!36 systemd：fix buffer overrun when urlifying

Merge pull request !36 from fayeinseu/lts
2020-07-08 09:11:49 +08:00 · 2020-07-08 09:11:49 +08:00 · 26d7539839
commit 26d7539839
parent 92a5c0c7f1 657ad8be9a
2 changed files with 57 additions and 1 deletions
--- a/journal-fix-buffer-overrun-when-urlifying.patch
+++ b/journal-fix-buffer-overrun-when-urlifying.patch
@ -0,0 +1,49 @@
+From 85fbebe61a1aec2f86e36fb464283b6b55d3d76d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Jun 2020 20:51:13 +0200
+Subject: [PATCH] journal: fix buffer overrun when urlifying
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.
+
+message is only valid until message_len, and we need to make sure we're not
+reading pass that. Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
+---
+ src/shared/logs-show.c                       |   9 ++++++---
+ test/fuzz/fuzz-journal-remote/oss-fuzz-21122 | Bin 0 -> 35798 bytes
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+ create mode 100644 test/fuzz/fuzz-journal-remote/oss-fuzz-21122
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index 570377dc76..fee6ccdf2a 100644
+--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
+@@ -573,19 +573,22 @@ static int output_short(
+                 if (config_file &&
+                     message_len >= config_file_len &&
+                     memcmp(message, config_file, config_file_len) == 0 &&
+-                    IN_SET(message[config_file_len], ':', ' ', '\0') &&
+                    (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
+                     (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
+ 
+                         _cleanup_free_ char *t = NULL, *urlified = NULL;
+ 
+                         t = strndup(config_file, config_file_len);
+                         if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
+-                                size_t shift = strlen(urlified) - config_file_len;
+                                size_t urlified_len = strlen(urlified);
+                                size_t shift = urlified_len - config_file_len;
+                                 char *joined;
+ 
+-                                joined = strjoin(urlified, message + config_file_len);
+                                joined = realloc(urlified, message_len + shift);
+                                 if (joined) {
+                                        memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
+                                         free_and_replace(message, joined);
+                                        TAKE_PTR(urlified);
+                                         message_len += shift;
+                                         if (highlight) {
+                                                 highlight_shifted[0] += shift;
+
+-- 
+2.23.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -16,7 +16,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        243
-Release:        25
+Release:        26
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -113,6 +113,7 @@ Patch0062:      core-use-unit-based-logging-instead-of-generic-loggi.patch
 Patch0063:      core-set-error-value-correctly.patch
 Patch0064:      core-fix-re-realization-of-cgroup-siblings.patch
 Patch0065:      basic-string-table-avoid-crash-when-table-is-sparse.patch
+Patch0066:      journal-fix-buffer-overrun-when-urlifying.patch

 #openEuler
 Patch9002:      1509-fix-journal-file-descriptors-leak-problems.patch
@ -1505,6 +1506,12 @@ fi
 %exclude /usr/share/man/man3/*

 %changelog
+* Tue Jul 7 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-26
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:fix buffer overrun when urlifying
+
 * Thu Jun 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-25
 - Type:enhancement
 - ID:NA