SUSE:SLE-12-SP5:Update
File 0001-journald-do-not-store-the-iovec-entry-for-process-co.patch of Package systemd-mini.9886
From cbf4d0c470ef739125fe0f905cc3d66787adb24c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> Date: Wed, 5 Dec 2018 18:38:39 +0100 Subject: [PATCH 1/1] journald: do not store the iovec entry for process commandline on stack This fixes a crash where we would read the commandline, whose length is under control of the sending program, and then crash when trying to create a stack allocation for it. CVE-2018-16864 https://bugzilla.redhat.com/show_bug.cgi?id=1653855 The message actually doesn't get written to disk, because journal_file_append_entry() returns -E2BIG. [fbui: stripped the original fix to its minimal form while backporting to v210] [fbui: fixes bsc#1120323] [fbui: fixes CVE-2018-16864] --- src/journal/journald-server.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index 4b1e0056eb..247448131a 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -558,6 +558,7 @@ static void dispatch_message_real( o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)], o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)], o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)]; + _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; uid_t object_uid; gid_t object_gid; char *x; @@ -608,9 +609,12 @@ static void dispatch_message_real( r = get_process_cmdline(ucred->pid, 0, false, &t); if (r >= 0) { - x = strappenda("_CMDLINE=", t); + /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. + * Let's use a heap allocation for this one. */ + cmdline1 = strappend("_CMDLINE=", t); free(t); - IOVEC_SET_STRING(iovec[n++], x); + if (cmdline1) + IOVEC_SET_STRING(iovec[n++], cmdline1); } r = get_process_capeff(ucred->pid, &t); 
@@ -736,9 +740,12 @@ static void dispatch_message_real( r = get_process_cmdline(object_pid, 0, false, &t); if (r >= 0) { - x = strappenda("OBJECT_CMDLINE=", t); + /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. + * Let's use a heap allocation for this one. */ + cmdline2 = strappend("OBJECT_CMDLINE=", t); free(t); - IOVEC_SET_STRING(iovec[n++], x); + if (cmdline2) + IOVEC_SET_STRING(iovec[n++], cmdline2); } #ifdef HAVE_AUDIT -- 2.19.0
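Review bot: The names `cmdline1` and `cmdline2` in the declaration added by the first hunk (@@ -558) do not say which field each buffer backs; `cmdline` and `object_cmdline` would match the `_CMDLINE=` and `OBJECT_CMDLINE=` strings they are assigned in the later hunks. Declaring them `_cleanup_free_` at function scope fits the use, because the `iovec` entries set with `IOVEC_SET_STRING()` keep pointing at these buffers and they must stay valid for as long as `iovec` is in use. A one-line comment saying so would keep a later change from narrowing the scope.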
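Review bot: In the `_CMDLINE=` hunk (@@ -608), the buffer moves from stack to heap but its size is still whatever `get_process_cmdline()` returned, which the commit message says is under the sending program's control. The new comment puts that at up to _SC_ARG_MAX (2MB usually), and `strappend()` builds a second copy of it before `free(t)` runs, so both exist at once. Since the commit message also states that such an entry is rejected by journal_file_append_entry() with -E2BIG, consider capping or truncating the command line at this point so that the daemon does not build a multi-megabyte field that is then discarded.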
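Review bot: In the `OBJECT_CMDLINE=` hunk (@@ -736), as in the `_CMDLINE=` one, a NULL return from `strappend()` is handled by `if (cmdline2)` with no else branch, so the field is dropped silently on allocation failure. A `log_oom()` call or a debug message in that branch would let a missing field be told apart from a process whose command line could not be read. The comment and the append, free, check sequence are now duplicated verbatim in both places; a small helper taking the prefix and the iovec slot would keep the two copies from drifting.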