authorKhem Raj <raj.khem@gmail.com>2018-12-16 21:54:42 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-12-18 16:19:34 +0000
commit1fa8e90c420c0475efd043c633bf3c7b057da2b2 (patch)
tree6ca8d5171e2939e0a0814abdde9e5683c6823907
parent18e0cec330c3450fd7e7da3a2832c61c36ffc01b (diff)
systemd: Fix memory use after free errors
Found with gcc trunk (From OE-Core rev: 381c63ad2a6e004658b0232b6e6763f49f412b2b) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/systemd/systemd/0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch31
-rw-r--r--meta/recipes-core/systemd/systemd/0002-core-Fix-use-after-free-case-in-load_from_path.patch43
-rw-r--r--meta/recipes-core/systemd/systemd_239.bb2
3 files changed, 76 insertions, 0 deletions
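--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch
@@ -0,0 +1,31 @@
+From bfc4183ea995f1c211385d066cdb1fe9ce89f621 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 16 Dec 2018 20:53:38 -0800
+Subject: [PATCH 1/2] sysctl: Don't pass null directive argument to '%s'
+
+value pointer here is always NULL but subsequent use of that pointer
+with a %s format will always be NULL, printing p instead would be a
+valid string
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179]
+ src/sysctl/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
+index 1cfe51018..c67d79032 100644
+--- a/src/sysctl/sysctl.c
++++ b/src/sysctl/sysctl.c
+@@ -115,7 +115,7 @@ static int parse_file(OrderedHashmap *sysctl_options, const char *path, bool ign
+
+ value = strchr(p, '=');
+ if (!value) {
+- log_error("Line is not an assignment at '%s:%u': %s", path, c, value);
++ log_error("Line is not an assignment at '%s:%u': %s", path, c, p);
+
+ if (r == 0)
+ r = -EINVAL;
+--
+2.20.1
+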
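Review bot: The embedded patch description is hard to follow, and the recipe commit subject files this change under use-after-free although the fix in `parse_file()` is for a NULL `%s` argument: inside the `if (!value)` branch `value` is NULL by construction, and passing NULL to `%s` is undefined behaviour. I would reword the description to something like `value is NULL in this branch, so log the offending line p instead of passing NULL to %s`. Both this patch and 0002 carry `Upstream-Status: Submitted` for the same pull request, so the status should be revisited once that request is resolved. parse_file's body starts and ends outside the inner hunk.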
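--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-core-Fix-use-after-free-case-in-load_from_path.patch
@@ -0,0 +1,43 @@
+From cb67aebd63d9f0077cbf3e769f0b223c5bba20ac Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 16 Dec 2018 20:58:35 -0800
+Subject: [PATCH 2/2] core: Fix use after free case in load_from_path()
+
+ensure that mfree() on filename is called after the logging function
+which uses the string pointed by filename
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179]
+ src/core/load-fragment.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index fc5644f48..da585786e 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -4531,7 +4531,6 @@ static int load_from_path(Unit *u, const char *path) {
+ r = open_follow(&filename, &f, symlink_names, &id);
+ if (r >= 0)
+ break;
+- filename = mfree(filename);
+
+ /* ENOENT means that the file is missing or is a dangling symlink.
+ * ENOTDIR means that one of paths we expect to be is a directory
+@@ -4540,9 +4539,12 @@ static int load_from_path(Unit *u, const char *path) {
+ */
+ if (r == -EACCES)
+ log_debug_errno(r, "Cannot access \"%s\": %m", filename);
+- else if (!IN_SET(r, -ENOENT, -ENOTDIR))
++ else if (!IN_SET(r, -ENOENT, -ENOTDIR)) {
++ filename = mfree(filename);
+ return r;
++ }
+
++ filename = mfree(filename);
+ /* Empty the symlink names for the next run */
+ set_clear_free(symlink_names);
+ }
+--
+2.20.1
+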
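Review bot: The `filename = mfree(filename);` added before `return r` may be redundant, and the reason for moving the other free is not recorded next to the code. The declaration of `filename` is outside the hunk; if it carries systemd's `_cleanup_free_` attribute, the early-return path already frees it and the braced branch can stay the original `return r;`. On the free that now follows the logging I would add `/* free only after log_debug_errno() above, which still reads filename */` so a later cleanup does not move it back above the `-EACCES` branch. load_from_path's body starts and ends outside the inner hunk.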
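--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -35,6 +35,8 @@ SRC_URI += "file://touchscreen.rules \
  file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \
  file://0001-Revert-sysctl.d-request-ECN-on-both-in-and-outgoing-.patch \
  file://0001-timesync-changes-type-of-drift_freq-to-int64_t.patch \
+ file://0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch \
+ file://0002-core-Fix-use-after-free-case-in-load_from_path.patch \
  "
 
 # patches made for musl are only applied on TCLIBC is musl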