systemd: CVE-2016-7795
The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. The patch is a backport from the latest git repo. Please see the link below for more information. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795 (From OE-Core rev: 543570cafa8d7f595b489d03d05f0aa4478f8539) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
d31d1ad4e5
commit
92d604ca28
|
@ -0,0 +1,69 @@
|
|||
Subject: Fix CVE-2016-7795
|
||||
|
||||
This undoes 531ac2b. I acked that patch without looking at the code
|
||||
carefully enough. There are two problems:
|
||||
- we want to process the fds anyway
|
||||
- in principle empty notification messages are valid, and we should
|
||||
process them as usual, including logging using log_unit_debug().
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-7795
|
||||
|
||||
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
||||
---
|
||||
src/core/manager.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/core/manager.c b/src/core/manager.c
|
||||
index 7838f56..f165d08e 100644
|
||||
--- a/src/core/manager.c
|
||||
+++ b/src/core/manager.c
|
||||
@@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) {
|
||||
+static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
|
||||
_cleanup_strv_free_ char **tags = NULL;
|
||||
|
||||
assert(m);
|
||||
assert(u);
|
||||
assert(buf);
|
||||
- assert(n > 0);
|
||||
|
||||
tags = strv_split(buf, "\n\r");
|
||||
if (!tags) {
|
||||
@@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /* The message should be a string. Here we make sure it's NUL-terminated,
|
||||
+ * but only the part until first NUL will be used anyway. */
|
||||
buf[n] = 0;
|
||||
|
||||
/* Notify every unit that might be interested, but try
|
||||
* to avoid notifying the same one multiple times. */
|
||||
u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
|
||||
if (u1) {
|
||||
- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds);
|
||||
+ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
|
||||
found = true;
|
||||
}
|
||||
|
||||
u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid));
|
||||
if (u2 && u2 != u1) {
|
||||
- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds);
|
||||
+ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
|
||||
found = true;
|
||||
}
|
||||
|
||||
u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid));
|
||||
if (u3 && u3 != u2 && u3 != u1) {
|
||||
- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds);
|
||||
+ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
|
||||
found = true;
|
||||
}
|
||||
|
||||
--
|
||||
2.8.3
|
||||
|
|
@ -36,6 +36,7 @@ SRC_URI += " \
|
|||
file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
|
||||
file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
|
||||
file://udev-re-enable-mount-propagation-for-udevd.patch \
|
||||
file://CVE-2016-7795.patch \
|
||||
"
|
||||
SRC_URI_append_libc-uclibc = "\
|
||||
file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
|
||||
|
|
Loading…
Reference in New Issue