Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15
systemd-mini.20337
1003-basic-unit-name-do-not-use-strdupa-on-a-pa...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 1003-basic-unit-name-do-not-use-strdupa-on-a-path.patch of Package systemd-mini.20337
From 1aec2138e3dc99cca4820561f3918c41d4b37a9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> Date: Wed, 23 Jun 2021 11:46:41 +0200 Subject: [PATCH 1003/1004] basic/unit-name: do not use strdupa() on a path The path may have unbounded length, for example through a fuse mount. CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo and each mountpoint is passed to mount_setup_unit(), which calls unit_name_path_escape() underneath. A local attacker who is able to mount a filesystem with a very long path can crash systemd and the whole system. https://bugzilla.redhat.com/show_bug.cgi?id=1970887 The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we can't easily check the length after simplification before doing the simplification, which in turns uses a copy of the string we can write to. So we can't reject paths that are too long before doing the duplication. Hence the most obvious solution is to switch back to strdup(), as before 7410616cd9dbbec97cf98d75324da5cda2b2f7a2. [fbui: adjust context] [fbui: fixes bsc#1188063] [fbui: fixes CVE-2021-33910] --- src/basic/unit-name.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c index ffdbd8c393..b8a1773c99 100644 --- a/src/basic/unit-name.c +++ b/src/basic/unit-name.c @@ -400,12 +400,13 @@ int unit_name_unescape(const char *f, char **ret) { } int unit_name_path_escape(const char *f, char **ret) { - char *p, *s; + _cleanup_free_ char *p = NULL; + char *s; assert(f); assert(ret); - p = strdupa(f); + p = strdup(f); if (!p) return -ENOMEM; @@ -424,11 +425,8 @@ int unit_name_path_escape(const char *f, char **ret) { if (e) *e = 0; - /* Truncate leading slashes */ - if (p[0] == '/') - p++; - - s = unit_name_escape(p); + /* Skip leading slashes */ + s = unit_name_escape(p[0] == '/' ? p + 1 : p); } if (!s) return -ENOMEM; -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor