From 4b0ebd414553f9ccab85dfd708bf808127da505f Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 16 Jan 2019 10:24:56 +0100
Subject: [PATCH] journald: free cmdline buffers owned by iovec
Resolves: #1666646
[msekleta: this is a followup for the fix of CVE-2018-16864. While
backporting upstream changes I've accidentally dropped the automatic
cleanup of the cmdline buffers. Technically speaking similar issue is in
coredump.c too, but after we dispatch iovec buffer in coredump.c we
immediately exit so allocated memory is reclaimed by the kernel.]
---
src/journal/journald-server.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index c35858247b..88d8f3e41d 100644
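--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -738,6 +738,7 @@ static void dispatch_message_real(
 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
 uid_t object_uid;
 gid_t object_gid;
 char *x;
@@ -790,7 +791,7 @@ static void dispatch_message_real(
 if (r >= 0) {
 /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
 * Let's use a heap allocation for this one. */
- set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
+ cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
 }
 
 r = get_process_capeff(ucred->pid, &t);
@@ -916,7 +917,7 @@ static void dispatch_message_real(
 
 r = get_process_cmdline(object_pid, 0, false, &t);
 if (r >= 0)
- set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
+ cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
 
 #ifdef HAVE_AUDIT
 r = audit_session_from_pid(object_pid, &audit);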
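Review bot: The new declaration `_cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;` in the first hunk does not say what the two pointers own or how long they must stay alive, and that ownership rule is what the original backport got wrong. I would add a comment above it such as `/* Heap buffers backing the _CMDLINE= and OBJECT_CMDLINE= iovec entries; freed on return, so iovec must not be used after this function. */`. The rest of dispatch_message_real lies outside these hunks, so it is worth confirming that the iovec is fully consumed before the function returns and that neither assignment can run twice, which would leak the earlier buffer. The declaration of set_iovec_field_free is not shown; if it is not already marked `__attribute__((warn_unused_result))`, adding that would make the compiler flag any caller that discards the returned buffer. That matters because this path can allocate up to _SC_ARG_MAX per message in a long-running daemon.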