[PATCH 0/1] systemd: CVE-2016-7795

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH 0/1] systemd: CVE-2016-7795
@ 2016-10-25  7:40 Chen Qi
  2016-10-25  7:40 ` [PATCH 1/1] " Chen Qi
  2016-10-26  2:09 ` [PATCH 0/1] " ChenQi
  0 siblings, 2 replies; 3+ messages in thread
From: Chen Qi @ 2016-10-25  7:40 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 6e96deb024e4c41d911f590ff2b92b402f672661:

  local.conf.sample.extended: remove RM_OLD_IMAGE (2016-10-19 17:07:14 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib ChenQi/CVE-2016-7795
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=ChenQi/CVE-2016-7795

Chen Qi (1):
  systemd: CVE-2016-7795

 ...s-zero-length-notification-messages-again.patch | 68 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_230.bb           |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch

-- 
1.9.1



^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH 1/1] systemd: CVE-2016-7795
  2016-10-25  7:40 [PATCH 0/1] systemd: CVE-2016-7795 Chen Qi
@ 2016-10-25  7:40 ` Chen Qi
  2016-10-26  2:09 ` [PATCH 0/1] " ChenQi
  1 sibling, 0 replies; 3+ messages in thread
From: Chen Qi @ 2016-10-25  7:40 UTC (permalink / raw)
  To: openembedded-core

The manager_invoke_notify_message function in systemd 231 and earlier allows
local users to cause a denial of service (assertion failure and PID 1 hang)
via a zero-length message received over a notify socket.

The patch is a backport from the latest git repo.

Please see the link below for more information.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...s-zero-length-notification-messages-again.patch | 68 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_230.bb           |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch b/meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch
new file mode 100644
index 0000000..0332593
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch
@@ -0,0 +1,68 @@
+Subject: pid1: process zero-length notification messages again
+
+This undoes 531ac2b. I acked that patch without looking at the code
+carefully enough. There are two problems:
+- we want to process the fds anyway
+- in principle empty notification messages are valid, and we should
+  process them as usual, including logging using log_unit_debug().
+
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/core/manager.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 7838f56..f165d08e 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
+         return 0;
+ }
+ 
+-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) {
++static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
+         _cleanup_strv_free_ char **tags = NULL;
+ 
+         assert(m);
+         assert(u);
+         assert(buf);
+-        assert(n > 0);
+ 
+         tags = strv_split(buf, "\n\r");
+         if (!tags) {
+@@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+                 return 0;
+         }
+ 
++        /* The message should be a string. Here we make sure it's NUL-terminated,
++         * but only the part until first NUL will be used anyway. */
+         buf[n] = 0;
+ 
+         /* Notify every unit that might be interested, but try
+          * to avoid notifying the same one multiple times. */
+         u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
+         if (u1) {
+-                manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds);
++                manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
+                 found = true;
+         }
+ 
+         u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid));
+         if (u2 && u2 != u1) {
+-                manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds);
++                manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
+                 found = true;
+         }
+ 
+         u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid));
+         if (u3 && u3 != u2 && u3 != u1) {
+-                manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds);
++                manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
+                 found = true;
+         }
+ 
+-- 
+2.8.3
+
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index a949fe8..1a266c8 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -36,6 +36,7 @@ SRC_URI += " \
            file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
            file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
            file://udev-re-enable-mount-propagation-for-udevd.patch \
+           file://0001-pid1-process-zero-length-notification-messages-again.patch \
 "
 SRC_URI_append_libc-uclibc = "\
            file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 0/1] systemd: CVE-2016-7795
  2016-10-25  7:40 [PATCH 0/1] systemd: CVE-2016-7795 Chen Qi
  2016-10-25  7:40 ` [PATCH 1/1] " Chen Qi
@ 2016-10-26  2:09 ` ChenQi
  1 sibling, 0 replies; 3+ messages in thread
From: ChenQi @ 2016-10-26  2:09 UTC (permalink / raw)
  To: openembedded-core

Hi All,

I just realized that my patch does not conform to the CVE patch 
requirement in the link below.
I'll send out V2.

http://openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header

Best Regards,
Chen Qi

On 10/25/2016 03:40 PM, Chen Qi wrote:
> The following changes since commit 6e96deb024e4c41d911f590ff2b92b402f672661:
>
>    local.conf.sample.extended: remove RM_OLD_IMAGE (2016-10-19 17:07:14 +0100)
>
> are available in the git repository at:
>
>    git://git.openembedded.org/openembedded-core-contrib ChenQi/CVE-2016-7795
>    http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=ChenQi/CVE-2016-7795
>
> Chen Qi (1):
>    systemd: CVE-2016-7795
>
>   ...s-zero-length-notification-messages-again.patch | 68 ++++++++++++++++++++++
>   meta/recipes-core/systemd/systemd_230.bb           |  1 +
>   2 files changed, 69 insertions(+)
>   create mode 100644 meta/recipes-core/systemd/systemd/0001-pid1-process-zero-length-notification-messages-again.patch
>



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-10-26  2:09 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-25  7:40 [PATCH 0/1] systemd: CVE-2016-7795 Chen Qi
2016-10-25  7:40 ` [PATCH 1/1] " Chen Qi
2016-10-26  2:09 ` [PATCH 0/1] " ChenQi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox