anitazha / rpms / systemd

Forked from rpms/systemd 3 years ago
Clone

Blame SOURCES/0670-journald-free-cmdline-buffers-owned-by-iovec.patch

923a60
From 4b0ebd414553f9ccab85dfd708bf808127da505f Mon Sep 17 00:00:00 2001
923a60
From: Michal Sekletar <msekleta@redhat.com>
923a60
Date: Wed, 16 Jan 2019 10:24:56 +0100
923a60
Subject: [PATCH] journald: free cmdline buffers owned by iovec
923a60
923a60
Resolves: #1666646
923a60
923a60
[msekleta: this is a followup for the fix of CVE-2018-16864. While
923a60
backporting upstream changes I've accidentally dropped the automatic
923a60
cleanup of the cmdline buffers. Technically speaking similar issue is in
923a60
coredump.c too, but after we dispatch iovec buffer in coredump.c we
923a60
immediately exit so allocated memory is reclaimed by the kernel.]
923a60
---
923a60
 src/journal/journald-server.c | 5 +++--
923a60
 1 file changed, 3 insertions(+), 2 deletions(-)
923a60
923a60
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
923a60
index c35858247b..88d8f3e41d 100644
923a60
--- a/src/journal/journald-server.c
923a60
+++ b/src/journal/journald-server.c
923a60
@@ -738,6 +738,7 @@ static void dispatch_message_real(
923a60
                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
923a60
                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
923a60
                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
923a60
+        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
923a60
         uid_t object_uid;
923a60
         gid_t object_gid;
923a60
         char *x;
923a60
@@ -790,7 +791,7 @@ static void dispatch_message_real(
923a60
                 if (r >= 0) {
923a60
                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
923a60
                          * Let's use a heap allocation for this one. */
923a60
-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
923a60
+                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
923a60
                 }
923a60
 
923a60
                 r = get_process_capeff(ucred->pid, &t);
923a60
@@ -916,7 +917,7 @@ static void dispatch_message_real(
923a60
 
923a60
                 r = get_process_cmdline(object_pid, 0, false, &t);
923a60
                 if (r >= 0)
923a60
-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
923a60
+                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
923a60
 
923a60
 #ifdef HAVE_AUDIT
923a60
                 r = audit_session_from_pid(object_pid, &audit);