36e8a3
From 9f53d3cded6cf7eccb40c810dfb8fd6e101c7a3b Mon Sep 17 00:00:00 2001
36e8a3
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
36e8a3
Date: Wed, 5 Dec 2018 22:45:02 +0100
36e8a3
Subject: [PATCH] journald: set a limit on the number of fields (1k)
36e8a3
36e8a3
We allocate a iovec entry for each field, so with many short entries,
36e8a3
our memory usage and processing time can be large, even with a relatively
36e8a3
small message size. Let's refuse overly long entries.
36e8a3
36e8a3
CVE-2018-16865
36e8a3
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
36e8a3
36e8a3
What from I can see, the problem is not from an alloca, despite what the CVE
36e8a3
description says, but from the attack multiplication that comes from creating
36e8a3
many very small iovecs: (void* + size_t) for each three bytes of input message.
36e8a3
36e8a3
(cherry-picked from commit 052c57f132f04a3cf4148f87561618da1a6908b4)
36e8a3
36e8a3
Resolves: #1664977
36e8a3
---
36e8a3
 src/journal/journal-file.h    | 3 +++
36e8a3
 src/journal/journald-native.c | 5 +++++
36e8a3
 2 files changed, 8 insertions(+)
36e8a3
36e8a3
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
4bff0a
index c8114ee2d0..cd8a48a364 100644
36e8a3
--- a/src/journal/journal-file.h
36e8a3
+++ b/src/journal/journal-file.h
36e8a3
@@ -165,6 +165,9 @@ int journal_file_open_reliably(
36e8a3
  * files without adding too many zeros. */
36e8a3
 #define OFSfmt "%06"PRIx64
36e8a3
 
36e8a3
+/* The maximum number of fields in an entry */
36e8a3
+#define ENTRY_FIELD_COUNT_MAX 1024
36e8a3
+
36e8a3
 static inline bool VALID_REALTIME(uint64_t u) {
36e8a3
         /* This considers timestamps until the year 3112 valid. That should be plenty room... */
36e8a3
         return u > 0 && u < (1ULL << 55);
36e8a3
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
4bff0a
index 5ff22a10af..951d092053 100644
36e8a3
--- a/src/journal/journald-native.c
36e8a3
+++ b/src/journal/journald-native.c
36e8a3
@@ -140,6 +140,11 @@ static int server_process_entry(
36e8a3
                 }
36e8a3
 
36e8a3
                 /* A property follows */
36e8a3
+                if (n > ENTRY_FIELD_COUNT_MAX) {
36e8a3
+                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
36e8a3
+                        r = 1;
36e8a3
+                        goto finish;
36e8a3
+                }
36e8a3
 
36e8a3
                 /* n existing properties, 1 new, +1 for _TRANSPORT */
36e8a3
                 if (!GREEDY_REALLOC(iovec, m,