systemd: fix CVE-2019-6454

Apply patches from systemd_237-3ubuntu10.13 to fix CVE-2019-6454. CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a specially formed D-Bus message. For information see: https://usn.ubuntu.com/3891-1/ https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates&id=d7584b894afcaa8a4a1abb69db2a9c81a6276e80 (From OE-Core rev: 342157b135e7493e5965b706ede93bee190fbe32) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2019-02-25 10:37:13 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-24 16:49:54 +0000
commit: 0278e515fd8b08ae6646d90bec69ee67cdccc209 (patch)
tree: e6cc70d5b39bacb8b225e81e8407ba813bef07a9 /meta
parent: 4c55db6d5c6f93e5fd851ed2d0c8ebc5ec043cab (diff)
download: poky-0278e515fd8b08ae6646d90bec69ee67cdccc209.tar.gz
3 files changed, 273 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 0000000000..e3c67c166c
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+Patch from: systemd_237-3ubuntu10.13
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates&id=d7584b894afcaa8a4a1abb69db2a9c81a6276e80
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -61,7 +61,7 @@
+         if (slash)
+                 return false;
+ 
+-        return true;
+        return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+ 
+ char* object_path_startswith(const char *a, const char *b) {
+--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -339,6 +339,10 @@
+ 
+ #define BUS_MESSAGE_SIZE_MAX (64*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
+ * to not clash unnecessarily with real-life applications. */
+#define BUS_PATH_SIZE_MAX (64*1024)
+ 
+ #define BUS_CONTAINER_DEPTH 128
+ 
+--- a/src/libsystemd/sd-bus/bus-objects.c
+++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1150,7 +1150,8 @@
+                 const char *path,
+                 sd_bus_error *error) {
+ 
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -1166,7 +1167,12 @@
+                 return 0;
+ 
+         /* Second, add fallback vtables registered for any of the prefixes */
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
+                 if (r < 0)
+@@ -1362,6 +1368,7 @@
+ }
+ 
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+        _cleanup_free_ char *prefix = NULL;
+         int r;
+         size_t pl;
+         bool found_object = false;
+@@ -1386,9 +1393,12 @@
+         assert(m->member);
+ 
+         pl = strlen(m->path);
+-        do {
+-                char prefix[pl+1];
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+ 
+        do {
+                 bus->nodes_modified = false;
+ 
+                 r = object_find_and_run(bus, m, m->path, false, &found_object);
+@@ -1516,9 +1526,15 @@
+ 
+         n = hashmap_get(bus->nodes, path);
+         if (!n) {
+-                char *prefix;
+                _cleanup_free_ char *prefix = NULL;
+                size_t pl;
+
+                pl = strlen(path);
+                assert(pl <= BUS_PATH_SIZE_MAX);
+                prefix = new(char, pl + 1);
+                if (!prefix)
+                        return -ENOMEM;
+ 
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         n = hashmap_get(bus->nodes, prefix);
+                         if (n)
+@@ -2108,8 +2124,9 @@
+                 char **names) {
+ 
+         BUS_DONT_DESTROY(bus);
+        _cleanup_free_ char *prefix = NULL;
+         bool found_interface = false;
+-        char *prefix;
+        size_t pl;
+         int r;
+ 
+         assert_return(bus, -EINVAL);
+@@ -2128,6 +2145,12 @@
+         if (names && names[0] == NULL)
+                 return 0;
+ 
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         do {
+                 bus->nodes_modified = false;
+ 
+@@ -2137,7 +2160,6 @@
+                 if (bus->nodes_modified)
+                         continue;
+ 
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
+                         if (r != 0)
+@@ -2269,7 +2291,8 @@
+ 
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2314,7 +2337,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2453,7 +2481,8 @@
+ 
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2485,7 +2514,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2635,7 +2669,8 @@
+                 const char *path,
+                 const char *interface) {
+ 
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2649,7 +2684,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
+                 if (r != 0)
diff --git a/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
new file mode 100644
index 0000000000..4ffa739145
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
@@ -0,0 +1,61 @@
+Description: sd-bus: if we receive an invalid dbus message, ignore and
+ proceeed
+ .
+ dbus-daemon might have a slightly different idea of what a valid msg is
+ than us (for example regarding valid msg and field sizes). Let's hence
+ try to proceed if we can and thus drop messages rather than fail the
+ connection if we fail to validate a message.
+ .
+ Hopefully the differences in what is considered valid are not visible
+ for real-life usecases, but are specific to exploit attempts only.
+Author: Lennart Poettering <lennart@poettering.net>
+Forwarded: other,https://github.com/systemd/systemd/pull/11708/
+Patch from: systemd_237-3ubuntu10.13
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates&id=d7584b894afcaa8a4a1abb69db2a9c81a6276e80
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
+index 30d6455b6f..441b4a816f 100644
+--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
+@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
+ }
+ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+-        sd_bus_message *t;
+        sd_bus_message *t = NULL;
+         void *b;
+         int r;
+@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+                                     bus->fds, bus->n_fds,
+                                     NULL,
+                                     &t);
+-        if (r < 0) {
+        if (r == -EBADMSG)
+                log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
+        else if (r < 0) {
+                 free(b);
+                 return r;
+         }
+@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+         bus->fds = NULL;
+         bus->n_fds = 0;
+-        bus->rqueue[bus->rqueue_size++] = t;
+        if (t)
+                bus->rqueue[bus->rqueue_size++] = t;
+         return 1;
+ }
+--
+2.17.1
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb
index bc33fbebdc..a0e5d512e0 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -63,6 +63,8 @@ SRC_URI += "file://touchscreen.rules \
           file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
           file://0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch \
           file://0002-Make-tmpfiles-safe.patch \
+           file://CVE-2019-6454.patch \
+           file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
           "
 SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
author	George McCollister <george.mccollister@gmail.com>	2019-02-25 10:37:13 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-24 16:49:54 +0000
commit	0278e515fd8b08ae6646d90bec69ee67cdccc209 (patch)
tree	e6cc70d5b39bacb8b225e81e8407ba813bef07a9 /meta
parent	4c55db6d5c6f93e5fd851ed2d0c8ebc5ec043cab (diff)
download	poky-0278e515fd8b08ae6646d90bec69ee67cdccc209.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch new file mode 100644 index 0000000000..e3c67c166c --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
		1	Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
		2	them on the stacka
		3	Forwarded: no
		4
		5	Patch from: systemd_237-3ubuntu10.13
		6
		7	For information see:
		8	https://usn.ubuntu.com/3891-1/
		9	https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates&id=d7584b894afcaa8a4a1abb69db2a9c81a6276e80
		10
		11	CVE: CVE-2019-6454
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		15
		16	--- a/src/libsystemd/sd-bus/bus-internal.c
		17	+++ b/src/libsystemd/sd-bus/bus-internal.c
		18	@@ -61,7 +61,7 @@
		19	if (slash)
		20	return false;
		21
		22	- return true;
		23	+ return (q - p) <= BUS_PATH_SIZE_MAX;
		24	}
		25
		26	char* object_path_startswith(const char a, const char b) {
		27	--- a/src/libsystemd/sd-bus/bus-internal.h
		28	+++ b/src/libsystemd/sd-bus/bus-internal.h
		29	@@ -339,6 +339,10 @@
		30
		31	#define BUS_MESSAGE_SIZE_MAX (6410241024)
		32	#define BUS_AUTH_SIZE_MAX (64*1024)
		33	+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
		34	+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
		35	+ * to not clash unnecessarily with real-life applications. */
		36	+#define BUS_PATH_SIZE_MAX (64*1024)
		37
		38	#define BUS_CONTAINER_DEPTH 128
		39
		40	--- a/src/libsystemd/sd-bus/bus-objects.c
		41	+++ b/src/libsystemd/sd-bus/bus-objects.c
		42	@@ -1150,7 +1150,8 @@
		43	const char *path,
		44	sd_bus_error *error) {
		45
		46	- char *prefix;
		47	+ _cleanup_free_ char *prefix = NULL;
		48	+ size_t pl;
		49	int r;
		50
		51	assert(bus);
		52	@@ -1166,7 +1167,12 @@
		53	return 0;
		54
		55	/* Second, add fallback vtables registered for any of the prefixes */
		56	- prefix = alloca(strlen(path) + 1);
		57	+ pl = strlen(path);
		58	+ assert(pl <= BUS_PATH_SIZE_MAX);
		59	+ prefix = new(char, pl + 1);
		60	+ if (!prefix)
		61	+ return -ENOMEM;
		62	+
		63	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		64	r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
		65	if (r < 0)
		66	@@ -1362,6 +1368,7 @@
		67	}
		68
		69	int bus_process_object(sd_bus bus, sd_bus_message m) {
		70	+ _cleanup_free_ char *prefix = NULL;
		71	int r;
		72	size_t pl;
		73	bool found_object = false;
		74	@@ -1386,9 +1393,12 @@
		75	assert(m->member);
		76
		77	pl = strlen(m->path);
		78	- do {
		79	- char prefix[pl+1];
		80	+ assert(pl <= BUS_PATH_SIZE_MAX);
		81	+ prefix = new(char, pl + 1);
		82	+ if (!prefix)
		83	+ return -ENOMEM;
		84
		85	+ do {
		86	bus->nodes_modified = false;
		87
		88	r = object_find_and_run(bus, m, m->path, false, &found_object);
		89	@@ -1516,9 +1526,15 @@
		90
		91	n = hashmap_get(bus->nodes, path);
		92	if (!n) {
		93	- char *prefix;
		94	+ _cleanup_free_ char *prefix = NULL;
		95	+ size_t pl;
		96	+
		97	+ pl = strlen(path);
		98	+ assert(pl <= BUS_PATH_SIZE_MAX);
		99	+ prefix = new(char, pl + 1);
		100	+ if (!prefix)
		101	+ return -ENOMEM;
		102
		103	- prefix = alloca(strlen(path) + 1);
		104	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		105	n = hashmap_get(bus->nodes, prefix);
		106	if (n)
		107	@@ -2108,8 +2124,9 @@
		108	char **names) {
		109
		110	BUS_DONT_DESTROY(bus);
		111	+ _cleanup_free_ char *prefix = NULL;
		112	bool found_interface = false;
		113	- char *prefix;
		114	+ size_t pl;
		115	int r;
		116
		117	assert_return(bus, -EINVAL);
		118	@@ -2128,6 +2145,12 @@
		119	if (names && names[0] == NULL)
		120	return 0;
		121
		122	+ pl = strlen(path);
		123	+ assert(pl <= BUS_PATH_SIZE_MAX);
		124	+ prefix = new(char, pl + 1);
		125	+ if (!prefix)
		126	+ return -ENOMEM;
		127	+
		128	do {
		129	bus->nodes_modified = false;
		130
		131	@@ -2137,7 +2160,6 @@
		132	if (bus->nodes_modified)
		133	continue;
		134
		135	- prefix = alloca(strlen(path) + 1);
		136	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		137	r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
		138	if (r != 0)
		139	@@ -2269,7 +2291,8 @@
		140
		141	static int object_added_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		142	_cleanup_set_free_ Set *s = NULL;
		143	- char *prefix;
		144	+ _cleanup_free_ char *prefix = NULL;
		145	+ size_t pl;
		146	int r;
		147
		148	assert(bus);
		149	@@ -2314,7 +2337,12 @@
		150	if (bus->nodes_modified)
		151	return 0;
		152
		153	- prefix = alloca(strlen(path) + 1);
		154	+ pl = strlen(path);
		155	+ assert(pl <= BUS_PATH_SIZE_MAX);
		156	+ prefix = new(char, pl + 1);
		157	+ if (!prefix)
		158	+ return -ENOMEM;
		159	+
		160	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		161	r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
		162	if (r < 0)
		163	@@ -2453,7 +2481,8 @@
		164
		165	static int object_removed_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		166	_cleanup_set_free_ Set *s = NULL;
		167	- char *prefix;
		168	+ _cleanup_free_ char *prefix = NULL;
		169	+ size_t pl;
		170	int r;
		171
		172	assert(bus);
		173	@@ -2485,7 +2514,12 @@
		174	if (bus->nodes_modified)
		175	return 0;
		176
		177	- prefix = alloca(strlen(path) + 1);
		178	+ pl = strlen(path);
		179	+ assert(pl <= BUS_PATH_SIZE_MAX);
		180	+ prefix = new(char, pl + 1);
		181	+ if (!prefix)
		182	+ return -ENOMEM;
		183	+
		184	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		185	r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
		186	if (r < 0)
		187	@@ -2635,7 +2669,8 @@
		188	const char *path,
		189	const char *interface) {
		190
		191	- char *prefix;
		192	+ _cleanup_free_ char *prefix = NULL;
		193	+ size_t pl;
		194	int r;
		195
		196	assert(bus);
		197	@@ -2649,7 +2684,12 @@
		198	if (bus->nodes_modified)
		199	return 0;
		200
		201	- prefix = alloca(strlen(path) + 1);
		202	+ pl = strlen(path);
		203	+ assert(pl <= BUS_PATH_SIZE_MAX);
		204	+ prefix = new(char, pl + 1);
		205	+ if (!prefix)
		206	+ return -ENOMEM;
		207	+
		208	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		209	r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
		210	if (r != 0)


diff --git a/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch new file mode 100644 index 0000000000..4ffa739145 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
@@ -0,0 +1,61 @@
		1	Description: sd-bus: if we receive an invalid dbus message, ignore and
		2	proceeed
		3	.
		4	dbus-daemon might have a slightly different idea of what a valid msg is
		5	than us (for example regarding valid msg and field sizes). Let's hence
		6	try to proceed if we can and thus drop messages rather than fail the
		7	connection if we fail to validate a message.
		8	.
		9	Hopefully the differences in what is considered valid are not visible
		10	for real-life usecases, but are specific to exploit attempts only.
		11	Author: Lennart Poettering <lennart@poettering.net>
		12	Forwarded: other,https://github.com/systemd/systemd/pull/11708/
		13
		14	Patch from: systemd_237-3ubuntu10.13
		15
		16	For information see:
		17	https://usn.ubuntu.com/3891-1/
		18	https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates&id=d7584b894afcaa8a4a1abb69db2a9c81a6276e80
		19
		20	CVE: CVE-2019-6454
		21	Upstream-Status: Backport
		22
		23	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		24
		25	diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
		26	index 30d6455b6f..441b4a816f 100644
		27	--- a/src/libsystemd/sd-bus/bus-socket.c
		28	+++ b/src/libsystemd/sd-bus/bus-socket.c
		29	@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus bus, size_t need) {
		30	}
		31
		32	static int bus_socket_make_message(sd_bus *bus, size_t size) {
		33	- sd_bus_message *t;
		34	+ sd_bus_message *t = NULL;
		35	void *b;
		36	int r;
		37
		38	@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
		39	bus->fds, bus->n_fds,
		40	NULL,
		41	&t);
		42	- if (r < 0) {
		43	+ if (r == -EBADMSG)
		44	+ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
		45	+ else if (r < 0) {
		46	free(b);
		47	return r;
		48	}
		49	@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
		50	bus->fds = NULL;
		51	bus->n_fds = 0;
		52
		53	- bus->rqueue[bus->rqueue_size++] = t;
		54	+ if (t)
		55	+ bus->rqueue[bus->rqueue_size++] = t;
		56
		57	return 1;
		58	}
		59	--
		60	2.17.1
		61


diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index bc33fbebdc..a0e5d512e0 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -63,6 +63,8 @@ SRC_URI += "file://touchscreen.rules \
63	file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \	63	file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
64	file://0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch \	64	file://0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch \
65	file://0002-Make-tmpfiles-safe.patch \	65	file://0002-Make-tmpfiles-safe.patch \
		66	file://CVE-2019-6454.patch \
		67	file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
66	"	68	"
67	SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"	69	SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
68		70