systemd: fix CVE-2019-6454

Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454. CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a specially formed D-Bus message. For information see: https://usn.ubuntu.com/3891-1/ https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb (From OE-Core rev: 9d2ec5970adfc906fcc4581528321a879953fd55) (From OE-Core rev: 81199a83c5e5c4a107a025403bc0a79157ba6630) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2019-02-22 10:54:50 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-24 16:48:38 +0000
commit: 39bc9d5f2304c61458821eaa1fadb63d02a4d779 (patch)
tree: 7fbb7b880e0b2c8312a764cfa5dcaca0c162ac6b
parent: d693d371a64b47c35f2849b9bb5ca79b6e2eac1f (diff)
download: poky-39bc9d5f2304c61458821eaa1fadb63d02a4d779.tar.gz
3 files changed, 273 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 0000000000..80170dac0f
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+Patch from: systemd_239-7ubuntu10.8
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -45,7 +45,7 @@
+         if (slash)
+                 return false;
+-        return true;
+        return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+ char* object_path_startswith(const char *a, const char *b) {
+--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -333,6 +333,10 @@
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
+ * to not clash unnecessarily with real-life applications. */
+#define BUS_PATH_SIZE_MAX (64*1024)
+ #define BUS_CONTAINER_DEPTH 128
+--- a/src/libsystemd/sd-bus/bus-objects.c
+++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1134,7 +1134,8 @@
+                 const char *path,
+                 sd_bus_error *error) {
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+         assert(bus);
+@@ -1150,7 +1151,12 @@
+                 return 0;
+         /* Second, add fallback vtables registered for any of the prefixes */
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
+                 if (r < 0)
+@@ -1346,6 +1352,7 @@
+ }
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+        _cleanup_free_ char *prefix = NULL;
+         int r;
+         size_t pl;
+         bool found_object = false;
+@@ -1370,9 +1377,12 @@
+         assert(m->member);
+         pl = strlen(m->path);
+-        do {
+-                char prefix[pl+1];
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+        do {
+                 bus->nodes_modified = false;
+                 r = object_find_and_run(bus, m, m->path, false, &found_object);
+@@ -1499,9 +1509,15 @@
+         n = hashmap_get(bus->nodes, path);
+         if (!n) {
+-                char *prefix;
+                _cleanup_free_ char *prefix = NULL;
+                size_t pl;
+
+                pl = strlen(path);
+                assert(pl <= BUS_PATH_SIZE_MAX);
+                prefix = new(char, pl + 1);
+                if (!prefix)
+                        return -ENOMEM;
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         n = hashmap_get(bus->nodes, prefix);
+                         if (n)
+@@ -2091,8 +2107,9 @@
+                 char **names) {
+         BUS_DONT_DESTROY(bus);
+        _cleanup_free_ char *prefix = NULL;
+         bool found_interface = false;
+-        char *prefix;
+        size_t pl;
+         int r;
+         assert_return(bus, -EINVAL);
+@@ -2111,6 +2128,12 @@
+         if (names && names[0] == NULL)
+                 return 0;
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         do {
+                 bus->nodes_modified = false;
+@@ -2120,7 +2143,6 @@
+                 if (bus->nodes_modified)
+                         continue;
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
+                         if (r != 0)
+@@ -2252,7 +2274,8 @@
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+         assert(bus);
+@@ -2297,7 +2320,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2436,7 +2464,8 @@
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+         assert(bus);
+@@ -2468,7 +2497,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2618,7 +2652,8 @@
+                 const char *path,
+                 const char *interface) {
+-        char *prefix;
+        _cleanup_free_ char *prefix = NULL;
+        size_t pl;
+         int r;
+         assert(bus);
+@@ -2632,7 +2667,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+-        prefix = alloca(strlen(path) + 1);
+        pl = strlen(path);
+        assert(pl <= BUS_PATH_SIZE_MAX);
+        prefix = new(char, pl + 1);
+        if (!prefix)
+                return -ENOMEM;
+
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
+                 if (r != 0)
diff --git a/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
new file mode 100644
index 0000000000..57311faa60
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
@@ -0,0 +1,61 @@
+Description: sd-bus: if we receive an invalid dbus message, ignore and
+ proceeed
+ .
+ dbus-daemon might have a slightly different idea of what a valid msg is
+ than us (for example regarding valid msg and field sizes). Let's hence
+ try to proceed if we can and thus drop messages rather than fail the
+ connection if we fail to validate a message.
+ .
+ Hopefully the differences in what is considered valid are not visible
+ for real-life usecases, but are specific to exploit attempts only.
+Author: Lennart Poettering <lennart@poettering.net>
+Forwarded: other,https://github.com/systemd/systemd/pull/11708/
+Patch from: systemd_239-7ubuntu10.8
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
+index 30d6455b6f..441b4a816f 100644
+--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
+@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
+ }
+ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+-        sd_bus_message *t;
+        sd_bus_message *t = NULL;
+         void *b;
+         int r;
+@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+                                     bus->fds, bus->n_fds,
+                                     NULL,
+                                     &t);
+-        if (r < 0) {
+        if (r == -EBADMSG)
+                log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
+        else if (r < 0) {
+                 free(b);
+                 return r;
+         }
+@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+         bus->fds = NULL;
+         bus->n_fds = 0;
+-        bus->rqueue[bus->rqueue_size++] = t;
+        if (t)
+                bus->rqueue[bus->rqueue_size++] = t;
+         return 1;
+ }
+--
+2.17.1
diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
index 8c0366232f..7fbd64ced7 100644
--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -41,6 +41,8 @@ SRC_URI += "file://touchscreen.rules \
           file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
           file://0025-journald-set-a-limit-on-the-number-of-fields.patch \
           file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
+           file://CVE-2019-6454.patch \
+           file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
           "
 # patches made for musl are only applied on TCLIBC is musl
author	George McCollister <george.mccollister@gmail.com>	2019-02-22 10:54:50 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-24 16:48:38 +0000
commit	39bc9d5f2304c61458821eaa1fadb63d02a4d779 (patch)
tree	7fbb7b880e0b2c8312a764cfa5dcaca0c162ac6b
parent	d693d371a64b47c35f2849b9bb5ca79b6e2eac1f (diff)
download	poky-39bc9d5f2304c61458821eaa1fadb63d02a4d779.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch new file mode 100644 index 0000000000..80170dac0f --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
		1	Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
		2	them on the stacka
		3	Forwarded: no
		4
		5	Patch from: systemd_239-7ubuntu10.8
		6
		7	For information see:
		8	https://usn.ubuntu.com/3891-1/
		9	https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
		10
		11	CVE: CVE-2019-6454
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		15
		16	--- a/src/libsystemd/sd-bus/bus-internal.c
		17	+++ b/src/libsystemd/sd-bus/bus-internal.c
		18	@@ -45,7 +45,7 @@
		19	if (slash)
		20	return false;
		21
		22	- return true;
		23	+ return (q - p) <= BUS_PATH_SIZE_MAX;
		24	}
		25
		26	char* object_path_startswith(const char a, const char b) {
		27	--- a/src/libsystemd/sd-bus/bus-internal.h
		28	+++ b/src/libsystemd/sd-bus/bus-internal.h
		29	@@ -333,6 +333,10 @@
		30
		31	#define BUS_MESSAGE_SIZE_MAX (12810241024)
		32	#define BUS_AUTH_SIZE_MAX (64*1024)
		33	+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
		34	+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
		35	+ * to not clash unnecessarily with real-life applications. */
		36	+#define BUS_PATH_SIZE_MAX (64*1024)
		37
		38	#define BUS_CONTAINER_DEPTH 128
		39
		40	--- a/src/libsystemd/sd-bus/bus-objects.c
		41	+++ b/src/libsystemd/sd-bus/bus-objects.c
		42	@@ -1134,7 +1134,8 @@
		43	const char *path,
		44	sd_bus_error *error) {
		45
		46	- char *prefix;
		47	+ _cleanup_free_ char *prefix = NULL;
		48	+ size_t pl;
		49	int r;
		50
		51	assert(bus);
		52	@@ -1150,7 +1151,12 @@
		53	return 0;
		54
		55	/* Second, add fallback vtables registered for any of the prefixes */
		56	- prefix = alloca(strlen(path) + 1);
		57	+ pl = strlen(path);
		58	+ assert(pl <= BUS_PATH_SIZE_MAX);
		59	+ prefix = new(char, pl + 1);
		60	+ if (!prefix)
		61	+ return -ENOMEM;
		62	+
		63	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		64	r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
		65	if (r < 0)
		66	@@ -1346,6 +1352,7 @@
		67	}
		68
		69	int bus_process_object(sd_bus bus, sd_bus_message m) {
		70	+ _cleanup_free_ char *prefix = NULL;
		71	int r;
		72	size_t pl;
		73	bool found_object = false;
		74	@@ -1370,9 +1377,12 @@
		75	assert(m->member);
		76
		77	pl = strlen(m->path);
		78	- do {
		79	- char prefix[pl+1];
		80	+ assert(pl <= BUS_PATH_SIZE_MAX);
		81	+ prefix = new(char, pl + 1);
		82	+ if (!prefix)
		83	+ return -ENOMEM;
		84
		85	+ do {
		86	bus->nodes_modified = false;
		87
		88	r = object_find_and_run(bus, m, m->path, false, &found_object);
		89	@@ -1499,9 +1509,15 @@
		90
		91	n = hashmap_get(bus->nodes, path);
		92	if (!n) {
		93	- char *prefix;
		94	+ _cleanup_free_ char *prefix = NULL;
		95	+ size_t pl;
		96	+
		97	+ pl = strlen(path);
		98	+ assert(pl <= BUS_PATH_SIZE_MAX);
		99	+ prefix = new(char, pl + 1);
		100	+ if (!prefix)
		101	+ return -ENOMEM;
		102
		103	- prefix = alloca(strlen(path) + 1);
		104	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		105	n = hashmap_get(bus->nodes, prefix);
		106	if (n)
		107	@@ -2091,8 +2107,9 @@
		108	char **names) {
		109
		110	BUS_DONT_DESTROY(bus);
		111	+ _cleanup_free_ char *prefix = NULL;
		112	bool found_interface = false;
		113	- char *prefix;
		114	+ size_t pl;
		115	int r;
		116
		117	assert_return(bus, -EINVAL);
		118	@@ -2111,6 +2128,12 @@
		119	if (names && names[0] == NULL)
		120	return 0;
		121
		122	+ pl = strlen(path);
		123	+ assert(pl <= BUS_PATH_SIZE_MAX);
		124	+ prefix = new(char, pl + 1);
		125	+ if (!prefix)
		126	+ return -ENOMEM;
		127	+
		128	do {
		129	bus->nodes_modified = false;
		130
		131	@@ -2120,7 +2143,6 @@
		132	if (bus->nodes_modified)
		133	continue;
		134
		135	- prefix = alloca(strlen(path) + 1);
		136	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		137	r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
		138	if (r != 0)
		139	@@ -2252,7 +2274,8 @@
		140
		141	static int object_added_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		142	_cleanup_set_free_ Set *s = NULL;
		143	- char *prefix;
		144	+ _cleanup_free_ char *prefix = NULL;
		145	+ size_t pl;
		146	int r;
		147
		148	assert(bus);
		149	@@ -2297,7 +2320,12 @@
		150	if (bus->nodes_modified)
		151	return 0;
		152
		153	- prefix = alloca(strlen(path) + 1);
		154	+ pl = strlen(path);
		155	+ assert(pl <= BUS_PATH_SIZE_MAX);
		156	+ prefix = new(char, pl + 1);
		157	+ if (!prefix)
		158	+ return -ENOMEM;
		159	+
		160	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		161	r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
		162	if (r < 0)
		163	@@ -2436,7 +2464,8 @@
		164
		165	static int object_removed_append_all(sd_bus bus, sd_bus_message m, const char *path) {
		166	_cleanup_set_free_ Set *s = NULL;
		167	- char *prefix;
		168	+ _cleanup_free_ char *prefix = NULL;
		169	+ size_t pl;
		170	int r;
		171
		172	assert(bus);
		173	@@ -2468,7 +2497,12 @@
		174	if (bus->nodes_modified)
		175	return 0;
		176
		177	- prefix = alloca(strlen(path) + 1);
		178	+ pl = strlen(path);
		179	+ assert(pl <= BUS_PATH_SIZE_MAX);
		180	+ prefix = new(char, pl + 1);
		181	+ if (!prefix)
		182	+ return -ENOMEM;
		183	+
		184	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		185	r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
		186	if (r < 0)
		187	@@ -2618,7 +2652,8 @@
		188	const char *path,
		189	const char *interface) {
		190
		191	- char *prefix;
		192	+ _cleanup_free_ char *prefix = NULL;
		193	+ size_t pl;
		194	int r;
		195
		196	assert(bus);
		197	@@ -2632,7 +2667,12 @@
		198	if (bus->nodes_modified)
		199	return 0;
		200
		201	- prefix = alloca(strlen(path) + 1);
		202	+ pl = strlen(path);
		203	+ assert(pl <= BUS_PATH_SIZE_MAX);
		204	+ prefix = new(char, pl + 1);
		205	+ if (!prefix)
		206	+ return -ENOMEM;
		207	+
		208	OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
		209	r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
		210	if (r != 0)


diff --git a/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch new file mode 100644 index 0000000000..57311faa60 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
@@ -0,0 +1,61 @@
		1	Description: sd-bus: if we receive an invalid dbus message, ignore and
		2	proceeed
		3	.
		4	dbus-daemon might have a slightly different idea of what a valid msg is
		5	than us (for example regarding valid msg and field sizes). Let's hence
		6	try to proceed if we can and thus drop messages rather than fail the
		7	connection if we fail to validate a message.
		8	.
		9	Hopefully the differences in what is considered valid are not visible
		10	for real-life usecases, but are specific to exploit attempts only.
		11	Author: Lennart Poettering <lennart@poettering.net>
		12	Forwarded: other,https://github.com/systemd/systemd/pull/11708/
		13
		14	Patch from: systemd_239-7ubuntu10.8
		15
		16	For information see:
		17	https://usn.ubuntu.com/3891-1/
		18	https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
		19
		20	CVE: CVE-2019-6454
		21	Upstream-Status: Backport
		22
		23	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		24
		25	diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
		26	index 30d6455b6f..441b4a816f 100644
		27	--- a/src/libsystemd/sd-bus/bus-socket.c
		28	+++ b/src/libsystemd/sd-bus/bus-socket.c
		29	@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus bus, size_t need) {
		30	}
		31
		32	static int bus_socket_make_message(sd_bus *bus, size_t size) {
		33	- sd_bus_message *t;
		34	+ sd_bus_message *t = NULL;
		35	void *b;
		36	int r;
		37
		38	@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
		39	bus->fds, bus->n_fds,
		40	NULL,
		41	&t);
		42	- if (r < 0) {
		43	+ if (r == -EBADMSG)
		44	+ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
		45	+ else if (r < 0) {
		46	free(b);
		47	return r;
		48	}
		49	@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
		50	bus->fds = NULL;
		51	bus->n_fds = 0;
		52
		53	- bus->rqueue[bus->rqueue_size++] = t;
		54	+ if (t)
		55	+ bus->rqueue[bus->rqueue_size++] = t;
		56
		57	return 1;
		58	}
		59	--
		60	2.17.1
		61


diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb index 8c0366232f..7fbd64ced7 100644 --- a/meta/recipes-core/systemd/systemd_239.bb +++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -41,6 +41,8 @@ SRC_URI += "file://touchscreen.rules \
41	file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \	41	file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
42	file://0025-journald-set-a-limit-on-the-number-of-fields.patch \	42	file://0025-journald-set-a-limit-on-the-number-of-fields.patch \
43	file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \	43	file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
		44	file://CVE-2019-6454.patch \
		45	file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
44	"	46	"
45		47
46	# patches made for musl are only applied on TCLIBC is musl	48	# patches made for musl are only applied on TCLIBC is musl