diff options
author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-01-28 13:57:44 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-24 16:48:38 +0000 |
commit | d693d371a64b47c35f2849b9bb5ca79b6e2eac1f (patch) | |
tree | bc2f764d311d2dd8cb66ccde0bc4ced3ee47366d | |
parent | 7fc2c193b294fc66992541d5c055c8bb86c17043 (diff) | |
download | poky-d693d371a64b47c35f2849b9bb5ca79b6e2eac1f.tar.gz |
systemd: Update recent CVE patches
* Added CVE tag, Upstream-Status tag and Sign-off-by tags.
* Removed the verification of the entry length in the header
* Squashed CVE-2018-16865 patches into one
* CVE-2018-16866 patch now taken from systemd-stable and includes
an additional heap buffer overflow fix.
(From OE-Core rev: bc79395e2fcb886f224a4ad837fd93c779d2c53d)
(From OE-Core rev: 554a65619c45fec24f1790792de2db12a098bd80)
Signed-off-by: Marcus Cooper <marcusc@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
8 files changed, 195 insertions, 306 deletions
diff --git a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch index c3009545b1..c2f78be39e 100644 --- a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch +++ b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From fe19f5a9d0d8b9977e9507a9b66c3cc66744cd38 Mon Sep 17 00:00:00 2001 | 1 | From 9cb07e7d82c7c4f28bbaa1478e1387e8ea3d03dd Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | 2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> |
3 | Date: Wed, 5 Dec 2018 18:38:39 +0100 | 3 | Date: Wed, 5 Dec 2018 18:38:39 +0100 |
4 | Subject: [PATCH] journald: do not store the iovec entry for process | 4 | Subject: [PATCH] journald: do not store the iovec entry for process |
@@ -16,6 +16,10 @@ journal_file_append_entry() returns -E2BIG. | |||
16 | 16 | ||
17 | Patch backported from systemd master at | 17 | Patch backported from systemd master at |
18 | 084eeb865ca63887098e0945fb4e93c852b91b0f. | 18 | 084eeb865ca63887098e0945fb4e93c852b91b0f. |
19 | |||
20 | CVE: CVE-2018-16864 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Marcus Cooper <marcusc@axis.com> | ||
19 | --- | 23 | --- |
20 | src/basic/io-util.c | 10 ++++++++++ | 24 | src/basic/io-util.c | 10 ++++++++++ |
21 | src/basic/io-util.h | 2 ++ | 25 | src/basic/io-util.h | 2 ++ |
diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch deleted file mode 100644 index 50a01efe8f..0000000000 --- a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch +++ /dev/null | |||
@@ -1,56 +0,0 @@ | |||
1 | From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Wed, 5 Dec 2018 22:45:02 +0100 | ||
4 | Subject: [PATCH] journald: set a limit on the number of fields (1k) | ||
5 | |||
6 | We allocate a iovec entry for each field, so with many short entries, | ||
7 | our memory usage and processing time can be large, even with a relatively | ||
8 | small message size. Let's refuse overly long entries. | ||
9 | |||
10 | CVE-2018-16865 | ||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=1653861 | ||
12 | |||
13 | What from I can see, the problem is not from an alloca, despite what the CVE | ||
14 | description says, but from the attack multiplication that comes from creating | ||
15 | many very small iovecs: (void* + size_t) for each three bytes of input message. | ||
16 | |||
17 | Patch backported from systemd master at | ||
18 | 052c57f132f04a3cf4148f87561618da1a6908b4. | ||
19 | --- | ||
20 | src/basic/journal-importer.h | 3 +++ | ||
21 | src/journal/journald-native.c | 5 +++++ | ||
22 | 2 files changed, 8 insertions(+) | ||
23 | |||
24 | diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h | ||
25 | index f49ce734a1..c4ae45d32d 100644 | ||
26 | --- a/src/basic/journal-importer.h | ||
27 | +++ b/src/basic/journal-importer.h | ||
28 | @@ -16,6 +16,9 @@ | ||
29 | #define DATA_SIZE_MAX (1024*1024*768u) | ||
30 | #define LINE_CHUNK 8*1024u | ||
31 | |||
32 | +/* The maximum number of fields in an entry */ | ||
33 | +#define ENTRY_FIELD_COUNT_MAX 1024 | ||
34 | + | ||
35 | struct iovec_wrapper { | ||
36 | struct iovec *iovec; | ||
37 | size_t size_bytes; | ||
38 | diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c | ||
39 | index 5ff22a10af..951d092053 100644 | ||
40 | --- a/src/journal/journald-native.c | ||
41 | +++ b/src/journal/journald-native.c | ||
42 | @@ -140,6 +140,11 @@ static int server_process_entry( | ||
43 | } | ||
44 | |||
45 | /* A property follows */ | ||
46 | + if (n > ENTRY_FIELD_COUNT_MAX) { | ||
47 | + log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); | ||
48 | + r = 1; | ||
49 | + goto finish; | ||
50 | + } | ||
51 | |||
52 | /* n existing properties, 1 new, +1 for _TRANSPORT */ | ||
53 | if (!GREEDY_REALLOC(iovec, m, | ||
54 | -- | ||
55 | 2.11.0 | ||
56 | |||
diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch new file mode 100644 index 0000000000..ae9ef5de56 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch | |||
@@ -0,0 +1,139 @@ | |||
1 | From 7cad044b72406cbadf048da432c29afea74c3c10 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Wed, 5 Dec 2018 22:45:02 +0100 | ||
4 | Subject: [PATCH] journald: set a limit on the number of fields | ||
5 | |||
6 | The fix for CVE-2018-16865 is plucked from two commits that have | ||
7 | been pushed to systemd master. | ||
8 | |||
9 | journald: set a limit on the number of fields (1k) | ||
10 | |||
11 | We allocate a iovec entry for each field, so with many short entries, | ||
12 | our memory usage and processing time can be large, even with a relatively | ||
13 | small message size. Let's refuse overly long entries. | ||
14 | |||
15 | CVE-2018-16865 | ||
16 | https://bugzilla.redhat.com/show_bug.cgi?id=1653861 | ||
17 | |||
18 | What from I can see, the problem is not from an alloca, despite what the CVE | ||
19 | description says, but from the attack multiplication that comes from creating | ||
20 | many very small iovecs: (void* + size_t) for each three bytes of input message. | ||
21 | |||
22 | Patch backported from systemd master at | ||
23 | 052c57f132f04a3cf4148f87561618da1a6908b4. | ||
24 | |||
25 | journal-remote: set a limit on the number of fields in a message | ||
26 | |||
27 | Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is | ||
28 | reused for the new error condition (too many fields). | ||
29 | |||
30 | This matches the change done for systemd-journald, hence forming the second | ||
31 | part of the fix for CVE-2018-16865 | ||
32 | (https://bugzilla.redhat.com/show_bug.cgi?id=1653861). | ||
33 | |||
34 | Patch backported from systemd master at | ||
35 | ef4d6abe7c7fab6cbff975b32e76b09feee56074. | ||
36 | with the changes applied by 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd | ||
37 | removed. | ||
38 | |||
39 | CVE: CVE-2018-16865 | ||
40 | Upstream-Status: Backport | ||
41 | Signed-off-by: Marcus Cooper <marcusc@axis.com> | ||
42 | --- | ||
43 | src/basic/journal-importer.c | 5 ++++- | ||
44 | src/basic/journal-importer.h | 3 +++ | ||
45 | src/journal-remote/journal-remote-main.c | 7 ++++++- | ||
46 | src/journal-remote/journal-remote.c | 5 ++++- | ||
47 | src/journal/journald-native.c | 5 +++++ | ||
48 | 5 files changed, 22 insertions(+), 3 deletions(-) | ||
49 | |||
50 | diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c | ||
51 | index ca203bbbfc..3ac55a66d9 100644 | ||
52 | --- a/src/basic/journal-importer.c | ||
53 | +++ b/src/basic/journal-importer.c | ||
54 | @@ -23,6 +23,9 @@ enum { | ||
55 | }; | ||
56 | |||
57 | static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { | ||
58 | + if (iovw->count >= ENTRY_FIELD_COUNT_MAX) | ||
59 | + return -E2BIG; | ||
60 | + | ||
61 | if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) | ||
62 | return log_oom(); | ||
63 | |||
64 | @@ -98,7 +101,7 @@ static int get_line(JournalImporter *imp, char **line, size_t *size) { | ||
65 | imp->scanned = imp->filled; | ||
66 | if (imp->scanned >= DATA_SIZE_MAX) { | ||
67 | log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX); | ||
68 | - return -E2BIG; | ||
69 | + return -ENOBUFS; | ||
70 | } | ||
71 | |||
72 | if (imp->passive_fd) | ||
73 | diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h | ||
74 | index f49ce734a1..c4ae45d32d 100644 | ||
75 | --- a/src/basic/journal-importer.h | ||
76 | +++ b/src/basic/journal-importer.h | ||
77 | @@ -16,6 +16,9 @@ | ||
78 | #define DATA_SIZE_MAX (1024*1024*768u) | ||
79 | #define LINE_CHUNK 8*1024u | ||
80 | |||
81 | +/* The maximum number of fields in an entry */ | ||
82 | +#define ENTRY_FIELD_COUNT_MAX 1024 | ||
83 | + | ||
84 | struct iovec_wrapper { | ||
85 | struct iovec *iovec; | ||
86 | size_t size_bytes; | ||
87 | diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c | ||
88 | index 8fda9d1499..3a01fef646 100644 | ||
89 | --- a/src/journal-remote/journal-remote-main.c | ||
90 | +++ b/src/journal-remote/journal-remote-main.c | ||
91 | @@ -212,7 +212,12 @@ static int process_http_upload( | ||
92 | break; | ||
93 | else if (r < 0) { | ||
94 | log_warning("Failed to process data for connection %p", connection); | ||
95 | - if (r == -E2BIG) | ||
96 | + if (r == -ENOBUFS) | ||
97 | + return mhd_respondf(connection, | ||
98 | + r, MHD_HTTP_PAYLOAD_TOO_LARGE, | ||
99 | + "Entry is above the maximum of %u, aborting connection %p.", | ||
100 | + DATA_SIZE_MAX, connection); | ||
101 | + else if (r == -E2BIG) | ||
102 | return mhd_respondf(connection, | ||
103 | r, MHD_HTTP_PAYLOAD_TOO_LARGE, | ||
104 | "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes."); | ||
105 | diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c | ||
106 | index beb75a1cb4..67e3a70c06 100644 | ||
107 | --- a/src/journal-remote/journal-remote.c | ||
108 | +++ b/src/journal-remote/journal-remote.c | ||
109 | @@ -408,7 +408,10 @@ int journal_remote_handle_raw_source( | ||
110 | log_debug("%zu active sources remaining", s->active); | ||
111 | return 0; | ||
112 | } else if (r == -E2BIG) { | ||
113 | - log_notice_errno(E2BIG, "Entry too big, skipped"); | ||
114 | + log_notice("Entry with too many fields, skipped"); | ||
115 | + return 1; | ||
116 | + } else if (r == -ENOBUFS) { | ||
117 | + log_notice("Entry too big, skipped"); | ||
118 | return 1; | ||
119 | } else if (r == -EAGAIN) { | ||
120 | return 0; | ||
121 | diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c | ||
122 | index 5ff22a10af..951d092053 100644 | ||
123 | --- a/src/journal/journald-native.c | ||
124 | +++ b/src/journal/journald-native.c | ||
125 | @@ -140,6 +140,11 @@ static int server_process_entry( | ||
126 | } | ||
127 | |||
128 | /* A property follows */ | ||
129 | + if (n > ENTRY_FIELD_COUNT_MAX) { | ||
130 | + log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); | ||
131 | + r = 1; | ||
132 | + goto finish; | ||
133 | + } | ||
134 | |||
135 | /* n existing properties, 1 new, +1 for _TRANSPORT */ | ||
136 | if (!GREEDY_REALLOC(iovec, m, | ||
137 | -- | ||
138 | 2.11.0 | ||
139 | |||
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 0000000000..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filipe Brandenburger <filbranden@google.com> | ||
3 | Date: Thu, 10 Jan 2019 14:53:33 -0800 | ||
4 | Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 | ||
5 | |||
6 | The original code didn't account for the fact that strchr() would match on the | ||
7 | '\0' character, making it read past the end of the buffer if no non-whitespace | ||
8 | character was present. | ||
9 | |||
10 | This bug was introduced in commit ec5ff4445cca6a which was first released in | ||
11 | systemd v221 and later fixed in commit 8595102d3ddde6 which was released in | ||
12 | v240, so versions in the range [v221, v240) are affected. | ||
13 | |||
14 | Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b | ||
15 | also includes a change from systemd master which removes a heap buffer overflow | ||
16 | a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. | ||
17 | |||
18 | CVE: CVE-2018-16866 | ||
19 | Upstream-Status: Backport | ||
20 | Signed-off-by: Marcus Cooper <marcusc@axis.com> | ||
21 | --- | ||
22 | src/journal/journald-syslog.c | 4 ++-- | ||
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c | ||
26 | index 9dea116722..809b318c06 100644 | ||
27 | --- a/src/journal/journald-syslog.c | ||
28 | +++ b/src/journal/journald-syslog.c | ||
29 | @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
30 | e = l; | ||
31 | l--; | ||
32 | |||
33 | - if (p[l-1] == ']') { | ||
34 | + if (l > 0 && p[l-1] == ']') { | ||
35 | size_t k = l-1; | ||
36 | |||
37 | for (;;) { | ||
38 | @@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
39 | if (t) | ||
40 | *identifier = t; | ||
41 | |||
42 | - if (strchr(WHITESPACE, p[e])) | ||
43 | + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) | ||
44 | e++; | ||
45 | *buf = p + e; | ||
46 | return e; | ||
47 | -- | ||
48 | 2.11.0 | ||
49 | |||
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch deleted file mode 100644 index 104945cc25..0000000000 --- a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch +++ /dev/null | |||
@@ -1,84 +0,0 @@ | |||
1 | From 4183ec3a135663128834ca8b35d50a60999343a7 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Fri, 7 Dec 2018 10:48:10 +0100 | ||
4 | Subject: [PATCH] journal-remote: set a limit on the number of fields in a | ||
5 | message | ||
6 | |||
7 | Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is | ||
8 | reused for the new error condition (too many fields). | ||
9 | |||
10 | This matches the change done for systemd-journald, hence forming the second | ||
11 | part of the fix for CVE-2018-16865 | ||
12 | (https://bugzilla.redhat.com/show_bug.cgi?id=1653861). | ||
13 | |||
14 | Patch backported from systemd master at | ||
15 | ef4d6abe7c7fab6cbff975b32e76b09feee56074. | ||
16 | --- | ||
17 | src/basic/journal-importer.c | 5 ++++- | ||
18 | src/journal-remote/journal-remote-main.c | 10 ++++++---- | ||
19 | src/journal-remote/journal-remote.c | 5 ++++- | ||
20 | 3 files changed, 14 insertions(+), 6 deletions(-) | ||
21 | |||
22 | diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c | ||
23 | index ca203bbbfc..3ac55a66d9 100644 | ||
24 | --- a/src/basic/journal-importer.c | ||
25 | +++ b/src/basic/journal-importer.c | ||
26 | @@ -23,6 +23,9 @@ enum { | ||
27 | }; | ||
28 | |||
29 | static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { | ||
30 | + if (iovw->count >= ENTRY_FIELD_COUNT_MAX) | ||
31 | + return -E2BIG; | ||
32 | + | ||
33 | if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) | ||
34 | return log_oom(); | ||
35 | |||
36 | @@ -98,7 +101,7 @@ static int get_line(JournalImporter *imp, char **line, size_t *size) { | ||
37 | imp->scanned = imp->filled; | ||
38 | if (imp->scanned >= DATA_SIZE_MAX) { | ||
39 | log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX); | ||
40 | - return -E2BIG; | ||
41 | + return -ENOBUFS; | ||
42 | } | ||
43 | |||
44 | if (imp->passive_fd) | ||
45 | diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c | ||
46 | index 8fda9d1499..f52618fb7b 100644 | ||
47 | --- a/src/journal-remote/journal-remote-main.c | ||
48 | +++ b/src/journal-remote/journal-remote-main.c | ||
49 | @@ -212,10 +212,12 @@ static int process_http_upload( | ||
50 | break; | ||
51 | else if (r < 0) { | ||
52 | log_warning("Failed to process data for connection %p", connection); | ||
53 | - if (r == -E2BIG) | ||
54 | - return mhd_respondf(connection, | ||
55 | - r, MHD_HTTP_PAYLOAD_TOO_LARGE, | ||
56 | - "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes."); | ||
57 | + if (r == -ENOBUFS) | ||
58 | + log_warning_errno(r, "Entry is above the maximum of %u, aborting connection %p.", | ||
59 | + DATA_SIZE_MAX, connection); | ||
60 | + else if (r == -E2BIG) | ||
61 | + log_warning_errno(r, "Entry with more fields than the maximum of %u, aborting connection %p.", | ||
62 | + ENTRY_FIELD_COUNT_MAX, connection); | ||
63 | else | ||
64 | return mhd_respondf(connection, | ||
65 | r, MHD_HTTP_UNPROCESSABLE_ENTITY, | ||
66 | diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c | ||
67 | index beb75a1cb4..67e3a70c06 100644 | ||
68 | --- a/src/journal-remote/journal-remote.c | ||
69 | +++ b/src/journal-remote/journal-remote.c | ||
70 | @@ -408,7 +408,10 @@ int journal_remote_handle_raw_source( | ||
71 | log_debug("%zu active sources remaining", s->active); | ||
72 | return 0; | ||
73 | } else if (r == -E2BIG) { | ||
74 | - log_notice_errno(E2BIG, "Entry too big, skipped"); | ||
75 | + log_notice("Entry with too many fields, skipped"); | ||
76 | + return 1; | ||
77 | + } else if (r == -ENOBUFS) { | ||
78 | + log_notice("Entry too big, skipped"); | ||
79 | return 1; | ||
80 | } else if (r == -EAGAIN) { | ||
81 | return 0; | ||
82 | -- | ||
83 | 2.11.0 | ||
84 | |||
diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch deleted file mode 100644 index d4df0e12fd..0000000000 --- a/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | From 8ccebb04e07628f7fe10131d6cd4f19d6a0d8f45 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yu Watanabe <watanabe.yu+github@gmail.com> | ||
3 | Date: Wed, 8 Aug 2018 15:06:36 +0900 | ||
4 | Subject: [PATCH] journal: fix syslog_parse_identifier() | ||
5 | |||
6 | Fixes #9829. | ||
7 | |||
8 | An out of bounds read was discovered in systemd-journald in the way it | ||
9 | parses log messages that terminate with a colon ':'. A local attacker | ||
10 | can use this flaw to disclose process memory data. | ||
11 | |||
12 | Patch backported from systemd master at | ||
13 | a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. | ||
14 | |||
15 | This matches the change done for systemd-journald, hence forming the first | ||
16 | part of the fix for CVE-2018-16866. | ||
17 | --- | ||
18 | src/journal/journald-syslog.c | 6 +++--- | ||
19 | src/journal/test-journal-syslog.c | 10 ++++++++-- | ||
20 | 2 files changed, 11 insertions(+), 5 deletions(-) | ||
21 | |||
22 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c | ||
23 | index 9dea116722..97711ac7a3 100644 | ||
24 | --- a/src/journal/journald-syslog.c | ||
25 | +++ b/src/journal/journald-syslog.c | ||
26 | @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
27 | e = l; | ||
28 | l--; | ||
29 | |||
30 | - if (p[l-1] == ']') { | ||
31 | + if (l > 0 && p[l-1] == ']') { | ||
32 | size_t k = l-1; | ||
33 | |||
34 | for (;;) { | ||
35 | @@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
36 | if (t) | ||
37 | *identifier = t; | ||
38 | |||
39 | - if (strchr(WHITESPACE, p[e])) | ||
40 | - e++; | ||
41 | + e += strspn(p + e, WHITESPACE); | ||
42 | + | ||
43 | *buf = p + e; | ||
44 | return e; | ||
45 | } | ||
46 | diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c | ||
47 | index 9ba86f6c8a..05f759817e 100644 | ||
48 | --- a/src/journal/test-journal-syslog.c | ||
49 | +++ b/src/journal/test-journal-syslog.c | ||
50 | @@ -5,8 +5,8 @@ | ||
51 | #include "macro.h" | ||
52 | #include "string-util.h" | ||
53 | |||
54 | -static void test_syslog_parse_identifier(const char* str, | ||
55 | - const char *ident, const char*pid, int ret) { | ||
56 | +static void test_syslog_parse_identifier(const char *str, | ||
57 | + const char *ident, const char *pid, int ret) { | ||
58 | const char *buf = str; | ||
59 | _cleanup_free_ char *ident2 = NULL, *pid2 = NULL; | ||
60 | int ret2; | ||
61 | @@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str, | ||
62 | int main(void) { | ||
63 | test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11); | ||
64 | test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6); | ||
65 | + test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7); | ||
66 | test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0); | ||
67 | + test_syslog_parse_identifier(":", "", NULL, 1); | ||
68 | + test_syslog_parse_identifier(": ", "", NULL, 3); | ||
69 | + test_syslog_parse_identifier("pidu:", "pidu", NULL, 5); | ||
70 | + test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6); | ||
71 | + test_syslog_parse_identifier("pidu : ", NULL, NULL, 0); | ||
72 | |||
73 | return 0; | ||
74 | } | ||
75 | -- | ||
76 | 2.11.0 | ||
77 | |||
diff --git a/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch b/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch deleted file mode 100644 index fa2c01034b..0000000000 --- a/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch +++ /dev/null | |||
@@ -1,84 +0,0 @@ | |||
1 | From c3a7da1bbb6d2df8ab7ea1c7ce34ded37a21959f Mon Sep 17 00:00:00 2001 | ||
2 | From: Yu Watanabe <watanabe.yu+github@gmail.com> | ||
3 | Date: Fri, 10 Aug 2018 11:07:54 +0900 | ||
4 | Subject: [PATCH] journal: do not remove multiple spaces after identifier in | ||
5 | syslog message | ||
6 | |||
7 | Single space is used as separator. | ||
8 | C.f. discussions in #156. | ||
9 | |||
10 | Fixes #9839 introduced by a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. | ||
11 | |||
12 | Patch backported from systemd master at | ||
13 | 8595102d3ddde6d25c282f965573a6de34ab4421. | ||
14 | |||
15 | This matches the change done for systemd-journald, hence forming the second | ||
16 | part of the fix for CVE-2018-16866 | ||
17 | --- | ||
18 | src/journal/journald-syslog.c | 4 +++- | ||
19 | src/journal/test-journal-syslog.c | 24 ++++++++++++++---------- | ||
20 | 2 files changed, 17 insertions(+), 11 deletions(-) | ||
21 | |||
22 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c | ||
23 | index 97711ac7a3..e0b55cc566 100644 | ||
24 | --- a/src/journal/journald-syslog.c | ||
25 | +++ b/src/journal/journald-syslog.c | ||
26 | @@ -219,7 +219,9 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
27 | if (t) | ||
28 | *identifier = t; | ||
29 | |||
30 | - e += strspn(p + e, WHITESPACE); | ||
31 | + /* Single space is used as separator */ | ||
32 | + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) | ||
33 | + e++; | ||
34 | |||
35 | *buf = p + e; | ||
36 | return e; | ||
37 | diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c | ||
38 | index 05f759817e..7294cde032 100644 | ||
39 | --- a/src/journal/test-journal-syslog.c | ||
40 | +++ b/src/journal/test-journal-syslog.c | ||
41 | @@ -6,7 +6,7 @@ | ||
42 | #include "string-util.h" | ||
43 | |||
44 | static void test_syslog_parse_identifier(const char *str, | ||
45 | - const char *ident, const char *pid, int ret) { | ||
46 | + const char *ident, const char *pid, const char *rest, int ret) { | ||
47 | const char *buf = str; | ||
48 | _cleanup_free_ char *ident2 = NULL, *pid2 = NULL; | ||
49 | int ret2; | ||
50 | @@ -16,18 +16,22 @@ static void test_syslog_parse_identifier(const char *str, | ||
51 | assert_se(ret == ret2); | ||
52 | assert_se(ident == ident2 || streq_ptr(ident, ident2)); | ||
53 | assert_se(pid == pid2 || streq_ptr(pid, pid2)); | ||
54 | + assert_se(streq(buf, rest)); | ||
55 | } | ||
56 | |||
57 | int main(void) { | ||
58 | - test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11); | ||
59 | - test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6); | ||
60 | - test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7); | ||
61 | - test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0); | ||
62 | - test_syslog_parse_identifier(":", "", NULL, 1); | ||
63 | - test_syslog_parse_identifier(": ", "", NULL, 3); | ||
64 | - test_syslog_parse_identifier("pidu:", "pidu", NULL, 5); | ||
65 | - test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6); | ||
66 | - test_syslog_parse_identifier("pidu : ", NULL, NULL, 0); | ||
67 | + test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", "xxx", 11); | ||
68 | + test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, "xxx", 6); | ||
69 | + test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, " xxx", 6); | ||
70 | + test_syslog_parse_identifier("pidu xxx", NULL, NULL, "pidu xxx", 0); | ||
71 | + test_syslog_parse_identifier(" pidu xxx", NULL, NULL, " pidu xxx", 0); | ||
72 | + test_syslog_parse_identifier("", NULL, NULL, "", 0); | ||
73 | + test_syslog_parse_identifier(" ", NULL, NULL, " ", 0); | ||
74 | + test_syslog_parse_identifier(":", "", NULL, "", 1); | ||
75 | + test_syslog_parse_identifier(": ", "", NULL, " ", 2); | ||
76 | + test_syslog_parse_identifier("pidu:", "pidu", NULL, "", 5); | ||
77 | + test_syslog_parse_identifier("pidu: ", "pidu", NULL, "", 6); | ||
78 | + test_syslog_parse_identifier("pidu : ", NULL, NULL, "pidu : ", 0); | ||
79 | |||
80 | return 0; | ||
81 | } | ||
82 | -- | ||
83 | 2.11.0 | ||
84 | |||
diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb index 20c7ba44b6..8c0366232f 100644 --- a/meta/recipes-core/systemd/systemd_239.bb +++ b/meta/recipes-core/systemd/systemd_239.bb | |||
@@ -39,10 +39,8 @@ SRC_URI += "file://touchscreen.rules \ | |||
39 | file://0002-core-Fix-use-after-free-case-in-load_from_path.patch \ | 39 | file://0002-core-Fix-use-after-free-case-in-load_from_path.patch \ |
40 | file://0001-meson-rename-Ddebug-to-Ddebug-extra.patch \ | 40 | file://0001-meson-rename-Ddebug-to-Ddebug-extra.patch \ |
41 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ | 41 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ |
42 | file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ | 42 | file://0025-journald-set-a-limit-on-the-number-of-fields.patch \ |
43 | file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ | 43 | file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \ |
44 | file://0027-journal-fix-syslog_parse_identifier.patch \ | ||
45 | file://0028-journal-do-not-remove-multiple-spaces-after-identifi.patch \ | ||
46 | " | 44 | " |
47 | 45 | ||
48 | # patches made for musl are only applied on TCLIBC is musl | 46 | # patches made for musl are only applied on TCLIBC is musl |