poky/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch - openbmc/openbmc - Gitiles

 From 8ccebb04e07628f7fe10131d6cd4f19d6a0d8f45 Mon Sep 17 00:00:00 2001
 From: Yu Watanabe <watanabe.yu+github@gmail.com>
 Date: Wed, 8 Aug 2018 15:06:36 +0900
 Subject: [PATCH] journal: fix syslog_parse_identifier()

 Fixes #9829.

 An out of bounds read was discovered in systemd-journald in the way it
 parses log messages that terminate with a colon ':'. A local attacker
 can use this flaw to disclose process memory data.

 Patch backported from systemd master at
 a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.

 This matches the change done for systemd-journald, hence forming the first
 part of the fix for CVE-2018-16866.
 ---
  src/journal/journald-syslog.c     |  6 +++---
  src/journal/test-journal-syslog.c | 10 ++++++++--
  2 files changed, 11 insertions(+), 5 deletions(-)

 diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
 index 9dea116722..97711ac7a3 100644
 --- a/src/journal/journald-syslog.c
 +++ b/src/journal/journald-syslog.c
 @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
          e = l;
          l--;

 -        if (p[l-1] == ']') {
 +        if (l > 0 && p[l-1] == ']') {
                  size_t k = l-1;

                  for (;;) {
 @@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
          if (t)
                  *identifier = t;

 -        if (strchr(WHITESPACE, p[e]))
 -                e++;
 +        e += strspn(p + e, WHITESPACE);
 +
          *buf = p + e;
          return e;
  }
 diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c
 index 9ba86f6c8a..05f759817e 100644
 --- a/src/journal/test-journal-syslog.c
 +++ b/src/journal/test-journal-syslog.c
 @@ -5,8 +5,8 @@
  #include "macro.h"
  #include "string-util.h"

 -static void test_syslog_parse_identifier(const char* str,
 -                                         const char *ident, const char*pid, int ret) {
 +static void test_syslog_parse_identifier(const char *str,
 +                                         const char *ident, const char *pid, int ret) {
          const char *buf = str;
          _cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
          int ret2;
 @@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str,
  int main(void) {
          test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
          test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
 +        test_syslog_parse_identifier("pidu:  xxx", "pidu", NULL, 7);
          test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
 +        test_syslog_parse_identifier(":", "", NULL, 1);
 +        test_syslog_parse_identifier(":  ", "", NULL, 3);
 +        test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
 +        test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
 +        test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);

          return 0;
  }
 --
 2.11.0
	From 8ccebb04e07628f7fe10131d6cd4f19d6a0d8f45 Mon Sep 17 00:00:00 2001
	From: Yu Watanabe <watanabe.yu+github@gmail.com>
	Date: Wed, 8 Aug 2018 15:06:36 +0900
	Subject: [PATCH] journal: fix syslog_parse_identifier()

	Fixes #9829.

	An out of bounds read was discovered in systemd-journald in the way it
	parses log messages that terminate with a colon ':'. A local attacker
	can use this flaw to disclose process memory data.

	Patch backported from systemd master at
	a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.

	This matches the change done for systemd-journald, hence forming the first
	part of the fix for CVE-2018-16866.
	---
	src/journal/journald-syslog.c \| 6 +++---
	src/journal/test-journal-syslog.c \| 10 ++++++++--
	2 files changed, 11 insertions(+), 5 deletions(-)

	diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
	index 9dea116722..97711ac7a3 100644
	--- a/src/journal/journald-syslog.c
	+++ b/src/journal/journald-syslog.c
	@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char buf, char identifier, char **pid)
	e = l;
	l--;

	- if (p[l-1] == ']') {
	+ if (l > 0 && p[l-1] == ']') {
	size_t k = l-1;

	for (;;) {
	@@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char buf, char identifier, char **pid)
	if (t)
	*identifier = t;

	- if (strchr(WHITESPACE, p[e]))
	- e++;
	+ e += strspn(p + e, WHITESPACE);
	+
	*buf = p + e;
	return e;
	}
	diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c
	index 9ba86f6c8a..05f759817e 100644
	--- a/src/journal/test-journal-syslog.c
	+++ b/src/journal/test-journal-syslog.c
	@@ -5,8 +5,8 @@
	#include "macro.h"
	#include "string-util.h"

	-static void test_syslog_parse_identifier(const char* str,
	- const char ident, const charpid, int ret) {
	+static void test_syslog_parse_identifier(const char *str,
	+ const char ident, const char pid, int ret) {
	const char *buf = str;
	_cleanup_free_ char ident2 = NULL, pid2 = NULL;
	int ret2;
	@@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str,
	int main(void) {
	test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
	test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
	+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7);
	test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
	+ test_syslog_parse_identifier(":", "", NULL, 1);
	+ test_syslog_parse_identifier(": ", "", NULL, 3);
	+ test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
	+ test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
	+ test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);

	return 0;
	}
	--
	2.11.0