* Re: [OE-core][PATCH] systemd: fix CVE-2021-33910
From: ChenQi @ 2021-09-29  3:43 UTC (permalink / raw)
  To: openembedded-core


Please ignore this one, this patch is for hardknott.

On 09/29/2021 11:29 AM, Chen Qi wrote:
> Backport patch to fix CVE-2021-33910.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>   ...it-name-do-not-use-strdupa-on-a-path.patch | 72 +++++++++++++++++++
>   meta/recipes-core/systemd/systemd_247.6.bb    |  1 +
>   2 files changed, 73 insertions(+)
>   create mode 100644 meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
> new file mode 100644
> index 0000000000..0ab8174441
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
> @@ -0,0 +1,72 @@
> +From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
> +Date: Wed, 23 Jun 2021 11:46:41 +0200
> +Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
> +
> +The path may have unbounded length, for example through a fuse mount.
> +
> +CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
> +ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
> +and each mountpoint is passed to mount_setup_unit(), which calls
> +unit_name_path_escape() underneath. A local attacker who is able to mount a
> +filesystem with a very long path can crash systemd and the whole system.
> +
> +https://bugzilla.redhat.com/show_bug.cgi?id=1970887
> +
> +The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
> +can't easily check the length after simplification before doing the
> +simplification, which in turns uses a copy of the string we can write to.
> +So we can't reject paths that are too long before doing the duplication.
> +Hence the most obvious solution is to switch back to strdup(), as before
> +7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
> +
> +(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
> +(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
> +(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
> +
> +CVE: CVE-2021-33910
> +Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + src/basic/unit-name.c | 13 +++++--------
> + 1 file changed, 5 insertions(+), 8 deletions(-)
> +
> +diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
> +index 5f595af944..9b6cacde87 100644
> +--- a/src/basic/unit-name.c
> ++++ b/src/basic/unit-name.c
> +@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
> + }
> +
> + int unit_name_path_escape(const char *f, char **ret) {
> +-        char *p, *s;
> ++        _cleanup_free_ char *p = NULL;
> ++        char *s;
> +
> +         assert(f);
> +         assert(ret);
> +
> +-        p = strdupa(f);
> ++        p = strdup(f);
> +         if (!p)
> +                 return -ENOMEM;
> +
> +@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
> +                 if (!path_is_normalized(p))
> +                         return -EINVAL;
> +
> +-                /* Truncate trailing slashes */
> ++                /* Truncate trailing slashes and skip leading slashes */
> +                 delete_trailing_chars(p, "/");
> +-
> +-                /* Truncate leading slashes */
> +-                p = skip_leading_chars(p, "/");
> +-
> +-                s = unit_name_escape(p);
> ++                s = unit_name_escape(skip_leading_chars(p, "/"));
> +         }
> +         if (!s)
> +                 return -ENOMEM;
> +--
> +2.33.0
> +
> diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb
> index eb31dabca0..571a1efe8b 100644
> --- a/meta/recipes-core/systemd/systemd_247.6.bb
> +++ b/meta/recipes-core/systemd/systemd_247.6.bb
> @@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
>              file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
>              file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
>              file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
> +           file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \
>              "
>   
>   # patches needed by musl
>


* [OE-core][PATCH] systemd: fix CVE-2021-33910
From: Chen Qi @ 2021-09-29  3:29 UTC (permalink / raw)
  To: openembedded-core

Backport patch to fix CVE-2021-33910.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...it-name-do-not-use-strdupa-on-a-path.patch | 72 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_247.6.bb    |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
new file mode 100644
index 0000000000..0ab8174441
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -0,0 +1,72 @@
+From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
+(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
+(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
+
+CVE: CVE-2021-33910
+Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 5f595af944..9b6cacde87 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+ 
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+ 
+         assert(f);
+         assert(ret);
+ 
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+ 
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+ 
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
+-- 
+2.33.0
+
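Review bot: the two nested source hunks in this new patch file depend on each other and must not be split when rebasing: once `p` becomes `_cleanup_free_ char *p = NULL;` filled by `strdup(f)`, the old `p = skip_leading_chars(p, "/");` would have left `p` pointing into the middle of the allocation and the cleanup handler would then pass that interior pointer to free(); the second hunk's `s = unit_name_escape(skip_leading_chars(p, "/"));` keeps `p` at the allocation start, which is what makes the heap copy safe, and the early `return -EINVAL` after `path_is_normalized()` now releases the copy automatically instead of relying on stack unwinding. The `Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]` tag matches the `From` line of the embedded commit, and the `CVE:` tag is present, so the metadata the cve-check class reads is in order. Minor: the embedded upstream message carries the typos "attacked controlled" and "which in turns"; they come from the upstream commit and are fine to leave as-is in a backport.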
diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb
index eb31dabca0..571a1efe8b 100644
--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
            file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
            file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
+           file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \
            "
 
 # patches needed by musl
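Review bot: the new file is named `0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch` while the recipe already carries a numbered `0002-`/`0003-`/`0004-sd-dhcp-client-*` series, so the directory will hold two `0001-` patches from unrelated series; naming the file after the CVE (for example `CVE-2021-33910.patch`, as is common in OE-core) avoids that confusion and makes the `CVE:` tag discoverable from the filename. Separately, the recipe being changed is `systemd_247.6.bb`, which the author's follow-up identifies as the hardknott version, but the subject carries only `[OE-core][PATCH]` with no `[hardknott]` branch tag; a resend with the branch tag would route it to the right maintainer queue. The `SRC_URI` edit itself is fine: the added line keeps the trailing backslash and sits before the closing quote.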
-- 
2.33.0


