systemd: fix CVE-2019-6454

The original fix was deleted when systemd was bumped from v239 to v241, however not all of the patches have made it into the latest version. Refactor the original patch to contain the missing changes. (From OE-Core rev: 400a0468a0f12f7f92f5287053a5fee0bb257fc1) Signed-off-by: Marcus Cooper <marcusc@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marcus Cooper <marcus.cooper@axis.com> 2019-03-13 14:07:15 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-18 11:12:26 +0000
commit: f915e9c3d975d3b2335c1dc85a3c6e512db204b5 (patch)
tree: 25854b23b1ceb9bd80ed0dc5ed67d8ca70a260b3 /meta
parent: 100a30bdb11738e6ce7d1fe224a6da9e9829ce3e (diff)
download: poky-f915e9c3d975d3b2335c1dc85a3c6e512db204b5.tar.gz
2 files changed, 217 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 0000000000..b84809ef17
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,216 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+Patch from: systemd_239-7ubuntu10.8
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
+index 40acae2133..598b7f110c 100644
+--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
+         if (slash)
+                 return false;
+ 
+-        return true;
+        return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+ 
+ char* object_path_startswith(const char *a, const char *b) {
+diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
+index f208b294d8..a8d61bf72a 100644
+--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -332,6 +332,10 @@ struct sd_bus {
+ 
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
+ * to not clash unnecessarily with real-life applications. */
+#define BUS_PATH_SIZE_MAX (64*1024)
+ 
+ #define BUS_CONTAINER_DEPTH 128
+ 
+diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
+index 58329f3fe7..54b977418e 100644
+--- a/src/libsystemd/sd-bus/bus-objects.c
+++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks(
+                 const char *path,
+                 sd_bus_error *error) {
+ 
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks(
+                 return 0;
+ 
+         /* Second, add fallback vtables registered for any of the prefixes */
+-        prefix = newa(char, strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
+                 if (r < 0)
+@@ -1345,6 +1351,7 @@ static int object_find_and_run(
+ }
+ 
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+        _cleanup_free_ char *prefix = NULL;
+         int r;
+         size_t pl;
+         bool found_object = false;
+@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+         assert(m->member);
+ 
+         pl = strlen(m->path);
+-        do {
+-                char prefix[pl+1];
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+ 
+        do {
+                 bus->nodes_modified = false;
+ 
+                 r = object_find_and_run(bus, m, m->path, false, &found_object);
+@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const
+ 
+         n = hashmap_get(bus->nodes, path);
+         if (!n) {
+-                char *prefix;
+                _cleanup_free_ char *prefix = NULL;
+                size_t pl;
+
+                pl = strlen(path);
+                assert(pl <= BUS_PATH_SIZE_MAX);
+                prefix = new(char, pl + 1);
+                if (!prefix)
+                        return -ENOMEM;
+ 
+-                prefix = newa(char, strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         n = hashmap_get(bus->nodes, prefix);
+                         if (n)
+@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv(
+                 const char *interface,
+                 char **names) {
+ 
+        _cleanup_free_ char *prefix = NULL;
+         bool found_interface = false;
+-        char *prefix;
+        size_t pl;
+         int r;
+ 
+         assert_return(bus, -EINVAL);
+@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv(
+ 
+         BUS_DONT_DESTROY(bus);
+ 
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         do {
+                 bus->nodes_modified = false;
+ 
+@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv(
+                 if (bus->nodes_modified)
+                         continue;
+ 
+-                prefix = newa(char, strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
+                         if (r != 0)
+@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix(
+ 
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix(
+ 
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one(
+                 const char *path,
+                 const char *interface) {
+ 
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one(
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
+                 if (r != 0)
diff --git a/meta/recipes-core/systemd/systemd_241.bb b/meta/recipes-core/systemd/systemd_241.bb
index 6532a58cf8..5d09e5d5fb 100644
--- a/meta/recipes-core/systemd/systemd_241.bb
+++ b/meta/recipes-core/systemd/systemd_241.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
           file://0001-meson-declare-version.h-as-dep-for-various-targets-t.patch \
           file://0001-meson-declare-version.h-as-dependency-for-systemd.patch \
+           file://CVE-2019-6454.patch \
           "
 # patches needed by musl
author	Marcus Cooper <marcus.cooper@axis.com>	2019-03-13 14:07:15 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-18 11:12:26 +0000
commit	f915e9c3d975d3b2335c1dc85a3c6e512db204b5 (patch)
tree	25854b23b1ceb9bd80ed0dc5ed67d8ca70a260b3 /meta
parent	100a30bdb11738e6ce7d1fe224a6da9e9829ce3e (diff)
download	poky-f915e9c3d975d3b2335c1dc85a3c6e512db204b5.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch new file mode 100644 index 0000000000..b84809ef17 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,216 @@
		1	Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
		2	them on the stacka
		3	Forwarded: no
		4
		5	Patch from: systemd_239-7ubuntu10.8
		6
		7	For information see:
		8	https://usn.ubuntu.com/3891-1/
		9	https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
		10
		11	CVE: CVE-2019-6454
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		15
		16	diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
		17	index 40acae2133..598b7f110c 100644
		18	--- a/src/libsystemd/sd-bus/bus-internal.c
		19	+++ b/src/libsystemd/sd-bus/bus-internal.c
		20	@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
		21	if (slash)
		22	return false;
		23
		24	- return true;
		25	+ return (q - p) <= BUS_PATH_SIZE_MAX;
		26	}
		27
		28	char* object_path_startswith(const char a, const char b) {
		29	diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
		30	index f208b294d8..a8d61bf72a 100644
		31	--- a/src/libsystemd/sd-bus/bus-internal.h
		32	+++ b/src/libsystemd/sd-bus/bus-internal.h
		33	@@ -332,6 +332,10 @@ struct sd_bus {
		34
		35	#define BUS_MESSAGE_SIZE_MAX (12810241024)
		36	#define BUS_AUTH_SIZE_MAX (64*1024)
		37	+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
		38	+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
		39	+ * to not clash unnecessarily with real-life applications. */
		40	+#define BUS_PATH_SIZE_MAX (64*1024)
		41
		42	#define BUS_CONTAINER_DEPTH 128
		43
		44	diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
		45	index 58329f3fe7..54b977418e 100644
		46	--- a/src/libsystemd/sd-bus/bus-objects.c
		47	+++ b/src/libsystemd/sd-bus/bus-objects.c
		48	@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks(
		49	const char *path,
		50	sd_bus_error *error) {
		51
		52	- char *prefix;
		53	+ _cleanup_free_ char *prefix = NULL;
		54	+ size_t pl;
		55	int r;
		56
		57	assert(bus);
		58	@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks(
		59	return 0;
		60
		61	/* Second, add fallback vtables registered for any of the prefixes */
		62	- prefix = newa(char, strlen(path) + 1);
		63	+ pl = strlen(path);
		64	+ assert(pl <= BUS_PATH_SIZE_MAX);
		65	+ prefix = new(char, pl + 1);
		66	+ if (!prefix)
		67	+ return -ENOMEM;
		68	+
		69	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		70	r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
		71	if (r < 0)
		72	@@ -1345,6 +1351,7 @@ static int object_find_and_run(
		73	}
		74
		75	int bus_process_object(sd_bus bus, sd_bus_message m) {
		76	+ _cleanup_free_ char *prefix = NULL;
		77	int r;
		78	size_t pl;
		79	bool found_object = false;
		80	@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus bus, sd_bus_message m) {
		81	assert(m->member);
		82
		83	pl = strlen(m->path);
		84	- do {
		85	- char prefix[pl+1];
		86	+ assert(pl <= BUS_PATH_SIZE_MAX);
		87	+ prefix = new(char, pl + 1);
		88	+ if (!prefix)
		89	+ return -ENOMEM;
		90
		91	+ do {
		92	bus->nodes_modified = false;
		93
		94	r = object_find_and_run(bus, m, m->path, false, &found_object);
		95	@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus bus, struct node *out, const
		96
		97	n = hashmap_get(bus->nodes, path);
		98	if (!n) {
		99	- char *prefix;
		100	+ _cleanup_free_ char *prefix = NULL;
		101	+ size_t pl;
		102	+
		103	+ pl = strlen(path);
		104	+ assert(pl <= BUS_PATH_SIZE_MAX);
		105	+ prefix = new(char, pl + 1);
		106	+ if (!prefix)
		107	+ return -ENOMEM;
		108
		109	- prefix = newa(char, strlen(path) + 1);
		110	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		111	n = hashmap_get(bus->nodes, prefix);
		112	if (n)
		113	@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv(
		114	const char *interface,
		115	char **names) {
		116
		117	+ _cleanup_free_ char *prefix = NULL;
		118	bool found_interface = false;
		119	- char *prefix;
		120	+ size_t pl;
		121	int r;
		122
		123	assert_return(bus, -EINVAL);
		124	@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv(
		125
		126	BUS_DONT_DESTROY(bus);
		127
		128	+ pl = strlen(path);
		129	+ assert(pl <= BUS_PATH_SIZE_MAX);
		130	+ prefix = new(char, pl + 1);
		131	+ if (!prefix)
		132	+ return -ENOMEM;
		133	+
		134	do {
		135	bus->nodes_modified = false;
		136
		137	@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv(
		138	if (bus->nodes_modified)
		139	continue;
		140
		141	- prefix = newa(char, strlen(path) + 1);
		142	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		143	r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
		144	if (r != 0)
		145	@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix(
		146
		147	static int object_added_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		148	_cleanup_set_free_ Set *s = NULL;
		149	- char *prefix;
		150	+ _cleanup_free_ char *prefix = NULL;
		151	+ size_t pl;
		152	int r;
		153
		154	assert(bus);
		155	@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus bus, sd_bus_message m, const char *p
		156	if (bus->nodes_modified)
		157	return 0;
		158
		159	- prefix = newa(char, strlen(path) + 1);
		160	+ pl = strlen(path);
		161	+ assert(pl <= BUS_PATH_SIZE_MAX);
		162	+ prefix = new(char, pl + 1);
		163	+ if (!prefix)
		164	+ return -ENOMEM;
		165	+
		166	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		167	r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
		168	if (r < 0)
		169	@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix(
		170
		171	static int object_removed_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		172	_cleanup_set_free_ Set *s = NULL;
		173	- char *prefix;
		174	+ _cleanup_free_ char *prefix = NULL;
		175	+ size_t pl;
		176	int r;
		177
		178	assert(bus);
		179	@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus bus, sd_bus_message m, const char
		180	if (bus->nodes_modified)
		181	return 0;
		182
		183	- prefix = newa(char, strlen(path) + 1);
		184	+ pl = strlen(path);
		185	+ assert(pl <= BUS_PATH_SIZE_MAX);
		186	+ prefix = new(char, pl + 1);
		187	+ if (!prefix)
		188	+ return -ENOMEM;
		189	+
		190	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		191	r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
		192	if (r < 0)
		193	@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one(
		194	const char *path,
		195	const char *interface) {
		196
		197	- char *prefix;
		198	+ _cleanup_free_ char *prefix = NULL;
		199	+ size_t pl;
		200	int r;
		201
		202	assert(bus);
		203	@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one(
		204	if (bus->nodes_modified)
		205	return 0;
		206
		207	- prefix = newa(char, strlen(path) + 1);
		208	+ pl = strlen(path);
		209	+ assert(pl <= BUS_PATH_SIZE_MAX);
		210	+ prefix = new(char, pl + 1);
		211	+ if (!prefix)
		212	+ return -ENOMEM;
		213	+
		214	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		215	r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
		216	if (r != 0)


diff --git a/meta/recipes-core/systemd/systemd_241.bb b/meta/recipes-core/systemd/systemd_241.bb index 6532a58cf8..5d09e5d5fb 100644 --- a/meta/recipes-core/systemd/systemd_241.bb +++ b/meta/recipes-core/systemd/systemd_241.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \
24	file://0005-rules-watch-metadata-changes-in-ide-devices.patch \	24	file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
25	file://0001-meson-declare-version.h-as-dep-for-various-targets-t.patch \	25	file://0001-meson-declare-version.h-as-dep-for-various-targets-t.patch \
26	file://0001-meson-declare-version.h-as-dependency-for-systemd.patch \	26	file://0001-meson-declare-version.h-as-dependency-for-systemd.patch \
		27	file://CVE-2019-6454.patch \
27	"	28	"
28		29
29	# patches needed by musl	30	# patches needed by musl