add CVE-2020-1712-5

2020-03-25 15:57:44 +08:00 · 2020-03-25 15:57:44 +08:00 · 8a6937552c
commit 8a6937552c
parent 4dea31c893
2 changed files with 175 additions and 4 deletions
--- a/CVE-2020-1712-5.patch
+++ b/CVE-2020-1712-5.patch
@ -0,0 +1,164 @@
 From 637486261528e8aa3da9f26a4487dc254f4b7abb Mon Sep 17 00:00:00 2001
 From: Lennart Poettering <lennart@poettering.net>
 Date: Wed, 22 Jan 2020 17:07:47 +0100
 Subject: [PATCH 1613/1760] polkit: when authorizing via PK let's re-resolve
 callback/userdata instead of caching it
 Previously, when doing an async PK query we'd store the original
 callback/userdata pair and call it again after the PK request is
 complete. This is problematic, since PK queries might be slow and in the
 meantime the userdata might be released and re-acquired. Let's avoid
 this by always traversing through the message handlers so that we always
 re-resolve the callback and userdata pair and thus can be sure it's
 up-to-date and properly valid.
 https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb
 ---
 src/shared/bus-util.c | 75 ++++++++++++++++++++++++++++---------------
 1 file changed, 50 insertions(+), 25 deletions(-)
 diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
 index 0690a82..41288a7 100644
 --- a/src/shared/bus-util.c
 +++ b/src/shared/bus-util.c
@@ -340,14 +340,13 @@ typedef struct AsyncPolkitQuery {
         char **details;
         sd_bus_message *request, *reply;
 -        sd_bus_message_handler_t callback;
 -        void *userdata;
         sd_bus_slot *slot;
 +
         Hashmap *registry;
 +        sd_event_source *defer_event_source;
 } AsyncPolkitQuery;
 static void async_polkit_query_free(AsyncPolkitQuery *q) {
 -
         if (!q)
                 return;
@@ -362,9 +361,22 @@ static void async_polkit_query_free(AsyncPolkitQuery *q) {
         free(q->action);
         strv_free(q->details);
 +        sd_event_source_disable_unref(q->defer_event_source);
         free(q);
 }
 +static int async_polkit_defer(sd_event_source *s, void *userdata) {
 +        AsyncPolkitQuery *q = userdata;
 +
 +        assert(s);
 +
 +        /* This is called as idle event source after we processed the async polkit reply, hopefully after the
 +         * method call we re-enqueued has been properly processed. */
 +
 +        async_polkit_query_free(q);
 +        return 0;
 +}
 +
 static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
         _cleanup_(sd_bus_error_free) sd_bus_error error_buffer = SD_BUS_ERROR_NULL;
         AsyncPolkitQuery *q = userdata;
@@ -373,19 +385,45 @@ static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_e
         assert(reply);
         assert(q);
 +        assert(q->slot);
         q->slot = sd_bus_slot_unref(q->slot);
 +
 +        assert(!q->reply);
         q->reply = sd_bus_message_ref(reply);
 +	        /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
 +         * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
 +         * again.
 +         *
 +         * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
 +         * i.e. after the second time the message is processed is complete. */
 +
 +        assert(!q->defer_event_source);
 +        r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
 +        if (r < 0)
 +                goto fail;
 +
 +        r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
 +        if (r < 0)
 +                goto fail;
 +
 +        r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
 +        if (r < 0)
 +                goto fail;
 +
         r = sd_bus_message_rewind(q->request, true);
 -        if (r < 0) {
 -                r = sd_bus_reply_method_errno(q->request, r, NULL);
 -                goto finish;
 -        }
 +        if (r < 0)
 +                goto fail;
 -        r = q->callback(q->request, q->userdata, &error_buffer);
 -        r = bus_maybe_reply_error(q->request, r, &error_buffer);
 +        r = sd_bus_enqeue_for_read(sd_bus_message_get_bus(q->request), q->request);
 +        if (r < 0)
 +                goto fail;
 +
 +        return 1;
 -finish:
 +fail:
 +        log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
 +        (void) sd_bus_reply_method_errno(q->request, r, NULL);
         async_polkit_query_free(q);
         return r;
@@ -406,11 +444,9 @@ int bus_verify_polkit_async(
 #if ENABLE_POLKIT
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
         AsyncPolkitQuery *q;
 -        const char *sender;
 -        sd_bus_message_handler_t callback;
 -        void *userdata;
         int c;
 #endif
 +        const char *sender;
         int r;
         assert(call);
@@ -474,20 +510,11 @@ int bus_verify_polkit_async(
         else if (r > 0)
                 return 1;
 -#if ENABLE_POLKIT
 -        if (sd_bus_get_current_message(call->bus) != call)
 -                return -EINVAL;
 -
 -        callback = sd_bus_get_current_handler(call->bus);
 -        if (!callback)
 -                return -EINVAL;
 -
 -        userdata = sd_bus_get_current_userdata(call->bus);
 -
         sender = sd_bus_message_get_sender(call);
         if (!sender)
                 return -EBADMSG;
 +#if ENABLE_POLKIT
         c = sd_bus_message_get_allow_interactive_authorization(call);
         if (c < 0)
                 return c;
@@ -530,8 +557,6 @@ int bus_verify_polkit_async(
         *q = (AsyncPolkitQuery) {
                 .request = sd_bus_message_ref(call),
 -                .callback = callback,
 -                .userdata = userdata,
         };
         q->action = strdup(action);
 -- 
 2.19.1
--- a/systemd.spec
+++ b/systemd.spec
@ -16,7 +16,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        243
-Release:        18
+Release:        19
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager
@ -58,9 +58,10 @@ Patch0011:      CVE-2020-1712-1.patch
 Patch0012:      CVE-2020-1712-2.patch
 Patch0013:      CVE-2020-1712-3.patch
 Patch0014:      CVE-2020-1712-4.patch
-Patch0015:      sd-journal-close-journal-files-that-were-deleted-by-.patch
+Patch0015:      CVE-2020-1712-5.patch
-Patch0016:      pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
+Patch0016:      sd-journal-close-journal-files-that-were-deleted-by-.patch
-Patch0017:      fix-two-VF-virtual-machines-have-same-mac-address.patch
+Patch0017:      pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
 Patch0018:      fix-two-VF-virtual-machines-have-same-mac-address.patch
 #openEuler
 Patch9002:      1509-fix-journal-file-descriptors-leak-problems.patch
@ -1464,6 +1465,12 @@ fi
 %exclude /usr/share/man/man3/*
 %changelog
 * Wed Mar 25 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-19
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:add patch of CVE-2020-1714-5
 * Fri Mar 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-18
 - Type:enhancement
 - ID:NA