poky/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch - openbmc/openbmc - Gitiles

 From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Wed, 5 Dec 2018 22:45:02 +0100
 Subject: [PATCH] journald: set a limit on the number of fields (1k)

 We allocate a iovec entry for each field, so with many short entries,
 our memory usage and processing time can be large, even with a relatively
 small message size. Let's refuse overly long entries.

 CVE-2018-16865
 https://bugzilla.redhat.com/show_bug.cgi?id=1653861

 What from I can see, the problem is not from an alloca, despite what the CVE
 description says, but from the attack multiplication that comes from creating
 many very small iovecs: (void* + size_t) for each three bytes of input message.

 Patch backported from systemd master at
 052c57f132f04a3cf4148f87561618da1a6908b4.
 ---
  src/basic/journal-importer.h  | 3 +++
  src/journal/journald-native.c | 5 +++++
  2 files changed, 8 insertions(+)

 diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
 index f49ce734a1..c4ae45d32d 100644
 --- a/src/basic/journal-importer.h
 +++ b/src/basic/journal-importer.h
 @@ -16,6 +16,9 @@
  #define DATA_SIZE_MAX (1024*1024*768u)
  #define LINE_CHUNK 8*1024u

 +/* The maximum number of fields in an entry */
 +#define ENTRY_FIELD_COUNT_MAX 1024
 +
  struct iovec_wrapper {
          struct iovec *iovec;
          size_t size_bytes;
 diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
 index 5ff22a10af..951d092053 100644
 --- a/src/journal/journald-native.c
 +++ b/src/journal/journald-native.c
 @@ -140,6 +140,11 @@ static int server_process_entry(
                  }

                  /* A property follows */
 +                if (n > ENTRY_FIELD_COUNT_MAX) {
 +                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
 +                        r = 1;
 +                        goto finish;
 +                }

                  /* n existing properties, 1 new, +1 for _TRANSPORT */
                  if (!GREEDY_REALLOC(iovec, m,
 --
 2.11.0
	From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001
	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
	Date: Wed, 5 Dec 2018 22:45:02 +0100
	Subject: [PATCH] journald: set a limit on the number of fields (1k)

	We allocate a iovec entry for each field, so with many short entries,
	our memory usage and processing time can be large, even with a relatively
	small message size. Let's refuse overly long entries.

	CVE-2018-16865
	https://bugzilla.redhat.com/show_bug.cgi?id=1653861

	What from I can see, the problem is not from an alloca, despite what the CVE
	description says, but from the attack multiplication that comes from creating
	many very small iovecs: (void* + size_t) for each three bytes of input message.

	Patch backported from systemd master at
	052c57f132f04a3cf4148f87561618da1a6908b4.
	---
	src/basic/journal-importer.h \| 3 +++
	src/journal/journald-native.c \| 5 +++++
	2 files changed, 8 insertions(+)

	diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
	index f49ce734a1..c4ae45d32d 100644
	--- a/src/basic/journal-importer.h
	+++ b/src/basic/journal-importer.h
	@@ -16,6 +16,9 @@
	#define DATA_SIZE_MAX (10241024768u)
	#define LINE_CHUNK 8*1024u

	+/* The maximum number of fields in an entry */
	+#define ENTRY_FIELD_COUNT_MAX 1024
	+
	struct iovec_wrapper {
	struct iovec *iovec;
	size_t size_bytes;
	diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
	index 5ff22a10af..951d092053 100644
	--- a/src/journal/journald-native.c
	+++ b/src/journal/journald-native.c
	@@ -140,6 +140,11 @@ static int server_process_entry(
	}

	/* A property follows */
	+ if (n > ENTRY_FIELD_COUNT_MAX) {
	+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
	+ r = 1;
	+ goto finish;
	+ }

	/* n existing properties, 1 new, +1 for _TRANSPORT */
	if (!GREEDY_REALLOC(iovec, m,
	--
	2.11.0