| From 8ccebb04e07628f7fe10131d6cd4f19d6a0d8f45 Mon Sep 17 00:00:00 2001 |
| From: Yu Watanabe <watanabe.yu+github@gmail.com> |
| Date: Wed, 8 Aug 2018 15:06:36 +0900 |
| Subject: [PATCH] journal: fix syslog_parse_identifier() |
| |
| Fixes #9829. |
| |
| An out of bounds read was discovered in systemd-journald in the way it |
| parses log messages that terminate with a colon ':'. A local attacker |
| can use this flaw to disclose process memory data. |
| |
| Patch backported from systemd master at |
| a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. |
| |
| This matches the change done for systemd-journald, hence forming the first |
| part of the fix for CVE-2018-16866. |
| --- |
| src/journal/journald-syslog.c | 6 +++--- |
| src/journal/test-journal-syslog.c | 10 ++++++++-- |
| 2 files changed, 11 insertions(+), 5 deletions(-) |
| |
| diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c |
| index 9dea116722..97711ac7a3 100644 |
| --- a/src/journal/journald-syslog.c |
| +++ b/src/journal/journald-syslog.c |
| @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| e = l; |
| l--; |
| |
| - if (p[l-1] == ']') { |
| + if (l > 0 && p[l-1] == ']') { |
| size_t k = l-1; |
| |
| for (;;) { |
| @@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| if (t) |
| *identifier = t; |
| |
| - if (strchr(WHITESPACE, p[e])) |
| - e++; |
| + e += strspn(p + e, WHITESPACE); |
| + |
| *buf = p + e; |
| return e; |
| } |
| diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c |
| index 9ba86f6c8a..05f759817e 100644 |
| --- a/src/journal/test-journal-syslog.c |
| +++ b/src/journal/test-journal-syslog.c |
| @@ -5,8 +5,8 @@ |
| #include "macro.h" |
| #include "string-util.h" |
| |
| -static void test_syslog_parse_identifier(const char* str, |
| - const char *ident, const char*pid, int ret) { |
| +static void test_syslog_parse_identifier(const char *str, |
| + const char *ident, const char *pid, int ret) { |
| const char *buf = str; |
| _cleanup_free_ char *ident2 = NULL, *pid2 = NULL; |
| int ret2; |
| @@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str, |
| int main(void) { |
| test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11); |
| test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6); |
| + test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7); |
| test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0); |
| + test_syslog_parse_identifier(":", "", NULL, 1); |
| + test_syslog_parse_identifier(": ", "", NULL, 3); |
| + test_syslog_parse_identifier("pidu:", "pidu", NULL, 5); |
| + test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6); |
| + test_syslog_parse_identifier("pidu : ", NULL, NULL, 0); |
| |
| return 0; |
| } |
| -- |
| 2.11.0 |
| |