ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
Clone
c62b8e
From 9dbac61cf123a57c1f39a2f134389f1a5877dc29 Mon Sep 17 00:00:00 2001
23b3cf
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
23b3cf
Date: Thu, 3 Jan 2019 16:09:05 +0100
23b3cf
Subject: [PATCH] journald: set a limit on the number of fields (1k)
23b3cf
23b3cf
We allocate a iovec entry for each field, so with many short entries,
23b3cf
our memory usage and processing time can be large, even with a relatively
23b3cf
small message size. Let's refuse overly long entries.
23b3cf
23b3cf
CVE-2018-16865
23b3cf
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
23b3cf
23b3cf
What from I can see, the problem is not from an alloca, despite what the CVE
23b3cf
description says, but from the attack multiplication that comes from creating
23b3cf
many very small iovecs: (void* + size_t) for each three bytes of input
23b3cf
message.
23b3cf
23b3cf
Resolves: #1657792
23b3cf
---
23b3cf
 src/journal/journal-file.h    | 3 +++
23b3cf
 src/journal/journald-native.c | 4 ++++
23b3cf
 2 files changed, 7 insertions(+)
23b3cf
23b3cf
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
c62b8e
index dd8ef52d2a..37749c4459 100644
23b3cf
--- a/src/journal/journal-file.h
23b3cf
+++ b/src/journal/journal-file.h
23b3cf
@@ -158,6 +158,9 @@ int journal_file_open_reliably(
23b3cf
  * files without adding too many zeros. */
23b3cf
 #define OFSfmt "%06"PRIx64
23b3cf
 
23b3cf
+/* The maximum number of fields in an entry */
23b3cf
+#define ENTRY_FIELD_COUNT_MAX 1024
23b3cf
+
23b3cf
 static inline bool VALID_REALTIME(uint64_t u) {
23b3cf
         /* This considers timestamps until the year 3112 valid. That should be plenty room... */
23b3cf
         return u > 0 && u < (1ULL << 55);
23b3cf
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
c62b8e
index cf3349393f..0c451274f7 100644
23b3cf
--- a/src/journal/journald-native.c
23b3cf
+++ b/src/journal/journald-native.c
23b3cf
@@ -134,6 +134,10 @@ void server_process_native_message(
23b3cf
                 }
23b3cf
 
23b3cf
                 /* A property follows */
23b3cf
+                if (n > ENTRY_FIELD_COUNT_MAX) {
23b3cf
+                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
23b3cf
+                        goto finish;
23b3cf
+                }
23b3cf
 
23b3cf
                 /* n existing properties, 1 new, +1 for _TRANSPORT */
23b3cf
                 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {