author | Chen Qi <Qi.Chen@windriver.com> | 2021-07-28 23:27:52 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-06 09:59:14 +0100 |
commit | f8c1193fb56cb4738aea08a3a5f3571c1670a972 (patch) | |
tree | 4375d74dff2f0c0a0ceb4a1ae618948d5537cea7 /meta/recipes-core | |
parent | a21c4c48b84a01453c252ab19b9d50ad257f348f (diff) | |
download | poky-f8c1193fb56cb4738aea08a3a5f3571c1670a972.tar.gz |
systemd: fix CVE-2020-13529
Backport patches to fix CVE-2020-13529.
(From OE-Core rev: 5dcd5071d61fac240ff95672778ba1eed1312a03)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
5 files changed, 353 insertions, 0 deletions
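--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
@@ -0,0 +1,172 @@
+From ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:48:23 +0900
+Subject: [PATCH] sd-dhcp-client: check error earlier and reduce indentation
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/libsystemd-network/sd-dhcp-client.c | 128 ++++++++++++------------
+1 file changed, 64 insertions(+), 64 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index d472fcd941..86bc3c6181 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1770,21 +1770,21 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+case DHCP_STATE_SELECTING:
+
+r = client_handle_offer(client, message, len);
+- if (r >= 0) {
++ if (r == -ENOMSG)
++ return 0; /* invalid message, let's ignore it */
++ if (r < 0)
++ goto error;
+
+- client->state = DHCP_STATE_REQUESTING;
+- client->attempt = 0;
++ client->state = DHCP_STATE_REQUESTING;
++ client->attempt = 0;
+
+- r = event_reset_time(client->event, &client->timeout_resend,
+- clock_boottime_or_monotonic(),
+- 0, 0,
+- client_timeout_resend, client,
+- client->event_priority, "dhcp4-resend-timer", true);
+- if (r < 0)
+- goto error;
+- } else if (r == -ENOMSG)
+- /* invalid message, let's ignore it */
+- return 0;
++ r = event_reset_time(client->event, &client->timeout_resend,
++ clock_boottime_or_monotonic(),
++ 0, 0,
++ client_timeout_resend, client,
++ client->event_priority, "dhcp4-resend-timer", true);
++ if (r < 0)
++ goto error;
+
+break;
+
+@@ -1794,47 +1794,9 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+case DHCP_STATE_REBINDING:
+
+r = client_handle_ack(client, message, len);
+- if (r >= 0) {
+- client->start_delay = 0;
+- (void) event_source_disable(client->timeout_resend);
+- client->receive_message =
+- sd_event_source_unref(client->receive_message);
+- client->fd = safe_close(client->fd);
+-
+- if (IN_SET(client->state, DHCP_STATE_REQUESTING,
+- DHCP_STATE_REBOOTING))
+- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+- notify_event = r;
+-
+- client->state = DHCP_STATE_BOUND;
+- client->attempt = 0;
+-
+- client->last_addr = client->lease->address;
+-
+- r = client_set_lease_timeouts(client);
+- if (r < 0) {
+- log_dhcp_client(client, "could not set lease timeouts");
+- goto error;
+- }
+-
+- r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
+- if (r < 0) {
+- log_dhcp_client(client, "could not bind UDP socket");
+- goto error;
+- }
+-
+- client->fd = r;
+-
+- client_initialize_io_events(client, client_receive_message_udp);
+-
+- if (notify_event) {
+- client_notify(client, notify_event);
+- if (client->state == DHCP_STATE_STOPPED)
+- return 0;
+- }
+-
+- } else if (r == -EADDRNOTAVAIL) {
++ if (r == -ENOMSG)
++ return 0; /* invalid message, let's ignore it */
++ if (r == -EADDRNOTAVAIL) {
+/* got a NAK, let's restart the client */
+client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
+
+@@ -1853,21 +1815,59 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+
+return 0;
+- } else if (r == -ENOMSG)
+- /* invalid message, let's ignore it */
+- return 0;
++ }
++ if (r < 0)
++ goto error;
++
++ client->start_delay = 0;
++ (void) event_source_disable(client->timeout_resend);
++ client->receive_message = sd_event_source_unref(client->receive_message);
++ client->fd = safe_close(client->fd);
++
++ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
++ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
++ else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
++ notify_event = r;
++
++ client->state = DHCP_STATE_BOUND;
++ client->attempt = 0;
++
++ client->last_addr = client->lease->address;
++
++ r = client_set_lease_timeouts(client);
++ if (r < 0) {
++ log_dhcp_client(client, "could not set lease timeouts");
++ goto error;
++ }
++
++ r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
++ if (r < 0) {
++ log_dhcp_client(client, "could not bind UDP socket");
++ goto error;
++ }
++
++ client->fd = r;
++
++ client_initialize_io_events(client, client_receive_message_udp);
++
++ if (notify_event) {
++ client_notify(client, notify_event);
++ if (client->state == DHCP_STATE_STOPPED)
++ return 0;
++ }
+
+break;
+
+case DHCP_STATE_BOUND:
+r = client_handle_forcerenew(client, message, len);
+- if (r >= 0) {
+- r = client_timeout_t1(NULL, 0, client);
+- if (r < 0)
+- goto error;
+- } else if (r == -ENOMSG)
+- /* invalid message, let's ignore it */
+- return 0;
++ if (r == -ENOMSG)
++ return 0; /* invalid message, let's ignore it */
++ if (r < 0)
++ goto error;
++
++ r = client_timeout_t1(NULL, 0, client);
++ if (r < 0)
++ goto error;
+
+break;
+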
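Review bot: The `Upstream-Status: Backport` line (hunk line 6) carries no reference to the upstream commit, although the From line gives its hash (ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a); OE-Core convention is to cite it, e.g. `Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a]`, so the backport can be checked against upstream without searching. The same applies to the other three patch files in this commit (0002, 0003 and 0004), whose From lines give 875f3773e383d99e7d43020f02acad7681a05914, 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 and ae18277a6cfd04af8a914780f04a867254ab2341. The restructured cases themselves test `r == -ENOMSG` before `r < 0`, which keeps the "ignore invalid message" behaviour intact; `client_handle_message()` starts before and ends after the embedded hunks.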
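--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
@@ -0,0 +1,66 @@
+From 875f3773e383d99e7d43020f02acad7681a05914 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:51:52 +0900
+Subject: [PATCH] sd-dhcp-client: shorten code a bit
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/libsystemd-network/sd-dhcp-client.c | 13 ++++---------
+1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 86bc3c6181..ef3a7d2c6b 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+DHCP_CLIENT_DONT_DESTROY(client);
+char time_string[FORMAT_TIMESPAN_MAX];
+- int r = 0, notify_event = 0;
++ int r, notify_event = 0;
+
+assert(client);
+assert(client->event);
+@@ -1783,9 +1783,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+0, 0,
+client_timeout_resend, client,
+client->event_priority, "dhcp4-resend-timer", true);
+- if (r < 0)
+- goto error;
+-
+break;
+
+case DHCP_STATE_REBOOTING:
+@@ -1813,7 +1810,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+
+client->start_delay = CLAMP(client->start_delay * 2,
+RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+-
+return 0;
+}
+if (r < 0)
+@@ -1866,19 +1862,18 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+goto error;
+
+r = client_timeout_t1(NULL, 0, client);
+- if (r < 0)
+- goto error;
+-
+break;
+
+case DHCP_STATE_INIT:
+case DHCP_STATE_INIT_REBOOT:
+-
++ r = 0;
+break;
+
+case DHCP_STATE_STOPPED:
+r = -EINVAL;
+goto error;
++ default:
++ assert_not_reached("invalid state");
+}
+
+error: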
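Review bot: The `if (r < 0) goto error;` checks dropped after `event_reset_time()` (second hunk) and `client_timeout_t1()` (fourth hunk) are only behaviour-preserving if the code under the `error:` label that directly follows the switch tests `r < 0` itself; the label is the last line of the hunk and its body is outside this patch, so the diff leaves that contract implicit. A one-line comment at the label would make it visible, e.g. `error: /* reached via break as well; any r < 0 from the cases above is handled here */`. The new `default: assert_not_reached("invalid state");` converts an unexpected state value from a silent fall-through into a process abort, which matches systemd's convention but is worth a sentence in the patch description since this lands in a CVE fix series. `client_handle_message()` starts before and ends after these hunks.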
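--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
@@ -0,0 +1,69 @@
+From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:14:12 +0900
+Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a
+new lease
+
+Previously, such situation is handled silently.
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/libsystemd-network/sd-dhcp-client.c | 23 ++++++++++++-----------
+1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index ef3a7d2c6b..04a75c6966 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+DHCP_CLIENT_DONT_DESTROY(client);
+char time_string[FORMAT_TIMESPAN_MAX];
+- int r, notify_event = 0;
++ int r, notify_event;
+
+assert(client);
+assert(client->event);
+@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+if (r < 0)
+goto error;
+
++ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
++ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
++ else
++ notify_event = r;
++
+client->start_delay = 0;
+(void) event_source_disable(client->timeout_resend);
+client->receive_message = sd_event_source_unref(client->receive_message);
+client->fd = safe_close(client->fd);
+
+- if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+- notify_event = r;
+-
+client->state = DHCP_STATE_BOUND;
+client->attempt = 0;
+
+@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+
+client_initialize_io_events(client, client_receive_message_udp);
+
+- if (notify_event) {
++ if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
++ notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
++ /* FIXME: hmm, maybe this is a bug... */
++ log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.",
++ client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding");
++ else
+client_notify(client, notify_event);
+- if (client->state == DHCP_STATE_STOPPED)
+- return 0;
+- }
+-
+break;
+
+case DHCP_STATE_BOUND: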
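Review bot: The new `IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING)` test in the third hunk can never be true, because the second hunk's context shows `client->state = DHCP_STATE_BOUND;` running before it (and the lines between the two hunks, visible in patch 0001 of this commit, do not touch the state again), so the log branch is dead and `client_notify()` now also fires for the renew/rebind + SD_DHCP_CLIENT_EVENT_IP_ACQUIRE case that the removed `else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)` used to suppress. The decision belongs where `notify_event` is computed, while `client->state` is still the pre-ACK state, as sketched below; the `%s` renewing/rebinding ternary in the log message reads the already-overwritten state for the same reason and is folded into a fixed message there. The dropped `if (client->state == DHCP_STATE_STOPPED) return 0;` after the callback is presumably absorbed by the `error:` path after the switch, which lies outside this hunk and should be confirmed in the patch description. `client_handle_message()` starts before and ends after these hunks.
```c
                /* Decide here, while client->state is still the pre-ACK state: it is set to
                 * DHCP_STATE_BOUND below, so a check placed after that point never matches. */
                bool skip_notify = IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
                                   r == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
                else
                        notify_event = r;

                /* … unchanged: reset resend timer, close raw socket, state = BOUND, lease timeouts, UDP bind … */

                if (skip_notify)
                        /* FIXME: hmm, maybe this is a bug... */
                        log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is renewing or rebinding the address, skipping callback.");
                else
                        client_notify(client, notify_event);
```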
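--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
@@ -0,0 +1,42 @@
+From ae18277a6cfd04af8a914780f04a867254ab2341 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 04a75c6966..54eb3a2ab0 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+if (r != DHCP_FORCERENEW)
+return -ENOMSG;
+
++#if 0
+log_dhcp_client(client, "FORCERENEW");
+
+return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+}
+
+static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {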
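Review bot: After this hunk `client_handle_forcerenew()` returns `-ENOMSG` on every path that reaches it — the pre-existing `if (r != DHCP_FORCERENEW)` check and the new `#else` branch alike — so its caller can no longer distinguish "not a FORCERENEW" from "FORCERENEW, dropped", and the BOUND case of `client_handle_message()` (restructured in patch 0001 of this commit) turns both into `return 0` without ever reaching `client_timeout_t1()`; that is the intended mitigation, but the patch header only says "ignore" and would benefit from stating it, e.g. `The handler now always returns -ENOMSG, so a bound client only renews on its own T1/T2 timers.`. The only trace an operator gets that unauthenticated FORCERENEW messages are arriving is the `log_dhcp_client(client, "Received FORCERENEW, ignoring.")` line, whose severity is fixed by the `log_dhcp_client` macro outside this page; if that is debug level, the description should say so, since it affects whether the event is visible in normal logging. Keeping the original branch under `#if 0` rather than deleting it matches upstream and is acceptable for a verbatim backport. `client_handle_forcerenew()` starts before this hunk.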
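--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -27,6 +27,10 @@ SRC_URI += "file://touchscreen.rules \
 file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
 file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \
 file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \
+file://0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch \
+file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
+file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
+file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
 "
 
 # patches needed by musl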