Brad Bishop | 977dc1a | 2019-02-06 16:01:43 -0500 | [diff] [blame] | 1 | From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 |
| 2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> |
| 3 | Date: Wed, 5 Dec 2018 22:45:02 +0100 |
| 4 | Subject: [PATCH] journald: set a limit on the number of fields (1k) |
| 5 | |
| 6 | We allocate a iovec entry for each field, so with many short entries, |
| 7 | our memory usage and processing time can be large, even with a relatively |
| 8 | small message size. Let's refuse overly long entries. |
| 9 | |
| 10 | CVE-2018-16865 |
| 11 | https://bugzilla.redhat.com/show_bug.cgi?id=1653861 |
| 12 | |
| 13 | From what I can see, the problem is not from an alloca, despite what the CVE |
| 14 | description says, but from the attack multiplication that comes from creating |
| 15 | many very small iovecs: (void* + size_t) for each three bytes of input message. |
| 16 | |
| 17 | Patch backported from systemd master at |
| 18 | 052c57f132f04a3cf4148f87561618da1a6908b4. |
| 19 | --- |
| 20 | src/basic/journal-importer.h | 3 +++ |
| 21 | src/journal/journald-native.c | 5 +++++ |
| 22 | 2 files changed, 8 insertions(+) |
| 23 | |
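--- a/src/basic/journal-importer.h
+++ b/src/basic/journal-importer.h
@@ -16,6 +16,9 @@
 #define DATA_SIZE_MAX (1024*1024*768u)
 #define LINE_CHUNK 8*1024u
 
+/* The maximum number of fields in an entry */
+#define ENTRY_FIELD_COUNT_MAX 1024
+
 struct iovec_wrapper {
 struct iovec *iovec;
 size_t size_bytes;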
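--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -140,6 +140,11 @@ static int server_process_entry(
 }
 
 /* A property follows */
+ if (n > ENTRY_FIELD_COUNT_MAX) {
+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
+ r = 1;
+ goto finish;
+ }
 
 /* n existing properties, 1 new, +1 for _TRANSPORT */
 if (!GREEDY_REALLOC(iovec, m,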
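Review bot: The guard `if (n > ENTRY_FIELD_COUNT_MAX)` in server_process_entry only trips once n has reached 1025, so an entry with 1025 fields is still accepted although the log text says entries with more than 1024 fields are ignored; if n counts the fields parsed so far, as the `n existing properties` comment suggests, `if (n >= ENTRY_FIELD_COUNT_MAX)` would make the cap match its name. The check also landed between `/* A property follows */` and the GREEDY_REALLOC that comment described, so I would move that comment below the new block and head the block with `/* Refuse entries with too many fields, to bound iovec growth (CVE-2018-16865) */`. Because the rejection is reported only through log_debug, a client that repeatedly hits the limit will probably go unnoticed at default log levels; a higher-priority or rate-limited message would help detection. The function body starts and ends outside the hunk, so what `r = 1` means at `finish` cannot be confirmed from here.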
| 54 | -- |
| 55 | 2.11.0 |
| 56 | |