From eb47ff1b9652dcb7aab067068148e0fd20a9e82d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 29 2019 15:26:43 +0000 Subject: import systemd-219-62.el7_6.3 --- diff --git a/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch b/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch new file mode 100644 index 0000000..180d29f --- /dev/null +++ b/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch @@ -0,0 +1,46 @@ +From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 16 Jan 2019 10:24:56 +0100 +Subject: [PATCH] journald: free cmdline buffers owned by iovec + +Resolves: #1666646 + +[msekleta: this is a followup for the fix of CVE-2018-16864. While +backporting upstream changes I've accidentally dropped the automatic +cleanup of the cmdline buffers. Technically speaking similar issue is in +coredump.c too, but after we dispatch iovec buffer in coredump.c we +immediately exit so allocated memory is reclaimed by the kernel.] +--- + src/journal/journald-server.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index c35858247..88d8f3e41 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -738,6 +738,7 @@ static void dispatch_message_real( + o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)], + o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)], + o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)]; ++ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; + uid_t object_uid; + gid_t object_gid; + char *x; +@@ -790,7 +791,7 @@ static void dispatch_message_real( + if (r >= 0) { + /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. + * Let's use a heap allocation for this one. */ +- set_iovec_field_free(iovec, &n, "_CMDLINE=", t); ++ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t); + } + + r = get_process_capeff(ucred->pid, &t); +@@ -916,7 +917,7 @@ static void dispatch_message_real( + + r = get_process_cmdline(object_pid, 0, false, &t); + if (r >= 0) +- set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); ++ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); + + #ifdef HAVE_AUDIT + r = audit_session_from_pid(object_pid, &audit); diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 4245b61..c8953f6 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -7,7 +7,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 219 -Release: 62%{?dist}.2 +Release: 62%{?dist}.3 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager @@ -707,6 +707,7 @@ Patch0665: 0665-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch Patch0666: 0666-journald-do-not-store-the-iovec-entry-for-process-co.patch Patch0667: 0667-journald-set-a-limit-on-the-number-of-fields-1k.patch Patch0668: 0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch +Patch0669: 0669-journald-free-cmdline-buffers-owned-by-iovec.patch %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);} @@ -1683,6 +1684,9 @@ fi %{_mandir}/man8/systemd-resolved.* %changelog +* Wed Jan 16 2019 Lukas Nykryn - 219-62.3 +- journald: free cmdline buffers owned by iovec (#1666646) + * Mon Jan 07 2019 Lukas Nykryn - 219-62.2 - journald: do not store the iovec entry for process commandline on stack (#1657788) - journald: set a limit on the number of fields (1k) (#1657792)