ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
Clone
eb47ff
From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001
eb47ff
From: Michal Sekletar <msekleta@redhat.com>
eb47ff
Date: Wed, 16 Jan 2019 10:24:56 +0100
eb47ff
Subject: [PATCH] journald: free cmdline buffers owned by iovec
eb47ff
eb47ff
Resolves: #1666646
eb47ff
eb47ff
[msekleta: this is a followup for the fix of CVE-2018-16864. While
eb47ff
backporting upstream changes I've accidentally dropped the automatic
eb47ff
cleanup of the cmdline buffers. Technically speaking similar issue is in
eb47ff
coredump.c too, but after we dispatch iovec buffer in coredump.c we
eb47ff
immediately exit so allocated memory is reclaimed by the kernel.]
eb47ff
---
eb47ff
 src/journal/journald-server.c | 5 +++--
eb47ff
 1 file changed, 3 insertions(+), 2 deletions(-)
eb47ff
eb47ff
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
eb47ff
index c35858247..88d8f3e41 100644
eb47ff
--- a/src/journal/journald-server.c
eb47ff
+++ b/src/journal/journald-server.c
eb47ff
@@ -738,6 +738,7 @@ static void dispatch_message_real(
eb47ff
                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
eb47ff
                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
eb47ff
                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
eb47ff
+        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
eb47ff
         uid_t object_uid;
eb47ff
         gid_t object_gid;
eb47ff
         char *x;
eb47ff
@@ -790,7 +791,7 @@ static void dispatch_message_real(
eb47ff
                 if (r >= 0) {
eb47ff
                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
eb47ff
                          * Let's use a heap allocation for this one. */
eb47ff
-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
eb47ff
+                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
eb47ff
                 }
eb47ff
 
eb47ff
                 r = get_process_capeff(ucred->pid, &t);
eb47ff
@@ -916,7 +917,7 @@ static void dispatch_message_real(
eb47ff
 
eb47ff
                 r = get_process_cmdline(object_pid, 0, false, &t);
eb47ff
                 if (r >= 0)
eb47ff
-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
eb47ff
+                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
eb47ff
 
eb47ff
 #ifdef HAVE_AUDIT
eb47ff
                 r = audit_session_from_pid(object_pid, &audit);