|
Pablo Greco |
48fc63 |
From 9dbac61cf123a57c1f39a2f134389f1a5877dc29 Mon Sep 17 00:00:00 2001
|
|
Pablo Greco |
48fc63 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
Pablo Greco |
48fc63 |
Date: Thu, 3 Jan 2019 16:09:05 +0100
|
|
Pablo Greco |
48fc63 |
Subject: [PATCH] journald: set a limit on the number of fields (1k)
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
We allocate a iovec entry for each field, so with many short entries,
|
|
Pablo Greco |
48fc63 |
our memory usage and processing time can be large, even with a relatively
|
|
Pablo Greco |
48fc63 |
small message size. Let's refuse overly long entries.
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
CVE-2018-16865
|
|
Pablo Greco |
48fc63 |
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
What from I can see, the problem is not from an alloca, despite what the CVE
|
|
Pablo Greco |
48fc63 |
description says, but from the attack multiplication that comes from creating
|
|
Pablo Greco |
48fc63 |
many very small iovecs: (void* + size_t) for each three bytes of input
|
|
Pablo Greco |
48fc63 |
message.
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
Resolves: #1657792
|
|
Pablo Greco |
48fc63 |
---
|
|
Pablo Greco |
48fc63 |
src/journal/journal-file.h | 3 +++
|
|
Pablo Greco |
48fc63 |
src/journal/journald-native.c | 4 ++++
|
|
Pablo Greco |
48fc63 |
2 files changed, 7 insertions(+)
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
|
|
Pablo Greco |
48fc63 |
index dd8ef52d2a..37749c4459 100644
|
|
Pablo Greco |
48fc63 |
--- a/src/journal/journal-file.h
|
|
Pablo Greco |
48fc63 |
+++ b/src/journal/journal-file.h
|
|
Pablo Greco |
48fc63 |
@@ -158,6 +158,9 @@ int journal_file_open_reliably(
|
|
Pablo Greco |
48fc63 |
* files without adding too many zeros. */
|
|
Pablo Greco |
48fc63 |
#define OFSfmt "%06"PRIx64
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
+/* The maximum number of fields in an entry */
|
|
Pablo Greco |
48fc63 |
+#define ENTRY_FIELD_COUNT_MAX 1024
|
|
Pablo Greco |
48fc63 |
+
|
|
Pablo Greco |
48fc63 |
static inline bool VALID_REALTIME(uint64_t u) {
|
|
Pablo Greco |
48fc63 |
/* This considers timestamps until the year 3112 valid. That should be plenty room... */
|
|
Pablo Greco |
48fc63 |
return u > 0 && u < (1ULL << 55);
|
|
Pablo Greco |
48fc63 |
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
|
|
Pablo Greco |
48fc63 |
index cf3349393f..0c451274f7 100644
|
|
Pablo Greco |
48fc63 |
--- a/src/journal/journald-native.c
|
|
Pablo Greco |
48fc63 |
+++ b/src/journal/journald-native.c
|
|
Pablo Greco |
48fc63 |
@@ -134,6 +134,10 @@ void server_process_native_message(
|
|
Pablo Greco |
48fc63 |
}
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
/* A property follows */
|
|
Pablo Greco |
48fc63 |
+ if (n > ENTRY_FIELD_COUNT_MAX) {
|
|
Pablo Greco |
48fc63 |
+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
|
|
Pablo Greco |
48fc63 |
+ goto finish;
|
|
Pablo Greco |
48fc63 |
+ }
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
/* n existing properties, 1 new, +1 for _TRANSPORT */
|
|
Pablo Greco |
48fc63 |
if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
|