From 31ac43875ffac7eef39036a611267fd907ab4ea7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 20 2021 20:16:27 +0000
Subject: import systemd-239-45.el8_4.2
---
diff --git a/SOURCES/9000-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/SOURCES/9000-basic-unit-name-do-not-use-strdupa-on-a-path.patch
new file mode 100644
index 0000000..398a4bd
--- /dev/null
+++ b/SOURCES/9000-basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -0,0 +1,64 @@
+From df7a2c629e700a510ce59b8745d240d2a43a12aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 1b81fe2..614eb86 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
+--
+2.31.1
+
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index b9879ee..ccc28be 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -13,7 +13,7 @@
 Name: systemd
 Url: http://www.freedesktop.org/wiki/Software/systemd
 Version: 239
-Release: 45%{?dist}.1
+Release: 45%{?dist}.2
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: System and Service Manager
@@ -618,6 +618,9 @@ Patch0565: 0565-Revert-udev-make-algorithm-that-selects-highest-prio.patch
 Patch0566: 0566-test-udev-test.pl-drop-test-cases-that-add-mutliple-.patch
+# Security patches
+Patch9000: 9000-basic-unit-name-do-not-use-strdupa-on-a-path.patch
+
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
 %endif
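Review bot: On the last changed line of the second hunk, `s = unit_name_escape(skip_leading_chars(p, "/"));`, the advanced pointer is deliberately not stored back into `p`, because `p` is now the `_cleanup_free_` owner of the heap copy and freeing an interior pointer would be undefined behaviour; nothing in the code records that constraint, and the removed `p = skip_leading_chars(p, "/");` shows how naturally a later refactor could reintroduce it. I would add `/* p owns the strdup()ed buffer and is freed by _cleanup_free_: never advance it */` above that line. The change also turns the unbounded stack allocation of the CVE into an unbounded heap allocation whose failure now surfaces as -ENOMEM at `if (!p)`, which is the intended defensive outcome; whatever bounds the escaped result to UNIT_NAME_MAX, as the commit message states, is not visible in these hunks. unit_name_path_escape() continues past the end of the second hunk, so how `s` is handed back through `*ret` and any later validation of its length cannot be checked here.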
@@ -1244,6 +1247,9 @@ fi
 %files tests -f .file-list-tests
 %changelog
+* Mon Jun 28 2021 Jan Macku - 239-45.2
+- basic/unit-name: do not use strdupa() on a path (CVE-2021-33910, #1974699)
+
 * Tue May 25 2021 systemd maintenance team - 239-45.1
 - Revert "udev: run link_update() with increased retry count in second invocation" (#1963980)
 - Revert "udev: make algorithm that selects highest priority devlink less susceptible to race conditions" (#1963980)