|
Pablo Greco |
48fc63 |
From 4b0ebd414553f9ccab85dfd708bf808127da505f Mon Sep 17 00:00:00 2001
|
|
Pablo Greco |
48fc63 |
From: Michal Sekletar <msekleta@redhat.com>
|
|
Pablo Greco |
48fc63 |
Date: Wed, 16 Jan 2019 10:24:56 +0100
|
|
Pablo Greco |
48fc63 |
Subject: [PATCH] journald: free cmdline buffers owned by iovec
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
Resolves: #1666646
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
[msekleta: this is a followup for the fix of CVE-2018-16864. While
|
|
Pablo Greco |
48fc63 |
backporting upstream changes I've accidentally dropped the automatic
|
|
Pablo Greco |
48fc63 |
cleanup of the cmdline buffers. Technically speaking similar issue is in
|
|
Pablo Greco |
48fc63 |
coredump.c too, but after we dispatch iovec buffer in coredump.c we
|
|
Pablo Greco |
48fc63 |
immediately exit so allocated memory is reclaimed by the kernel.]
|
|
Pablo Greco |
48fc63 |
---
|
|
Pablo Greco |
48fc63 |
src/journal/journald-server.c | 5 +++--
|
|
Pablo Greco |
48fc63 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
|
|
Pablo Greco |
48fc63 |
index c35858247b..88d8f3e41d 100644
|
|
Pablo Greco |
48fc63 |
--- a/src/journal/journald-server.c
|
|
Pablo Greco |
48fc63 |
+++ b/src/journal/journald-server.c
|
|
Pablo Greco |
48fc63 |
@@ -738,6 +738,7 @@ static void dispatch_message_real(
|
|
Pablo Greco |
48fc63 |
o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
|
|
Pablo Greco |
48fc63 |
o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
|
|
Pablo Greco |
48fc63 |
o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
|
|
Pablo Greco |
48fc63 |
+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
|
|
Pablo Greco |
48fc63 |
uid_t object_uid;
|
|
Pablo Greco |
48fc63 |
gid_t object_gid;
|
|
Pablo Greco |
48fc63 |
char *x;
|
|
Pablo Greco |
48fc63 |
@@ -790,7 +791,7 @@ static void dispatch_message_real(
|
|
Pablo Greco |
48fc63 |
if (r >= 0) {
|
|
Pablo Greco |
48fc63 |
/* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
|
|
Pablo Greco |
48fc63 |
* Let's use a heap allocation for this one. */
|
|
Pablo Greco |
48fc63 |
- set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
|
|
Pablo Greco |
48fc63 |
+ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
|
|
Pablo Greco |
48fc63 |
}
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
r = get_process_capeff(ucred->pid, &t);
|
|
Pablo Greco |
48fc63 |
@@ -916,7 +917,7 @@ static void dispatch_message_real(
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
r = get_process_cmdline(object_pid, 0, false, &t);
|
|
Pablo Greco |
48fc63 |
if (r >= 0)
|
|
Pablo Greco |
48fc63 |
- set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
|
|
Pablo Greco |
48fc63 |
+ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
|
|
Pablo Greco |
48fc63 |
|
|
Pablo Greco |
48fc63 |
#ifdef HAVE_AUDIT
|
|
Pablo Greco |
48fc63 |
r = audit_session_from_pid(object_pid, &audit);
|