summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorge McCollister <george.mccollister@gmail.com>2019-02-25 10:37:07 -0600
committerArmin Kuster <akuster808@gmail.com>2019-03-17 12:07:56 -0700
commitb6f87a16ed7b73aec5b56f3f565fdadc169f1957 (patch)
treef5e3b5831e5724dd6e87bea86c66a32825e8ed23
parentccb1215772d04bc80e557193764ea7f7a16a6909 (diff)
downloadopenembedded-core-contrib-b6f87a16ed7b73aec5b56f3f565fdadc169f1957.tar.gz
openembedded-core-contrib-b6f87a16ed7b73aec5b56f3f565fdadc169f1957.tar.bz2
openembedded-core-contrib-b6f87a16ed7b73aec5b56f3f565fdadc169f1957.zip
systemd: fix CVE-2018-15687
Backport patch to fix the following CVE. CVE: CVE-2018-15687 Based on thud commit eeb621aa19f690971caf862290a172a115578ba1 The patch in the thud commit doesn't compile against 237. Use the version of this patch, CVE-2018-15687.patch from systemd_237-3ubuntu10.13.debian. Signed-off-by: George McCollister <george.mccollister@gmail.com>
-rw-r--r--meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch252
-rw-r--r--meta/recipes-core/systemd/systemd_237.bb1
2 files changed, 253 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
new file mode 100644
index 0000000000..9a0b55f97d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
@@ -0,0 +1,252 @@
+From 2da8ba3f507345d0401ea9d7191fa16ffa560ebc Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 19 Oct 2018 11:26:59 +0200
+Subject: [PATCH] chown-recursive: let's rework the recursive logic to use
+ O_PATH
+
+That way we can pin a specific inode and analyze it and manipulate it
+without it being swapped out beneath our hands.
+
+Fixes a vulnerability originally found by Jann Horn from Google.
+
+CVE-2018-15687
+LP: #1796692
+https://bugzilla.redhat.com/show_bug.cgi?id=1639076
+
+Origin: upstream, https://github.com/poettering/systemd/commit/5de6cce58b3e8b79239b6e83653459d91af6e57c
+Bug-Ubuntu: https://launchpad.net/bugs/1796692
+
+Patch for 237 from:
+systemd_237-3ubuntu10.13.debian CVE-2018-15687.patch
+
+CVE: CVE-2018-15687
+Upstream-Status: Backport
+
+---
+ src/core/chown-recursive.c | 146 ++++++++++++++++++++++-----------------------
+ 1 file changed, 70 insertions(+), 76 deletions(-)
+
+diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
+index c479450..27c6448 100644
+--- a/src/core/chown-recursive.c
++++ b/src/core/chown-recursive.c
+@@ -18,18 +18,20 @@
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ ***/
+
+-#include <sys/types.h>
+-#include <sys/stat.h>
+ #include <fcntl.h>
++#include <sys/stat.h>
++#include <sys/types.h>
+
+-#include "user-util.h"
+-#include "macro.h"
+-#include "fd-util.h"
+-#include "dirent-util.h"
+ #include "chown-recursive.h"
++#include "dirent-util.h"
++#include "fd-util.h"
++#include "macro.h"
++#include "stdio-util.h"
++#include "strv.h"
++#include "user-util.h"
+
+-static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid, gid_t gid) {
+- int r;
++static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
+
+ assert(fd >= 0);
+ assert(st);
+@@ -38,90 +40,82 @@
+ (!gid_is_valid(gid) || st->st_gid == gid))
+ return 0;
+
+- if (name)
+- r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
+- else
+- r = fchown(fd, uid, gid);
+- if (r < 0)
+- return -errno;
++ /* We change ownership through the /proc/self/fd/%i path, so that we have a stable reference that works with
++ * O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that. */
++ xsprintf(procfs_path, "/proc/self/fd/%i", fd);
+
+- /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */
+- if (name) {
+- if (!S_ISLNK(st->st_mode))
+- r = fchmodat(fd, name, st->st_mode, 0);
+- else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */
+- r = 0;
+- } else
+- r = fchmod(fd, st->st_mode);
+- if (r < 0)
++ if (chown(procfs_path, uid, gid) < 0)
+ return -errno;
+
++ /* The linux kernel alters the mode in some cases of chown(). Let's undo this. We do this only for non-symlinks
++ * however. That's because for symlinks the access mode is ignored anyway and because on some kernels/file
++ * systems trying to change the access mode will succeed but has no effect while on others it actively
++ * fails. */
++ if (!S_ISLNK(st->st_mode))
++ if (chmod(procfs_path, st->st_mode & 07777) < 0)
++ return -errno;
++
+ return 1;
+ }
+
+ static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gid_t gid) {
++ _cleanup_closedir_ DIR *d = NULL;
+ bool changed = false;
++ struct dirent *de;
+ int r;
+
+ assert(fd >= 0);
+ assert(st);
+
+- if (S_ISDIR(st->st_mode)) {
+- _cleanup_closedir_ DIR *d = NULL;
+- struct dirent *de;
+-
+- d = fdopendir(fd);
+- if (!d) {
+- r = -errno;
+- goto finish;
+- }
+- fd = -1;
+-
+- FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
+- struct stat fst;
+-
+- if (dot_or_dot_dot(de->d_name))
+- continue;
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
+
+- if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
+- r = -errno;
+- goto finish;
+- }
+-
+- if (S_ISDIR(fst.st_mode)) {
+- int subdir_fd;
+-
+- subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (subdir_fd < 0) {
+- r = -errno;
+- goto finish;
+- }
+-
+- r = chown_recursive_internal(subdir_fd, &fst, uid, gid);
+- if (r < 0)
+- goto finish;
+- if (r > 0)
+- changed = true;
+- } else {
+- r = chown_one(dirfd(d), de->d_name, &fst, uid, gid);
+- if (r < 0)
+- goto finish;
+- if (r > 0)
+- changed = true;
+- }
++ FOREACH_DIRENT_ALL(de, d, return -errno) {
++ _cleanup_close_ int path_fd = -1;
++ struct stat fst;
++
++ if (dot_or_dot_dot(de->d_name))
++ continue;
++
++ /* Let's pin the child inode we want to fix now with an O_PATH fd, so that it cannot be swapped out
++ * while we manipulate it. */
++ path_fd = openat(dirfd(d), de->d_name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
++ if (path_fd < 0)
++ return -errno;
++
++ if (fstat(path_fd, &fst) < 0)
++ return -errno;
++
++ if (S_ISDIR(fst.st_mode)) {
++ int subdir_fd;
++
++ /* Convert it to a "real" (i.e. non-O_PATH) fd now */
++ subdir_fd = fd_reopen(path_fd, O_RDONLY|O_CLOEXEC|O_NOATIME);
++ if (subdir_fd < 0)
++ return subdir_fd;
++
++ r = chown_recursive_internal(subdir_fd, &fst, uid, gid); /* takes possession of subdir_fd even on failure */
++ if (r < 0)
++ return r;
++ if (r > 0)
++ changed = true;
++ } else {
++ r = chown_one(path_fd, &fst, uid, gid);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ changed = true;
+ }
++ }
+
+- r = chown_one(dirfd(d), NULL, st, uid, gid);
+- } else
+- r = chown_one(fd, NULL, st, uid, gid);
++ r = chown_one(dirfd(d), st, uid, gid);
+ if (r < 0)
+- goto finish;
+-
+- r = r > 0 || changed;
++ return r;
+
+-finish:
+- safe_close(fd);
+- return r;
++ return r > 0 || changed;
+ }
+
+ int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
+@@ -129,7 +123,7 @@
+ struct stat st;
+ int r;
+
+- fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (fd < 0)
+ return -errno;
+
+--- a/src/basic/fd-util.c
++++ b/src/basic/fd-util.c
+@@ -578,3 +578,22 @@
+
+ return -EOPNOTSUPP;
+ }
++
++int fd_reopen(int fd, int flags) {
++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
++ int new_fd;
++
++ /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
++ * turn O_RDWR fds into O_RDONLY fds.
++ *
++ * This doesn't work on sockets (since they cannot be open()ed, ever).
++ *
++ * This implicitly resets the file read index to 0. */
++
++ xsprintf(procfs_path, "/proc/self/fd/%i", fd);
++ new_fd = open(procfs_path, flags);
++ if (new_fd < 0)
++ return -errno;
++
++ return new_fd;
++}
+--- a/src/basic/fd-util.h
++++ b/src/basic/fd-util.h
+@@ -91,3 +91,5 @@
+ /* Hint: ENETUNREACH happens if we try to connect to "non-existing" special IP addresses, such as ::5 */
+ #define ERRNO_IS_DISCONNECT(r) \
+ IN_SET(r, ENOTCONN, ECONNRESET, ECONNREFUSED, ECONNABORTED, EPIPE, ENETUNREACH)
++
++int fd_reopen(int fd, int flags);
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb
index a75fae2e15..244776f0b6 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -55,6 +55,7 @@ SRC_URI += "file://touchscreen.rules \
file://0034-Fix-format-truncation-compile-failure-by-typecasting.patch \
file://0035-Define-glibc-compatible-basename-for-non-glibc-syste.patch \
file://0001-core-when-deserializing-state-always-use-read_line-L.patch \
+ file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \
"
SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"