fix CVE-2021-33910

2021-07-22 20:26:01 +08:00 · 2021-07-22 20:26:01 +08:00 · 62e83cce68
commit 62e83cce68
parent c80eb3ce8a
2 changed files with 72 additions and 2 deletions
--- a/0022-fix-CVE-2021-33910.patch
+++ b/0022-fix-CVE-2021-33910.patch
@ -0,0 +1,66 @@
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 532f8fa..024b8a5 100644
+--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+ 
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
+        _cleanup_free_ char *p = NULL;
+        char *s;
+ 
+         assert(f);
+         assert(ret);
+ 
+-        p = strdupa(f);
+        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+ 
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+ 
+-                /* Truncate trailing slashes */
+                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
+                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
+-- 
+2.23.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -20,7 +20,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        248
-Release:        6
+Release:        7
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -67,6 +67,7 @@ Patch0016:      0016-systemd-change-time-log-level.patch
 #Patch0019:      0019-core-serialize-u-pids-until-the-processes-have-been-.patch 
 #Patch0020:      0020-scope-on-unified-make-sure-to-unwatch-all-PIDs-once-.patch
 Patch0021:      0021-journald-enforce-longer-line-length-limit-during-set.patch
+Patch0022:	0022-fix-CVE-2021-33910.patch


 BuildRequires:  gcc, gcc-c++
@ -1530,7 +1531,10 @@ fi
 %exclude /usr/share/man/man3/*

 %changelog
-* Thu Jun 03 2021 shenyangyang <shenyangyang4@huawei.com> - 248-6
+* Thu Jun 03 2021 yangmingtai <yangmingtai@huawei.com> - 248-7
+- fix CVE-2021-33910
+
+* Thu Jul 22 2021 shenyangyang <shenyangyang4@huawei.com> - 248-6
 - change requires to openssl-libs as post scripts systemctl requires libssl.so.1.1

 * Mon May 31 2021 hexiaowen<hexiaowen@huawei.com> - 248-5