From 4b0ebd414553f9ccab85dfd708bf808127da505f Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 16 Jan 2019 10:24:56 +0100
Subject: [PATCH] journald: free cmdline buffers owned by iovec
Resolves: #1666646
[msekleta: this is a followup for the fix of CVE-2018-16864. While
backporting upstream changes I've accidentally dropped the automatic
cleanup of the cmdline buffers. Technically speaking, a similar issue is in
coredump.c too, but after we dispatch iovec buffer in coredump.c we
immediately exit so allocated memory is reclaimed by the kernel.]
---
 src/journal/journald-server.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index c35858247b..88d8f3e41d 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -738,6 +738,7 @@ static void dispatch_message_real(
                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
+        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
         uid_t object_uid;
         gid_t object_gid;
         char *x;
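Review bot: The new `cmdline1`/`cmdline2` declaration has no comment saying that these pointers own heap buffers which entries of `iovec` still point into, so the lifetime rule that makes `_cleanup_free_` safe here is left implicit. The automatic free runs when dispatch_message_real() returns, which is only correct while nothing uses `iovec` after that point; the end of the function is outside this hunk, so that cannot be confirmed from here. I would add above the declaration `/* Own the _CMDLINE=/OBJECT_CMDLINE= strings referenced from iovec[]; freed on return, so iovec must not outlive this function. */` and name the variables after the fields they back, e.g. `cmdline` and `object_cmdline`.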
@@ -790,7 +791,7 @@ static void dispatch_message_real(
                 if (r >= 0) {
                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
                          * Let's use a heap allocation for this one. */
-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
+                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
                 }
 
                 r = get_process_capeff(ucred->pid, &t);
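Review bot: Nothing prevents a later caller from discarding the return value of set_iovec_field_free() again, as the removed line did; the assignment to `cmdline1` here and to `cmdline2` in the next hunk fixes only these two call sites. The comment above the call says the command line can reach _SC_ARG_MAX, and its content comes from the process being logged, so a dropped return value in this long-running daemon leaks a buffer of that size on every message. Marking the declaration of set_iovec_field_free(), which is outside this diff, with `__attribute__((warn_unused_result))` would turn a repeat of the mistake into a compiler warning. It would also be worth checking whether other callers of this helper in the backport ignore its result.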
@@ -916,7 +917,7 @@ static void dispatch_message_real(
 
                 r = get_process_cmdline(object_pid, 0, false, &t);
                 if (r >= 0)
-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
+                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
 
 #ifdef HAVE_AUDIT
                 r = audit_session_from_pid(object_pid, &audit);