From 03fe8f1085b1f9ab381e69f1735ba8b1c049d4b8 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Tue, 25 Oct 2016 14:23:08 +0800 Subject: systemd: CVE-2016-7795 The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. The patch is a backport from the latest git repo. Please see the link below for more information. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795 Signed-off-by: Chen Qi --- .../systemd/systemd/CVE-2016-7795.patch | 69 ++++++++++++++++++++++ meta/recipes-core/systemd/systemd_230.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2016-7795.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch new file mode 100644 index 0000000000..5ecb9c32de --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch @@ -0,0 +1,69 @@ +Subject: Fix CVE-2016-7795 + +This undoes 531ac2b. I acked that patch without looking at the code +carefully enough. There are two problems: +- we want to process the fds anyway +- in principle empty notification messages are valid, and we should + process them as usual, including logging using log_unit_debug(). + +Upstream-Status: Backport +CVE: CVE-2016-7795 + +Signed-off-by: Chen Qi +--- + src/core/manager.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 7838f56..f165d08e 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui + return 0; + } + +-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) { ++static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) { + _cleanup_strv_free_ char **tags = NULL; + + assert(m); + assert(u); + assert(buf); +- assert(n > 0); + + tags = strv_split(buf, "\n\r"); + if (!tags) { +@@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t + return 0; + } + ++ /* The message should be a string. Here we make sure it's NUL-terminated, ++ * but only the part until first NUL will be used anyway. */ + buf[n] = 0; + + /* Notify every unit that might be interested, but try + * to avoid notifying the same one multiple times. */ + u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid); + if (u1) { +- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds); + found = true; + } + + u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid)); + if (u2 && u2 != u1) { +- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds); + found = true; + } + + u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid)); + if (u3 && u3 != u2 && u3 != u1) { +- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds); + found = true; + } + +-- +2.8.3 + diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb index a949fe8dbf..19d144d3fa 100644 --- a/meta/recipes-core/systemd/systemd_230.bb +++ b/meta/recipes-core/systemd/systemd_230.bb @@ -36,6 +36,7 @@ SRC_URI += " \ file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \ file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \ file://udev-re-enable-mount-propagation-for-udevd.patch \ + file://CVE-2016-7795.patch \ " SRC_URI_append_libc-uclibc = "\ file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \ -- cgit 1.2.3-korg