Brad Bishop | f8caae3 | 2019-03-25 13:13:56 -0400 | 1 | From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 |
| 2 | From: Filipe Brandenburger <filbranden@google.com> |
| 3 | Date: Thu, 10 Jan 2019 14:53:33 -0800 |
| 4 | Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 |
| 5 | |
| 6 | The original code didn't account for the fact that strchr() would match on the |
| 7 | '\0' character, making it read past the end of the buffer if no non-whitespace |
| 8 | character was present. |
| 9 | |
| 10 | This bug was introduced in commit ec5ff4445cca6a which was first released in |
| 11 | systemd v221 and later fixed in commit 8595102d3ddde6 which was released in |
| 12 | v240, so versions in the range [v221, v240) are affected. |
| 13 | |
| 14 | Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b |
| 15 | also includes a change from systemd master which removes a heap buffer overflow |
| 16 | a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. |
| 17 | |
| 18 | CVE: CVE-2018-16866 |
| 19 | Upstream-Status: Backport |
| 20 | Signed-off-by: Marcus Cooper <marcusc@axis.com> |
| 21 | --- |
| 22 | src/journal/journald-syslog.c | 4 ++-- |
| 23 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 24 | |
| 25 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c |
| 26 | index 9dea116722..809b318c06 100644 |
| 27 | --- a/src/journal/journald-syslog.c |
| 28 | +++ b/src/journal/journald-syslog.c |
| 29 | @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| 30 | e = l; |
| 31 | l--; |
| 32 | |
| 33 | - if (p[l-1] == ']') { |
| 34 | + if (l > 0 && p[l-1] == ']') { |
| 35 | size_t k = l-1; |
| 36 | |
| 37 | for (;;) { |
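Review bot: the `l > 0 &&` guard added to the `if (p[l-1] == ']')` test is needed because the `l--` two lines above can take `l` to zero (a token consisting of nothing but the trailing ':'), after which `p[l-1]` indexes one byte before the start of the token; this is the heap buffer over-read the commit message attributes to a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. With the guard in place the `size_t k = l-1;` inside the block is also safe, since it can no longer wrap to SIZE_MAX. Worth stating that second consequence in the commit message, since the guard protects both lines.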
| 38 | @@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| 39 | if (t) |
| 40 | *identifier = t; |
| 41 | |
| 42 | - if (strchr(WHITESPACE, p[e])) |
| 43 | + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) |
| 44 | e++; |
| 45 | *buf = p + e; |
| 46 | return e; |
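Review bot: the `p[e] != '\0' &&` prefix is the actual CVE-2018-16866 fix: strchr() counts the terminating NUL as part of the searched string, so the old `strchr(WHITESPACE, p[e])` returned non-NULL when `p[e]` was already the end of the line, `e++` then advanced one past the terminator, and `*buf = p + e` handed the caller a pointer beyond the buffer. Suggest a one-line comment above the test saying why the explicit NUL check is there, because `strchr(WHITESPACE, c)` on a possibly-terminating character is an easy pattern to reintroduce elsewhere in the parser.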
| 47 | -- |
| 48 | 2.11.0 |
| 49 | |
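To make the two defects concrete, here is an added example that is not part of the patch or of systemd: a small C model of the parser tail, with the unpatched and patched forms of each check side by side. The `WHITESPACE` set and the token lookup (`strcspn` followed by a trailing ':' test) are assumptions taken from the shape of the function, since the page shows only the changed lines; the sample lines are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed: the separator set the parser uses. The hunk references the
 * WHITESPACE macro but its definition is not on the page. */
#define WHITESPACE " \t\n\r"

/* The pitfall behind CVE-2018-16866: strchr() includes the terminator in the
 * searched string, so for c == '\0' this returns true. */
bool is_whitespace_naive(char c) {
        return strchr(WHITESPACE, c) != NULL;
}

/* The patched form: the terminator is never a separator. */
bool is_whitespace_safe(char c) {
        return c != '\0' && strchr(WHITESPACE, c) != NULL;
}

/* Models the second hunk. e is the offset just after the "ident:" token; the
 * code skips one separator and returns the offset the caller resumes at.
 * A result greater than strlen(p) means the caller is handed a pointer one
 * past the terminator, i.e. an out-of-bounds read on its next access. */
size_t skip_separator_naive(const char *p, size_t e) {
        if (is_whitespace_naive(p[e]))
                e++;
        return e;
}

size_t skip_separator_safe(const char *p, size_t e) {
        if (is_whitespace_safe(p[e]))
                e++;
        return e;
}

/* The terminator itself is a legal place to stop; one past it is not. */
bool offset_in_bounds(const char *p, size_t off) {
        return off <= strlen(p);
}

/* Models the first hunk. The token lookup is assumed from the surrounding
 * upstream function; the page shows only "e = l; l--;" followed by the
 * p[l-1] == ']' test. Returns true when the check would evaluate p[l-1]
 * with l == 0, i.e. read the byte before the token. */
bool reads_before_token(const char *p, bool guarded) {
        size_t l = strcspn(p, WHITESPACE);
        if (l == 0 || p[l-1] != ':')
                return false;          /* not an identifier; parser returns early */
        l--;                           /* drop the ':' */
        if (guarded && l == 0)
                return false;          /* patched: "l > 0 &&" short-circuits */
        return l == 0;                 /* unpatched: p[l-1] is p[-1] */
}

int main(void) {
        /* Constructed sample: an identifier with nothing after the ':' */
        const char *line = "systemd:";
        size_t e = strlen(line);
        size_t naive = skip_separator_naive(line, e);
        size_t safe = skip_separator_safe(line, e);

        printf("naive skip -> offset %zu, in bounds: %d\n", naive, offset_in_bounds(line, naive));
        printf("safe  skip -> offset %zu, in bounds: %d\n", safe, offset_in_bounds(line, safe));
        printf("\":\" alone, unguarded reads before token: %d; guarded: %d\n",
               reads_before_token(":", false), reads_before_token(":", true));
        return 0;
}
```

The model returns offsets rather than dereferencing them, so it demonstrates where each unpatched check would step outside the buffer without itself performing the out-of-bounds access; a sanitizer build of the real parser is the way to observe the actual read.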