diff options
author | George McCollister <george.mccollister@gmail.com> | 2019-02-25 10:37:10 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-24 16:49:54 +0000 |
commit | 7be61780af1fd1c0a63a41880ece124e874610fa (patch) | |
tree | d30e7a7cfe3e170e999b1fe268cdad14d3f73d3b /meta/recipes-core | |
parent | c3890467ff6f79b87eb9dc3ed3a24b9318f257a3 (diff) | |
download | poky-7be61780af1fd1c0a63a41880ece124e874610fa.tar.gz |
systemd: Security fix CVE-2018-16865
Affects < v240
Based on thud commit d5d2b821fc85b8cf39f683061ac2a45bddd2139f
The second patch in the thud commit doesn't apply against 237. Use the
version of the second patch CVE-2018-16865_2.patch from
systemd_237-3ubuntu10.13.debian.
(From OE-Core rev: da41e48567eb21a47426a6fbe23ea07ce780cd3c)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
3 files changed, 141 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch new file mode 100644 index 0000000000..e8a6f2b986 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Wed, 5 Dec 2018 22:45:02 +0100 | ||
4 | Subject: [PATCH] journald: set a limit on the number of fields (1k) | ||
5 | |||
6 | We allocate a iovec entry for each field, so with many short entries, | ||
7 | our memory usage and processing time can be large, even with a relatively | ||
8 | small message size. Let's refuse overly long entries. | ||
9 | |||
10 | CVE-2018-16865 | ||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=1653861 | ||
12 | |||
13 | What from I can see, the problem is not from an alloca, despite what the CVE | ||
14 | description says, but from the attack multiplication that comes from creating | ||
15 | many very small iovecs: (void* + size_t) for each three bytes of input message. | ||
16 | |||
17 | Patch backported from systemd master at | ||
18 | 052c57f132f04a3cf4148f87561618da1a6908b4. | ||
19 | |||
20 | CVE: CVE-2018-16865 | ||
21 | Upstream-Status: Backport | ||
22 | |||
23 | --- | ||
24 | src/basic/journal-importer.h | 3 +++ | ||
25 | src/journal/journald-native.c | 5 +++++ | ||
26 | 2 files changed, 8 insertions(+) | ||
27 | |||
28 | diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h | ||
29 | index f49ce734a1..c4ae45d32d 100644 | ||
30 | --- a/src/basic/journal-importer.h | ||
31 | +++ b/src/basic/journal-importer.h | ||
32 | @@ -16,6 +16,9 @@ | ||
33 | #define DATA_SIZE_MAX (1024*1024*768u) | ||
34 | #define LINE_CHUNK 8*1024u | ||
35 | |||
36 | +/* The maximum number of fields in an entry */ | ||
37 | +#define ENTRY_FIELD_COUNT_MAX 1024 | ||
38 | + | ||
39 | struct iovec_wrapper { | ||
40 | struct iovec *iovec; | ||
41 | size_t size_bytes; | ||
42 | diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c | ||
43 | index 5ff22a10af..951d092053 100644 | ||
44 | --- a/src/journal/journald-native.c | ||
45 | +++ b/src/journal/journald-native.c | ||
46 | @@ -140,6 +140,11 @@ static int server_process_entry( | ||
47 | } | ||
48 | |||
49 | /* A property follows */ | ||
50 | + if (n > ENTRY_FIELD_COUNT_MAX) { | ||
51 | + log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); | ||
52 | + r = 1; | ||
53 | + goto finish; | ||
54 | + } | ||
55 | |||
56 | /* n existing properties, 1 new, +1 for _TRANSPORT */ | ||
57 | if (!GREEDY_REALLOC(iovec, m, | ||
58 | -- | ||
59 | 2.11.0 | ||
60 | |||
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch new file mode 100644 index 0000000000..f297333e72 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Fri, 7 Dec 2018 10:48:10 +0100 | ||
4 | Subject: [PATCH] journal-remote: set a limit on the number of fields in a | ||
5 | message | ||
6 | |||
7 | Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is | ||
8 | reused for the new error condition (too many fields). | ||
9 | |||
10 | This matches the change done for systemd-journald, hence forming the second | ||
11 | part of the fix for CVE-2018-16865 | ||
12 | (https://bugzilla.redhat.com/show_bug.cgi?id=1653861). | ||
13 | |||
14 | Patch backported from systemd master at | ||
15 | ef4d6abe7c7fab6cbff975b32e76b09feee56074. | ||
16 | |||
17 | Patch for 237 from: | ||
18 | systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch | ||
19 | |||
20 | CVE: CVE-2018-16865 | ||
21 | Upstream-Status: Backport | ||
22 | |||
23 | --- | ||
24 | src/journal-remote/journal-remote-main.c | 7 +++++-- | ||
25 | src/journal-remote/journal-remote.c | 3 +++ | ||
26 | src/shared/journal-importer.c | 5 ++++- | ||
27 | 3 files changed, 12 insertions(+), 3 deletions(-) | ||
28 | |||
29 | --- a/src/basic/journal-importer.c | ||
30 | +++ b/src/basic/journal-importer.c | ||
31 | @@ -38,6 +38,9 @@ | ||
32 | }; | ||
33 | |||
34 | static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { | ||
35 | + if (iovw->count >= ENTRY_FIELD_COUNT_MAX) | ||
36 | + return -E2BIG; | ||
37 | + | ||
38 | if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) | ||
39 | return log_oom(); | ||
40 | |||
41 | @@ -113,7 +116,7 @@ | ||
42 | imp->scanned = imp->filled; | ||
43 | if (imp->scanned >= DATA_SIZE_MAX) { | ||
44 | log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX); | ||
45 | - return -E2BIG; | ||
46 | + return -ENOBUFS; | ||
47 | } | ||
48 | |||
49 | if (imp->passive_fd) | ||
50 | --- a/src/journal-remote/journal-remote.c | ||
51 | +++ b/src/journal-remote/journal-remote.c | ||
52 | @@ -517,10 +517,16 @@ | ||
53 | break; | ||
54 | else if (r < 0) { | ||
55 | log_warning("Failed to process data for connection %p", connection); | ||
56 | - if (r == -E2BIG) | ||
57 | + if (r == -ENOBUFS) | ||
58 | return mhd_respondf(connection, | ||
59 | r, MHD_HTTP_PAYLOAD_TOO_LARGE, | ||
60 | "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes."); | ||
61 | + | ||
62 | + else if (r == -E2BIG) | ||
63 | + return mhd_respondf(connection, | ||
64 | + r, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, | ||
65 | + "Entry with more fields than the maximum of " STRINGIFY(ENTRY_FIELD_COUNT_MAX) "."); | ||
66 | + | ||
67 | else | ||
68 | return mhd_respondf(connection, | ||
69 | r, MHD_HTTP_UNPROCESSABLE_ENTITY, | ||
70 | @@ -1090,6 +1096,9 @@ | ||
71 | log_debug("%zu active sources remaining", s->active); | ||
72 | return 0; | ||
73 | } else if (r == -E2BIG) { | ||
74 | + log_notice("Entry with too many fields, skipped"); | ||
75 | + return 1; | ||
76 | + } else if (r == -ENOBUFS) { | ||
77 | log_notice_errno(E2BIG, "Entry too big, skipped"); | ||
78 | return 1; | ||
79 | } else if (r == -EAGAIN) { | ||
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index 61d25e5135..fd110a8340 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb | |||
@@ -58,6 +58,8 @@ SRC_URI += "file://touchscreen.rules \ | |||
58 | file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \ | 58 | file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \ |
59 | file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \ | 59 | file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \ |
60 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ | 60 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ |
61 | file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ | ||
62 | file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ | ||
61 | " | 63 | " |
62 | SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" | 64 | SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" |
63 | 65 | ||