From 866a880c4fb58dea1e8460acea8152658376cd12 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Tue, 28 Sep 2021 20:29:17 -0700 Subject: systemd: fix CVE-2021-33910 Backport patch to fix CVE-2021-33910. Signed-off-by: Chen Qi Signed-off-by: Anuj Mittal
---
...ic-unit-name-do-not-use-strdupa-on-a-path.patch | 72 ++++++++++++++++++++++ meta/recipes-core/systemd/systemd_247.6.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
diff --git a/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
new file mode 100644
index 0000000000..0ab8174441
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -0,0 +1,72 @@
+From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
+(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
+(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
+
+CVE: CVE-2021-33910
+Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]
+Signed-off-by: Chen Qi
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 5f595af944..9b6cacde87 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
+--
+2.33.0
+
diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb
index f1db1e922b..e79c79a7fd 100644
--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
 file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
 file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
 file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
+ file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \
 "
 # patches needed by musl
-- cgit 1.2.3-korg
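Review bot: The `_cleanup_free_ char *p = NULL;` introduced in the first inner hunk is only safe because the second inner hunk stops reassigning `p` to the result of `skip_leading_chars()` and passes that pointer straight to `unit_name_escape()`; nothing in the code records that constraint, so a later cleanup that restores the old `p = skip_leading_chars(p, "/")` form would make `_cleanup_free_` free an interior pointer. I would add a comment above the declaration, `/* p owns the strdup()'d copy and is freed on every return; never advance it */`, so the invariant survives the next edit. Note also that, as far as the hunk shows, the heap copy made by `strdup(f)` is still as long as the untrusted mount path, so an attacker-controlled path can still drive a large allocation; the gain is that the failure mode is now a checked -ENOMEM instead of the stack exhaustion described in the commit message. unit_name_path_escape() continues between and after the two inner hunks (the empty/root handling and the final use of `s` are not visible here), so the remaining ownership of `s` cannot be reviewed from this page.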