rpms / systemd

Clone
Source Code
GIT

Blame SOURCES/0670-journald-free-cmdline-buffers-owned-by-iovec.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c8s-sig-hyperscale-hotfix-252 c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-hotfix-252
  1.   c7
  2.   SOURCES
  3.   0670-journald-free-cmdline-buffers-owned-by-iovec.patch
Blob History Raw
c62b8e 
From 4b0ebd414553f9ccab85dfd708bf808127da505f Mon Sep 17 00:00:00 2001
eb47ff 
From: Michal Sekletar <msekleta@redhat.com>
eb47ff 
Date: Wed, 16 Jan 2019 10:24:56 +0100
eb47ff 
Subject: [PATCH] journald: free cmdline buffers owned by iovec
eb47ff
eb47ff 
Resolves: #1666646
eb47ff
eb47ff 
[msekleta: this is a followup for the fix of CVE-2018-16864. While
eb47ff 
backporting upstream changes I've accidentally dropped the automatic
eb47ff 
cleanup of the cmdline buffers. Technically speaking similar issue is in
eb47ff 
coredump.c too, but after we dispatch iovec buffer in coredump.c we
eb47ff 
immediately exit so allocated memory is reclaimed by the kernel.]
eb47ff 
---
eb47ff 
 src/journal/journald-server.c | 5 +++--
eb47ff 
 1 file changed, 3 insertions(+), 2 deletions(-)
eb47ff
eb47ff 
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
c62b8e 
index c35858247b..88d8f3e41d 100644
eb47ff 
--- a/src/journal/journald-server.c
eb47ff 
+++ b/src/journal/journald-server.c
eb47ff 
@@ -738,6 +738,7 @@ static void dispatch_message_real(
eb47ff 
                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
eb47ff 
                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
eb47ff 
                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
eb47ff 
+        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
eb47ff 
         uid_t object_uid;
eb47ff 
         gid_t object_gid;
eb47ff 
         char *x;
eb47ff 
@@ -790,7 +791,7 @@ static void dispatch_message_real(
eb47ff 
                 if (r >= 0) {
eb47ff 
                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
eb47ff 
                          * Let's use a heap allocation for this one. */
eb47ff 
-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
eb47ff 
+                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
eb47ff 
                 }
eb47ff
eb47ff 
                 r = get_process_capeff(ucred->pid, &t);
eb47ff 
@@ -916,7 +917,7 @@ static void dispatch_message_real(
eb47ff
eb47ff 
                 r = get_process_cmdline(object_pid, 0, false, &t);
eb47ff 
                 if (r >= 0)
eb47ff 
-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
eb47ff 
+                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
eb47ff
eb47ff 
 #ifdef HAVE_AUDIT
eb47ff 
                 r = audit_session_from_pid(object_pid, &audit);

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation