teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone

Blame SOURCES/0260-journald-check-whether-sscanf-has-changed-the-value-.patch

Brian Stinson 2593d8
From bef599d1a0e41afe4b6f1d6dfb6fbc86896ab8c5 Mon Sep 17 00:00:00 2001
Brian Stinson 2593d8
From: Evgeny Vereshchagin <evvers@ya.ru>
Brian Stinson 2593d8
Date: Fri, 16 Nov 2018 23:32:31 +0100
Brian Stinson 2593d8
Subject: [PATCH] journald: check whether sscanf has changed the value
Brian Stinson 2593d8
 corresponding to %n
Brian Stinson 2593d8
Brian Stinson 2593d8
It's possible for sscanf to receive strings containing all three fields
Brian Stinson 2593d8
and not matching the template at the same time. When this happens the
Brian Stinson 2593d8
value of k doesn't change, which basically means that process_audit_string
Brian Stinson 2593d8
tries to access memory randomly. Sometimes it works and sometimes it doesn't :-)
Brian Stinson 2593d8
Brian Stinson 2593d8
See also https://bugzilla.redhat.com/show_bug.cgi?id=1059314.
Brian Stinson 2593d8
Brian Stinson 2593d8
(cherry picked from commit 1dab14aba749b9c5ab8176c5730107b70834240b)
Brian Stinson 2593d8
Brian Stinson 2593d8
Resolves: #1764560
Brian Stinson 2593d8
---
Brian Stinson 2593d8
 src/journal/journald-audit.c        | 3 ++-
Brian Stinson 2593d8
 test/fuzz/fuzz-journald-audit/crash | 1 +
Brian Stinson 2593d8
 2 files changed, 3 insertions(+), 1 deletion(-)
Brian Stinson 2593d8
 create mode 100644 test/fuzz/fuzz-journald-audit/crash
Brian Stinson 2593d8
Brian Stinson 2593d8
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
Brian Stinson 2593d8
index 7810a0139a..0fd6ab2a84 100644
Brian Stinson 2593d8
--- a/src/journal/journald-audit.c
Brian Stinson 2593d8
+++ b/src/journal/journald-audit.c
Brian Stinson 2593d8
@@ -341,11 +341,12 @@ void process_audit_string(Server *s, int type, const char *data, size_t size) {
Brian Stinson 2593d8
         if (!p)
Brian Stinson 2593d8
                 return;
Brian Stinson 2593d8
 
Brian Stinson 2593d8
+        k = 0;
Brian Stinson 2593d8
         if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
Brian Stinson 2593d8
                    &seconds,
Brian Stinson 2593d8
                    &msec,
Brian Stinson 2593d8
                    &id,
Brian Stinson 2593d8
-                   &k) != 3)
Brian Stinson 2593d8
+                   &k) != 3 || k == 0)
Brian Stinson 2593d8
                 return;
Brian Stinson 2593d8
 
Brian Stinson 2593d8
         p += k;
Brian Stinson 2593d8
diff --git a/test/fuzz/fuzz-journald-audit/crash b/test/fuzz/fuzz-journald-audit/crash
Brian Stinson 2593d8
new file mode 100644
Brian Stinson 2593d8
index 0000000000..91bd85ca6e
Brian Stinson 2593d8
--- /dev/null
Brian Stinson 2593d8
+++ b/test/fuzz/fuzz-journald-audit/crash
Brian Stinson 2593d8
@@ -0,0 +1 @@
Brian Stinson 2593d8
+audit(1542398162.211:744) pid=7376 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="vagrant" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'