anitazha / rpms / systemd

Forked from rpms/systemd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0260-journald-check-whether-sscanf-has-changed-the-value-.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale
  1.   b9a53a403bf644109f10895336a4b0b990274914
  2.   SOURCES
  3.   0260-journald-check-whether-sscanf-has-changed-the-value-.patch
Blob History Raw
b9a53a 
From bef599d1a0e41afe4b6f1d6dfb6fbc86896ab8c5 Mon Sep 17 00:00:00 2001
b9a53a 
From: Evgeny Vereshchagin <evvers@ya.ru>
b9a53a 
Date: Fri, 16 Nov 2018 23:32:31 +0100
b9a53a 
Subject: [PATCH] journald: check whether sscanf has changed the value
b9a53a 
 corresponding to %n
b9a53a
b9a53a 
It's possible for sscanf to receive strings containing all three fields
b9a53a 
and not matching the template at the same time. When this happens the
b9a53a 
value of k doesn't change, which basically means that process_audit_string
b9a53a 
tries to access memory randomly. Sometimes it works and sometimes it doesn't :-)
b9a53a
b9a53a 
See also https://bugzilla.redhat.com/show_bug.cgi?id=1059314.
b9a53a
b9a53a 
(cherry picked from commit 1dab14aba749b9c5ab8176c5730107b70834240b)
b9a53a
b9a53a 
Resolves: #1764560
b9a53a 
---
b9a53a 
 src/journal/journald-audit.c        | 3 ++-
b9a53a 
 test/fuzz/fuzz-journald-audit/crash | 1 +
b9a53a 
 2 files changed, 3 insertions(+), 1 deletion(-)
b9a53a 
 create mode 100644 test/fuzz/fuzz-journald-audit/crash
b9a53a
b9a53a 
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
b9a53a 
index 7810a0139a..0fd6ab2a84 100644
b9a53a 
--- a/src/journal/journald-audit.c
b9a53a 
+++ b/src/journal/journald-audit.c
b9a53a 
@@ -341,11 +341,12 @@ void process_audit_string(Server *s, int type, const char *data, size_t size) {
b9a53a 
         if (!p)
b9a53a 
                 return;
b9a53a
b9a53a 
+        k = 0;
b9a53a 
         if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
b9a53a 
                    &seconds,
b9a53a 
                    &msec,
b9a53a 
                    &id,
b9a53a 
-                   &k) != 3)
b9a53a 
+                   &k) != 3 || k == 0)
b9a53a 
                 return;
b9a53a
b9a53a 
         p += k;
b9a53a 
diff --git a/test/fuzz/fuzz-journald-audit/crash b/test/fuzz/fuzz-journald-audit/crash
b9a53a 
new file mode 100644
b9a53a 
index 0000000000..91bd85ca6e
b9a53a 
--- /dev/null
b9a53a 
+++ b/test/fuzz/fuzz-journald-audit/crash
b9a53a 
@@ -0,0 +1 @@
b9a53a 
+audit(1542398162.211:744) pid=7376 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="vagrant" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation