journal fix buffer overrun when urlifying

fayeinseu 2020-07-07 15:44:13 +08:00
parent 35b3b17128
commit f899147ebd
2 changed files with 57 additions and 2 deletions


@ -0,0 +1,49 @@
From 85fbebe61a1aec2f86e36fb464283b6b55d3d76d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 23 Jun 2020 20:51:13 +0200
Subject: [PATCH] journal: fix buffer overrun when urlifying
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.
message is only valid until message_len, and we need to make sure we're not
reading pass that. Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
---
src/shared/logs-show.c | 9 ++++++---
test/fuzz/fuzz-journal-remote/oss-fuzz-21122 | Bin 0 -> 35798 bytes
2 files changed, 6 insertions(+), 3 deletions(-)
create mode 100644 test/fuzz/fuzz-journal-remote/oss-fuzz-21122
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 570377dc76..fee6ccdf2a 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -573,19 +573,22 @@ static int output_short(
if (config_file &&
message_len >= config_file_len &&
memcmp(message, config_file, config_file_len) == 0 &&
- IN_SET(message[config_file_len], ':', ' ', '\0') &&
+ (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
(!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
_cleanup_free_ char *t = NULL, *urlified = NULL;
t = strndup(config_file, config_file_len);
if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
- size_t shift = strlen(urlified) - config_file_len;
+ size_t urlified_len = strlen(urlified);
+ size_t shift = urlified_len - config_file_len;
char *joined;
- joined = strjoin(urlified, message + config_file_len);
+ joined = realloc(urlified, message_len + shift);
if (joined) {
+ memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
free_and_replace(message, joined);
+ TAKE_PTR(urlified);
message_len += shift;
if (highlight) {
highlight_shifted[0] += shift;
--
2.23.0
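Review bot: The replacement of `strjoin` with `realloc` + `memcpy` changes `message` from a NUL-terminated string into a purely length-delimited buffer: the new allocation is exactly `message_len + shift` bytes and every byte is filled by the copy, so no terminator follows the data. That is consistent with the commit message's statement that `message` is only valid up to `message_len`, but `output_short` starts and continues outside this hunk, so any later consumer in that function that still treats `message` as a C string (`strlen`, `%s`) would now read past the end; a comment at the `memcpy` line such as `/* message is length-delimited by message_len, not NUL-terminated */` would make the contract explicit for the rest of the function. The `size_t shift = urlified_len - config_file_len` subtraction also assumes `terminal_urlify_path` never returns something shorter than the path it wraps; that helper is not in the hunk, so this cannot be confirmed here and is worth a one-line assertion or comment at the same spot.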


@ -20,7 +20,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 246
Release: 1
Release: 2
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -63,7 +63,7 @@ Patch0012: Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
Patch0013: sd-bus-properly-initialize-containers.patch
Patch0014: Revert-core-one-step-back-again-for-nspawn-we-actual.patch
Patch0015: journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0016: journal-fix-buffer-overrun-when-urlifying.patch
## The patch of 0026~0029 resolve the pid1 memory leaks
#Patch0034: revert-pid1-drop-unit-caches-only-based-on-mtime.patch
#Patch0035: revert-analyze-add-unit-files-to-dump-the-unit-fragm.patch
@ -1495,6 +1495,12 @@ fi
%exclude /usr/share/man/man3/*
%changelog
* Tue Jul 7 2020 openEuler Buildteam <buildteam@openeuler.org> - 246-2
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:fix buffer overrun when urlifying.
* Fri Jun 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 246-1
- Type:enhancement
- ID:NA