systemd: fix CVE-2020-13529

Backport patches to fix CVE-2020-13529.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

1 files changed, 69 insertions, 0 deletions

diff --git a/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
new file mode 100644
index 0000000000..07c7da8c21
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
@@ -0,0 +1,69 @@
+From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:14:12 +0900
+Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a
+ new lease
+
+Previously, such situation is handled silently.
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index ef3a7d2c6b..04a75c6966 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+         DHCP_CLIENT_DONT_DESTROY(client);
+         char time_string[FORMAT_TIMESPAN_MAX];
+-        int r, notify_event = 0;
++        int r, notify_event;
+ 
+         assert(client);
+         assert(client->event);
+@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                 if (r < 0)
+                         goto error;
+ 
++                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
++                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
++                else
++                        notify_event = r;
++
+                 client->start_delay = 0;
+                 (void) event_source_disable(client->timeout_resend);
+                 client->receive_message = sd_event_source_unref(client->receive_message);
+                 client->fd = safe_close(client->fd);
+ 
+-                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+-                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+-                else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+-                        notify_event = r;
+-
+                 client->state = DHCP_STATE_BOUND;
+                 client->attempt = 0;
+ 
+@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+ 
+                 client_initialize_io_events(client, client_receive_message_udp);
+ 
+-                if (notify_event) {
++                if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
++                    notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
++                        /* FIXME: hmm, maybe this is a bug... */
++                        log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.",
++                                        client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding");
++                else
+                         client_notify(client, notify_event);
+-                        if (client->state == DHCP_STATE_STOPPED)
+-                                return 0;
+-                }
+-
+                 break;
+ 
+         case DHCP_STATE_BOUND: