From 15abaf4113d9510b2ed06212b04f2613c2f46d70 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 14 2022 12:15:06 +0000 Subject: import systemd-239-58.el8_6.1 --- diff --git a/.systemd.metadata b/.systemd.metadata index 8ab9fd3..a883c33 100644 --- a/.systemd.metadata +++ b/.systemd.metadata @@ -1 +1 @@ -249634e3d6b3532f15465719f0437ce04c3eb377 SOURCES/systemd-239.tar.gz +8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz diff --git a/SOURCES/0744-acpi-fpdt-mark-structures-as-packed.patch b/SOURCES/0744-acpi-fpdt-mark-structures-as-packed.patch new file mode 100644 index 0000000..da3fe56 --- /dev/null +++ b/SOURCES/0744-acpi-fpdt-mark-structures-as-packed.patch @@ -0,0 +1,51 @@ +From 96bc9caf3216b391a1da88b92ca507fa617177f7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 23 Apr 2020 08:49:10 +0200 +Subject: [PATCH] acpi-fpdt: mark structures as packed + +Let's make sure the alignment doesn't matter. + +(cherry picked from commit 49490c1d353bc920cbf73f4c71e9c35d2e3eb8b1) + +Related: #2084052 +--- + src/shared/acpi-fpdt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/shared/acpi-fpdt.c b/src/shared/acpi-fpdt.c +index d565ebd43e..38c464c912 100644 +--- a/src/shared/acpi-fpdt.c ++++ b/src/shared/acpi-fpdt.c +@@ -23,7 +23,7 @@ struct acpi_table_header { + uint32_t oem_revision; + char asl_compiler_id[4]; + uint32_t asl_compiler_revision; +-}; ++} _packed_; + + enum { + ACPI_FPDT_TYPE_BOOT = 0, +@@ -36,12 +36,12 @@ struct acpi_fpdt_header { + uint8_t revision; + uint8_t reserved[4]; + uint64_t ptr; +-}; ++} _packed_; + + struct acpi_fpdt_boot_header { + char signature[4]; + uint32_t length; +-}; ++} _packed_; + + enum { + ACPI_FPDT_S3PERF_RESUME_REC = 0, +@@ -59,7 +59,7 @@ struct acpi_fpdt_boot { + uint64_t startup_start; + uint64_t exit_services_entry; + uint64_t exit_services_exit; +-}; ++} _packed; + + int acpi_get_boot_usec(usec_t *loader_start, usec_t *loader_exit) { + _cleanup_free_ char *buf = NULL; diff --git a/SOURCES/0745-core-slice-make-slice_freezer_action-return-0-if-fre.patch b/SOURCES/0745-core-slice-make-slice_freezer_action-return-0-if-fre.patch new file mode 100644 index 0000000..1d1fa6b --- /dev/null +++ b/SOURCES/0745-core-slice-make-slice_freezer_action-return-0-if-fre.patch @@ -0,0 +1,46 @@ +From 9e3aefa21a631e7f47a8121097384a8b08ae8502 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 6 May 2022 14:01:22 +0900 +Subject: [PATCH] core/slice: make slice_freezer_action() return 0 if freezing + state is unchanged + +Fixes #23278. + +(cherry picked from commit d171e72e7afa11b238ba20758384d223b0c76e39) + +Related: #2084052 +--- + src/core/slice.c | 6 +----- + src/core/unit.c | 2 ++ + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/src/core/slice.c b/src/core/slice.c +index c10e830917..34f3c84bf9 100644 +--- a/src/core/slice.c ++++ b/src/core/slice.c +@@ -395,11 +395,7 @@ static int slice_freezer_action(Unit *s, FreezerAction action) { + return r; + } + +- r = unit_cgroup_freezer_action(s, action); +- if (r < 0) +- return r; +- +- return 1; ++ return unit_cgroup_freezer_action(s, action); + } + + static int slice_freeze(Unit *s) { +diff --git a/src/core/unit.c b/src/core/unit.c +index e2c61ce866..bd79578255 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -5622,6 +5622,8 @@ static int unit_freezer_action(Unit *u, FreezerAction action) { + if (r <= 0) + return r; + ++ assert(IN_SET(u->freezer_state, FREEZER_FREEZING, FREEZER_THAWING)); ++ + return 1; + } + diff --git a/SOURCES/0746-core-unit-fix-use-after-free.patch b/SOURCES/0746-core-unit-fix-use-after-free.patch new file mode 100644 index 0000000..ecd57f2 --- /dev/null +++ b/SOURCES/0746-core-unit-fix-use-after-free.patch @@ -0,0 +1,29 @@ +From 330e0ea2859db6107fae65bce982c0f2e2ababf5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 9 May 2022 00:56:05 +0900 +Subject: [PATCH] core/unit: fix use-after-free + +Fixes #23312. + +(cherry picked from commit 734582830b58e000a26e18807ea277c18778573c) + +Related: #2084052 +--- + src/core/unit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index bd79578255..68affa2c0e 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -580,8 +580,8 @@ void unit_free(Unit *u) { + + unit_dequeue_rewatch_pids(u); + +- sd_bus_slot_unref(u->match_bus_slot); +- sd_bus_track_unref(u->bus_track); ++ u->match_bus_slot = sd_bus_slot_unref(u->match_bus_slot); ++ u->bus_track = sd_bus_track_unref(u->bus_track); + u->deserialized_refs = strv_free(u->deserialized_refs); + u->pending_freezer_message = sd_bus_message_unref(u->pending_freezer_message); + diff --git a/SOURCES/0747-sd-bus-fix-reference-counter-to-be-incremented.patch b/SOURCES/0747-sd-bus-fix-reference-counter-to-be-incremented.patch new file mode 100644 index 0000000..dde33df --- /dev/null +++ b/SOURCES/0747-sd-bus-fix-reference-counter-to-be-incremented.patch @@ -0,0 +1,58 @@ +From d3d0969d7c366d6bb2f66501e61cbcd11a60face Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 17 Apr 2022 07:05:07 +0900 +Subject: [PATCH] sd-bus: fix reference counter to be incremented + +Fixes #23097. + +(cherry picked from commit b21f237d996c8c18991a68e1204f060d07dc4745) + +[msekleta: This commit also contains the hunk from c2d7dd35d2 +(in sd_bus_track_remove_name). I've decided to not backport that commit +fully because of conflicts and because its was made largely irrelevant +by 7f40cb7c86] + +Related: #2084052 +--- + src/libsystemd/sd-bus/bus-track.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-track.c b/src/libsystemd/sd-bus/bus-track.c +index 16bf615f50..b1ec5ecbbb 100644 +--- a/src/libsystemd/sd-bus/bus-track.c ++++ b/src/libsystemd/sd-bus/bus-track.c +@@ -208,12 +208,12 @@ _public_ int sd_bus_track_add_name(sd_bus_track *track, const char *name) { + i = hashmap_get(track->names, name); + if (i) { + if (track->recursive) { +- unsigned k = track->n_ref + 1; ++ unsigned k = i->n_ref + 1; + +- if (k < track->n_ref) /* Check for overflow */ ++ if (k < i->n_ref) /* Check for overflow */ + return -EOVERFLOW; + +- track->n_ref = k; ++ i->n_ref = k; + } + + bus_track_remove_from_queue(track); +@@ -281,14 +281,13 @@ _public_ int sd_bus_track_remove_name(sd_bus_track *track, const char *name) { + i = hashmap_get(track->names, name); + if (!i) + return -EUNATCH; +- if (i->n_ref <= 0) +- return -EUNATCH; +- +- i->n_ref--; + +- if (i->n_ref <= 0) ++ assert(i->n_ref >=1); ++ if (i->n_ref <= 1) + return bus_track_remove_name_fully(track, name); + ++ i->n_ref--; ++ + return 1; + } + diff --git a/SOURCES/0748-sd-bus-do-not-read-unused-value.patch b/SOURCES/0748-sd-bus-do-not-read-unused-value.patch new file mode 100644 index 0000000..c3daafc --- /dev/null +++ b/SOURCES/0748-sd-bus-do-not-read-unused-value.patch @@ -0,0 +1,32 @@ +From 6f8278097070d77e39d15e5f5d11e1c8b83871c2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 17 Apr 2022 07:25:09 +0900 +Subject: [PATCH] sd-bus: do not read unused value + +(cherry picked from commit 6a7ca27740be4229b4c9f540cd610b205ca5752c) + +Related: #2084052 +--- + src/libsystemd/sd-bus/bus-track.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-track.c b/src/libsystemd/sd-bus/bus-track.c +index b1ec5ecbbb..b9965d9d64 100644 +--- a/src/libsystemd/sd-bus/bus-track.c ++++ b/src/libsystemd/sd-bus/bus-track.c +@@ -182,13 +182,13 @@ _public_ sd_bus_track* sd_bus_track_unref(sd_bus_track *track) { + + static int on_name_owner_changed(sd_bus_message *message, void *userdata, sd_bus_error *error) { + sd_bus_track *track = userdata; +- const char *name, *old, *new; ++ const char *name; + int r; + + assert(message); + assert(track); + +- r = sd_bus_message_read(message, "sss", &name, &old, &new); ++ r = sd_bus_message_read(message, "sss", &name, NULL, NULL); + if (r < 0) + return 0; + diff --git a/SOURCES/0749-sd-bus-do-not-return-negative-errno-when-unknown-nam.patch b/SOURCES/0749-sd-bus-do-not-return-negative-errno-when-unknown-nam.patch new file mode 100644 index 0000000..5fb3f8c --- /dev/null +++ b/SOURCES/0749-sd-bus-do-not-return-negative-errno-when-unknown-nam.patch @@ -0,0 +1,35 @@ +From 3005733945670cc4a77920bb55e5cdda331cff4d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 17 Apr 2022 07:29:24 +0900 +Subject: [PATCH] sd-bus: do not return negative errno when unknown name is + specified + +When 'recursive' is false, then sd_bus_track_remove_name() does not +return negative errno when unknown name is specified. Let's follow the +same pattern for the case that 'recursive' is true. + +(cherry picked from commit 55bfacc6c33eaf3475762e71172b2ef504be5af8) + +Related: #2084052 +--- + src/libsystemd/sd-bus/bus-track.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-track.c b/src/libsystemd/sd-bus/bus-track.c +index b9965d9d64..8893f190a1 100644 +--- a/src/libsystemd/sd-bus/bus-track.c ++++ b/src/libsystemd/sd-bus/bus-track.c +@@ -275,12 +275,9 @@ _public_ int sd_bus_track_remove_name(sd_bus_track *track, const char *name) { + if (!track) /* Treat a NULL track object as an empty track object */ + return 0; + +- if (!track->recursive) +- return bus_track_remove_name_fully(track, name); +- + i = hashmap_get(track->names, name); + if (!i) +- return -EUNATCH; ++ return 0; + + assert(i->n_ref >=1); + if (i->n_ref <= 1) diff --git a/SOURCES/0750-sd-bus-switch-to-a-manual-overflow-check-in-sd_bus_t.patch b/SOURCES/0750-sd-bus-switch-to-a-manual-overflow-check-in-sd_bus_t.patch new file mode 100644 index 0000000..a280a40 --- /dev/null +++ b/SOURCES/0750-sd-bus-switch-to-a-manual-overflow-check-in-sd_bus_t.patch @@ -0,0 +1,48 @@ +From 78b5b6dbd0bb4e5644e798748d186cca88fc523d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 20 Apr 2022 22:30:22 +0200 +Subject: [PATCH] sd-bus: switch to a manual overflow check in + sd_bus_track_add_name() + +This is generally used in a directly client controllable way, hence we +should handle ref count overflow gracefully, instead of hitting an +assert(). + +As discussed: + +https://github.com/systemd/systemd/pull/23099#discussion_r854341850 +(cherry picked from commit 7f40cb7c86b0fff3a82096a9499570bad9c19fd2) + +[msekleta: We've never switched to using track_item_ref/unref introduced +in c2d7dd35d2 hence we still had potential undefined behavior related to +overflow check and this commit fixes that.] + +Related: #2084052 +--- + src/libsystemd/sd-bus/bus-track.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-track.c b/src/libsystemd/sd-bus/bus-track.c +index 8893f190a1..b818e93bec 100644 +--- a/src/libsystemd/sd-bus/bus-track.c ++++ b/src/libsystemd/sd-bus/bus-track.c +@@ -208,12 +208,16 @@ _public_ int sd_bus_track_add_name(sd_bus_track *track, const char *name) { + i = hashmap_get(track->names, name); + if (i) { + if (track->recursive) { +- unsigned k = i->n_ref + 1; ++ assert(i->n_ref > 0); + +- if (k < i->n_ref) /* Check for overflow */ ++ /* Manual oveflow check (instead of a DEFINE_TRIVIAL_REF_FUNC() helper or so), so ++ * that we can return a proper error, given this is almost always called in a ++ * directly client controllable way, and thus better should never hit an assertion ++ * here. */ ++ if (i->n_ref >= UINT_MAX) + return -EOVERFLOW; + +- i->n_ref = k; ++ i->n_ref++; + } + + bus_track_remove_from_queue(track); diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 4aee86b..cd79db9 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 58%{?dist} +Release: 58%{?dist}.1 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -793,6 +793,13 @@ Patch0740: 0740-sysctl-fix-segfault.patch Patch0741: 0741-ci-drop-CentOS-8-CI.patch Patch0742: 0742-test-adapt-to-the-new-capsh-format.patch Patch0743: 0743-test-ignore-IAB-capabilities-in-test-execute.patch +Patch0744: 0744-acpi-fpdt-mark-structures-as-packed.patch +Patch0745: 0745-core-slice-make-slice_freezer_action-return-0-if-fre.patch +Patch0746: 0746-core-unit-fix-use-after-free.patch +Patch0747: 0747-sd-bus-fix-reference-counter-to-be-incremented.patch +Patch0748: 0748-sd-bus-do-not-read-unused-value.patch +Patch0749: 0749-sd-bus-do-not-return-negative-errno-when-unknown-nam.patch +Patch0750: 0750-sd-bus-switch-to-a-manual-overflow-check-in-sd_bus_t.patch %ifarch %{ix86} x86_64 aarch64 @@ -1423,6 +1430,15 @@ fi %files tests -f .file-list-tests %changelog +* Wed May 11 2022 systemd maintenance team - 239-58.1 +- acpi-fpdt: mark structures as packed (#2084052) +- core/slice: make slice_freezer_action() return 0 if freezing state is unchanged (#2084052) +- core/unit: fix use-after-free (#2084052) +- sd-bus: fix reference counter to be incremented (#2084052) +- sd-bus: do not read unused value (#2084052) +- sd-bus: do not return negative errno when unknown name is specified (#2084052) +- sd-bus: switch to a manual overflow check in sd_bus_track_add_name() (#2084052) + * Tue Feb 08 2022 systemd maintenance team - 239-58 - ci: drop CentOS 8 CI (#2017033) - test: adapt to the new capsh format (#2017033)