naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
Pablo Greco 48fc63
From 9dbac61cf123a57c1f39a2f134389f1a5877dc29 Mon Sep 17 00:00:00 2001
Pablo Greco 48fc63
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Pablo Greco 48fc63
Date: Thu, 3 Jan 2019 16:09:05 +0100
Pablo Greco 48fc63
Subject: [PATCH] journald: set a limit on the number of fields (1k)
Pablo Greco 48fc63
Pablo Greco 48fc63
We allocate a iovec entry for each field, so with many short entries,
Pablo Greco 48fc63
our memory usage and processing time can be large, even with a relatively
Pablo Greco 48fc63
small message size. Let's refuse overly long entries.
Pablo Greco 48fc63
Pablo Greco 48fc63
CVE-2018-16865
Pablo Greco 48fc63
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
Pablo Greco 48fc63
Pablo Greco 48fc63
What from I can see, the problem is not from an alloca, despite what the CVE
Pablo Greco 48fc63
description says, but from the attack multiplication that comes from creating
Pablo Greco 48fc63
many very small iovecs: (void* + size_t) for each three bytes of input
Pablo Greco 48fc63
message.
Pablo Greco 48fc63
Pablo Greco 48fc63
Resolves: #1657792
Pablo Greco 48fc63
---
Pablo Greco 48fc63
 src/journal/journal-file.h    | 3 +++
Pablo Greco 48fc63
 src/journal/journald-native.c | 4 ++++
Pablo Greco 48fc63
 2 files changed, 7 insertions(+)
Pablo Greco 48fc63
Pablo Greco 48fc63
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
Pablo Greco 48fc63
index dd8ef52d2a..37749c4459 100644
Pablo Greco 48fc63
--- a/src/journal/journal-file.h
Pablo Greco 48fc63
+++ b/src/journal/journal-file.h
Pablo Greco 48fc63
@@ -158,6 +158,9 @@ int journal_file_open_reliably(
Pablo Greco 48fc63
  * files without adding too many zeros. */
Pablo Greco 48fc63
 #define OFSfmt "%06"PRIx64
Pablo Greco 48fc63
 
Pablo Greco 48fc63
+/* The maximum number of fields in an entry */
Pablo Greco 48fc63
+#define ENTRY_FIELD_COUNT_MAX 1024
Pablo Greco 48fc63
+
Pablo Greco 48fc63
 static inline bool VALID_REALTIME(uint64_t u) {
Pablo Greco 48fc63
         /* This considers timestamps until the year 3112 valid. That should be plenty room... */
Pablo Greco 48fc63
         return u > 0 && u < (1ULL << 55);
Pablo Greco 48fc63
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
Pablo Greco 48fc63
index cf3349393f..0c451274f7 100644
Pablo Greco 48fc63
--- a/src/journal/journald-native.c
Pablo Greco 48fc63
+++ b/src/journal/journald-native.c
Pablo Greco 48fc63
@@ -134,6 +134,10 @@ void server_process_native_message(
Pablo Greco 48fc63
                 }
Pablo Greco 48fc63
 
Pablo Greco 48fc63
                 /* A property follows */
Pablo Greco 48fc63
+                if (n > ENTRY_FIELD_COUNT_MAX) {
Pablo Greco 48fc63
+                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
Pablo Greco 48fc63
+                        goto finish;
Pablo Greco 48fc63
+                }
Pablo Greco 48fc63
 
Pablo Greco 48fc63
                 /* n existing properties, 1 new, +1 for _TRANSPORT */
Pablo Greco 48fc63
                 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {