diff options
| author | Chen Qi <Qi.Chen@windriver.com> | 2016-10-26 14:09:47 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:32 +0000 |
| commit | 92d604ca28acfaf2c2a1db8332d9ed938c6bebd6 (patch) | |
| tree | 0eb40ae743dfee451316622794c3c1137e448715 | |
| parent | d31d1ad4e566e42d0bbcf1f41ac25e33181fb517 (diff) | |
| download | poky-92d604ca28acfaf2c2a1db8332d9ed938c6bebd6.tar.gz | |
systemd: CVE-2016-7795
The manager_invoke_notify_message function in systemd 231 and earlier allows
local users to cause a denial of service (assertion failure and PID 1 hang)
via a zero-length message received over a notify socket.
The patch is a backport from the latest git repo.
Please see the link below for more information.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795
(From OE-Core rev: 543570cafa8d7f595b489d03d05f0aa4478f8539)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2016-7795.patch | 69 | ||||
| -rw-r--r-- | meta/recipes-core/systemd/systemd_230.bb | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch new file mode 100644 index 0000000000..5ecb9c32de --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch | |||
| @@ -0,0 +1,69 @@ | |||
| 1 | Subject: Fix CVE-2016-7795 | ||
| 2 | |||
| 3 | This undoes 531ac2b. I acked that patch without looking at the code | ||
| 4 | carefully enough. There are two problems: | ||
| 5 | - we want to process the fds anyway | ||
| 6 | - in principle empty notification messages are valid, and we should | ||
| 7 | process them as usual, including logging using log_unit_debug(). | ||
| 8 | |||
| 9 | Upstream-Status: Backport | ||
| 10 | CVE: CVE-2016-7795 | ||
| 11 | |||
| 12 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
| 13 | --- | ||
| 14 | src/core/manager.c | 11 ++++++----- | ||
| 15 | 1 file changed, 6 insertions(+), 5 deletions(-) | ||
| 16 | |||
| 17 | diff --git a/src/core/manager.c b/src/core/manager.c | ||
| 18 | index 7838f56..f165d08e 100644 | ||
| 19 | --- a/src/core/manager.c | ||
| 20 | +++ b/src/core/manager.c | ||
| 21 | @@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui | ||
| 22 | return 0; | ||
| 23 | } | ||
| 24 | |||
| 25 | -static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) { | ||
| 26 | +static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) { | ||
| 27 | _cleanup_strv_free_ char **tags = NULL; | ||
| 28 | |||
| 29 | assert(m); | ||
| 30 | assert(u); | ||
| 31 | assert(buf); | ||
| 32 | - assert(n > 0); | ||
| 33 | |||
| 34 | tags = strv_split(buf, "\n\r"); | ||
| 35 | if (!tags) { | ||
| 36 | @@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t | ||
| 37 | return 0; | ||
| 38 | } | ||
| 39 | |||
| 40 | + /* The message should be a string. Here we make sure it's NUL-terminated, | ||
| 41 | + * but only the part until first NUL will be used anyway. */ | ||
| 42 | buf[n] = 0; | ||
| 43 | |||
| 44 | /* Notify every unit that might be interested, but try | ||
| 45 | * to avoid notifying the same one multiple times. */ | ||
| 46 | u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid); | ||
| 47 | if (u1) { | ||
| 48 | - manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds); | ||
| 49 | + manager_invoke_notify_message(m, u1, ucred->pid, buf, fds); | ||
| 50 | found = true; | ||
| 51 | } | ||
| 52 | |||
| 53 | u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid)); | ||
| 54 | if (u2 && u2 != u1) { | ||
| 55 | - manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds); | ||
| 56 | + manager_invoke_notify_message(m, u2, ucred->pid, buf, fds); | ||
| 57 | found = true; | ||
| 58 | } | ||
| 59 | |||
| 60 | u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid)); | ||
| 61 | if (u3 && u3 != u2 && u3 != u1) { | ||
| 62 | - manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds); | ||
| 63 | + manager_invoke_notify_message(m, u3, ucred->pid, buf, fds); | ||
| 64 | found = true; | ||
| 65 | } | ||
| 66 | |||
| 67 | -- | ||
| 68 | 2.8.3 | ||
| 69 | |||
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb index 542f99d04b..f60dd60d01 100644 --- a/meta/recipes-core/systemd/systemd_230.bb +++ b/meta/recipes-core/systemd/systemd_230.bb | |||
| @@ -36,6 +36,7 @@ SRC_URI += " \ | |||
| 36 | file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \ | 36 | file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \ |
| 37 | file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \ | 37 | file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \ |
| 38 | file://udev-re-enable-mount-propagation-for-udevd.patch \ | 38 | file://udev-re-enable-mount-propagation-for-udevd.patch \ |
| 39 | file://CVE-2016-7795.patch \ | ||
| 39 | " | 40 | " |
| 40 | SRC_URI_append_libc-uclibc = "\ | 41 | SRC_URI_append_libc-uclibc = "\ |
| 41 | file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \ | 42 | file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \ |