From aa2942b36eced3e881f15728ac5430dbf9f0d576 Mon Sep 17 00:00:00 2001
From: yangmingtaip
Date: Thu, 22 Jul 2021 20:44:46 +0800
Subject: [PATCH] fix CVE-2021-33910
---
 0021-fix-CVE-2021-33910.patch | 66 +++++++++++++++++++++++++++++++++++
 systemd.spec | 9 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 0021-fix-CVE-2021-33910.patch
diff --git a/0021-fix-CVE-2021-33910.patch b/0021-fix-CVE-2021-33910.patch
new file mode 100644
index 0000000..e0a971f
--- /dev/null
+++ b/0021-fix-CVE-2021-33910.patch
@@ -0,0 +1,66 @@
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 532f8fa..024b8a5 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
+--
+2.23.0
+
diff --git a/systemd.spec b/systemd.spec
index 2829c5d..1120552 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -20,7 +20,7 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 246
-Release: 15
+Release: 16
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
@@ -69,6 +69,7 @@ Patch0017: fix-capsh-drop-but-ping-success.patch
 Patch0018: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
 Patch0019: core-serialize-u-pids-until-the-processes-have-been-.patch
 Patch0020: scope-on-unified-make-sure-to-unwatch-all-PIDs-once-.patch
+Patch0021: 0021-fix-CVE-2021-33910.patch
 Patch6000: backport-xdg-autostart-Lower-most-info-messages-to-debug-leve.patch
 Patch6001: backport-RFC-Make-user-instance-aware-of-delegated-cgroup-controllers.patch
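Review bot: With `p` now declared `_cleanup_free_`, it must keep the value returned by strdup() for the rest of the function, which is exactly why the rewritten line passes `skip_leading_chars(p, "/")` straight into unit_name_escape() instead of reassigning `p` as the removed lines did; a short comment beside the declaration would keep a later rebase from reintroducing that reassignment, e.g. `/* p owns the heap copy: never reassign it, the cleanup frees whatever it points to */`. The body of unit_name_path_escape() between the two hunks and after the final `return -ENOMEM;` is outside this hunk, so whether any other line still writes to `p` cannot be checked here. Note also that the `if (!p) return -ENOMEM;` check only becomes live with this change, since strdupa() could not fail; that, plus moving the copy off the stack, is what turns an overlong mount path into an ordinary error return.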
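Review bot: The new `Patch0021:` line only declares the patch; it is applied at build time only if the `%prep` section uses `%autosetup`/`%autopatch` or carries a matching `%patch0021 -p1`, and `%prep` is not part of this diff, so please confirm the patch is actually applied and not merely listed. The outer commit message carries no reference to the upstream fix; since the upstream commit id and bug URL live only inside the embedded patch file, adding the upstream commit URL to the spec changelog entry (or the commit description) would make the backport traceable without opening the patch.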
@@ -1491,6 +1492,12 @@ fi
 %exclude /usr/share/man/man3/*
 %changelog
+* Thu Jul 22 2021 yangmingtai - 246-16
+- Type:CVE
+- ID:CVE-2021-33910
+- SUG:NA
+- DESC:fix CVE-2021-33910
+
 * Wed Mar 17 2021 shenyangyang - 246-15
 - Type:bugfix
 - ID:NA
-- Gitee