Diffstat (limited to 'meta/recipes-core/systemd/systemd/CVE-2021-33910.patch')
-rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2021-33910.patch | 67 |
1 files changed, 67 insertions, 0 deletions
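--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/basic/unit-name.c | 13 +++++--------
+1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+}
+
+int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+assert(f);
+assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+if (!p)
+return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+if (!path_is_normalized(p))
+return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+}
+if (!s)
+return -ENOMEM;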
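Review bot: The second inner hunk's safety rests on `p` never being reassigned after `strdup()` — passing `skip_leading_chars(p, "/")` straight into `unit_name_escape()` keeps `p` pointing at the allocation that `_cleanup_free_` will release — and that invariant is only implicit, so the patch header (or a one-line comment above the `s = unit_name_escape(...)` call, e.g. `/* keep p pointing at the strdup() result: _cleanup_free_ frees it */`) should state it so a later rebase does not bring back `p = skip_leading_chars(p, "/")`. The hunk ends at `if (!s) return -ENOMEM;` and the rest of `unit_name_path_escape()`, where `s` presumably reaches `*ret`, is outside the hunk, as is the opening of the block that the `}` on the first line after `delete_trailing_chars()` closes, so that `s` is always a fresh allocation independent of `p` cannot be confirmed from this page. The upstream subject marks this as `[PATCH 1/2]` and the diffstat is filtered to this one file, so neither the companion commit nor the recipe's SRC_URI change is visible here; worth confirming both landed in the same series.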