|
|
eb47ff |
From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001
|
|
|
eb47ff |
From: Michal Sekletar <msekleta@redhat.com>
|
|
|
eb47ff |
Date: Wed, 16 Jan 2019 10:24:56 +0100
|
|
|
eb47ff |
Subject: [PATCH] journald: free cmdline buffers owned by iovec
|
|
|
eb47ff |
|
|
|
eb47ff |
Resolves: #1666646
|
|
|
eb47ff |
|
|
|
eb47ff |
[msekleta: this is a followup for the fix of CVE-2018-16864. While
|
|
|
eb47ff |
backporting upstream changes I've accidentally dropped the automatic
|
|
|
eb47ff |
cleanup of the cmdline buffers. Technically speaking similar issue is in
|
|
|
eb47ff |
coredump.c too, but after we dispatch iovec buffer in coredump.c we
|
|
|
eb47ff |
immediately exit so allocated memory is reclaimed by the kernel.]
|
|
|
eb47ff |
---
|
|
|
eb47ff |
src/journal/journald-server.c | 5 +++--
|
|
|
eb47ff |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
eb47ff |
|
|
|
eb47ff |
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
|
|
|
eb47ff |
index c35858247..88d8f3e41 100644
|
|
|
eb47ff |
--- a/src/journal/journald-server.c
|
|
|
eb47ff |
+++ b/src/journal/journald-server.c
|
|
|
eb47ff |
@@ -738,6 +738,7 @@ static void dispatch_message_real(
|
|
|
eb47ff |
o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
|
|
|
eb47ff |
o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
|
|
|
eb47ff |
o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
|
|
|
eb47ff |
+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
|
|
|
eb47ff |
uid_t object_uid;
|
|
|
eb47ff |
gid_t object_gid;
|
|
|
eb47ff |
char *x;
|
|
|
eb47ff |
@@ -790,7 +791,7 @@ static void dispatch_message_real(
|
|
|
eb47ff |
if (r >= 0) {
|
|
|
eb47ff |
/* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
|
|
|
eb47ff |
* Let's use a heap allocation for this one. */
|
|
|
eb47ff |
- set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
|
|
|
eb47ff |
+ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
|
|
|
eb47ff |
}
|
|
|
eb47ff |
|
|
|
eb47ff |
r = get_process_capeff(ucred->pid, &t);
|
|
|
eb47ff |
@@ -916,7 +917,7 @@ static void dispatch_message_real(
|
|
|
eb47ff |
|
|
|
eb47ff |
r = get_process_cmdline(object_pid, 0, false, &t);
|
|
|
eb47ff |
if (r >= 0)
|
|
|
eb47ff |
- set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
|
|
|
eb47ff |
+ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
|
|
|
eb47ff |
|
|
|
eb47ff |
#ifdef HAVE_AUDIT
|
|
|
eb47ff |
r = audit_session_from_pid(object_pid, &audit);
|