packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE 2020 1712 and backport a patch

Browse Source
This commit is contained in:
openeuler-basic 2020-03-10 09:45:02 +08:00
parent e05170dd87
commit b9ada65bf9
7 changed files with 456 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
CVE-2020-1712-1.patch Normal file
View File

@ -0,0 +1,84 @@
From 7f56982289275ce84e20f0554475864953e6aaab Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Jan 2020 16:52:10 +0100
Subject: [PATCH 1610/1760] polkit: on async pk requests, re-validate
action/details
When we do an async pk request, let's store which action/details we used
for the original request, and when we are called for the second time,
let's compare. If the action/details changed, let's not allow the access
to go through.
https://github.com/systemd/systemd/commit/7f56982289275ce84e20f0554475864953e6aaab
---
src/shared/bus-util.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index ce4ece6..4bfdd3a 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -318,6 +318,9 @@ int bus_test_polkit(
#if ENABLE_POLKIT
typedef struct AsyncPolkitQuery {
+ char *action;
+ char **details;
+
sd_bus_message *request, *reply;
sd_bus_message_handler_t callback;
void *userdata;
@@ -338,6 +341,9 @@ static void async_polkit_query_free(AsyncPolkitQuery *q) {
sd_bus_message_unref(q->request);
sd_bus_message_unref(q->reply);
+ free(q->action);
+ strv_free(q->details);
+
free(q);
}
@@ -402,11 +408,17 @@ int bus_verify_polkit_async(
if (q) {
int authorized, challenge;
- /* This is the second invocation of this function, and
- * there's already a response from polkit, let's
- * process it */
+ /* This is the second invocation of this function, and there's already a response from
+ * polkit, let's process it */
assert(q->reply);
+ /* If the operation we want to authenticate changed between the first and the second time,
+ * let's not use this authentication, it might be out of date as the object and context we
+ * operate on might have changed. */
+ if (!streq(q->action, action) ||
+ !strv_equal(q->details, (char**) details))
+ return -ESTALE;
+
if (sd_bus_message_is_method_error(q->reply, NULL)) {
const sd_bus_error *e;
@@ -512,6 +524,18 @@ int bus_verify_polkit_async(
q->callback = callback;
q->userdata = userdata;
+ q->action = strdup(action);
+ if (!q->action) {
+ async_polkit_query_free(q);
+ return -ENOMEM;
+ }
+
+ q->details = strv_copy((char**) details);
+ if (!q->details) {
+ async_polkit_query_free(q);
+ return -ENOMEM;
+ }
+
r = hashmap_put(*registry, call, q);
if (r < 0) {
async_polkit_query_free(q);
--
2.19.1

70
CVE-2020-1712-2.patch Normal file
View File

@ -0,0 +1,70 @@
From 1068447e6954dc6ce52f099ed174c442cb89ed54 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Jan 2020 17:05:17 +0100
Subject: [PATCH 1612/1760] sd-bus: introduce API for re-enqueuing incoming
messages
When authorizing via PolicyKit we want to process incoming method calls
twice: once to process and figure out that we need PK authentication,
and a second time after we aquired PK authentication to actually execute
the operation. With this new call sd_bus_enqueue_for_read() we have a
way to put an incoming message back into the read queue for this
purpose.
This might have other uses too, for example debugging.
https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54
---
src/libsystemd/sd-bus/sd-bus.c | 25 +++++++++++++++++++++++++
src/systemd/sd-bus.h | 1 +
2 files changed, 26 insertions(+)
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index 615346d..05593d1 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -4198,3 +4198,28 @@ _public_ int sd_bus_get_close_on_exit(sd_bus *bus) {
return bus->close_on_exit;
}
+
+
+_public_ int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m) {
+ int r;
+
+ assert_return(bus, -EINVAL);
+ assert_return(bus = bus_resolve(bus), -ENOPKG);
+ assert_return(m, -EINVAL);
+ assert_return(m->sealed, -EINVAL);
+ assert_return(!bus_pid_changed(bus), -ECHILD);
+
+ if (!BUS_IS_OPEN(bus->state))
+ return -ENOTCONN;
+
+ /* Re-enqeue a message for reading. This is primarily useful for PolicyKit-style authentication,
+ * where we want accept a message, then determine we need to interactively authenticate the user, and
+ * when we have that process the message again. */
+
+ r = bus_rqueue_make_room(bus);
+ if (r < 0)
+ return r;
+
+ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(m, bus);
+ return 0;
+}
diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h
index 84ceb62..2e104f8 100644
--- a/src/systemd/sd-bus.h
+++ b/src/systemd/sd-bus.h
@@ -201,6 +201,7 @@ int sd_bus_process(sd_bus *bus, sd_bus_message **r);
int sd_bus_process_priority(sd_bus *bus, int64_t max_priority, sd_bus_message **r);
int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec);
int sd_bus_flush(sd_bus *bus);
+int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m);
sd_bus_slot* sd_bus_get_current_slot(sd_bus *bus);
sd_bus_message* sd_bus_get_current_message(sd_bus *bus);
--
2.19.1

109
CVE-2020-1712-3.patch Normal file
View File

@ -0,0 +1,109 @@
From 95f82ae9d774f3508ce89dcbdd0714ef7385df59 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Jan 2020 16:44:43 +0100
Subject: [PATCH] polkit: reuse some common bus message appending code
https://github.com/systemd/systemd/commit/95f82ae9d774f3508ce89dcbdd0714ef7385df59
---
src/shared/bus-util.c | 56 ++++++++++++++++++++++++-------------------
1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index 4bfdd3a..04153d6 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -211,6 +211,34 @@ static int check_good_user(sd_bus_message *m, uid_t good_user) {
return sender_uid == good_user;
}
+#if ENABLE_POLKIT
+static int bus_message_append_strv_key_value(
+ sd_bus_message *m,
+ const char **l) {
+
+ const char **k, **v;
+ int r;
+
+ assert(m);
+
+ r = sd_bus_message_open_container(m, 'a', "{ss}");
+ if (r < 0)
+ return r;
+
+ STRV_FOREACH_PAIR(k, v, l) {
+ r = sd_bus_message_append(m, "{ss}", *k, *v);
+ if (r < 0)
+ return r;
+ }
+
+ r = sd_bus_message_close_container(m);
+ if (r < 0)
+ return r;
+
+ return r;
+}
+#endif
+
int bus_test_polkit(
sd_bus_message *call,
int capability,
@@ -241,7 +269,7 @@ int bus_test_polkit(
_cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
int authorized = false, challenge = false;
- const char *sender, **k, **v;
+ const char *sender;
sender = sd_bus_message_get_sender(call);
if (!sender)
@@ -265,17 +293,7 @@ int bus_test_polkit(
if (r < 0)
return r;
- r = sd_bus_message_open_container(request, 'a', "{ss}");
- if (r < 0)
- return r;
-
- STRV_FOREACH_PAIR(k, v, details) {
- r = sd_bus_message_append(request, "{ss}", *k, *v);
- if (r < 0)
- return r;
- }
-
- r = sd_bus_message_close_container(request);
+ r = bus_message_append_strv_key_value(request, details);
if (r < 0)
return r;
@@ -388,7 +406,7 @@ int bus_verify_polkit_async(
#if ENABLE_POLKIT
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
AsyncPolkitQuery *q;
- const char *sender, **k, **v;
+ const char *sender;
sd_bus_message_handler_t callback;
void *userdata;
int c;
@@ -498,17 +516,7 @@ int bus_verify_polkit_async(
if (r < 0)
return r;
- r = sd_bus_message_open_container(pk, 'a', "{ss}");
- if (r < 0)
- return r;
-
- STRV_FOREACH_PAIR(k, v, details) {
- r = sd_bus_message_append(pk, "{ss}", *k, *v);
- if (r < 0)
- return r;
- }
-
- r = sd_bus_message_close_container(pk);
+ r = bus_message_append_strv_key_value(pk, details);
if (r < 0)
return r;
--
2.19.1

38
CVE-2020-1712-4.patch Normal file
View File

@ -0,0 +1,38 @@
From f4425c72c7395ec93ae00052916a66e2f60f200b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Jan 2020 16:53:59 +0100
Subject: [PATCH] polkit: use structured initialization
https://github.com/systemd/systemd/commit/f4425c72c7395ec93ae00052916a66e2f60f200b
---
src/shared/bus-util.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index 04153d6..0690a82 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -524,13 +524,15 @@ int bus_verify_polkit_async(
if (r < 0)
return r;
- q = new0(AsyncPolkitQuery, 1);
+ q = new(AsyncPolkitQuery, 1);
if (!q)
return -ENOMEM;
- q->request = sd_bus_message_ref(call);
- q->callback = callback;
- q->userdata = userdata;
+ *q = (AsyncPolkitQuery) {
+ .request = sd_bus_message_ref(call),
+ .callback = callback,
+ .userdata = userdata,
+ };
q->action = strdup(action);
if (!q->action) {
--
2.19.1

66
pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch Normal file
View File

@ -0,0 +1,66 @@
From bb46b12cbb84411e378cd45f2ac320a9ce53551c Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Tue, 10 Mar 2020 21:01:43 +0800
Subject: [PATCH] pid1 bump DefaultTasksMax to 80% of the kernel pid.max value
---
man/systemd-system.conf.xml | 2 +-
src/basic/cgroup-util.h | 4 ++--
src/core/system.conf.in | 2 +-
units/user-.slice.d/10-defaults.conf | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index e403fa5..afd51ed 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -360,7 +360,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
+ of slice units. Defaults to 80%, which equals 26214 with the kernel's defaults on the host, but might be smaller
in OS containers.</para></listitem>
</varlistentry>
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index a39ab45..f2f2c09 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -128,8 +128,8 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
}
/* Default resource limits */
-#define DEFAULT_TASKS_MAX_PERCENTAGE 15U /* 15% of PIDs, 4915 on default settings */
-#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */
+#define DEFAULT_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 4915 on default settings */
+#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 10813 on default settings */
typedef enum CGroupUnified {
CGROUP_UNIFIED_UNKNOWN = -1,
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 8112125..9e75b14 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -51,7 +51,7 @@
#DefaultBlockIOAccounting=no
#DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=80%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
diff --git a/units/user-.slice.d/10-defaults.conf b/units/user-.slice.d/10-defaults.conf
index c81a00e..3b14c35 100644
--- a/units/user-.slice.d/10-defaults.conf
+++ b/units/user-.slice.d/10-defaults.conf
@@ -14,4 +14,4 @@ After=systemd-user-sessions.service
StopWhenUnneeded=yes
[Slice]
-TasksMax=33%
+TasksMax=80%
--
1.8.3.1

75
sd-journal-close-journal-files-that-were-deleted-by-.patch Normal file
View File

@ -0,0 +1,75 @@
From 28ca867abdb20d0e4ac1901e2ed669cdb41ea3f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Sekleta=CC=81r?= <msekleta@redhat.com>
Date: Tue, 4 Feb 2020 14:23:14 +0100
Subject: [PATCH] sd-journal: close journal files that were deleted by journald
before we've setup inotify watch
url:https://github.com/systemd/systemd/commit/28ca867abdb20d0e4ac1901e2ed669cdb41ea3f6.patch
Fixes #14695
---
src/journal/journal-file.c | 2 +-
src/journal/journal-file.h | 1 +
src/journal/sd-journal.c | 15 +++++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
index 505191999b..bd53635860 100644
--- a/src/journal/journal-file.c
+++ b/src/journal/journal-file.c
@@ -601,7 +601,7 @@ static int journal_file_verify_header(JournalFile *f) {
return 0;
}
-static int journal_file_fstat(JournalFile *f) {
+int journal_file_fstat(JournalFile *f) {
int r;
assert(f);
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
index 502f1f567d..cf0f7691fb 100644
--- a/src/journal/journal-file.h
+++ b/src/journal/journal-file.h
@@ -145,6 +145,7 @@ int journal_file_open(
int journal_file_set_offline(JournalFile *f, bool wait);
bool journal_file_is_offlining(JournalFile *f);
JournalFile* journal_file_close(JournalFile *j);
+int journal_file_fstat(JournalFile *f);
DEFINE_TRIVIAL_CLEANUP_FUNC(JournalFile*, journal_file_close);
int journal_file_open_reliably(
diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c
index bced8af3e3..3fa98dfda2 100644
--- a/src/journal/sd-journal.c
+++ b/src/journal/sd-journal.c
@@ -2661,6 +2661,8 @@ _public_ int sd_journal_wait(sd_journal *j, uint64_t timeout_usec) {
assert_return(!journal_pid_changed(j), -ECHILD);
if (j->inotify_fd < 0) {
+ Iterator i;
+ JournalFile *f;
/* This is the first invocation, hence create the
* inotify watch */
@@ -2668,6 +2670,19 @@ _public_ int sd_journal_wait(sd_journal *j, uint64_t timeout_usec) {
if (r < 0)
return r;
+ /* Server might have done some vacuuming while we weren't watching.
+ Get rid of the deleted files now so they don't stay around indefinitely. */
+ ORDERED_HASHMAP_FOREACH(f, j->files, i) {
+ r = journal_file_fstat(f);
+ if (r < 0) {
+ log_debug_errno(r,"Failed to fstat() journal file '%s' : %m", f->path);
+ continue;
+ }
+
+ if (f->last_stat.st_nlink <= 0)
+ remove_file_real(j, f);
+ }
+
/* The journal might have changed since the context
* object was created and we weren't watching before,
* hence don't wait for anything, and return
--
2.19.1

15
systemd.spec
View File

@ -16,7 +16,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 243
Release: 16
Release: 17
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -54,6 +54,12 @@ Patch0007: 0001-core-create-or-remove-unit-bus-name-slots-always-together.p
Patch0008: 0001-core-drop-initial-ListNames-bus-call-from-PID1.patch
Patch0009: 1605-update-rtc-with-system-clock-when-shutdown.patch
Patch0010: 1603-udev-add-actions-while-rename-netif-failed.patch
Patch0011: CVE-2020-1712-1.patch
Patch0012: CVE-2020-1712-2.patch
Patch0013: CVE-2020-1712-3.patch
Patch0014: CVE-2020-1712-4.patch
Patch0015: sd-journal-close-journal-files-that-were-deleted-by-.patch
Patch0016: pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
#openEuler
Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch
@ -1457,6 +1463,13 @@ fi
%exclude /usr/share/man/man3/*
%changelog
* Tue Mar 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-17
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:fix CVE-2020-1712 and close journal files that were deleted by journald
before we've setup inotify watch and bump pim_max to 80%
* Thu Mar 5 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-16
- Type:enhancement
- ID:NA