From 84cad080b4785781b35bb6b52fa2df52a6309904 Mon Sep 17 00:00:00 2001 From: George McCollister Date: Mon, 25 Feb 2019 10:37:10 -0600 Subject: systemd: Security fix CVE-2018-16865 Affects < v240 Based on thud commit d5d2b821fc85b8cf39f683061ac2a45bddd2139f The second patch in the thud commit doesn't apply against 237. Use the version of the second patch CVE-2018-16865_2.patch from systemd_237-3ubuntu10.13.debian. Signed-off-by: George McCollister --- ...ld-set-a-limit-on-the-number-of-fields-1k.patch | 60 ++++++++++++++++ ...ote-set-a-limit-on-the-number-of-fields-i.patch | 79 ++++++++++++++++++++++ meta/recipes-core/systemd/systemd_237.bb | 2 + 3 files changed, 141 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch create mode 100644 meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch (limited to 'meta/recipes-core/systemd') diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch new file mode 100644 index 0000000000..e8a6f2b986 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch @@ -0,0 +1,60 @@ +From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Dec 2018 22:45:02 +0100 +Subject: [PATCH] journald: set a limit on the number of fields (1k) + +We allocate a iovec entry for each field, so with many short entries, +our memory usage and processing time can be large, even with a relatively +small message size. Let's refuse overly long entries. + +CVE-2018-16865 +https://bugzilla.redhat.com/show_bug.cgi?id=1653861 + +What from I can see, the problem is not from an alloca, despite what the CVE +description says, but from the attack multiplication that comes from creating +many very small iovecs: (void* + size_t) for each three bytes of input message. + +Patch backported from systemd master at +052c57f132f04a3cf4148f87561618da1a6908b4. + +CVE: CVE-2018-16865 +Upstream-Status: Backport + +--- + src/basic/journal-importer.h | 3 +++ + src/journal/journald-native.c | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h +index f49ce734a1..c4ae45d32d 100644 +--- a/src/basic/journal-importer.h ++++ b/src/basic/journal-importer.h +@@ -16,6 +16,9 @@ + #define DATA_SIZE_MAX (1024*1024*768u) + #define LINE_CHUNK 8*1024u + ++/* The maximum number of fields in an entry */ ++#define ENTRY_FIELD_COUNT_MAX 1024 ++ + struct iovec_wrapper { + struct iovec *iovec; + size_t size_bytes; +diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c +index 5ff22a10af..951d092053 100644 +--- a/src/journal/journald-native.c ++++ b/src/journal/journald-native.c +@@ -140,6 +140,11 @@ static int server_process_entry( + } + + /* A property follows */ ++ if (n > ENTRY_FIELD_COUNT_MAX) { ++ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); ++ r = 1; ++ goto finish; ++ } + + /* n existing properties, 1 new, +1 for _TRANSPORT */ + if (!GREEDY_REALLOC(iovec, m, +-- +2.11.0 + diff --git a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch new file mode 100644 index 0000000000..f297333e72 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch @@ -0,0 +1,79 @@ +From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 7 Dec 2018 10:48:10 +0100 +Subject: [PATCH] journal-remote: set a limit on the number of fields in a + message + +Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is +reused for the new error condition (too many fields). + +This matches the change done for systemd-journald, hence forming the second +part of the fix for CVE-2018-16865 +(https://bugzilla.redhat.com/show_bug.cgi?id=1653861). + +Patch backported from systemd master at +ef4d6abe7c7fab6cbff975b32e76b09feee56074. + +Patch for 237 from: +systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch + +CVE: CVE-2018-16865 +Upstream-Status: Backport + +--- + src/journal-remote/journal-remote-main.c | 7 +++++-- + src/journal-remote/journal-remote.c | 3 +++ + src/shared/journal-importer.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +--- a/src/basic/journal-importer.c ++++ b/src/basic/journal-importer.c +@@ -38,6 +38,9 @@ + }; + + static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { ++ if (iovw->count >= ENTRY_FIELD_COUNT_MAX) ++ return -E2BIG; ++ + if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1)) + return log_oom(); + +@@ -113,7 +116,7 @@ + imp->scanned = imp->filled; + if (imp->scanned >= DATA_SIZE_MAX) { + log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX); +- return -E2BIG; ++ return -ENOBUFS; + } + + if (imp->passive_fd) +--- a/src/journal-remote/journal-remote.c ++++ b/src/journal-remote/journal-remote.c +@@ -517,10 +517,16 @@ + break; + else if (r < 0) { + log_warning("Failed to process data for connection %p", connection); +- if (r == -E2BIG) ++ if (r == -ENOBUFS) + return mhd_respondf(connection, + r, MHD_HTTP_PAYLOAD_TOO_LARGE, + "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes."); ++ ++ else if (r == -E2BIG) ++ return mhd_respondf(connection, ++ r, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE, ++ "Entry with more fields than the maximum of " STRINGIFY(ENTRY_FIELD_COUNT_MAX) "."); ++ + else + return mhd_respondf(connection, + r, MHD_HTTP_UNPROCESSABLE_ENTITY, +@@ -1090,6 +1096,9 @@ + log_debug("%zu active sources remaining", s->active); + return 0; + } else if (r == -E2BIG) { ++ log_notice("Entry with too many fields, skipped"); ++ return 1; ++ } else if (r == -ENOBUFS) { + log_notice_errno(E2BIG, "Entry too big, skipped"); + return 1; + } else if (r == -EAGAIN) { diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index 61d25e5135..fd110a8340 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb @@ -58,6 +58,8 @@ SRC_URI += "file://touchscreen.rules \ file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \ file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \ file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ + file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ + file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ " SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" -- cgit 1.2.3-korg