!119 fix CVE-2021-33910

From: @yangmingtaip
Reviewed-by: @openeuler-basic
Signed-off-by: @openeuler-basic
This commit is contained in:
openeuler-ci-bot 2021-07-26 06:11:59 +00:00 committed by Gitee
commit 357a3532a0
2 changed files with 77 additions and 1 deletions


@ -0,0 +1,72 @@
From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Jun 2021 11:46:41 +0200
Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
The path may have unbounded length, for example through a fuse mount.
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd
and
ultimately a kernel panic. Systemd parses the content of
/proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to
mount a
filesystem with a very long path can crash systemd and the whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
The resulting string length is bounded by UNIT_NAME_MAX, which is 256.
But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write
to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9
---
src/basic/unit-name.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 4226f30..1b01af6 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -370,12 +370,13 @@ int unit_name_unescape(const char *f, char **ret) {
}
int unit_name_path_escape(const char *f, char **ret) {
- char *p, *s;
+ _cleanup_free_ char *p = NULL;
+ char *s;
assert(f);
assert(ret);
- p = strdupa(f);
+ p = strdup(f);
if (!p)
return -ENOMEM;
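Review bot: With `p` now heap-allocated and declared `_cleanup_free_ char *p = NULL;`, every later write to `p` in this function must keep it pointing at the start of the `strdup()` allocation, otherwise the cleanup frees an interior pointer; the `= NULL` initialiser also makes the `return -ENOMEM` path directly below safe, since freeing NULL is a no-op. The substitution itself is the right fix for CVE-2021-33910 as described in the message above: `strdupa()` copied an unbounded, locally controlled mountinfo path onto the stack, while `strdup()` moves the copy to the heap where exhaustion surfaces as `-ENOMEM` rather than a crash. The two `assert()` lines stay before the duplication, so the `f == NULL` case is still caught before `strdup()` is called.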
@@ -387,13 +388,9 @@ int unit_name_path_escape(const char *f, char **ret) {
if (!path_is_normalized(p))
return -EINVAL;
- /* Truncate trailing slashes */
+ /* Truncate trailing slashes and skip leading slashes */
delete_trailing_chars(p, "/");
-
- /* Truncate leading slashes */
- p = skip_leading_chars(p, "/");
-
- s = unit_name_escape(p);
+ s = unit_name_escape(skip_leading_chars(p, "/"));
}
if (!s)
return -ENOMEM;
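Review bot: Replacing `p = skip_leading_chars(p, "/")` with the inline `unit_name_escape(skip_leading_chars(p, "/"))` is required rather than cosmetic: it is what keeps `p` unchanged so the `_cleanup_free_` introduced in the first hunk releases the original `strdup()` pointer. Note that the `return -EINVAL` after `path_is_normalized()` now runs with a live heap copy of `p`; it is covered by the cleanup attribute, but reviewers backporting to 243 should confirm `_cleanup_free_` is defined in this tree, since unlike `path_is_normalized()`, `delete_trailing_chars()` and `skip_leading_chars()` it does not appear here as unchanged context. The removed `/* Truncate leading slashes */` comment is folded into the updated comment above `delete_trailing_chars()`, so the documentation of both steps is kept.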
--
2.23.0


@ -16,7 +16,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 243
Release: 38
Release: 39
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -130,6 +130,7 @@ Patch0082: 0082-journald-rework-end-of-line-marker-handling-to-use-a.patch
Patch0083: 0083-journald-rework-pid-change-handling.patch
Patch0084: 0084-journald-enforce-longer-line-length-limit-during-set.patch
Patch0085: backport-execute-Fix-migration-from-DynamicUser-yes-to-no.patch
Patch0086: 0086-fix-CVE-2021-33910.patch
#openEuler
Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch
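Review bot: The patch is only registered as `Patch0086:`; the commit's total of 77 additions and 1 deletion is fully accounted for by the 72-line patch file, the Release bump, this line and three changelog lines, so `%prep` is untouched. If this spec applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`/`%autopatch`, a matching `%patch0086 -p1` is missing and the build would succeed without the fix applied; please confirm how the series is applied. On naming, the neighbouring `Patch0085` follows the `backport-<upstream subject>.patch` convention while this one is `0086-fix-CVE-2021-33910.patch`; carrying the upstream subject (`basic/unit-name: do not use strdupa() on a path`) or the upstream hash 441e0115 in the file name would make the origin traceable and consistent with the entry above it.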
@ -1515,6 +1516,9 @@ fi
%exclude /usr/share/man/man3/*
%changelog
* Thu Jul 22 2021 yangmingtai <yangmingtai@huawei.com> - 243-39
- fix CVE-2021-33910
* Thu Jun 3 2021 extinctfire <shenyining_00@126.com> - 243-38
- fix migration from DynamicUser=yes to no.
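Review bot: The new changelog entry `- fix CVE-2021-33910` gives no pointer to the upstream fix; adding the upstream subject and commit recorded in the patch file (`basic/unit-name: do not use strdupa() on a path`, 441e0115) would make later audits of this CVE in the package history easier. The metadata is otherwise consistent: `243-39` matches the Release bump to 39, and both dates fall on the weekday stated (22 Jul 2021 and 3 Jun 2021 were Thursdays).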