[AUTOPATCHER-CORE] systemd add patch to address CVE-2022-45873 - (#4451)

* systemd: add patch to address CVE-2022-45873

* Add prereq patch, also update bootstrap

* Add additional prereq patch

Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
CBL-Mariner-Bot 2022-12-14 14:40:24 -08:00 коммит произвёл GitHub
Родитель 8cd9b00d73
Коммит 52cb0f9c6f
5 изменённых файлов: 272 добавлений и 10 удалений


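--- /dev/null
+++ b/[path not shown]/CVE-2022-45873.patch
@@ -0,0 +1,252 @@
+From 7922ead507e0d83e4ec72a8cbd2b67194766e58c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 18 Oct 2022 18:09:06 +0200
+Subject: [PATCH] shared/json: allow json_variant_dump() to return an error
+---
+src/shared/json.c | 7 ++++---
+src/shared/json.h | 2 +-
+2 files changed, 5 insertions(+), 4 deletions(-)
+diff --git a/src/shared/json.c b/src/shared/json.c
+index 950be9485d58..baa468c6974e 100644
+--- a/src/shared/json.c
++++ b/src/shared/json.c
+@@ -1785,9 +1785,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
+return (int) sz - 1;
+}
+-void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
++int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
+if (!v)
+- return;
++ return 0;
+if (!f)
+f = stdout;
+@@ -1813,7 +1813,8 @@ void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const cha
+fputc('\n', f); /* In case of SSE add a second newline */
+if (flags & JSON_FORMAT_FLUSH)
+- fflush(f);
++ return fflush_and_check(f);
++ return 0;
+}
+int json_variant_filter(JsonVariant **v, char **to_remove) {
+diff --git a/src/shared/json.h b/src/shared/json.h
+index 1992170ed7c2..5993e05299c6 100644
+--- a/src/shared/json.h
++++ b/src/shared/json.h
+@@ -197,7 +197,7 @@ typedef enum JsonFormatFlags {
+} JsonFormatFlags;
+int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret);
+-void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
++int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
+int json_variant_filter(JsonVariant **v, char **to_remove);
+From 87a16eb8b54002a49f12944fc09ce45d0cbadf45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 19 Oct 2022 08:41:13 +0200
+Subject: [PATCH] shared/json: use different return code for empty input
+It is useful to distinguish if json_parse_file() got no input or invalid input.
+Use different return codes for the two cases.
+---
+src/shared/elf-util.c | 2 +-
+src/shared/json.c | 6 ++++--
+src/test/test-json.c | 18 ++++++++++++++++++
+3 files changed, 23 insertions(+), 3 deletions(-)
+diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
+index c0f540abc50a..83721ff787ea 100644
+--- a/src/shared/elf-util.c
++++ b/src/shared/elf-util.c
+@@ -859,7 +859,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
+return -errno;
+r = json_parse_file(json_in, NULL, 0, &package_metadata, NULL, NULL);
+- if (r < 0 && r != -EINVAL) /* EINVAL: json was empty, so we got nothing, but that's ok */
++ if (r < 0 && r != -ENODATA) /* ENODATA: json was empty, so we got nothing, but that's ok */
+return r;
+}
+diff --git a/src/shared/json.c b/src/shared/json.c
+index baa468c6974e..eda7bb19563e 100644
+--- a/src/shared/json.c
++++ b/src/shared/json.c
+@@ -3187,7 +3187,6 @@ int json_parse_continue(const char **p, JsonParseFlags flags, JsonVariant **ret,
+int json_parse_file_at(FILE *f, int dir_fd, const char *path, JsonParseFlags flags, JsonVariant **ret, unsigned *ret_line, unsigned *ret_column) {
+_cleanup_(json_source_unrefp) JsonSource *source = NULL;
+_cleanup_free_ char *text = NULL;
+- const char *p;
+int r;
+if (f)
+@@ -3199,13 +3198,16 @@ int json_parse_file_at(FILE *f, int dir_fd, const char *path, JsonParseFlags fla
+if (r < 0)
+return r;
++ if (isempty(text))
++ return -ENODATA;
++
+if (path) {
+source = json_source_new(path);
+if (!source)
+return -ENOMEM;
+}
+- p = text;
++ const char *p = text;
+return json_parse_internal(&p, source, flags, ret, ret_line, ret_column, false);
+}
+diff --git a/src/test/test-json.c b/src/test/test-json.c
+index 3563d004c8fa..946c827ccf00 100644
+--- a/src/test/test-json.c
++++ b/src/test/test-json.c
+@@ -344,6 +344,24 @@ TEST(build) {
+assert_se(json_variant_equal(a, b));
+}
++TEST(json_parse_file_empty) {
++ _cleanup_fclose_ FILE *f = NULL;
++ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
++
++ assert_se(fopen_unlocked("/dev/null", "re", &f) >= 0);
++ assert_se(json_parse_file(f, "waldo", 0, &v, NULL, NULL) == -ENODATA);
++ assert_se(v == NULL);
++}
++
++TEST(json_parse_file_invalid) {
++ _cleanup_fclose_ FILE *f = NULL;
++ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
++
++ assert_se(f = fmemopen_unlocked((void*) "kookoo", 6, "r"));
++ assert_se(json_parse_file(f, "waldo", 0, &v, NULL, NULL) == -EINVAL);
++ assert_se(v == NULL);
++}
++
+TEST(source) {
+static const char data[] =
+"\n"
+From 076b807be472630692c5348c60d0c2b7b28ad437 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 18 Oct 2022 18:23:53 +0200
+Subject: [PATCH] coredump: avoid deadlock when passing processed backtrace
+data
+We would deadlock when passing the data back from the forked-off process that
+was doing backtrace generation back to the coredump parent. This is because we
+fork the child and wait for it to exit. The child tries to write too much data
+to the output pipe, and and after the first 64k blocks on the parent because
+the pipe is full. The bug surfaced in Fedora because of a combination of four
+factors:
+- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which
+allowed coredump processing to be successful.
+- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output
+was very verbose.
+- Fedora has the ELF package metadata available, so a lot of output can be
+generated. Most other distros just don't have the information.
+- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output
+are generated for it.
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778.
+The code is changed to try to write data opportunistically. If we get partial
+information, that is still logged. In is generally better to log partial
+backtrace information than nothing at all.
+---
+src/shared/elf-util.c | 37 +++++++++++++++++++++++++++++++------
+1 file changed, 31 insertions(+), 6 deletions(-)
+diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
+index 83721ff787ea..181735409d42 100644
+--- a/src/shared/elf-util.c
++++ b/src/shared/elf-util.c
+@@ -30,6 +30,9 @@
+#define THREADS_MAX 64
+#define ELF_PACKAGE_METADATA_ID 0xcafe1a7e
++/* The amount of data we're willing to write to each of the output pipes. */
++#define COREDUMP_PIPE_MAX (1024*1024U)
++
+static void *dw_dl = NULL;
+static void *elf_dl = NULL;
+@@ -759,13 +762,13 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
+return r;
+if (ret) {
+- r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC));
++ r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC|O_NONBLOCK));
+if (r < 0)
+return r;
+}
+if (ret_package_metadata) {
+- r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC));
++ r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC|O_NONBLOCK));
+if (r < 0)
+return r;
+}
+@@ -809,8 +812,24 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
+goto child_fail;
+if (buf) {
+- r = loop_write(return_pipe[1], buf, strlen(buf), false);
+- if (r < 0)
++ size_t len = strlen(buf);
++
++ if (len > COREDUMP_PIPE_MAX) {
++ /* This is iffy. A backtrace can be a few hundred kilobytes, but too much is
++ * too much. Let's log a warning and ignore the rest. */
++ log_warning("Generated backtrace is %zu bytes (more than the limit of %u bytes), backtrace will be truncated.",
++ len, COREDUMP_PIPE_MAX);
++ len = COREDUMP_PIPE_MAX;
++ }
++
++ /* Bump the space for the returned string.
++ * Failure is ignored, because partial output is still useful. */
++ (void) fcntl(return_pipe[1], F_SETPIPE_SZ, len);
++
++ r = loop_write(return_pipe[1], buf, len, false);
++ if (r == -EAGAIN)
++ log_warning("Write failed, backtrace will be truncated.");
++ else if (r < 0)
+goto child_fail;
+return_pipe[1] = safe_close(return_pipe[1]);
+@@ -819,13 +838,19 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
+if (package_metadata) {
+_cleanup_fclose_ FILE *json_out = NULL;
++ /* Bump the space for the returned string. We don't know how much space we'll need in
++ * advance, so we'll just try to write as much as possible and maybe fail later. */
++ (void) fcntl(json_pipe[1], F_SETPIPE_SZ, COREDUMP_PIPE_MAX);
++
+json_out = take_fdopen(&json_pipe[1], "w");
+if (!json_out) {
+r = -errno;
+goto child_fail;
+}
+- json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
++ r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
++ if (r < 0)
++ log_warning_errno(r, "Failed to write JSON package metadata, ignoring: %m");
+}
+_exit(EXIT_SUCCESS);
+@@ -860,7 +885,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
+r = json_parse_file(json_in, NULL, 0, &package_metadata, NULL, NULL);
+if (r < 0 && r != -ENODATA) /* ENODATA: json was empty, so we got nothing, but that's ok */
+- return r;
++ log_warning_errno(r, "Failed to read or parse json metadata, ignoring: %m");
+}
+if (ret)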
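Review bot: The O_NONBLOCK added to both pipe2() calls in the third bundled patch is set on the read ends as well as the write ends, so the parent's reads of return_pipe[0] and json_pipe[0] can fail with EAGAIN if they ever run before the child has finished writing; the parent-side read code is outside the hunks, and this is only safe if the parent waits for the child to exit before reading, as the upstream description states — worth confirming in the 250.3 tree, since these commits were written against a newer source. The truncation at `len = COREDUMP_PIPE_MAX;` cuts the backtrace at an arbitrary byte, which can split a line or a multi-byte character; the warning makes this visible, but a comment such as `/* may cut mid-line; the consumer only logs the text */` next to it would record why that is acceptable. The first patch changes json_variant_dump() from void to int, so any other callers of it in this tree that are not touched here now silently ignore a return value; a quick grep before merging would settle that. parse_elf_object() starts and ends outside every hunk shown.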


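--- a/[path not shown]/systemd-bootstrap.spec
+++ b/[path not shown]/systemd-bootstrap.spec
@@ -1,7 +1,7 @@
 Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name: systemd-bootstrap
 Version: 250.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: LGPLv2+ AND GPLv2+ AND MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -20,6 +20,8 @@ Patch1: add-fsync-sysusers-passwd.patch
 Patch2: gpt-auto-devno-not-determined.patch
 # Patch3 can be removed once we update to major version 251 or higher:
 Patch3: CVE-2022-3821.patch
+# Patch4 can be removed once we update to version 252
+Patch4: CVE-2022-45873.patch
 BuildRequires: docbook-dtd-xml
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
@@ -239,6 +241,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 %changelog
+* Wed Dec 14 2022 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 250.3-10
+- Add patch for CVE-2022-45873
 * Wed Nov 29 2022 Daniel McIlvaney <damcilva@microsoft.com> - 250.3-9
 - Conditionally run systemctl preset-all only when first installing systemd, not on upgrades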
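Review bot: The comment above `Patch4: CVE-2022-45873.patch` records only the removal condition, while the patch file bundles three upstream commits (7922ead507e0, 87a16eb8b540, 076b807be472) of which only the last is the CVE fix; anyone auditing the backport later has to open the patch to learn that two of them are prerequisites that change json_parse_file()'s return code and json_variant_dump()'s signature. I would extend the comment to `# Patch4 can be removed once we update to version 252 (backport of upstream 7922ead507e0, 87a16eb8b540, 076b807be472; the first two are prerequisites)`. The same applies to the identical comment in the second spec section below (Name: systemd).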


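--- a/[path not shown]/systemd.spec
+++ b/[path not shown]/systemd.spec
@@ -1,7 +1,7 @@
 Summary: Systemd-250
 Name: systemd
 Version: 250.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: LGPLv2+ AND GPLv2+ AND MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -20,6 +20,8 @@ Patch1: add-fsync-sysusers-passwd.patch
 Patch2: gpt-auto-devno-not-determined.patch
 # Patch3 can be removed once we update to major version 251 or higher:
 Patch3: CVE-2022-3821.patch
+# Patch4 can be removed once we update to version 252
+Patch4: CVE-2022-45873.patch
 BuildRequires: cryptsetup-devel
 BuildRequires: docbook-dtd-xml
 BuildRequires: docbook-style-xsl
@@ -269,6 +271,9 @@ fi
 %files lang -f %{name}.lang
 %changelog
+* Wed Dec 14 2022 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 250.3-12
+- Add patch for CVE-2022-45873
 * Wed Nov 29 2022 Daniel McIlvaney <damcilva@microsoft.com> - 250.3-11
 - Conditionally run systemctl preset-all only when first installing systemd, not on upgrades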


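--- a/[path not shown: aarch64 rpm manifest]
+++ b/[path not shown: aarch64 rpm manifest]
@@ -548,10 +548,10 @@ sqlite-devel-3.39.2-2.cm2.aarch64.rpm
 sqlite-libs-3.39.2-2.cm2.aarch64.rpm
 swig-4.0.2-3.cm2.aarch64.rpm
 swig-debuginfo-4.0.2-3.cm2.aarch64.rpm
-systemd-bootstrap-250.3-9.cm2.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-9.cm2.aarch64.rpm
-systemd-bootstrap-devel-250.3-9.cm2.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-9.cm2.noarch.rpm
+systemd-bootstrap-250.3-10.cm2.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-10.cm2.aarch64.rpm
+systemd-bootstrap-devel-250.3-10.cm2.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-10.cm2.noarch.rpm
 tar-1.34-1.cm2.aarch64.rpm
 tar-debuginfo-1.34-1.cm2.aarch64.rpm
 tdnf-3.2.2-4.cm2.aarch64.rpm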


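--- a/[path not shown: x86_64 rpm manifest]
+++ b/[path not shown: x86_64 rpm manifest]
@@ -548,10 +548,10 @@ sqlite-devel-3.39.2-2.cm2.x86_64.rpm
 sqlite-libs-3.39.2-2.cm2.x86_64.rpm
 swig-4.0.2-3.cm2.x86_64.rpm
 swig-debuginfo-4.0.2-3.cm2.x86_64.rpm
-systemd-bootstrap-250.3-9.cm2.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-9.cm2.x86_64.rpm
-systemd-bootstrap-devel-250.3-9.cm2.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-9.cm2.noarch.rpm
+systemd-bootstrap-250.3-10.cm2.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-10.cm2.x86_64.rpm
+systemd-bootstrap-devel-250.3-10.cm2.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-10.cm2.noarch.rpm
 tar-1.34-1.cm2.x86_64.rpm
 tar-debuginfo-1.34-1.cm2.x86_64.rpm
 tdnf-3.2.2-4.cm2.x86_64.rpm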