mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-19 15:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

systemd: Security fix CVE-2018-16865

Browse Source 
Affects < v240

Based on thud commit d5d2b821fc85b8cf39f683061ac2a45bddd2139f
The second patch in the thud commit doesn't apply against 237. Use the
version of the second patch CVE-2018-16865_2.patch from
systemd_237-3ubuntu10.13.debian.

(From OE-Core rev: da41e48567eb21a47426a6fbe23ea07ce780cd3c)

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
George McCollister
2019-02-25 10:37:10 -06:00
committed by Richard Purdie
parent c3890467ff
commit 7be61780af
3 changed files with 141 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch Normal file
View File

@@ -0,0 +1,60 @@
From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 22:45:02 +0100
Subject: [PATCH] journald: set a limit on the number of fields (1k)
We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.
CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.
Patch backported from systemd master at
052c57f132f04a3cf4148f87561618da1a6908b4.
CVE: CVE-2018-16865
Upstream-Status: Backport
---
src/basic/journal-importer.h | 3 +++
src/journal/journald-native.c | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
index f49ce734a1..c4ae45d32d 100644
--- a/src/basic/journal-importer.h
+++ b/src/basic/journal-importer.h
@@ -16,6 +16,9 @@
#define DATA_SIZE_MAX (1024*1024*768u)
#define LINE_CHUNK 8*1024u
+/* The maximum number of fields in an entry */
+#define ENTRY_FIELD_COUNT_MAX 1024
+
struct iovec_wrapper {
struct iovec *iovec;
size_t size_bytes;
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index 5ff22a10af..951d092053 100644
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -140,6 +140,11 @@ static int server_process_entry(
}
/* A property follows */
+ if (n > ENTRY_FIELD_COUNT_MAX) {
+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
+ r = 1;
+ goto finish;
+ }
/* n existing properties, 1 new, +1 for _TRANSPORT */
if (!GREEDY_REALLOC(iovec, m,
--
2.11.0

79
meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch Normal file
View File

@@ -0,0 +1,79 @@
From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 7 Dec 2018 10:48:10 +0100
Subject: [PATCH] journal-remote: set a limit on the number of fields in a
message
Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).
This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
Patch backported from systemd master at
ef4d6abe7c7fab6cbff975b32e76b09feee56074.
Patch for 237 from:
systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch
CVE: CVE-2018-16865
Upstream-Status: Backport
---
src/journal-remote/journal-remote-main.c | 7 +++++--
src/journal-remote/journal-remote.c | 3 +++
src/shared/journal-importer.c | 5 ++++-
3 files changed, 12 insertions(+), 3 deletions(-)
--- a/src/basic/journal-importer.c
+++ b/src/basic/journal-importer.c
@@ -38,6 +38,9 @@
};
static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
+ if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
+ return -E2BIG;
+
if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
return log_oom();
@@ -113,7 +116,7 @@
imp->scanned = imp->filled;
if (imp->scanned >= DATA_SIZE_MAX) {
log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
- return -E2BIG;
+ return -ENOBUFS;
}
if (imp->passive_fd)
--- a/src/journal-remote/journal-remote.c
+++ b/src/journal-remote/journal-remote.c
@@ -517,10 +517,16 @@
break;
else if (r < 0) {
log_warning("Failed to process data for connection %p", connection);
- if (r == -E2BIG)
+ if (r == -ENOBUFS)
return mhd_respondf(connection,
r, MHD_HTTP_PAYLOAD_TOO_LARGE,
"Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes.");
+
+ else if (r == -E2BIG)
+ return mhd_respondf(connection,
+ r, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
+ "Entry with more fields than the maximum of " STRINGIFY(ENTRY_FIELD_COUNT_MAX) ".");
+
else
return mhd_respondf(connection,
r, MHD_HTTP_UNPROCESSABLE_ENTITY,
@@ -1090,6 +1096,9 @@
log_debug("%zu active sources remaining", s->active);
return 0;
} else if (r == -E2BIG) {
+ log_notice("Entry with too many fields, skipped");
+ return 1;
+ } else if (r == -ENOBUFS) {
log_notice_errno(E2BIG, "Entry too big, skipped");
return 1;
} else if (r == -EAGAIN) {

2
meta/recipes-core/systemd/systemd_237.bb
View File

@@ -58,6 +58,8 @@ SRC_URI += "file://touchscreen.rules \
file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \
file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \
file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
"
SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"