From b9ada65bf9d08cfc5e100ba268ade28bddd81819 Mon Sep 17 00:00:00 2001 From: openeuler-basic Date: Tue, 10 Mar 2020 09:45:02 +0800 Subject: [PATCH] fix CVE 2020 1712 and backport a patch --- CVE-2020-1712-1.patch | 84 ++++++++++++++ CVE-2020-1712-2.patch | 70 +++++++++++ CVE-2020-1712-3.patch | 109 ++++++++++++++++++ CVE-2020-1712-4.patch | 38 ++++++ ...tTasksMax-to-80-of-the-kernel-pid.ma.patch | 66 +++++++++++ ...-journal-files-that-were-deleted-by-.patch | 75 ++++++++++++ systemd.spec | 15 ++- 7 files changed, 456 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-1712-1.patch create mode 100644 CVE-2020-1712-2.patch create mode 100644 CVE-2020-1712-3.patch create mode 100644 CVE-2020-1712-4.patch create mode 100644 pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch create mode 100644 sd-journal-close-journal-files-that-were-deleted-by-.patch diff --git a/CVE-2020-1712-1.patch b/CVE-2020-1712-1.patch new file mode 100644 index 0000000..59aa7b8 --- /dev/null +++ b/CVE-2020-1712-1.patch 
@@ -0,0 +1,84 @@ +From 7f56982289275ce84e20f0554475864953e6aaab Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 22 Jan 2020 16:52:10 +0100 +Subject: [PATCH 1610/1760] polkit: on async pk requests, re-validate + action/details + +When we do an async pk request, let's store which action/details we used +for the original request, and when we are called for the second time, +let's compare. If the action/details changed, let's not allow the access +to go through. + +https://github.com/systemd/systemd/commit/7f56982289275ce84e20f0554475864953e6aaab + +--- + src/shared/bus-util.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index ce4ece6..4bfdd3a 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -318,6 +318,9 @@ int bus_test_polkit( + #if ENABLE_POLKIT + + typedef struct AsyncPolkitQuery { ++ char *action; ++ char **details; ++ + sd_bus_message *request, *reply; + sd_bus_message_handler_t callback; + void *userdata; +@@ -338,6 +341,9 @@ static void async_polkit_query_free(AsyncPolkitQuery *q) { + sd_bus_message_unref(q->request); + sd_bus_message_unref(q->reply); + ++ free(q->action); ++ strv_free(q->details); ++ + free(q); + } + +@@ -402,11 +408,17 @@ int bus_verify_polkit_async( + if (q) { + int authorized, challenge; + +- /* This is the second invocation of this function, and +- * there's already a response from polkit, let's +- * process it */ ++ /* This is the second invocation of this function, and there's already a response from ++ * polkit, let's process it */ + assert(q->reply); + ++ /* If the operation we want to authenticate changed between the first and the second time, ++ * let's not use this authentication, it might be out of date as the object and context we ++ * operate on might have changed. 
*/ ++ if (!streq(q->action, action) || ++ !strv_equal(q->details, (char**) details)) ++ return -ESTALE; ++ + if (sd_bus_message_is_method_error(q->reply, NULL)) { + const sd_bus_error *e; + +@@ -512,6 +524,18 @@ int bus_verify_polkit_async( + q->callback = callback; + q->userdata = userdata; + ++ q->action = strdup(action); ++ if (!q->action) { ++ async_polkit_query_free(q); ++ return -ENOMEM; ++ } ++ ++ q->details = strv_copy((char**) details); ++ if (!q->details) { ++ async_polkit_query_free(q); ++ return -ENOMEM; ++ } ++ + r = hashmap_put(*registry, call, q); + if (r < 0) { + async_polkit_query_free(q); +-- +2.19.1 + diff --git a/CVE-2020-1712-2.patch b/CVE-2020-1712-2.patch new file mode 100644 index 0000000..502b86e --- /dev/null +++ b/CVE-2020-1712-2.patch 
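Review bot: In the `@@ -512,6 +524,18 @@` hunk of bus_verify_polkit_async the two ENOMEM branches repeat the same free-and-return sequence; doing both allocations and testing once, `q->action = strdup(action); q->details = strv_copy((char**) details); if (!q->action || !q->details) { async_polkit_query_free(q); return -ENOMEM; }`, keeps a single exit path and still works because the struct is zero-initialized (`new0` in this tree) and the free routine releases both members. The `(char**)` casts on `details` discard its `const`; if strv_copy/strv_equal are non-const by project convention, a short comment saying so would stop the next reader from "fixing" it. The `-ESTALE` return in the first hunk is a new error that callers of this helper can now see and should be listed in the function's documentation along with `-EACCES`. bus_verify_polkit_async begins and ends outside the hunk.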
@@ -0,0 +1,70 @@ +From 1068447e6954dc6ce52f099ed174c442cb89ed54 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 22 Jan 2020 17:05:17 +0100 +Subject: [PATCH 1612/1760] sd-bus: introduce API for re-enqueuing incoming + messages + +When authorizing via PolicyKit we want to process incoming method calls +twice: once to process and figure out that we need PK authentication, +and a second time after we aquired PK authentication to actually execute +the operation. With this new call sd_bus_enqueue_for_read() we have a +way to put an incoming message back into the read queue for this +purpose. + +This might have other uses too, for example debugging. + +https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 + +--- + src/libsystemd/sd-bus/sd-bus.c | 25 +++++++++++++++++++++++++ + src/systemd/sd-bus.h | 1 + + 2 files changed, 26 insertions(+) + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 615346d..05593d1 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -4198,3 +4198,28 @@ _public_ int sd_bus_get_close_on_exit(sd_bus *bus) { + + return bus->close_on_exit; + } ++ ++ ++_public_ int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m) { ++ int r; ++ ++ assert_return(bus, -EINVAL); ++ assert_return(bus = bus_resolve(bus), -ENOPKG); ++ assert_return(m, -EINVAL); ++ assert_return(m->sealed, -EINVAL); ++ assert_return(!bus_pid_changed(bus), -ECHILD); ++ ++ if (!BUS_IS_OPEN(bus->state)) ++ return -ENOTCONN; ++ ++ /* Re-enqeue a message for reading. This is primarily useful for PolicyKit-style authentication, ++ * where we want accept a message, then determine we need to interactively authenticate the user, and ++ * when we have that process the message again. 
*/ ++ ++ r = bus_rqueue_make_room(bus); ++ if (r < 0) ++ return r; ++ ++ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(m, bus); ++ return 0; ++} +diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h +index 84ceb62..2e104f8 100644 +--- a/src/systemd/sd-bus.h ++++ b/src/systemd/sd-bus.h +@@ -201,6 +201,7 @@ int sd_bus_process(sd_bus *bus, sd_bus_message **r); + int sd_bus_process_priority(sd_bus *bus, int64_t max_priority, sd_bus_message **r); + int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec); + int sd_bus_flush(sd_bus *bus); ++int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m); + + sd_bus_slot* sd_bus_get_current_slot(sd_bus *bus); + sd_bus_message* sd_bus_get_current_message(sd_bus *bus); +-- +2.19.1 + diff --git a/CVE-2020-1712-3.patch b/CVE-2020-1712-3.patch new file mode 100644 index 0000000..ecd5d4d --- /dev/null +++ b/CVE-2020-1712-3.patch 
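Review bot: The new public function is spelled `sd_bus_enqeue_for_read` in both sd-bus.c and sd-bus.h, while the commit message calls it `sd_bus_enqueue_for_read()`; an identifier in an installed header is very hard to rename later, so the spelling should be settled before this ships (the comment in the body has the same typo, `Re-enqeue a message`, and `where we want accept a message` should read `where we want to accept a message`). The diffstat touches only sd-bus.c and sd-bus.h and not the library's symbol version script, so if libsystemd exports through a version script this `_public_` function is declared in the header but presumably not exported from the shared object — worth checking against the build. Nothing else in this series calls the function, so the second-pass processing the message describes is not present in the visible patches; if the upstream commit that re-resolves the callback/userdata instead of caching them is not already in this tree, the CVE fix the spec's changelog claims is likely incomplete.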
@@ -0,0 +1,109 @@ +From 95f82ae9d774f3508ce89dcbdd0714ef7385df59 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 22 Jan 2020 16:44:43 +0100 +Subject: [PATCH] polkit: reuse some common bus message appending code + +https://github.com/systemd/systemd/commit/95f82ae9d774f3508ce89dcbdd0714ef7385df59 + +--- + src/shared/bus-util.c | 56 ++++++++++++++++++++++++------------------- + 1 file changed, 32 insertions(+), 24 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index 4bfdd3a..04153d6 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -211,6 +211,34 @@ static int check_good_user(sd_bus_message *m, uid_t good_user) { + return sender_uid == good_user; + } + ++#if ENABLE_POLKIT ++static int bus_message_append_strv_key_value( ++ sd_bus_message *m, ++ const char **l) { ++ ++ const char **k, **v; ++ int r; ++ ++ assert(m); ++ ++ r = sd_bus_message_open_container(m, 'a', "{ss}"); ++ if (r < 0) ++ return r; ++ ++ STRV_FOREACH_PAIR(k, v, l) { ++ r = sd_bus_message_append(m, "{ss}", *k, *v); ++ if (r < 0) ++ return r; ++ } ++ ++ r = sd_bus_message_close_container(m); ++ if (r < 0) ++ return r; ++ ++ return r; ++} ++#endif ++ + int bus_test_polkit( + sd_bus_message *call, + int capability, +@@ -241,7 +269,7 @@ int bus_test_polkit( + _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + int authorized = false, challenge = false; +- const char *sender, **k, **v; ++ const char *sender; + + sender = sd_bus_message_get_sender(call); + if (!sender) +@@ -265,17 +293,7 @@ int bus_test_polkit( + if (r < 0) + return r; + +- r = sd_bus_message_open_container(request, 'a', "{ss}"); +- if (r < 0) +- return r; +- +- STRV_FOREACH_PAIR(k, v, details) { +- r = sd_bus_message_append(request, "{ss}", *k, *v); +- if (r < 0) +- return r; +- } +- +- r = sd_bus_message_close_container(request); ++ r = bus_message_append_strv_key_value(request, details); + if (r < 
0) + return r; + +@@ -388,7 +406,7 @@ int bus_verify_polkit_async( + #if ENABLE_POLKIT + _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL; + AsyncPolkitQuery *q; +- const char *sender, **k, **v; ++ const char *sender; + sd_bus_message_handler_t callback; + void *userdata; + int c; +@@ -498,17 +516,7 @@ int bus_verify_polkit_async( + if (r < 0) + return r; + +- r = sd_bus_message_open_container(pk, 'a', "{ss}"); +- if (r < 0) +- return r; +- +- STRV_FOREACH_PAIR(k, v, details) { +- r = sd_bus_message_append(pk, "{ss}", *k, *v); +- if (r < 0) +- return r; +- } +- +- r = sd_bus_message_close_container(pk); ++ r = bus_message_append_strv_key_value(pk, details); + if (r < 0) + return r; + +-- +2.19.1 + diff --git a/CVE-2020-1712-4.patch b/CVE-2020-1712-4.patch new file mode 100644 index 0000000..17ccb88 --- /dev/null +++ b/CVE-2020-1712-4.patch @@ -0,0 +1,38 @@ +From f4425c72c7395ec93ae00052916a66e2f60f200b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 22 Jan 2020 16:53:59 +0100 +Subject: [PATCH] polkit: use structured initialization + +https://github.com/systemd/systemd/commit/f4425c72c7395ec93ae00052916a66e2f60f200b + +--- + src/shared/bus-util.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index 04153d6..0690a82 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -524,13 +524,15 @@ int bus_verify_polkit_async( + if (r < 0) + return r; + +- q = new0(AsyncPolkitQuery, 1); ++ q = new(AsyncPolkitQuery, 1); + if (!q) + return -ENOMEM; + +- q->request = sd_bus_message_ref(call); +- q->callback = callback; +- q->userdata = userdata; ++ *q = (AsyncPolkitQuery) { ++ .request = sd_bus_message_ref(call), ++ .callback = callback, ++ .userdata = userdata, ++ }; + + q->action = strdup(action); + if (!q->action) { +-- +2.19.1 + 
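Review bot: In `bus_message_append_strv_key_value` the tail `r = sd_bus_message_close_container(m); if (r < 0) return r; return r;` returns `r` on both paths; `return sd_bus_message_close_container(m);` is the same thing in one line. The helper's contract that `l` is a NULL-terminated vector of alternating keys and values is only implied by the `STRV_FOREACH_PAIR` use; a one-line comment on the parameter, `/* l: NULL-terminated strv of alternating keys and values */`, would document it, and what happens with an unpaired trailing key presumably depends on that macro's termination test — confirm. Placing the helper under `#if ENABLE_POLKIT` matches its two callers, which both sit in the polkit-only branches of bus_test_polkit and bus_verify_polkit_async.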
diff --git a/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch new file mode 100644 index 0000000..5b2f120 --- /dev/null +++ b/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch 
@@ -0,0 +1,66 @@ +From bb46b12cbb84411e378cd45f2ac320a9ce53551c Mon Sep 17 00:00:00 2001 +From: openEuler Buildteam +Date: Tue, 10 Mar 2020 21:01:43 +0800 +Subject: [PATCH] pid1 bump DefaultTasksMax to 80% of the kernel pid.max value + +--- + man/systemd-system.conf.xml | 2 +- + src/basic/cgroup-util.h | 4 ++-- + src/core/system.conf.in | 2 +- + units/user-.slice.d/10-defaults.conf | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index e403fa5..afd51ed 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -360,7 +360,7 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller ++ of slice units. Defaults to 80%, which equals 26214 with the kernel's defaults on the host, but might be smaller + in OS containers. 
+ + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index a39ab45..f2f2c09 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -128,8 +128,8 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) { + } + + /* Default resource limits */ +-#define DEFAULT_TASKS_MAX_PERCENTAGE 15U /* 15% of PIDs, 4915 on default settings */ +-#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */ ++#define DEFAULT_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 4915 on default settings */ ++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 10813 on default settings */ + + typedef enum CGroupUnified { + CGROUP_UNIFIED_UNKNOWN = -1, +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 8112125..9e75b14 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -51,7 +51,7 @@ + #DefaultBlockIOAccounting=no + #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=80% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +diff --git a/units/user-.slice.d/10-defaults.conf b/units/user-.slice.d/10-defaults.conf +index c81a00e..3b14c35 100644 +--- a/units/user-.slice.d/10-defaults.conf ++++ b/units/user-.slice.d/10-defaults.conf +@@ -14,4 +14,4 @@ After=systemd-user-sessions.service + StopWhenUnneeded=yes + + [Slice] +-TasksMax=33% ++TasksMax=80% +-- +1.8.3.1 + diff --git a/sd-journal-close-journal-files-that-were-deleted-by-.patch b/sd-journal-close-journal-files-that-were-deleted-by-.patch new file mode 100644 index 0000000..4d6247f --- /dev/null +++ b/sd-journal-close-journal-files-that-were-deleted-by-.patch 
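Review bot: The comments on the two `#define`s in cgroup-util.h still say `4915 on default settings` and `10813 on default settings` after the values were changed to `80U`, whereas the man page hunk was updated to 26214; both should read `/* 80% of PIDs, 26214 on default settings */` or drop the absolute numbers altogether. Raising DefaultTasksMax and the user slice's TasksMax to 80% of pid_max largely removes the containment these limits provide against a runaway service or user session consuming the PID space — two user slices at 80% each already exceed the total — so the trade-off deserves a stated rationale in the commit message or next to `#DefaultTasksMax=80%` in system.conf.in. The `TasksMax=33%` to `80%` change in user-.slice.d is not mentioned in the subject line and affects every user session.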
@@ -0,0 +1,75 @@ +From 28ca867abdb20d0e4ac1901e2ed669cdb41ea3f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Sekleta=CC=81r?= +Date: Tue, 4 Feb 2020 14:23:14 +0100 +Subject: [PATCH] sd-journal: close journal files that were deleted by journald + before we've setup inotify watch +url:https://github.com/systemd/systemd/commit/28ca867abdb20d0e4ac1901e2ed669cdb41ea3f6.patch + +Fixes #14695 +--- + src/journal/journal-file.c | 2 +- + src/journal/journal-file.h | 1 + + src/journal/sd-journal.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c +index 505191999b..bd53635860 100644 +--- a/src/journal/journal-file.c ++++ b/src/journal/journal-file.c +@@ -601,7 +601,7 @@ static int journal_file_verify_header(JournalFile *f) { + return 0; + } + +-static int journal_file_fstat(JournalFile *f) { ++int journal_file_fstat(JournalFile *f) { + int r; + + assert(f); +diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h +index 502f1f567d..cf0f7691fb 100644 +--- a/src/journal/journal-file.h ++++ b/src/journal/journal-file.h +@@ -145,6 +145,7 @@ int journal_file_open( + int journal_file_set_offline(JournalFile *f, bool wait); + bool journal_file_is_offlining(JournalFile *f); + JournalFile* journal_file_close(JournalFile *j); ++int journal_file_fstat(JournalFile *f); + DEFINE_TRIVIAL_CLEANUP_FUNC(JournalFile*, journal_file_close); + + int journal_file_open_reliably( +diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c +index bced8af3e3..3fa98dfda2 100644 +--- a/src/journal/sd-journal.c ++++ b/src/journal/sd-journal.c +@@ -2661,6 +2661,8 @@ _public_ int sd_journal_wait(sd_journal *j, uint64_t timeout_usec) { + assert_return(!journal_pid_changed(j), -ECHILD); + + if (j->inotify_fd < 0) { ++ Iterator i; ++ JournalFile *f; + + /* This is the first invocation, hence create the + * inotify watch */ +@@ -2668,6 +2670,19 @@ _public_ int sd_journal_wait(sd_journal *j, 
uint64_t timeout_usec) { + if (r < 0) + return r; + ++ /* Server might have done some vacuuming while we weren't watching. ++ Get rid of the deleted files now so they don't stay around indefinitely. */ ++ ORDERED_HASHMAP_FOREACH(f, j->files, i) { ++ r = journal_file_fstat(f); ++ if (r < 0) { ++ log_debug_errno(r,"Failed to fstat() journal file '%s' : %m", f->path); ++ continue; ++ } ++ ++ if (f->last_stat.st_nlink <= 0) ++ remove_file_real(j, f); ++ } ++ + /* The journal might have changed since the context + * object was created and we weren't watching before, + * hence don't wait for anything, and return +-- +2.19.1 + diff --git a/systemd.spec b/systemd.spec index b06805f..45ce7a0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 243 -Release: 16 +Release: 17 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -54,6 +54,12 @@ Patch0007: 0001-core-create-or-remove-unit-bus-name-slots-always-together.p Patch0008: 0001-core-drop-initial-ListNames-bus-call-from-PID1.patch Patch0009: 1605-update-rtc-with-system-clock-when-shutdown.patch Patch0010: 1603-udev-add-actions-while-rename-netif-failed.patch +Patch0011: CVE-2020-1712-1.patch +Patch0012: CVE-2020-1712-2.patch +Patch0013: CVE-2020-1712-3.patch +Patch0014: CVE-2020-1712-4.patch +Patch0015: sd-journal-close-journal-files-that-were-deleted-by-.patch +Patch0016: pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch #openEuler Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch @@ -1457,6 +1463,13 @@ fi %exclude /usr/share/man/man3/* %changelog +* Tue Mar 10 2020 openEuler Buildteam - 243-17 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:fix CVE-2020-1712 and close journal files that were deleted by journald + before we've setup inotify watch and bump pim_max to 80% + * Thu Mar 5 2020 openEuler Buildteam - 243-16 - Type:enhancement - ID:NA -- Gitee
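Review bot: In the sd_journal_wait hunk, `log_debug_errno(r,"Failed to fstat() journal file '%s' : %m", f->path)` is missing the space after the comma and has a stray space before the colon; `log_debug_errno(r, "Failed to fstat() journal file '%s': %m", f->path);` matches the file's message style. `f->last_stat.st_nlink <= 0` compares an unsigned `nlink_t` against zero, so `== 0` states the intent more plainly. The loop removes the current entry via `remove_file_real(j, f)` while iterating with `ORDERED_HASHMAP_FOREACH`; that presumably relies on the iterator tolerating removal of the current element — confirm, and a brief comment saying so would help the next reader. sd_journal_wait begins and ends outside the hunk.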
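Review bot: The changelog entry in the `@@ -1457,6 +1463,13 @@` hunk says `bump pim_max to 80%`, but the patch it refers to changes DefaultTasksMax as a percentage of the kernel's pid_max, so `bump DefaultTasksMax to 80% of pid_max` describes what was done; `before we've setup inotify watch` should read `before we've set up the inotify watch`. The entry also omits the user slice change (`TasksMax=33%` to `80%`), which alters behavior for every user session and deserves its own line so administrators reading the changelog can spot it.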