From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Dec 2018 22:45:02 +0100 Subject: [PATCH] journald: set a limit on the number of fields (1k) We allocate a iovec entry for each field, so with many short entries, our memory usage and processing time can be large, even with a relatively small message size. Let's refuse overly long entries. CVE-2018-16865 https://bugzilla.redhat.com/show_bug.cgi?id=1653861 What from I can see, the problem is not from an alloca, despite what the CVE description says, but from the attack multiplication that comes from creating many very small iovecs: (void* + size_t) for each three bytes of input message. Patch backported from systemd master at 052c57f132f04a3cf4148f87561618da1a6908b4. CVE: CVE-2018-16865 Upstream-Status: Backport --- src/basic/journal-importer.h | 3 +++ src/journal/journald-native.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h index f49ce734a1..c4ae45d32d 100644 --- a/src/basic/journal-importer.h +++ b/src/basic/journal-importer.h @@ -16,6 +16,9 @@ #define DATA_SIZE_MAX (1024*1024*768u) #define LINE_CHUNK 8*1024u +/* The maximum number of fields in an entry */ +#define ENTRY_FIELD_COUNT_MAX 1024 + struct iovec_wrapper { struct iovec *iovec; size_t size_bytes; diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index 5ff22a10af..951d092053 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -140,6 +140,11 @@ static int server_process_entry( } /* A property follows */ + if (n > ENTRY_FIELD_COUNT_MAX) { + log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); + r = 1; + goto finish; + } /* n existing properties, 1 new, +1 for _TRANSPORT */ if (!GREEDY_REALLOC(iovec, m, -- 2.11.0