valeriyvdovin / rpms / systemd

Forked from rpms/systemd 4 years ago
Clone

Blame SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch

27ab04
From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001
27ab04
From: Michal Sekletar <msekleta@redhat.com>
27ab04
Date: Wed, 16 Jan 2019 10:24:56 +0100
27ab04
Subject: [PATCH] journald: free cmdline buffers owned by iovec
27ab04
27ab04
Resolves: #1666646
27ab04
27ab04
[msekleta: this is a followup for the fix of CVE-2018-16864. While
27ab04
backporting upstream changes I've accidentally dropped the automatic
27ab04
cleanup of the cmdline buffers. Technically speaking similar issue is in
27ab04
coredump.c too, but after we dispatch iovec buffer in coredump.c we
27ab04
immediately exit so allocated memory is reclaimed by the kernel.]
27ab04
---
27ab04
 src/journal/journald-server.c | 5 +++--
27ab04
 1 file changed, 3 insertions(+), 2 deletions(-)
27ab04
27ab04
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
27ab04
index c35858247..88d8f3e41 100644
27ab04
--- a/src/journal/journald-server.c
27ab04
+++ b/src/journal/journald-server.c
27ab04
@@ -738,6 +738,7 @@ static void dispatch_message_real(
27ab04
                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
27ab04
                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
27ab04
                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
27ab04
+        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
27ab04
         uid_t object_uid;
27ab04
         gid_t object_gid;
27ab04
         char *x;
27ab04
@@ -790,7 +791,7 @@ static void dispatch_message_real(
27ab04
                 if (r >= 0) {
27ab04
                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
27ab04
                          * Let's use a heap allocation for this one. */
27ab04
-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
27ab04
+                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
27ab04
                 }
27ab04
 
27ab04
                 r = get_process_capeff(ucred->pid, &t);
27ab04
@@ -916,7 +917,7 @@ static void dispatch_message_real(
27ab04
 
27ab04
                 r = get_process_cmdline(object_pid, 0, false, &t);
27ab04
                 if (r >= 0)
27ab04
-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
27ab04
+                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
27ab04
 
27ab04
 #ifdef HAVE_AUDIT
27ab04
                 r = audit_session_from_pid(object_pid, &audit);