systemd: fix CVE-2020-13529

Backport patches to fix CVE-2020-13529. (From OE-Core rev: 5dcd5071d61fac240ff95672778ba1eed1312a03) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chen Qi <Qi.Chen@windriver.com> 2021-07-28 23:27:52 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-06 09:59:14 +0100
commit: f8c1193fb56cb4738aea08a3a5f3571c1670a972 (patch)
tree: 4375d74dff2f0c0a0ceb4a1ae618948d5537cea7 /meta/recipes-core
parent: a21c4c48b84a01453c252ab19b9d50ad257f348f (diff)
download: poky-f8c1193fb56cb4738aea08a3a5f3571c1670a972.tar.gz
5 files changed, 353 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
new file mode 100644
index 0000000000..ff877d9175
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
@@ -0,0 +1,172 @@
+From ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:48:23 +0900
+Subject: [PATCH] sd-dhcp-client: check error earlier and reduce indentation
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 128 ++++++++++++------------
+ 1 file changed, 64 insertions(+), 64 deletions(-)
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index d472fcd941..86bc3c6181 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1770,21 +1770,21 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+         case DHCP_STATE_SELECTING:
+ 
+                 r = client_handle_offer(client, message, len);
+-                if (r >= 0) {
+                if (r == -ENOMSG)
+                        return 0; /* invalid message, let's ignore it */
+                if (r < 0)
+                        goto error;
+ 
+-                        client->state = DHCP_STATE_REQUESTING;
+-                        client->attempt = 0;
+                client->state = DHCP_STATE_REQUESTING;
+                client->attempt = 0;
+ 
+-                        r = event_reset_time(client->event, &client->timeout_resend,
+-                                             clock_boottime_or_monotonic(),
+-                                             0, 0,
+-                                             client_timeout_resend, client,
+-                                             client->event_priority, "dhcp4-resend-timer", true);
+-                        if (r < 0)
+-                                goto error;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
+                r = event_reset_time(client->event, &client->timeout_resend,
+                                     clock_boottime_or_monotonic(),
+                                     0, 0,
+                                     client_timeout_resend, client,
+                                     client->event_priority, "dhcp4-resend-timer", true);
+                if (r < 0)
+                        goto error;
+ 
+                 break;
+ 
+@@ -1794,47 +1794,9 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+         case DHCP_STATE_REBINDING:
+ 
+                 r = client_handle_ack(client, message, len);
+-                if (r >= 0) {
+-                        client->start_delay = 0;
+-                        (void) event_source_disable(client->timeout_resend);
+-                        client->receive_message =
+-                                sd_event_source_unref(client->receive_message);
+-                        client->fd = safe_close(client->fd);
+-
+-                        if (IN_SET(client->state, DHCP_STATE_REQUESTING,
+-                                   DHCP_STATE_REBOOTING))
+-                                notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+-                        else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+-                                notify_event = r;
+-
+-                        client->state = DHCP_STATE_BOUND;
+-                        client->attempt = 0;
+-
+-                        client->last_addr = client->lease->address;
+-
+-                        r = client_set_lease_timeouts(client);
+-                        if (r < 0) {
+-                                log_dhcp_client(client, "could not set lease timeouts");
+-                                goto error;
+-                        }
+-
+-                        r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
+-                        if (r < 0) {
+-                                log_dhcp_client(client, "could not bind UDP socket");
+-                                goto error;
+-                        }
+-
+-                        client->fd = r;
+-
+-                        client_initialize_io_events(client, client_receive_message_udp);
+-
+-                        if (notify_event) {
+-                                client_notify(client, notify_event);
+-                                if (client->state == DHCP_STATE_STOPPED)
+-                                        return 0;
+-                        }
+-
+-                } else if (r == -EADDRNOTAVAIL) {
+                if (r == -ENOMSG)
+                        return 0; /* invalid message, let's ignore it */
+                if (r == -EADDRNOTAVAIL) {
+                         /* got a NAK, let's restart the client */
+                         client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
+ 
+@@ -1853,21 +1815,59 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                                                     RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+ 
+                         return 0;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
+                }
+                if (r < 0)
+                        goto error;
+
+                client->start_delay = 0;
+                (void) event_source_disable(client->timeout_resend);
+                client->receive_message = sd_event_source_unref(client->receive_message);
+                client->fd = safe_close(client->fd);
+
+                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+                else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+                        notify_event = r;
+
+                client->state = DHCP_STATE_BOUND;
+                client->attempt = 0;
+
+                client->last_addr = client->lease->address;
+
+                r = client_set_lease_timeouts(client);
+                if (r < 0) {
+                        log_dhcp_client(client, "could not set lease timeouts");
+                        goto error;
+                }
+
+                r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
+                if (r < 0) {
+                        log_dhcp_client(client, "could not bind UDP socket");
+                        goto error;
+                }
+
+                client->fd = r;
+
+                client_initialize_io_events(client, client_receive_message_udp);
+
+                if (notify_event) {
+                        client_notify(client, notify_event);
+                        if (client->state == DHCP_STATE_STOPPED)
+                                return 0;
+                }
+ 
+                 break;
+ 
+         case DHCP_STATE_BOUND:
+                 r = client_handle_forcerenew(client, message, len);
+-                if (r >= 0) {
+-                        r = client_timeout_t1(NULL, 0, client);
+-                        if (r < 0)
+-                                goto error;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
+                if (r == -ENOMSG)
+                        return 0; /* invalid message, let's ignore it */
+                if (r < 0)
+                        goto error;
+
+                r = client_timeout_t1(NULL, 0, client);
+                if (r < 0)
+                        goto error;
+ 
+                 break;
+ 
diff --git a/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
new file mode 100644
index 0000000000..41d0c7b1e4
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
@@ -0,0 +1,66 @@
+From 875f3773e383d99e7d43020f02acad7681a05914 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:51:52 +0900
+Subject: [PATCH] sd-dhcp-client: shorten code a bit
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 86bc3c6181..ef3a7d2c6b 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+         DHCP_CLIENT_DONT_DESTROY(client);
+         char time_string[FORMAT_TIMESPAN_MAX];
+-        int r = 0, notify_event = 0;
+        int r, notify_event = 0;
+ 
+         assert(client);
+         assert(client->event);
+@@ -1783,9 +1783,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                                      0, 0,
+                                      client_timeout_resend, client,
+                                      client->event_priority, "dhcp4-resend-timer", true);
+-                if (r < 0)
+-                        goto error;
+-
+                 break;
+ 
+         case DHCP_STATE_REBOOTING:
+@@ -1813,7 +1810,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+ 
+                         client->start_delay = CLAMP(client->start_delay * 2,
+                                                     RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+-
+                         return 0;
+                 }
+                 if (r < 0)
+@@ -1866,19 +1862,18 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                         goto error;
+ 
+                 r = client_timeout_t1(NULL, 0, client);
+-                if (r < 0)
+-                        goto error;
+-
+                 break;
+ 
+         case DHCP_STATE_INIT:
+         case DHCP_STATE_INIT_REBOOT:
+-
+                r = 0;
+                 break;
+ 
+         case DHCP_STATE_STOPPED:
+                 r = -EINVAL;
+                 goto error;
+        default:
+                assert_not_reached("invalid state");
+         }
+ 
+ error:
diff --git a/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
new file mode 100644
index 0000000000..07c7da8c21
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
@@ -0,0 +1,69 @@
+From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:14:12 +0900
+Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a
+ new lease
+Previously, such situation is handled silently.
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index ef3a7d2c6b..04a75c6966 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+         DHCP_CLIENT_DONT_DESTROY(client);
+         char time_string[FORMAT_TIMESPAN_MAX];
+-        int r, notify_event = 0;
+        int r, notify_event;
+ 
+         assert(client);
+         assert(client->event);
+@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                 if (r < 0)
+                         goto error;
+ 
+                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+                else
+                        notify_event = r;
+
+                 client->start_delay = 0;
+                 (void) event_source_disable(client->timeout_resend);
+                 client->receive_message = sd_event_source_unref(client->receive_message);
+                 client->fd = safe_close(client->fd);
+ 
+-                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+-                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+-                else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+-                        notify_event = r;
+-
+                 client->state = DHCP_STATE_BOUND;
+                 client->attempt = 0;
+ 
+@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+ 
+                 client_initialize_io_events(client, client_receive_message_udp);
+ 
+-                if (notify_event) {
+                if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
+                    notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+                        /* FIXME: hmm, maybe this is a bug... */
+                        log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.",
+                                        client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding");
+                else
+                         client_notify(client, notify_event);
+-                        if (client->state == DHCP_STATE_STOPPED)
+-                                return 0;
+-                }
+-
+                 break;
+ 
+         case DHCP_STATE_BOUND:
diff --git a/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
new file mode 100644
index 0000000000..c65fb45ab9
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
@@ -0,0 +1,42 @@
+From ae18277a6cfd04af8a914780f04a867254ab2341 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+Fixes #16774.
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 04a75c6966..54eb3a2ab0 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+         if (r != DHCP_FORCERENEW)
+                 return -ENOMSG;
+ 
+#if 0
+         log_dhcp_client(client, "FORCERENEW");
+ 
+         return 0;
+#else
+        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
+         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
+         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
+        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
+        return -ENOMSG;
+#endif
+ }
+ 
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb
index 32afa159ec..f1db1e922b 100644
--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -27,6 +27,10 @@ SRC_URI += "file://touchscreen.rules \
           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
           file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \
           file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \
+           file://0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch \
+           file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
+           file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
+           file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
           "
 # patches needed by musl
author	Chen Qi <Qi.Chen@windriver.com>	2021-07-28 23:27:52 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-06 09:59:14 +0100
commit	f8c1193fb56cb4738aea08a3a5f3571c1670a972 (patch)
tree	4375d74dff2f0c0a0ceb4a1ae618948d5537cea7 /meta/recipes-core
parent	a21c4c48b84a01453c252ab19b9d50ad257f348f (diff)
download	poky-f8c1193fb56cb4738aea08a3a5f3571c1670a972.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch new file mode 100644 index 0000000000..ff877d9175 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
@@ -0,0 +1,172 @@
		1	From ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a Mon Sep 17 00:00:00 2001
		2	From: Yu Watanabe <watanabe.yu+github@gmail.com>
		3	Date: Thu, 24 Jun 2021 00:48:23 +0900
		4	Subject: [PATCH] sd-dhcp-client: check error earlier and reduce indentation
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2020-13529
		8	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		9	---
		10	src/libsystemd-network/sd-dhcp-client.c \| 128 ++++++++++++------------
		11	1 file changed, 64 insertions(+), 64 deletions(-)
		12
		13	diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
		14	index d472fcd941..86bc3c6181 100644
		15	--- a/src/libsystemd-network/sd-dhcp-client.c
		16	+++ b/src/libsystemd-network/sd-dhcp-client.c
		17	@@ -1770,21 +1770,21 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		18	case DHCP_STATE_SELECTING:
		19
		20	r = client_handle_offer(client, message, len);
		21	- if (r >= 0) {
		22	+ if (r == -ENOMSG)
		23	+ return 0; /* invalid message, let's ignore it */
		24	+ if (r < 0)
		25	+ goto error;
		26
		27	- client->state = DHCP_STATE_REQUESTING;
		28	- client->attempt = 0;
		29	+ client->state = DHCP_STATE_REQUESTING;
		30	+ client->attempt = 0;
		31
		32	- r = event_reset_time(client->event, &client->timeout_resend,
		33	- clock_boottime_or_monotonic(),
		34	- 0, 0,
		35	- client_timeout_resend, client,
		36	- client->event_priority, "dhcp4-resend-timer", true);
		37	- if (r < 0)
		38	- goto error;
		39	- } else if (r == -ENOMSG)
		40	- /* invalid message, let's ignore it */
		41	- return 0;
		42	+ r = event_reset_time(client->event, &client->timeout_resend,
		43	+ clock_boottime_or_monotonic(),
		44	+ 0, 0,
		45	+ client_timeout_resend, client,
		46	+ client->event_priority, "dhcp4-resend-timer", true);
		47	+ if (r < 0)
		48	+ goto error;
		49
		50	break;
		51
		52	@@ -1794,47 +1794,9 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		53	case DHCP_STATE_REBINDING:
		54
		55	r = client_handle_ack(client, message, len);
		56	- if (r >= 0) {
		57	- client->start_delay = 0;
		58	- (void) event_source_disable(client->timeout_resend);
		59	- client->receive_message =
		60	- sd_event_source_unref(client->receive_message);
		61	- client->fd = safe_close(client->fd);
		62	-
		63	- if (IN_SET(client->state, DHCP_STATE_REQUESTING,
		64	- DHCP_STATE_REBOOTING))
		65	- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
		66	- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
		67	- notify_event = r;
		68	-
		69	- client->state = DHCP_STATE_BOUND;
		70	- client->attempt = 0;
		71	-
		72	- client->last_addr = client->lease->address;
		73	-
		74	- r = client_set_lease_timeouts(client);
		75	- if (r < 0) {
		76	- log_dhcp_client(client, "could not set lease timeouts");
		77	- goto error;
		78	- }
		79	-
		80	- r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
		81	- if (r < 0) {
		82	- log_dhcp_client(client, "could not bind UDP socket");
		83	- goto error;
		84	- }
		85	-
		86	- client->fd = r;
		87	-
		88	- client_initialize_io_events(client, client_receive_message_udp);
		89	-
		90	- if (notify_event) {
		91	- client_notify(client, notify_event);
		92	- if (client->state == DHCP_STATE_STOPPED)
		93	- return 0;
		94	- }
		95	-
		96	- } else if (r == -EADDRNOTAVAIL) {
		97	+ if (r == -ENOMSG)
		98	+ return 0; /* invalid message, let's ignore it */
		99	+ if (r == -EADDRNOTAVAIL) {
		100	/* got a NAK, let's restart the client */
		101	client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
		102
		103	@@ -1853,21 +1815,59 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		104	RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
		105
		106	return 0;
		107	- } else if (r == -ENOMSG)
		108	- /* invalid message, let's ignore it */
		109	- return 0;
		110	+ }
		111	+ if (r < 0)
		112	+ goto error;
		113	+
		114	+ client->start_delay = 0;
		115	+ (void) event_source_disable(client->timeout_resend);
		116	+ client->receive_message = sd_event_source_unref(client->receive_message);
		117	+ client->fd = safe_close(client->fd);
		118	+
		119	+ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
		120	+ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
		121	+ else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
		122	+ notify_event = r;
		123	+
		124	+ client->state = DHCP_STATE_BOUND;
		125	+ client->attempt = 0;
		126	+
		127	+ client->last_addr = client->lease->address;
		128	+
		129	+ r = client_set_lease_timeouts(client);
		130	+ if (r < 0) {
		131	+ log_dhcp_client(client, "could not set lease timeouts");
		132	+ goto error;
		133	+ }
		134	+
		135	+ r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
		136	+ if (r < 0) {
		137	+ log_dhcp_client(client, "could not bind UDP socket");
		138	+ goto error;
		139	+ }
		140	+
		141	+ client->fd = r;
		142	+
		143	+ client_initialize_io_events(client, client_receive_message_udp);
		144	+
		145	+ if (notify_event) {
		146	+ client_notify(client, notify_event);
		147	+ if (client->state == DHCP_STATE_STOPPED)
		148	+ return 0;
		149	+ }
		150
		151	break;
		152
		153	case DHCP_STATE_BOUND:
		154	r = client_handle_forcerenew(client, message, len);
		155	- if (r >= 0) {
		156	- r = client_timeout_t1(NULL, 0, client);
		157	- if (r < 0)
		158	- goto error;
		159	- } else if (r == -ENOMSG)
		160	- /* invalid message, let's ignore it */
		161	- return 0;
		162	+ if (r == -ENOMSG)
		163	+ return 0; /* invalid message, let's ignore it */
		164	+ if (r < 0)
		165	+ goto error;
		166	+
		167	+ r = client_timeout_t1(NULL, 0, client);
		168	+ if (r < 0)
		169	+ goto error;
		170
		171	break;
		172


diff --git a/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch new file mode 100644 index 0000000000..41d0c7b1e4 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
@@ -0,0 +1,66 @@
		1	From 875f3773e383d99e7d43020f02acad7681a05914 Mon Sep 17 00:00:00 2001
		2	From: Yu Watanabe <watanabe.yu+github@gmail.com>
		3	Date: Thu, 24 Jun 2021 00:51:52 +0900
		4	Subject: [PATCH] sd-dhcp-client: shorten code a bit
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2020-13529
		8	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		9	---
		10	src/libsystemd-network/sd-dhcp-client.c \| 13 ++++---------
		11	1 file changed, 4 insertions(+), 9 deletions(-)
		12
		13	diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
		14	index 86bc3c6181..ef3a7d2c6b 100644
		15	--- a/src/libsystemd-network/sd-dhcp-client.c
		16	+++ b/src/libsystemd-network/sd-dhcp-client.c
		17	@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
		18	static int client_handle_message(sd_dhcp_client client, DHCPMessage message, int len) {
		19	DHCP_CLIENT_DONT_DESTROY(client);
		20	char time_string[FORMAT_TIMESPAN_MAX];
		21	- int r = 0, notify_event = 0;
		22	+ int r, notify_event = 0;
		23
		24	assert(client);
		25	assert(client->event);
		26	@@ -1783,9 +1783,6 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		27	0, 0,
		28	client_timeout_resend, client,
		29	client->event_priority, "dhcp4-resend-timer", true);
		30	- if (r < 0)
		31	- goto error;
		32	-
		33	break;
		34
		35	case DHCP_STATE_REBOOTING:
		36	@@ -1813,7 +1810,6 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		37
		38	client->start_delay = CLAMP(client->start_delay * 2,
		39	RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
		40	-
		41	return 0;
		42	}
		43	if (r < 0)
		44	@@ -1866,19 +1862,18 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		45	goto error;
		46
		47	r = client_timeout_t1(NULL, 0, client);
		48	- if (r < 0)
		49	- goto error;
		50	-
		51	break;
		52
		53	case DHCP_STATE_INIT:
		54	case DHCP_STATE_INIT_REBOOT:
		55	-
		56	+ r = 0;
		57	break;
		58
		59	case DHCP_STATE_STOPPED:
		60	r = -EINVAL;
		61	goto error;
		62	+ default:
		63	+ assert_not_reached("invalid state");
		64	}
		65
		66	error:


diff --git a/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch new file mode 100644 index 0000000000..07c7da8c21 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
@@ -0,0 +1,69 @@
		1	From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001
		2	From: Yu Watanabe <watanabe.yu+github@gmail.com>
		3	Date: Thu, 24 Jun 2021 01:14:12 +0900
		4	Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a
		5	new lease
		6
		7	Previously, such situation is handled silently.
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2020-13529
		11	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		12	---
		13	src/libsystemd-network/sd-dhcp-client.c \| 23 ++++++++++++-----------
		14	1 file changed, 12 insertions(+), 11 deletions(-)
		15
		16	diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
		17	index ef3a7d2c6b..04a75c6966 100644
		18	--- a/src/libsystemd-network/sd-dhcp-client.c
		19	+++ b/src/libsystemd-network/sd-dhcp-client.c
		20	@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
		21	static int client_handle_message(sd_dhcp_client client, DHCPMessage message, int len) {
		22	DHCP_CLIENT_DONT_DESTROY(client);
		23	char time_string[FORMAT_TIMESPAN_MAX];
		24	- int r, notify_event = 0;
		25	+ int r, notify_event;
		26
		27	assert(client);
		28	assert(client->event);
		29	@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		30	if (r < 0)
		31	goto error;
		32
		33	+ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
		34	+ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
		35	+ else
		36	+ notify_event = r;
		37	+
		38	client->start_delay = 0;
		39	(void) event_source_disable(client->timeout_resend);
		40	client->receive_message = sd_event_source_unref(client->receive_message);
		41	client->fd = safe_close(client->fd);
		42
		43	- if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
		44	- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
		45	- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
		46	- notify_event = r;
		47	-
		48	client->state = DHCP_STATE_BOUND;
		49	client->attempt = 0;
		50
		51	@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client client, DHCPMessage message, i
		52
		53	client_initialize_io_events(client, client_receive_message_udp);
		54
		55	- if (notify_event) {
		56	+ if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
		57	+ notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
		58	+ /* FIXME: hmm, maybe this is a bug... */
		59	+ log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.",
		60	+ client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding");
		61	+ else
		62	client_notify(client, notify_event);
		63	- if (client->state == DHCP_STATE_STOPPED)
		64	- return 0;
		65	- }
		66	-
		67	break;
		68
		69	case DHCP_STATE_BOUND:


diff --git a/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch new file mode 100644 index 0000000000..c65fb45ab9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
@@ -0,0 +1,42 @@
		1	From ae18277a6cfd04af8a914780f04a867254ab2341 Mon Sep 17 00:00:00 2001
		2	From: Yu Watanabe <watanabe.yu+github@gmail.com>
		3	Date: Thu, 24 Jun 2021 01:22:07 +0900
		4	Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
		5
		6	This makes DHCP client ignore FORCERENEW requests, as unauthenticated
		7	FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
		8
		9	Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
		10	and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
		11
		12	Fixes #16774.
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2020-13529
		16	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		17	---
		18	src/libsystemd-network/sd-dhcp-client.c \| 8 ++++++++
		19	1 file changed, 8 insertions(+)
		20
		21	diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
		22	index 04a75c6966..54eb3a2ab0 100644
		23	--- a/src/libsystemd-network/sd-dhcp-client.c
		24	+++ b/src/libsystemd-network/sd-dhcp-client.c
		25	@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client client, DHCPMessage force,
		26	if (r != DHCP_FORCERENEW)
		27	return -ENOMSG;
		28
		29	+#if 0
		30	log_dhcp_client(client, "FORCERENEW");
		31
		32	return 0;
		33	+#else
		34	+ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
		35	+ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
		36	+ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
		37	+ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
		38	+ return -ENOMSG;
		39	+#endif
		40	}
		41
		42	static bool lease_equal(const sd_dhcp_lease a, const sd_dhcp_lease b) {


diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb index 32afa159ec..f1db1e922b 100644 --- a/meta/recipes-core/systemd/systemd_247.6.bb +++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -27,6 +27,10 @@ SRC_URI += "file://touchscreen.rules \
27	file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \	27	file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
28	file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \	28	file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \
29	file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \	29	file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \
		30	file://0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch \
		31	file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
		32	file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
		33	file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
30	"	34	"
31		35
32	# patches needed by musl	36	# patches needed by musl