diff --git a/SOURCES/0666-journald-do-not-store-the-iovec-entry-for-process-co.patch b/SOURCES/0666-journald-do-not-store-the-iovec-entry-for-process-co.patch deleted file mode 100644 index 026974c..0000000 --- a/SOURCES/0666-journald-do-not-store-the-iovec-entry-for-process-co.patch +++ /dev/null @@ -1,376 +0,0 @@ -From 38081a6ddf876345a15b92dc7d5e655b1f28976f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Jan 2019 11:35:22 +0100 -Subject: [PATCH] journald: do not store the iovec entry for process - commandline on stack - -This fixes a crash where we would read the commandline, whose length is under -control of the sending program, and then crash when trying to create a stack -allocation for it. - -CVE-2018-16864 -https://bugzilla.redhat.com/show_bug.cgi?id=1653855 - -The message actually doesn't get written to disk, because -journal_file_append_entry() returns -E2BIG. - -Resolves: #1657788 ---- - src/journal/coredump.c | 189 +++++++++++++--------------------- - src/journal/journald-server.c | 13 +-- - src/shared/util.c | 17 +++ - src/shared/util.h | 7 ++ - 4 files changed, 98 insertions(+), 128 deletions(-) - -diff --git a/src/journal/coredump.c b/src/journal/coredump.c -index 59ccd46bb..40de86f05 100644 ---- a/src/journal/coredump.c -+++ b/src/journal/coredump.c -@@ -526,14 +526,6 @@ static int compose_open_fds(pid_t pid, char **open_fds) { - } - - int main(int argc, char* argv[]) { -- -- /* The small core field we allocate on the stack, to keep things simple */ -- char -- *core_pid = NULL, *core_uid = NULL, *core_gid = NULL, *core_signal = NULL, -- *core_session = NULL, *core_exe = NULL, *core_comm = NULL, *core_cmdline = NULL, -- *core_cgroup = NULL, *core_cwd = NULL, *core_root = NULL, *core_unit = NULL, -- *core_slice = NULL; -- - /* The larger ones we allocate on the heap */ - _cleanup_free_ char - *core_timestamp = NULL, *core_message = NULL, *coredump_data = NULL, *core_owner_uid = NULL, -@@ -547,7 +539,8 @@ int main(int argc, char* argv[]) { - - struct iovec iovec[26]; - off_t coredump_size; -- int r, j = 0; -+ int r; -+ unsigned int n_iovec = 0; - uid_t uid, owner_uid; - gid_t gid; - pid_t pid; -@@ -634,151 +627,107 @@ int main(int argc, char* argv[]) { - goto finish; - } - -- core_unit = strjoina("COREDUMP_UNIT=", t); -- free(t); -- -- } else if (cg_pid_get_user_unit(pid, &t) >= 0) { -- core_unit = strjoina("COREDUMP_USER_UNIT=", t); -- free(t); -+ if (!set_iovec_field_free(iovec, &n_iovec, "COREDUMP_UNIT=", t)) { -+ r = log_oom(); -+ goto finish; -+ } - } - -- if (core_unit) -- IOVEC_SET_STRING(iovec[j++], core_unit); -+ if (cg_pid_get_user_unit(pid, &t) >= 0) { -+ if (!set_iovec_field_free(iovec, &n_iovec, "COREDUMP_USER_UNIT=", t)) { -+ r = log_oom(); -+ goto finish; -+ } -+ } - - /* OK, now we know it's not the journal, hence we can make use - * of it now. */ - log_set_target(LOG_TARGET_JOURNAL_OR_KMSG); - log_open(); - -- core_pid = strjoina("COREDUMP_PID=", info[INFO_PID]); -- IOVEC_SET_STRING(iovec[j++], core_pid); -- -- core_uid = strjoina("COREDUMP_UID=", info[INFO_UID]); -- IOVEC_SET_STRING(iovec[j++], core_uid); -- -- core_gid = strjoina("COREDUMP_GID=", info[INFO_GID]); -- IOVEC_SET_STRING(iovec[j++], core_gid); -- -- core_signal = strjoina("COREDUMP_SIGNAL=", info[INFO_SIGNAL]); -- IOVEC_SET_STRING(iovec[j++], core_signal); -- -- if (sd_pid_get_session(pid, &t) >= 0) { -- core_session = strjoina("COREDUMP_SESSION=", t); -- free(t); -- -- IOVEC_SET_STRING(iovec[j++], core_session); -+ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_PID=", info[INFO_PID])) { -+ r = log_oom(); -+ goto finish; - } - -- if (sd_pid_get_owner_uid(pid, &owner_uid) >= 0) { -- r = asprintf(&core_owner_uid, -- "COREDUMP_OWNER_UID=" UID_FMT, owner_uid); -- if (r > 0) -- IOVEC_SET_STRING(iovec[j++], core_owner_uid); -+ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_UID=", info[INFO_UID])) { -+ r = log_oom(); -+ goto finish; - } - -- if (sd_pid_get_slice(pid, &t) >= 0) { -- core_slice = strjoina("COREDUMP_SLICE=", t); -- free(t); -+ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_GID=", info[INFO_GID])) { -+ r = log_oom(); -+ goto finish; -+ } - -- IOVEC_SET_STRING(iovec[j++], core_slice); -+ if (!set_iovec_string_field(iovec, &n_iovec, "COREDUMP_SIGNAL=", info[INFO_SIGNAL])) { -+ r = log_oom(); -+ goto finish; - } - -- if (comm) { -- core_comm = strjoina("COREDUMP_COMM=", comm); -- IOVEC_SET_STRING(iovec[j++], core_comm); -+ if (comm && !set_iovec_string_field(iovec, &n_iovec, "COREDUMP_COMM=", comm)) { -+ r = log_oom(); -+ goto finish; - } - -- if (exe) { -- core_exe = strjoina("COREDUMP_EXE=", exe); -- IOVEC_SET_STRING(iovec[j++], core_exe); -+ if (exe && !set_iovec_string_field(iovec, &n_iovec, "COREDUMP_EXE=", exe)) { -+ r = log_oom(); -+ goto finish; - } - -- if (get_process_cmdline(pid, 0, false, &t) >= 0) { -- core_cmdline = strjoina("COREDUMP_CMDLINE=", t); -- free(t); -+ if (sd_pid_get_session(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_SESSION=", t); - -- IOVEC_SET_STRING(iovec[j++], core_cmdline); -+ if (sd_pid_get_owner_uid(pid, &owner_uid) >= 0) { -+ r = asprintf(&core_owner_uid, -+ "COREDUMP_OWNER_UID=" UID_FMT, owner_uid); -+ if (r > 0) -+ IOVEC_SET_STRING(iovec[n_iovec++], core_owner_uid); - } - -- if (cg_pid_get_path_shifted(pid, NULL, &t) >= 0) { -- core_cgroup = strjoina("COREDUMP_CGROUP=", t); -- free(t); -+ if (sd_pid_get_slice(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_SLICE=", t); - -- IOVEC_SET_STRING(iovec[j++], core_cgroup); -- } -+ if (get_process_cmdline(pid, 0, false, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CMDLINE=", t); - -- if (compose_open_fds(pid, &t) >= 0) { -- core_open_fds = strappend("COREDUMP_OPEN_FDS=", t); -- free(t); -+ if (cg_pid_get_path_shifted(pid, NULL, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CGROUP=", t); - -- if (core_open_fds) -- IOVEC_SET_STRING(iovec[j++], core_open_fds); -- } -+ if (compose_open_fds(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_OPEN_FDS=", t); - - p = procfs_file_alloca(pid, "status"); -- if (read_full_file(p, &t, NULL) >= 0) { -- core_proc_status = strappend("COREDUMP_PROC_STATUS=", t); -- free(t); -- -- if (core_proc_status) -- IOVEC_SET_STRING(iovec[j++], core_proc_status); -- } -+ if (read_full_file(p, &t, NULL) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_STATUS=", t); - - p = procfs_file_alloca(pid, "maps"); -- if (read_full_file(p, &t, NULL) >= 0) { -- core_proc_maps = strappend("COREDUMP_PROC_MAPS=", t); -- free(t); -- -- if (core_proc_maps) -- IOVEC_SET_STRING(iovec[j++], core_proc_maps); -- } -+ if (read_full_file(p, &t, NULL) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_MAPS=", t); - - p = procfs_file_alloca(pid, "limits"); -- if (read_full_file(p, &t, NULL) >= 0) { -- core_proc_limits = strappend("COREDUMP_PROC_LIMITS=", t); -- free(t); -- -- if (core_proc_limits) -- IOVEC_SET_STRING(iovec[j++], core_proc_limits); -- } -+ if (read_full_file(p, &t, NULL) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_LIMITS=", t); - - p = procfs_file_alloca(pid, "cgroup"); -- if (read_full_file(p, &t, NULL) >=0) { -- core_proc_cgroup = strappend("COREDUMP_PROC_CGROUP=", t); -- free(t); -+ if (read_full_file(p, &t, NULL) >=0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_PROC_CGROUP=", t); - -- if (core_proc_cgroup) -- IOVEC_SET_STRING(iovec[j++], core_proc_cgroup); -- } -- -- if (get_process_cwd(pid, &t) >= 0) { -- core_cwd = strjoina("COREDUMP_CWD=", t); -- free(t); -+ if (get_process_cwd(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_CWD=", t); - -- IOVEC_SET_STRING(iovec[j++], core_cwd); -- } -+ if (get_process_root(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_ROOT=", t); - -- if (get_process_root(pid, &t) >= 0) { -- core_root = strjoina("COREDUMP_ROOT=", t); -- free(t); -- -- IOVEC_SET_STRING(iovec[j++], core_root); -- } -- -- if (get_process_environ(pid, &t) >= 0) { -- core_environ = strappend("COREDUMP_ENVIRON=", t); -- free(t); -- -- if (core_environ) -- IOVEC_SET_STRING(iovec[j++], core_environ); -- } -+ if (get_process_environ(pid, &t) >= 0) -+ set_iovec_field_free(iovec, &n_iovec, "COREDUMP_ENVIRON=", t); - - core_timestamp = strjoin("COREDUMP_TIMESTAMP=", info[INFO_TIMESTAMP], "000000", NULL); - if (core_timestamp) -- IOVEC_SET_STRING(iovec[j++], core_timestamp); -+ IOVEC_SET_STRING(iovec[n_iovec++], core_timestamp); - -- IOVEC_SET_STRING(iovec[j++], "MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1"); -- IOVEC_SET_STRING(iovec[j++], "PRIORITY=2"); -+ IOVEC_SET_STRING(iovec[n_iovec++], "MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1"); -+ IOVEC_SET_STRING(iovec[n_iovec++], "PRIORITY=2"); - - /* Vacuum before we write anything again */ - coredump_vacuum(-1, arg_keep_free, arg_max_use); -@@ -800,7 +749,7 @@ int main(int argc, char* argv[]) { - const char *coredump_filename; - - coredump_filename = strjoina("COREDUMP_FILENAME=", filename); -- IOVEC_SET_STRING(iovec[j++], coredump_filename); -+ IOVEC_SET_STRING(iovec[n_iovec++], coredump_filename); - } - - /* Vacuum again, but exclude the coredump we just created */ -@@ -838,7 +787,7 @@ int main(int argc, char* argv[]) { - log: - core_message = strjoin("MESSAGE=Process ", info[INFO_PID], " (", comm, ") of user ", info[INFO_UID], " dumped core.", NULL); - if (core_message) -- IOVEC_SET_STRING(iovec[j++], core_message); -+ IOVEC_SET_STRING(iovec[n_iovec++], core_message); - - /* Optionally store the entire coredump in the journal */ - if (IN_SET(arg_storage, COREDUMP_STORAGE_JOURNAL, COREDUMP_STORAGE_BOTH) && -@@ -849,13 +798,13 @@ log: - - r = allocate_journal_field(coredump_fd, (size_t) coredump_size, &coredump_data, &sz); - if (r >= 0) { -- iovec[j].iov_base = coredump_data; -- iovec[j].iov_len = sz; -- j++; -+ iovec[n_iovec].iov_base = coredump_data; -+ iovec[n_iovec].iov_len = sz; -+ n_iovec++; - } - } - -- r = sd_journal_sendv(iovec, j); -+ r = sd_journal_sendv(iovec, n_iovec); - if (r < 0) - log_error_errno(r, "Failed to log coredump: %m"); - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 7e67e055e..c35858247 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -788,9 +788,9 @@ static void dispatch_message_real( - - r = get_process_cmdline(ucred->pid, 0, false, &t); - if (r >= 0) { -- x = strjoina("_CMDLINE=", t); -- free(t); -- IOVEC_SET_STRING(iovec[n++], x); -+ /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. -+ * Let's use a heap allocation for this one. */ -+ set_iovec_field_free(iovec, &n, "_CMDLINE=", t); - } - - r = get_process_capeff(ucred->pid, &t); -@@ -915,11 +915,8 @@ static void dispatch_message_real( - } - - r = get_process_cmdline(object_pid, 0, false, &t); -- if (r >= 0) { -- x = strjoina("OBJECT_CMDLINE=", t); -- free(t); -- IOVEC_SET_STRING(iovec[n++], x); -- } -+ if (r >= 0) -+ set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); - - #ifdef HAVE_AUDIT - r = audit_session_from_pid(object_pid, &audit); -diff --git a/src/shared/util.c b/src/shared/util.c -index 78967103a..c71e021cd 100644 ---- a/src/shared/util.c -+++ b/src/shared/util.c -@@ -2275,6 +2275,23 @@ int flush_fd(int fd) { - } - } - -+char* set_iovec_string_field(struct iovec *iovec, unsigned int *n_iovec, const char *field, const char *value) { -+ char *x; -+ -+ x = strappend(field, value); -+ if (x) -+ iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x); -+ return x; -+} -+ -+char* set_iovec_field_free(struct iovec *iovec, unsigned int *n_iovec, const char *field, char *value) { -+ char *x; -+ -+ x = set_iovec_string_field(iovec, n_iovec, field, value); -+ free(value); -+ return x; -+} -+ - int acquire_terminal( - const char *name, - bool fail, -diff --git a/src/shared/util.h b/src/shared/util.h -index cf096aa07..8fc237495 100644 ---- a/src/shared/util.h -+++ b/src/shared/util.h -@@ -1140,3 +1140,10 @@ static inline void block_signals_reset(sigset_t *ss) { - _t; \ - }) - -+#define IOVEC_INIT(base, len) { .iov_base = (base), .iov_len = (len) } -+#define IOVEC_MAKE(base, len) (struct iovec) IOVEC_INIT(base, len) -+#define IOVEC_INIT_STRING(string) IOVEC_INIT((char*) string, strlen(string)) -+#define IOVEC_MAKE_STRING(string) (struct iovec) IOVEC_INIT_STRING(string) -+ -+char* set_iovec_string_field(struct iovec *iovec, unsigned int *n_iovec, const char *field, const char *value); -+char* set_iovec_field_free(struct iovec *iovec, unsigned int *n_iovec, const char *field, char *value); diff --git a/SOURCES/0667-journald-set-a-limit-on-the-number-of-fields-1k.patch b/SOURCES/0667-journald-set-a-limit-on-the-number-of-fields-1k.patch deleted file mode 100644 index 15d1413..0000000 --- a/SOURCES/0667-journald-set-a-limit-on-the-number-of-fields-1k.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 94809b687fbb1c43b07ed8aa966070079cdcb063 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Jan 2019 16:09:05 +0100 -Subject: [PATCH] journald: set a limit on the number of fields (1k) - -We allocate a iovec entry for each field, so with many short entries, -our memory usage and processing time can be large, even with a relatively -small message size. Let's refuse overly long entries. - -CVE-2018-16865 -https://bugzilla.redhat.com/show_bug.cgi?id=1653861 - -What from I can see, the problem is not from an alloca, despite what the CVE -description says, but from the attack multiplication that comes from creating -many very small iovecs: (void* + size_t) for each three bytes of input -message. - -Resolves: #1657792 ---- - src/journal/journal-file.h | 3 +++ - src/journal/journald-native.c | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h -index dd8ef52d2..37749c445 100644 ---- a/src/journal/journal-file.h -+++ b/src/journal/journal-file.h -@@ -158,6 +158,9 @@ int journal_file_open_reliably( - * files without adding too many zeros. */ - #define OFSfmt "%06"PRIx64 - -+/* The maximum number of fields in an entry */ -+#define ENTRY_FIELD_COUNT_MAX 1024 -+ - static inline bool VALID_REALTIME(uint64_t u) { - /* This considers timestamps until the year 3112 valid. That should be plenty room... */ - return u > 0 && u < (1ULL << 55); -diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c -index cf3349393..0c451274f 100644 ---- a/src/journal/journald-native.c -+++ b/src/journal/journald-native.c -@@ -134,6 +134,10 @@ void server_process_native_message( - } - - /* A property follows */ -+ if (n > ENTRY_FIELD_COUNT_MAX) { -+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); -+ goto finish; -+ } - - /* n existing properties, 1 new, +1 for _TRANSPORT */ - if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) { diff --git a/SOURCES/0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/SOURCES/0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch deleted file mode 100644 index ccad9d5..0000000 --- a/SOURCES/0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 95ec0c76b4ee758012bc6c282c5299baee5ae451 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Jan 2019 16:28:30 +0100 -Subject: [PATCH] journal-remote: set a limit on the number of fields in a - message - -Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is -reused for the new error condition (too many fields). - -This matches the change done for systemd-journald, hence forming the second -part of the fix for CVE-2018-16865 -(https://bugzilla.redhat.com/show_bug.cgi?id=1653861). - -Resolves: #1657792 ---- - src/journal-remote/journal-remote-parse.c | 2 +- - src/journal-remote/journal-remote-write.c | 3 +++ - src/journal-remote/journal-remote.c | 14 ++++++++++++-- - 3 files changed, 16 insertions(+), 3 deletions(-) - -diff --git a/src/journal-remote/journal-remote-parse.c b/src/journal-remote/journal-remote-parse.c -index 64089da19..53f4e3612 100644 ---- a/src/journal-remote/journal-remote-parse.c -+++ b/src/journal-remote/journal-remote-parse.c -@@ -107,7 +107,7 @@ static int get_line(RemoteSource *source, char **line, size_t *size) { - source->scanned = source->filled; - if (source->scanned >= DATA_SIZE_MAX) { - log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX); -- return -E2BIG; -+ return -ENOBUFS; - } - - if (source->passive_fd) -diff --git a/src/journal-remote/journal-remote-write.c b/src/journal-remote/journal-remote-write.c -index 99820fa7b..99920e62c 100644 ---- a/src/journal-remote/journal-remote-write.c -+++ b/src/journal-remote/journal-remote-write.c -@@ -22,6 +22,9 @@ - #include "journal-remote.h" - - int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { -+ if (iovw->count >= ENTRY_FIELD_COUNT_MAX) -+ return -E2BIG; -+ - if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) - return log_oom(); - -diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c -index a455fb6bd..e65daf6a0 100644 ---- a/src/journal-remote/journal-remote.c -+++ b/src/journal-remote/journal-remote.c -@@ -524,11 +524,18 @@ static int process_http_upload( - break; - else if (r < 0) { - log_warning("Failed to process data for connection %p", connection); -- if (r == -E2BIG) -+ if (r == -ENOBUFS) - return mhd_respondf(connection, - MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, - "Entry is too large, maximum is %u bytes.\n", - DATA_SIZE_MAX); -+ -+ else if (r == -E2BIG) -+ return mhd_respondf(connection, -+ MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, -+ "Entry with more fields than the maximum of %u\n", -+ ENTRY_FIELD_COUNT_MAX); -+ - else - return mhd_respondf(connection, - MHD_HTTP_UNPROCESSABLE_ENTITY, -@@ -1043,7 +1050,10 @@ static int handle_raw_source(sd_event_source *event, - log_debug("%zu active sources remaining", s->active); - return 0; - } else if (r == -E2BIG) { -- log_notice_errno(E2BIG, "Entry too big, skipped"); -+ log_notice_errno(E2BIG, "Entry with too many fields, skipped"); -+ return 1; -+ } else if (r == -ENOBUFS) { -+ log_notice_errno(ENOBUFS, "Entry too big, skipped"); - return 1; - } else if (r == -EAGAIN) { - return 0; diff --git a/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch b/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch deleted file mode 100644 index 180d29f..0000000 --- a/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 16 Jan 2019 10:24:56 +0100 -Subject: [PATCH] journald: free cmdline buffers owned by iovec - -Resolves: #1666646 - -[msekleta: this is a followup for the fix of CVE-2018-16864. While -backporting upstream changes I've accidentally dropped the automatic -cleanup of the cmdline buffers. Technically speaking similar issue is in -coredump.c too, but after we dispatch iovec buffer in coredump.c we -immediately exit so allocated memory is reclaimed by the kernel.] ---- - src/journal/journald-server.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index c35858247..88d8f3e41 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -738,6 +738,7 @@ static void dispatch_message_real( - o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)], - o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)], - o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)]; -+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; - uid_t object_uid; - gid_t object_gid; - char *x; -@@ -790,7 +791,7 @@ static void dispatch_message_real( - if (r >= 0) { - /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack. - * Let's use a heap allocation for this one. */ -- set_iovec_field_free(iovec, &n, "_CMDLINE=", t); -+ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t); - } - - r = get_process_capeff(ucred->pid, &t); -@@ -916,7 +917,7 @@ static void dispatch_message_real( - - r = get_process_cmdline(object_pid, 0, false, &t); - if (r >= 0) -- set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); -+ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t); - - #ifdef HAVE_AUDIT - r = audit_session_from_pid(object_pid, &audit); diff --git a/SOURCES/0670-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/SOURCES/0670-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch deleted file mode 100644 index 0053542..0000000 --- a/SOURCES/0670-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch +++ /dev/null @@ -1,47 +0,0 @@ -From dfb87e5916ce13e75af2cefd62bbbafaef143d8c Mon Sep 17 00:00:00 2001 -From: Riccardo Schirone -Date: Mon, 4 Feb 2019 14:29:09 +0100 -Subject: [PATCH] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX - limit. - -Even though the dbus specification does not enforce any length limit on the -path of a dbus message, having to analyze too long strings in PID1 may be -time-consuming and it may have security impacts. - -In any case, the limit is set so high that real-life applications should not -have a problem with it. - -Related: #1667870 ---- - src/libsystemd/sd-bus/bus-internal.c | 2 +- - src/libsystemd/sd-bus/bus-internal.h | 4 ++++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c -index 91b288cd2..c952d63e1 100644 ---- a/src/libsystemd/sd-bus/bus-internal.c -+++ b/src/libsystemd/sd-bus/bus-internal.c -@@ -58,7 +58,7 @@ bool object_path_is_valid(const char *p) { - if (slash) - return false; - -- return true; -+ return (q - p) <= BUS_PATH_SIZE_MAX; - } - - char* object_path_startswith(const char *a, const char *b) { -diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h -index 9c1e5a35b..1c5fbeac2 100644 ---- a/src/libsystemd/sd-bus/bus-internal.h -+++ b/src/libsystemd/sd-bus/bus-internal.h -@@ -331,6 +331,10 @@ struct sd_bus { - - #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) - #define BUS_AUTH_SIZE_MAX (64*1024) -+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one -+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, -+ * to not clash unnecessarily with real-life applications. */ -+#define BUS_PATH_SIZE_MAX (64*1024) - - #define BUS_CONTAINER_DEPTH 128 - diff --git a/SOURCES/0671-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch b/SOURCES/0671-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch deleted file mode 100644 index 8cbe0fb..0000000 --- a/SOURCES/0671-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch +++ /dev/null @@ -1,170 +0,0 @@ -From f0ee84481e7dd822fb5864de3e46c8d85400ee8e Mon Sep 17 00:00:00 2001 -From: Riccardo Schirone -Date: Mon, 4 Feb 2019 14:29:28 +0100 -Subject: [PATCH] Allocate temporary strings to hold dbus paths on the heap - -Paths are limited to BUS_PATH_SIZE_MAX but the maximum size is anyway too big -to be allocated on the stack, so let's switch to the heap where there is a -clear way to understand if the allocation fails. - -Resolves: #1667870 ---- - src/libsystemd/sd-bus/bus-objects.c | 58 +++++++++++++++++++++++------ - 1 file changed, 46 insertions(+), 12 deletions(-) - -diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c -index fc6c22328..8df73bdf4 100644 ---- a/src/libsystemd/sd-bus/bus-objects.c -+++ b/src/libsystemd/sd-bus/bus-objects.c -@@ -1104,7 +1104,8 @@ static int object_manager_serialize_path_and_fallbacks( - const char *path, - sd_bus_error *error) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -1120,7 +1121,12 @@ static int object_manager_serialize_path_and_fallbacks( - return 0; - - /* Second, add fallback vtables registered for any of the prefixes */ -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_manager_serialize_path(bus, reply, prefix, path, true, error); - if (r < 0) -@@ -1316,6 +1322,7 @@ static int object_find_and_run( - } - - int bus_process_object(sd_bus *bus, sd_bus_message *m) { -+ _cleanup_free_ char *prefix = NULL; - int r; - size_t pl; - bool found_object = false; -@@ -1340,9 +1347,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) { - assert(m->member); - - pl = strlen(m->path); -- do { -- char prefix[pl+1]; -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; - -+ do { - bus->nodes_modified = false; - - r = object_find_and_run(bus, m, m->path, false, &found_object); -@@ -2044,9 +2054,10 @@ _public_ int sd_bus_emit_properties_changed_strv( - const char *interface, - char **names) { - -+ _cleanup_free_ char *prefix = NULL; - BUS_DONT_DESTROY(bus); - bool found_interface = false; -- char *prefix; -+ size_t pl; - int r; - - assert_return(bus, -EINVAL); -@@ -2064,6 +2075,12 @@ _public_ int sd_bus_emit_properties_changed_strv( - if (names && names[0] == NULL) - return 0; - -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - do { - bus->nodes_modified = false; - -@@ -2073,7 +2090,6 @@ _public_ int sd_bus_emit_properties_changed_strv( - if (bus->nodes_modified) - continue; - -- prefix = alloca(strlen(path) + 1); - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); - if (r != 0) -@@ -2204,7 +2220,8 @@ static int object_added_append_all_prefix( - - static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2249,7 +2266,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_added_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2380,7 +2402,8 @@ static int object_removed_append_all_prefix( - - static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2412,7 +2435,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2554,7 +2582,8 @@ static int interfaces_added_append_one( - const char *path, - const char *interface) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2568,7 +2597,12 @@ static int interfaces_added_append_one( - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); - if (r != 0) diff --git a/SOURCES/0672-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/SOURCES/0672-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch deleted file mode 100644 index b2d2bbc..0000000 --- a/SOURCES/0672-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From f2126dbc1dcaca92250427e76e7a87e61b10f540 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 13 Feb 2019 16:51:22 +0100 -Subject: [PATCH] sd-bus: if we receive an invalid dbus message, ignore and - proceeed - -dbus-daemon might have a slightly different idea of what a valid msg is -than us (for example regarding valid msg and field sizes). Let's hence -try to proceed if we can and thus drop messages rather than fail the -connection if we fail to validate a message. - -Hopefully the differences in what is considered valid are not visible -for real-life usecases, but are specific to exploit attempts only. - -(cherry-picked from commit 6d586a13717ae057aa1b4127400c3de61cd5b9e7) - -Related: #1667871 ---- - src/libsystemd/sd-bus/bus-socket.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c -index ab56ef4f3..4437024bb 100644 ---- a/src/libsystemd/sd-bus/bus-socket.c -+++ b/src/libsystemd/sd-bus/bus-socket.c -@@ -879,7 +879,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) { - } - - static int bus_socket_make_message(sd_bus *bus, size_t size) { -- sd_bus_message *t; -+ sd_bus_message *t = NULL; - void *b; - int r; - -@@ -905,7 +905,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { - NULL, - NULL, - &t); -- if (r < 0) { -+ if (r == -EBADMSG) -+ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); -+ else if (r < 0) { - free(b); - return r; - } -@@ -916,7 +918,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { - bus->fds = NULL; - bus->n_fds = 0; - -- bus->rqueue[bus->rqueue_size++] = t; -+ if (t) -+ bus->rqueue[bus->rqueue_size++] = t; - - return 1; - } diff --git a/SOURCES/0673-Revert-bus-when-dumping-string-property-values-escap.patch b/SOURCES/0673-Revert-bus-when-dumping-string-property-values-escap.patch deleted file mode 100644 index 9e0352c..0000000 --- a/SOURCES/0673-Revert-bus-when-dumping-string-property-values-escap.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 8e5cb71473f8392a69eee0acea11e198ce7cd4c9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 1 Jul 2017 16:17:12 -0400 -Subject: [PATCH] Revert "bus: when dumping string property values escape the - chars we use as end-of-line and end-of-item marks" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This reverts commit 27e9c5af817147ea1c678769e45e83f2e4b4ae96. - -Property values already use escaping, so escaping them a second time is -confusing. It also should be mostly unnecessary: we take care to make property -values only contains strings which (after the initial escaping) are printable -and parseable without any futher escaping. - -Before revert: -$ systemctl list-dependencies 'dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device' -dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device -● ├─dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.swap -● └─systemd-cryptsetup@luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.service -$ systemctl show -p Wants,Requires 'dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device' -Requires=systemd-cryptsetup@luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.service -Wants=dev-mapper-luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.swap - -Difference between systemctl show before revert and now: --Slice=system-systemd\x5cx2dcryptsetup.slice -+Slice=system-systemd\x2dcryptsetup.slice - --Id=systemd-cryptsetup@luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.service -+Id=systemd-cryptsetup@luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.service - --Names=systemd-cryptsetup@luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.service -+Names=systemd-cryptsetup@luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.service - --Requires=system-systemd\x5cx2dcryptsetup.slice -+Requires=system-systemd\x2dcryptsetup.slice - --BindsTo=dev-mapper-luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.device dev-disk-by\x5cx2duuid-8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.device -+BindsTo=dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device dev-disk-by\x2duuid-8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device - --RequiredBy=dev-mapper-luks\x5cx2d8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.device cryptsetup.target -+RequiredBy=dev-mapper-luks\x2d8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device cryptsetup.target - --WantedBy=dev-disk-by\x5cx2duuid-8db85dcf\x5cx2d6230\x5cx2d4e88\x5cx2d940d\x5cx2dba176d062b31.device -+WantedBy=dev-disk-by\x2duuid-8db85dcf\x2d6230\x2d4e88\x2d940d\x2dba176d062b31.device - -(cherry picked from commit 3dfbc968e8343172faf754a3c81e27f0dbd8f157) - -Resolves: #1643172 ---- - src/libsystemd/sd-bus/bus-util.c | 19 +++---------------- - 1 file changed, 3 insertions(+), 16 deletions(-) - -diff --git a/src/libsystemd/sd-bus/bus-util.c b/src/libsystemd/sd-bus/bus-util.c -index b1bdbad2d..9b77059a9 100644 ---- a/src/libsystemd/sd-bus/bus-util.c -+++ b/src/libsystemd/sd-bus/bus-util.c -@@ -643,15 +643,8 @@ int bus_print_property(const char *name, sd_bus_message *property, bool all) { - if (r < 0) - return r; - -- if (all || !isempty(s)) { -- _cleanup_free_ char *escaped = NULL; -- -- escaped = xescape(s, "\n"); -- if (!escaped) -- return -ENOMEM; -- -- printf("%s=%s\n", name, escaped); -- } -+ if (all || !isempty(s)) -+ printf("%s=%s\n", name, s); - - return 1; - } -@@ -742,16 +735,10 @@ int bus_print_property(const char *name, sd_bus_message *property, bool all) { - return r; - - while((r = sd_bus_message_read_basic(property, SD_BUS_TYPE_STRING, &str)) > 0) { -- _cleanup_free_ char *escaped = NULL; -- - if (first) - printf("%s=", name); - -- escaped = xescape(str, "\n "); -- if (!escaped) -- return -ENOMEM; -- -- printf("%s%s", first ? "" : " ", escaped); -+ printf("%s%s", first ? "" : " ", str); - - first = false; - } diff --git a/SOURCES/0674-rules-fix-memory-hotplug-rule-so-systemd-detect-virt.patch b/SOURCES/0674-rules-fix-memory-hotplug-rule-so-systemd-detect-virt.patch deleted file mode 100644 index dd280fd..0000000 --- a/SOURCES/0674-rules-fix-memory-hotplug-rule-so-systemd-detect-virt.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 8ed83533ae34ad1836fa82f70c08eb075aa8578f Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Wed, 30 Jan 2019 10:20:57 +0100 -Subject: [PATCH] rules: fix memory hotplug rule so systemd-detect-virt does - not run too often - -Fixes a bug introduced in commit c50b7bcbebcfebfce3a7e7fb77f88f4b590fb2b5. - -Resolves: #1701230 ---- - rules/40-redhat.rules | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules -index 1b10e173d..2c690e522 100644 ---- a/rules/40-redhat.rules -+++ b/rules/40-redhat.rules -@@ -4,7 +4,8 @@ - SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" - - # Memory hotadd request --SUBSYSTEM!="memory", ACTION!="add", GOTO="memory_hotplug_end" -+SUBSYSTEM!="memory", GOTO="memory_hotplug_end" -+ACTION!="add", GOTO="memory_hotplug_end" - PROGRAM="/bin/uname -p", RESULT=="s390*", GOTO="memory_hotplug_end" - - ENV{.state}="online" diff --git a/SOURCES/0675-sd-bus-deal-with-cookie-overruns.patch b/SOURCES/0675-sd-bus-deal-with-cookie-overruns.patch deleted file mode 100644 index 7c1c194..0000000 --- a/SOURCES/0675-sd-bus-deal-with-cookie-overruns.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 28f73a10df367721b30a95df5d729f6c56d318e5 Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Tue, 2 Apr 2019 10:23:30 +0200 -Subject: [PATCH] sd-bus: deal with cookie overruns - -Apparently this happens IRL. Let's carefully deal with issues like this: -when we overrun, let's not go back to zero but instead leave the highest -cookie bit set. We use that as indication that we are in "overrun -territory", and then are particularly careful with checking cookies, -i.e. that they haven't been used for still outstanding replies yet. This -should retain the quick cookie generation behaviour we used to have, but -permits dealing with overruns. - -Replaces: #11804 -Fixes: #11809 - -(cherry picked from commit 1f82f5bb4237ed5f015daf93f818e9db95e764b8) -(cherry picked from commit ac46d01c5f6a211bbbbb43e20f63ecae2549da20) - -Resolves: #1720699 ---- - src/libsystemd/sd-bus/sd-bus.c | 49 +++++++++++++++++++++++++++++++++- - src/shared/macro.h | 2 ++ - 2 files changed, 50 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index b0a3237..44ed2c7 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -1495,7 +1495,50 @@ _public_ int sd_bus_get_bus_id(sd_bus *bus, sd_id128_t *id) { - return 0; - } - -+#define COOKIE_CYCLED (UINT32_C(1) << 31) -+ -+static uint64_t cookie_inc(uint64_t cookie) { -+ -+ /* Stay within the 32bit range, since classic D-Bus can't deal with more */ -+ if (cookie >= UINT32_MAX) -+ return COOKIE_CYCLED; /* Don't go back to zero, but use the highest bit for checking -+ * whether we are looping. */ -+ -+ return cookie + 1; -+} -+ -+static int next_cookie(sd_bus *b) { -+ uint64_t new_cookie; -+ -+ assert(b); -+ -+ new_cookie = cookie_inc(b->cookie); -+ -+ /* Small optimization: don't bother with checking for cookie reuse until we overran cookiespace at -+ * least once, but then do it thorougly. */ -+ if (FLAGS_SET(new_cookie, COOKIE_CYCLED)) { -+ uint32_t i; -+ -+ /* Check if the cookie is currently in use. If so, pick the next one */ -+ for (i = 0; i < COOKIE_CYCLED; i++) { -+ if (!ordered_hashmap_contains(b->reply_callbacks, &new_cookie)) -+ goto good; -+ -+ new_cookie = cookie_inc(new_cookie); -+ } -+ -+ /* Can't fulfill request */ -+ return -EBUSY; -+ } -+ -+good: -+ b->cookie = new_cookie; -+ return 0; -+} -+ - static int bus_seal_message(sd_bus *b, sd_bus_message *m, usec_t timeout) { -+ int r; -+ - assert(b); - assert(m); - -@@ -1510,7 +1553,11 @@ static int bus_seal_message(sd_bus *b, sd_bus_message *m, usec_t timeout) { - if (timeout == 0) - timeout = BUS_DEFAULT_TIMEOUT; - -- return bus_message_seal(m, ++b->cookie, timeout); -+ r = next_cookie(b); -+ if (r < 0) -+ return r; -+ -+ return bus_message_seal(m, b->cookie, timeout); - } - - static int bus_remarshal_message(sd_bus *b, sd_bus_message **m) { -diff --git a/src/shared/macro.h b/src/shared/macro.h -index 7a57f4e..08567d2 100644 ---- a/src/shared/macro.h -+++ b/src/shared/macro.h -@@ -394,6 +394,8 @@ do { \ - - #define SET_FLAG(v, flag, b) \ - (v) = (b) ? ((v) | (flag)) : ((v) & ~(flag)) -+#define FLAGS_SET(v, flags) \ -+ ((~(v) & (flags)) == 0) - - #define IN_SET(x, y, ...) \ - ({ \ --- -2.21.0 - diff --git a/SOURCES/0676-core-Fix-edge-case-when-processing-proc-self-mountin.patch b/SOURCES/0676-core-Fix-edge-case-when-processing-proc-self-mountin.patch deleted file mode 100644 index f2de7c6..0000000 --- a/SOURCES/0676-core-Fix-edge-case-when-processing-proc-self-mountin.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 403580d6e23991f414526a5fd90fb253210c07ba Mon Sep 17 00:00:00 2001 -From: Kyle Walker -Date: Thu, 21 Mar 2019 15:09:06 -0400 -Subject: [PATCH] core: Fix edge case when processing /proc/self/mountinfo - -Currently, if there are two /proc/self/mountinfo entries with the same -mount point path, the mount setup flags computed for the second of -these two entries will overwrite the mount setup flags computed for -the first of these two entries. This is the root cause of issue #7798. -This patch changes mount_setup_existing_unit to prevent the -just_mounted mount setup flag from being overwritten if it is set to -true. This will allow all mount units created from /proc/self/mountinfo -entries to be initialized properly. - -(cherry picked from commit 65d36b49508a53e56bae9609ff00fdc3de340608) -(cherry picked from commit 1c9add7cc78fc65b043f9e87ab63bb2158d2ddf0) - -Resolves: #1722576 ---- - src/core/mount.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/mount.c b/src/core/mount.c -index 5fd7a86..c7aed23 100644 ---- a/src/core/mount.c -+++ b/src/core/mount.c -@@ -1527,7 +1527,7 @@ static int mount_setup_unit( - - if (set_flags) { - MOUNT(u)->is_mounted = true; -- MOUNT(u)->just_mounted = !MOUNT(u)->from_proc_self_mountinfo; -+ MOUNT(u)->just_mounted = !MOUNT(u)->from_proc_self_mountinfo || MOUNT(u)->just_mounted; - MOUNT(u)->just_changed = changed; - } - --- -2.21.0 - diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 88f2331..b424f9e 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -7,7 +7,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 219 -Release: 62%{?dist}.9.0.1 +Release: 67%{?dist}.1 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager @@ -704,17 +704,99 @@ Patch0662: 0662-cryptsetup-generator-don-t-return-error-if-target-di.patch Patch0663: 0663-cryptsetup-generator-allow-whitespace-characters-in-.patch Patch0664: 0664-Make-sure-the-mount-units-pulled-by-RequiresMountsFo.patch Patch0665: 0665-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch -Patch0666: 0666-journald-do-not-store-the-iovec-entry-for-process-co.patch -Patch0667: 0667-journald-set-a-limit-on-the-number-of-fields-1k.patch -Patch0668: 0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch -Patch0669: 0669-journald-free-cmdline-buffers-owned-by-iovec.patch -Patch0670: 0670-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch -Patch0671: 0671-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch -Patch0672: 0672-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch -Patch0673: 0673-Revert-bus-when-dumping-string-property-values-escap.patch -Patch0674: 0674-rules-fix-memory-hotplug-rule-so-systemd-detect-virt.patch -Patch0675: 0675-sd-bus-deal-with-cookie-overruns.patch -Patch0676: 0676-core-Fix-edge-case-when-processing-proc-self-mountin.patch +Patch0666: 0666-test-functions-fix-dbus-1-installation.patch +Patch0667: 0667-journald-do-not-store-the-iovec-entry-for-process-co.patch +Patch0668: 0668-journald-set-a-limit-on-the-number-of-fields-1k.patch +Patch0669: 0669-journal-remote-set-a-limit-on-the-number-of-fields-i.patch +Patch0670: 0670-journald-free-cmdline-buffers-owned-by-iovec.patch +Patch0671: 0671-test-01-basic-mask-some-services-that-currently-don-.patch +Patch0672: 0672-tests-drop-the-precondition-check-for-inherited-flag.patch +Patch0673: 0673-mount-point-honour-AT_SYMLINK_FOLLOW-correctly.patch +Patch0674: 0674-copy-only-check-for-traversing-mount-points-on-direc.patch +Patch0675: 0675-travis-enable-Travis-CI-on-CentOS-7.patch +Patch0676: 0676-travis-RHEL8-support.patch +Patch0677: 0677-travis-drop-the-SELinux-Fedora-workaround.patch +Patch0678: 0678-travis-fix-syntax-error-in-.travis.yml.patch +Patch0679: 0679-travis-temporarily-skip-test_path_changed.patch +Patch0680: 0680-travis-reboot-the-container-before-running-tests.patch +Patch0681: 0681-travis-drop-the-test_path_changed-workaround.patch +Patch0682: 0682-detect-virt-do-not-try-to-read-all-of-proc-cpuinfo.patch +Patch0683: 0683-core-disable-the-effect-of-Restart-if-there-s-a-stop.patch +Patch0684: 0684-networkd-respect-DHCP-UseRoutes-option.patch +Patch0685: 0685-networkd-fix-dhcp4-link-without-routes-not-being-con.patch +Patch0686: 0686-networkd-dont-crash-when-mtu-changes-6594.patch +Patch0687: 0687-tmpfiles-e-takes-globs.patch +Patch0688: 0688-tmpfiles-e-is-supposed-to-operate-on-directory-only.patch +Patch0689: 0689-tmpfiles-e-is-supposed-to-accept-shell-style-globs.patch +Patch0690: 0690-bus-message-do-not-crash-on-message-with-a-string-of.patch +Patch0691: 0691-Revert-bus-when-dumping-string-property-values-escap.patch +Patch0692: 0692-set-automount-state-to-waiting-when-the-mount-is-sto.patch +Patch0693: 0693-core-when-deserializing-state-always-use-read_line-L.patch +Patch0694: 0694-core-enforce-a-limit-on-STATUS-texts-recvd-from-serv.patch +Patch0695: 0695-shorten-hostname-before-checking-for-trailing-dot.patch +Patch0696: 0696-journald-fixed-assertion-failure-when-system-journal.patch +Patch0697: 0697-local-addresses-handle-gracefully-if-routes-lack-an-.patch +Patch0698: 0698-rules-fix-memory-hotplug-rule-so-systemd-detect-virt.patch +Patch0699: 0699-6647-use-path_startswith-dev-in-cryptsetup-6732.patch +Patch0700: 0700-core-mount-setup-handle-non-existing-mountpoints-gra.patch +Patch0701: 0701-units-rescue.service.in-fix-announcement-message.patch +Patch0702: 0702-systemctl-Allow-edit-and-cat-on-unloaded-units.patch +Patch0703: 0703-main-improve-RLIMIT_NOFILE-handling-5795.patch +Patch0704: 0704-shared-sleep-config-exclude-zram-devices-from-hibern.patch +Patch0705: 0705-journalctl-allow-file-directory-with-boot-or-list-bo.patch +Patch0706: 0706-journalct-allow-boot-0-to-DTRT-with-file-directory.patch +Patch0707: 0707-journal-remote-show-error-message-if-output-file-nam.patch +Patch0708: 0708-artificially-serialize-building-of-.policy-files.patch +Patch0709: 0709-tests-run-udevadm-settle-after-fdisk.patch +Patch0710: 0710-cryptsetup-add-support-for-sector-size-option-9936.patch +Patch0711: 0711-cryptsetup-do-not-define-arg_sector_size-if-libgcryp.patch +Patch0712: 0712-journal-fix-syslog_parse_identifier.patch +Patch0713: 0713-journal-do-not-remove-multiple-spaces-after-identifi.patch +Patch0714: 0714-build-sys-add-check-for-gperf-lookup-function-signat.patch +Patch0715: 0715-lgtm-add-explicit-configuration-for-C-extraction.patch +Patch0716: 0716-tmpfiles-change-ownership-of-symlinks-too.patch +Patch0717: 0717-tmpfiles-fix-check-for-figuring-out-whether-to-call-.patch +Patch0718: 0718-travis-drop-the-RHEL-8-manager-from-the-RHEL-7-branc.patch +Patch0719: 0719-travis-support-SMP-if-available.patch +Patch0720: 0720-shared-install-allow-enable-on-linked-unit-files.patch +Patch0721: 0721-backport-fd_is_fs_type.patch +Patch0722: 0722-backport-chase_symlinks.patch +Patch0723: 0723-fs-util-add-new-CHASE_SAFE-flag-to-chase_symlinks.patch +Patch0724: 0724-fs-util-add-new-chase_symlinks-flag-CHASE_OPEN.patch +Patch0725: 0725-sd-dameon-also-sent-ucred-when-our-UID-differs-from-.patch +Patch0726: 0726-notify-add-new-uid-command.patch +Patch0727: 0727-core-be-stricter-when-handling-PID-files-and-MAINPID.patch +Patch0728: 0728-journald-respect-KeepFree-as-well-as-MaxUse-values.patch +Patch0729: 0729-shutdown-in_container-was-used-before-its-definition.patch +Patch0730: 0730-core-Fix-edge-case-when-processing-proc-self-mountin.patch +Patch0731: 0731-sd-bus-deal-with-cookie-overruns.patch +Patch0732: 0732-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch +Patch0733: 0733-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch +Patch0734: 0734-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch +Patch0735: 0735-udev-check-if-the-spawned-PID-didn-t-exit-after-reap.patch +Patch0736: 0736-udev-call-poll-again-after-killing-the-spawned-proce.patch +Patch0737: 0737-udev-check-age-against-both-timeouts-to-prevent-inte.patch +Patch0738: 0738-avoid-possible-hang-if-our-child-process-hangs.patch +Patch0739: 0739-missing-when-adding-syscall-replacements-use-differe.patch +Patch0740: 0740-include-sys-sysmacros.h-in-more-places.patch +Patch0741: 0741-sd-bus-unify-three-code-paths-which-free-struct-bus_.patch +Patch0742: 0742-hashmap-don-t-use-mempool.patch +Patch0743: 0743-man-be-more-explicit-about-thread-safety-of-sd_journ.patch +Patch0744: 0744-selinux-don-t-log-SELINUX_INFO-and-SELINUX_WARNING-m.patch +Patch0745: 0745-fix-mis-merge.patch +Patch0746: 0746-fs-util-chase_symlinks-prevent-double-free.patch +Patch0747: 0747-return-error-value-on-failure.patch +Patch0748: 0748-revert-local-changes-made-during-backport-of-the-tes.patch +Patch0749: 0749-core-timer-Prevent-timer-looping-when-unit-cannot-st.patch +Patch0750: 0750-core-add-a-Requires-dependency-between-units-and-the.patch +Patch0751: 0751-core-rerun-GC-logic-for-a-unit-that-loses-a-referenc.patch +Patch0752: 0752-pid1-rename-unit_check_gc-to-unit_may_gc.patch +Patch0753: 0753-pid1-include-the-source-unit-in-UnitRef.patch +Patch0754: 0754-pid1-fix-collection-of-cycles-of-units-which-referen.patch +Patch0755: 0755-pid1-free-basic-unit-information-at-the-very-end-bef.patch +Patch0756: 0756-pid1-properly-remove-references-to-the-unit-from-gc-.patch +Patch0757: 0757-service-relax-PID-file-symlink-chain-checks-a-bit-81.patch +Patch0758: 0758-path-util-fix-more-path_is_mount-e792e890f-fallout.patch Patch9999: 9999-Update-kernel-install-script-by-backporting-fedora-p.patch @@ -1693,38 +1775,93 @@ fi %{_mandir}/man8/systemd-resolved.* %changelog -* Tue Jul 30 2019 Pablo Greco - 219-62.9.0.1 -- Update kernel-install script for fedora-like kernels - -* Mon Jun 24 2019 Michal Sekletár - 219-62.9 -- core: Fix edge case when processing /proc/self/mountinfo (#1722576) - -* Wed Jun 19 2019 Michal Sekletár - 219-62.8 -- sd-bus: deal with cookie overruns (#1720699) - -* Wed Apr 24 2019 Lukas Nykryn - 219-62.7 -- rules: fix memory hotplug rule so systemd-detect-virt does not run too often (#1701230) - -* Thu Mar 21 2019 Lukas Nykryn - 219-62.6 -- Revert "bus: when dumping string property values escape the chars we use as end-of-line and end-of-item marks" (#1643172) - -* Thu Feb 14 2019 Lukas Nykryn - 219-62.5 +* Fri Jul 12 2019 Lukas Nykryn - 219-67.1 +- return error value on failure (#1729226) +- revert local changes made during backport of the test (#1729226) +- core/timer: Prevent timer looping when unit cannot start (#1729230) +- core: add a "Requires=" dependency between units and the slices they are located in (#1729228) +- core: rerun GC logic for a unit that loses a reference (#1729228) +- pid1: rename unit_check_gc to unit_may_gc (#1729228) +- pid1: include the source unit in UnitRef (#1729228) +- pid1: fix collection of cycles of units which reference one another (#1729228) +- pid1: free basic unit information at the very end, before freeing the unit (#1729228) +- pid1: properly remove references to the unit from gc queue during final cleanup (#1729228) +- service: relax PID file symlink chain checks a bit (#8133) (#1729414) +- path-util: fix more path_is_mount e792e890f fallout (#1279231) + +* Wed Jun 19 2019 Michal Sekletár - 219-67 +- fix mis-merge (#1714503) +- fs-util: chase_symlinks(): prevent double fre (#1714782) + +* Tue May 14 2019 Lukas Nykryn - 219-66 +- sd-bus: unify three code-paths which free struct bus_container (#1643394) +- hashmap: don't use mempool (#1609349) +- man: be more explicit about thread safety of sd_journal (#1609349) +- selinux: don't log SELINUX_INFO and SELINUX_WARNING messages to audit (#1240730) + +* Thu May 02 2019 Lukas Nykryn - 219-65 +- backport fd_is_fs_type (#1663143) +- backport chase_symlinks (#1663143) +- fs-util: add new CHASE_SAFE flag to chase_symlinks() (#1663143) +- fs-util: add new chase_symlinks() flag CHASE_OPEN (#1663143) +- sd-dameon: also sent ucred when our UID differs from EUID (#1663143) +- notify: add new --uid= command (#1663143) +- core: be stricter when handling PID files and MAINPID sd_notify() messages (#1663143) +- journald: respect KeepFree= as well as MaxUse= values (#1361893) +- shutdown: in_container was used before its definition (#1693716) +- core: Fix edge case when processing /proc/self/mountinfo (#1691511) +- sd-bus: deal with cookie overruns (#1693559) +- Refuse dbus message paths longer than BUS_PATH_SIZE_MAX limit. (#1667871) +- Allocate temporary strings to hold dbus paths on the heap (#1667871) - sd-bus: if we receive an invalid dbus message, ignore and proceeed (#1667871) - -* Thu Feb 07 2019 Lukas Nykryn - 219-62.4 -- Refuse dbus message paths longer than BUS_PATH_SIZE_MAX limit. (#1667870) -- Allocate temporary strings to hold dbus paths on the heap (#1667870) - -* Wed Jan 16 2019 Lukas Nykryn - 219-62.3 -- journald: free cmdline buffers owned by iovec (#1666646) - -* Mon Jan 07 2019 Lukas Nykryn - 219-62.2 +- udev: check if the spawned PID didn't exit after reaping unexpected PID (#1697909) +- udev: call poll() again after killing the spawned process (#1697909) +- udev: check age against both timeouts to prevent integer wraparound (#1697909) +- avoid possible hang if our child process hangs (#1697909) +- missing: when adding syscall replacements, use different names (#1694605) +- include sys/sysmacros.h in more places (#1694605) + +* Wed Mar 27 2019 Lukas Nykryn - 219-64 +- detect-virt: do not try to read all of /proc/cpuinfo (#1631531) +- core: disable the effect of Restart= if there's a stop job pending for a service (#6581) (#1626382) +- networkd: respect DHCP UseRoutes option (#1663365) +- networkd: fix dhcp4 link without routes not being considered ready (#8728) (#1663365) +- networkd: dont crash when mtu changes (#6594) (#1663365) +- tmpfiles: "e" takes globs (#1641764) +- tmpfiles: 'e' is supposed to operate on directory only (#1641764) +- tmpfiles: 'e' is supposed to accept shell-style globs (#1641764) +- bus-message: do not crash on message with a string of zero length (#1643396) +- Revert "bus: when dumping string property values escape the chars we use as end-of-line and end-of-item marks" (#1643172) +- set automount state to waiting when the mount is stopped (#1651257) +- core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) (CVE-2018-15686) +- shorten hostname before checking for trailing dot (#1631625) +- journald: fixed assertion failure when system journal rotation fails (#9893) (#1619543) +- local-addresses: handle gracefully if routes lack an RTA_OIF attribute (#1627750) +- rules: fix memory hotplug rule so systemd-detect-virt does not run too often (#1666612) +- 6647 - use path_startswith("/dev") in cryptsetup (#6732) (#1664695) +- core: mount-setup: handle non-existing mountpoints gracefully (#1585411) +- units/rescue.service.in: fix announcement message (#1660422) +- systemctl: Allow 'edit' and 'cat' on unloaded units (#1649518) +- main: improve RLIMIT_NOFILE handling (#5795) (#1585913) +- shared/sleep-config: exclude zram devices from hibernation candidates (#1609816) +- journalctl: allow --file/--directory with --boot or --list-boots (#1463678) +- journalct: allow --boot=0 to DTRT with --file/--directory (#1463678) +- journal-remote: show error message if output file name does not end with .journal (bz#1267552) +- artificially serialize building of .policy files (#1272485) +- cryptsetup: add support for sector-size= option (#9936) (#1571801) +- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) (#1571801) +- journal: fix syslog_parse_identifier() (#1657794) +- journal: do not remove multiple spaces after identifier in syslog message (#1657794) +- tmpfiles: change ownership of symlinks too (#1620110) +- tmpfiles: fix check for figuring out whether to call chmod() (#1620110) +- shared/install: allow "enable" on linked unit files (#1628575) + +* Thu Jan 17 2019 Lukas Nykryn - 219-63 +- dhcp6: make sure we have enough space for the DHCP6 option header (CVE-2018-15688) - journald: do not store the iovec entry for process commandline on stack (#1657788) - journald: set a limit on the number of fields (1k) (#1657792) - journal-remote: set a limit on the number of fields in a message (#1657792) - -* Mon Nov 26 2018 Lukas Nykryn - 219-62.1 -- dhcp6: make sure we have enough space for the DHCP6 option header (CVE-2018-15688) +- journald: free cmdline buffers owned by iovec (#1666646) * Fri Sep 07 2018 Lukas Nykryn - 219-62 - cryptsetup-generator: introduce basic keydev support (#1619743)