE_MAX); |
|
| 82 |
++ |
|
| 83 |
++ else if (r == -E2BIG) |
|
| 84 |
++ return mhd_respondf(connection, |
|
| 85 |
++ MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, |
|
| 86 |
++ "Entry with more fields than the maximum of %u\n", |
|
| 87 |
++ ENTRY_FIELD_COUNT_MAX); |
|
| 88 |
++ |
|
| 89 |
+ else |
|
| 90 |
+ return mhd_respondf(connection, |
|
| 91 |
+ MHD_HTTP_UNPROCESSABLE_ENTITY, |
|
| 92 |
+@@ -1056,6 +1063,9 @@ |
|
| 93 |
+ log_debug("%zu active sources remaining", s->active);
|
|
| 94 |
+ return 0; |
|
| 95 |
+ } else if (r == -E2BIG) {
|
|
| 96 |
++ log_notice("Entry with too many fields, skipped");
|
|
| 97 |
++ return 1; |
|
| 98 |
++ } else if (r == -ENOBUFS) {
|
|
| 99 |
+ log_notice_errno(E2BIG, "Entry too big, skipped"); |
|
| 100 |
+ return 1; |
|
| 101 |
+ } else if (r == -EAGAIN) {
|
|
| 102 |
+--- a/src/journal-remote/journal-remote-write.c |
|
| 103 |
+@@ -21,6 +21,9 @@ |
|
| 104 |
+ #include "journal-remote.h" |
|
| 105 |
+ |
|
| 106 |
+ int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
|
|
| 107 |
++ if (iovw->count >= ENTRY_FIELD_COUNT_MAX) |
|
| 108 |
++ return -E2BIG; |
|
| 109 |
++ |
|
| 110 |
+ if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) |
|
| 111 |
+ return log_oom(); |
| 0 | 112 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,60 @@ |
| 0 |
+From a6aadf4ae0bae185dc4c414d492a4a781c80ffe5 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Yu Watanabe <watanabe.yu+github@gmail.com> |
|
| 2 |
+Date: Wed, 8 Aug 2018 15:06:36 +0900 |
|
| 3 |
+Subject: [PATCH] journal: fix syslog_parse_identifier() |
|
| 4 |
+ |
|
| 5 |
+Fixes #9829. |
|
| 6 |
+--- |
|
| 7 |
+ src/journal/journald-syslog.c | 6 +++--- |
|
| 8 |
+ src/journal/test-journal-syslog.c | 10 ++++++++-- |
|
| 9 |
+ 2 files changed, 11 insertions(+), 5 deletions(-) |
|
| 10 |
+ |
|
| 11 |
+--- a/src/journal/journald-syslog.c |
|
| 12 |
+@@ -212,7 +212,7 @@ |
|
| 13 |
+ e = l; |
|
| 14 |
+ l--; |
|
| 15 |
+ |
|
| 16 |
+- if (p[l-1] == ']') {
|
|
| 17 |
++ if (l > 0 && p[l-1] == ']') {
|
|
| 18 |
+ size_t k = l-1; |
|
| 19 |
+ |
|
| 20 |
+ for (;;) {
|
|
| 21 |
+@@ -237,8 +237,8 @@ |
|
| 22 |
+ if (t) |
|
| 23 |
+ *identifier = t; |
|
| 24 |
+ |
|
| 25 |
+- if (strchr(WHITESPACE, p[e])) |
|
| 26 |
+- e++; |
|
| 27 |
++ e += strspn(p + e, WHITESPACE); |
|
| 28 |
++ |
|
| 29 |
+ *buf = p + e; |
|
| 30 |
+ return e; |
|
| 31 |
+ } |
|
| 32 |
+--- a/src/journal/test-journal-syslog.c |
|
| 33 |
+@@ -23,8 +23,8 @@ |
|
| 34 |
+ #include "macro.h" |
|
| 35 |
+ #include "string-util.h" |
|
| 36 |
+ |
|
| 37 |
+-static void test_syslog_parse_identifier(const char* str, |
|
| 38 |
+- const char *ident, const char*pid, int ret) {
|
|
| 39 |
++static void test_syslog_parse_identifier(const char *str, |
|
| 40 |
++ const char *ident, const char *pid, int ret) {
|
|
| 41 |
+ const char *buf = str; |
|
| 42 |
+ _cleanup_free_ char *ident2 = NULL, *pid2 = NULL; |
|
| 43 |
+ int ret2; |
|
| 44 |
+@@ -39,7 +39,13 @@ |
|
| 45 |
+ int main(void) {
|
|
| 46 |
+ test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
|
|
| 47 |
+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
|
|
| 48 |
++ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7);
|
|
| 49 |
+ test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
|
|
| 50 |
++ test_syslog_parse_identifier(":", "", NULL, 1);
|
|
| 51 |
++ test_syslog_parse_identifier(": ", "", NULL, 3);
|
|
| 52 |
++ test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
|
|
| 53 |
++ test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
|
|
| 54 |
++ test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);
|
|
| 55 |
+ |
|
| 56 |
+ return 0; |
|
| 57 |
+ } |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Systemd-228 |
| 2 | 2 |
Name: systemd |
| 3 | 3 |
Version: 228 |
| 4 |
-Release: 49%{?dist}
|
|
| 4 |
+Release: 50%{?dist}
|
|
| 5 | 5 |
License: LGPLv2+ and GPLv2+ and MIT |
| 6 | 6 |
URL: http://www.freedesktop.org/wiki/Software/systemd/ |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -46,8 +46,11 @@ Patch28: systemd-228-link-disabled-nullptr-fix.patch |
| 46 | 46 |
Patch29: systemd-228-CVE-2017-15908-dns-pkt-loop-fix.patch |
| 47 | 47 |
Patch30: systemd-228-CVE-2017-18078.patch |
| 48 | 48 |
Patch31: systemd-228-CVE-2018-1049.patch |
| 49 |
-Patch32: systemd-228-CVE-2018-15688.patch |
|
| 50 |
-Patch33: systemd-228-CVE-2018-15686.patch |
|
| 49 |
+Patch32: systemd-228-CVE-2018-15688.patch |
|
| 50 |
+Patch33: systemd-228-CVE-2018-15686.patch |
|
| 51 |
+Patch34: systemd-228-CVE-2018-16864.patch |
|
| 52 |
+Patch35: systemd-228-CVE-2018-16865.patch |
|
| 53 |
+Patch36: systemd-228-CVE-2018-16866.patch |
|
| 51 | 54 |
Requires: Linux-PAM |
| 52 | 55 |
Requires: libcap |
| 53 | 56 |
Requires: xz |
| ... | ... |
@@ -115,6 +118,9 @@ sed -i "s:blkid/::" $(grep -rl "blkid/blkid.h") |
| 115 | 115 |
%patch31 -p1 |
| 116 | 116 |
%patch32 -p1 |
| 117 | 117 |
%patch33 -p1 |
| 118 |
+%patch34 -p1 |
|
| 119 |
+%patch35 -p1 |
|
| 120 |
+%patch36 -p1 |
|
| 118 | 121 |
sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf |
| 119 | 122 |
|
| 120 | 123 |
%build |
| ... | ... |
@@ -255,6 +261,8 @@ rm -rf %{buildroot}/*
|
| 255 | 255 |
|
| 256 | 256 |
|
| 257 | 257 |
%changelog |
| 258 |
+* Thu Jan 10 2019 Anish Swaminathan <anishs@vmware.com> 228-50 |
|
| 259 |
+- Fix CVE-2018-16864, CVE-2018-16865, CVE-2018-16866 |
|
| 258 | 260 |
* Fri Jan 04 2019 Anish Swaminathan <anishs@vmware.com> 228-49 |
| 259 | 261 |
- Fix CVE-2018-15686 |
| 260 | 262 |
* Fri Nov 02 2018 Tapas Kundu <tkundu@vmware.com> 228-48 |