summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2016-10-26 14:09:47 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-06 23:35:32 +0000
commit92d604ca28acfaf2c2a1db8332d9ed938c6bebd6 (patch)
tree0eb40ae743dfee451316622794c3c1137e448715 /meta
parentd31d1ad4e566e42d0bbcf1f41ac25e33181fb517 (diff)
downloadpoky-92d604ca28acfaf2c2a1db8332d9ed938c6bebd6.tar.gz
systemd: CVE-2016-7795
The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. The patch is a backport from the latest git repo. Please see the link below for more information. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795 (From OE-Core rev: 543570cafa8d7f595b489d03d05f0aa4478f8539) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2016-7795.patch69
-rw-r--r--meta/recipes-core/systemd/systemd_230.bb1
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch
new file mode 100644
index 0000000000..5ecb9c32de
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch
@@ -0,0 +1,69 @@
1Subject: Fix CVE-2016-7795
2
3This undoes 531ac2b. I acked that patch without looking at the code
4carefully enough. There are two problems:
5- we want to process the fds anyway
6- in principle empty notification messages are valid, and we should
7 process them as usual, including logging using log_unit_debug().
8
9Upstream-Status: Backport
10CVE: CVE-2016-7795
11
12Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
13---
14 src/core/manager.c | 11 ++++++-----
15 1 file changed, 6 insertions(+), 5 deletions(-)
16
17diff --git a/src/core/manager.c b/src/core/manager.c
18index 7838f56..f165d08e 100644
19--- a/src/core/manager.c
20+++ b/src/core/manager.c
21@@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
22 return 0;
23 }
24
25-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) {
26+static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
27 _cleanup_strv_free_ char **tags = NULL;
28
29 assert(m);
30 assert(u);
31 assert(buf);
32- assert(n > 0);
33
34 tags = strv_split(buf, "\n\r");
35 if (!tags) {
36@@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
37 return 0;
38 }
39
40+ /* The message should be a string. Here we make sure it's NUL-terminated,
41+ * but only the part until first NUL will be used anyway. */
42 buf[n] = 0;
43
44 /* Notify every unit that might be interested, but try
45 * to avoid notifying the same one multiple times. */
46 u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
47 if (u1) {
48- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds);
49+ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
50 found = true;
51 }
52
53 u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid));
54 if (u2 && u2 != u1) {
55- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds);
56+ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
57 found = true;
58 }
59
60 u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid));
61 if (u3 && u3 != u2 && u3 != u1) {
62- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds);
63+ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
64 found = true;
65 }
66
67--
682.8.3
69
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index 542f99d04b..f60dd60d01 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -36,6 +36,7 @@ SRC_URI += " \
36 file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \ 36 file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
37 file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \ 37 file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
38 file://udev-re-enable-mount-propagation-for-udevd.patch \ 38 file://udev-re-enable-mount-propagation-for-udevd.patch \
39 file://CVE-2016-7795.patch \
39" 40"
40SRC_URI_append_libc-uclibc = "\ 41SRC_URI_append_libc-uclibc = "\
41 file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \ 42 file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \