diff options
| author | Chen Qi <Qi.Chen@windriver.com> | 2021-09-28 20:29:17 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-10-07 15:10:40 +0100 |
| commit | c663e97a2d986f3b3193d7b4a012127740be6177 (patch) | |
| tree | d013e8ed78265c4b81d4475ec4cbcd0cc101779f /meta/recipes-core/systemd | |
| parent | a1fa9d11540b5de1abf4bedcde746f9727377950 (diff) | |
| download | poky-c663e97a2d986f3b3193d7b4a012127740be6177.tar.gz | |
systemd: fix CVE-2021-33910
Backport patch to fix CVE-2021-33910.
(From OE-Core rev: 866a880c4fb58dea1e8460acea8152658376cd12)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd')
| -rw-r--r-- | meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch | 72 | ||||
| -rw-r--r-- | meta/recipes-core/systemd/systemd_247.6.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch new file mode 100644 index 0000000000..0ab8174441 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
| 3 | Date: Wed, 23 Jun 2021 11:46:41 +0200 | ||
| 4 | Subject: [PATCH] basic/unit-name: do not use strdupa() on a path | ||
| 5 | |||
| 6 | The path may have unbounded length, for example through a fuse mount. | ||
| 7 | |||
| 8 | CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and | ||
| 9 | ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo | ||
| 10 | and each mountpoint is passed to mount_setup_unit(), which calls | ||
| 11 | unit_name_path_escape() underneath. A local attacker who is able to mount a | ||
| 12 | filesystem with a very long path can crash systemd and the whole system. | ||
| 13 | |||
| 14 | https://bugzilla.redhat.com/show_bug.cgi?id=1970887 | ||
| 15 | |||
| 16 | The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we | ||
| 17 | can't easily check the length after simplification before doing the | ||
| 18 | simplification, which in turns uses a copy of the string we can write to. | ||
| 19 | So we can't reject paths that are too long before doing the duplication. | ||
| 20 | Hence the most obvious solution is to switch back to strdup(), as before | ||
| 21 | 7410616cd9dbbec97cf98d75324da5cda2b2f7a2. | ||
| 22 | |||
| 23 | (cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9) | ||
| 24 | (cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce) | ||
| 25 | (cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b) | ||
| 26 | |||
| 27 | CVE: CVE-2021-33910 | ||
| 28 | Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538] | ||
| 29 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
| 30 | --- | ||
| 31 | src/basic/unit-name.c | 13 +++++-------- | ||
| 32 | 1 file changed, 5 insertions(+), 8 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c | ||
| 35 | index 5f595af944..9b6cacde87 100644 | ||
| 36 | --- a/src/basic/unit-name.c | ||
| 37 | +++ b/src/basic/unit-name.c | ||
| 38 | @@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { | ||
| 39 | } | ||
| 40 | |||
| 41 | int unit_name_path_escape(const char *f, char **ret) { | ||
| 42 | - char *p, *s; | ||
| 43 | + _cleanup_free_ char *p = NULL; | ||
| 44 | + char *s; | ||
| 45 | |||
| 46 | assert(f); | ||
| 47 | assert(ret); | ||
| 48 | |||
| 49 | - p = strdupa(f); | ||
| 50 | + p = strdup(f); | ||
| 51 | if (!p) | ||
| 52 | return -ENOMEM; | ||
| 53 | |||
| 54 | @@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { | ||
| 55 | if (!path_is_normalized(p)) | ||
| 56 | return -EINVAL; | ||
| 57 | |||
| 58 | - /* Truncate trailing slashes */ | ||
| 59 | + /* Truncate trailing slashes and skip leading slashes */ | ||
| 60 | delete_trailing_chars(p, "/"); | ||
| 61 | - | ||
| 62 | - /* Truncate leading slashes */ | ||
| 63 | - p = skip_leading_chars(p, "/"); | ||
| 64 | - | ||
| 65 | - s = unit_name_escape(p); | ||
| 66 | + s = unit_name_escape(skip_leading_chars(p, "/")); | ||
| 67 | } | ||
| 68 | if (!s) | ||
| 69 | return -ENOMEM; | ||
| 70 | -- | ||
| 71 | 2.33.0 | ||
| 72 | |||
diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb index f1db1e922b..e79c79a7fd 100644 --- a/meta/recipes-core/systemd/systemd_247.6.bb +++ b/meta/recipes-core/systemd/systemd_247.6.bb | |||
| @@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \ | |||
| 31 | file://0002-sd-dhcp-client-shorten-code-a-bit.patch \ | 31 | file://0002-sd-dhcp-client-shorten-code-a-bit.patch \ |
| 32 | file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \ | 32 | file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \ |
| 33 | file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \ | 33 | file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \ |
| 34 | file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \ | ||
| 34 | " | 35 | " |
| 35 | 36 | ||
| 36 | # patches needed by musl | 37 | # patches needed by musl |