author | Chen Qi <Qi.Chen@windriver.com> | 2021-09-28 20:29:17 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-10-07 15:10:40 +0100 |
commit | c663e97a2d986f3b3193d7b4a012127740be6177 (patch) | |
tree | d013e8ed78265c4b81d4475ec4cbcd0cc101779f /meta/recipes-core/systemd | |
parent | a1fa9d11540b5de1abf4bedcde746f9727377950 (diff) | |
download | poky-c663e97a2d986f3b3193d7b4a012127740be6177.tar.gz |
systemd: fix CVE-2021-33910
Backport patch to fix CVE-2021-33910.
(From OE-Core rev: 866a880c4fb58dea1e8460acea8152658376cd12)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch | 72 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_247.6.bb | 1 |
2 files changed, 73 insertions, 0 deletions
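--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -0,0 +1,72 @@
+From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
+(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
+(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
+
+CVE: CVE-2021-33910
+Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/basic/unit-name.c | 13 +++++--------
+1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 5f595af944..9b6cacde87 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+}
+
+int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+assert(f);
+assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+if (!p)
+return -ENOMEM;
+
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+if (!path_is_normalized(p))
+return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+}
+if (!s)
+return -ENOMEM;
+--
+2.33.0
+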
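Review bot: The merged comment `/* Truncate trailing slashes and skip leading slashes */` in the second unit-name.c hunk does not record why the `p = skip_leading_chars(p, "/");` assignment had to go: `p` is now `_cleanup_free_` and must keep pointing at the start of the strdup() buffer, or the cleanup would free an interior pointer. I would add `/* p is owned by _cleanup_free_: never advance it, pass the skipped pointer to unit_name_escape() instead */` above the call so a later tidy-up does not reintroduce the assignment. The copy is still sized by the caller-supplied path, now on the heap with the -ENOMEM return, and the function body continues past the hunk, so whether the escaped result is checked against UNIT_NAME_MAX cannot be confirmed from here.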
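--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
 file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
 file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
 file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
+file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \
 "
 
 # patches needed by musl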