Overview

File 0002-journald-set-a-limit-on-the-number-of-fields-1k.patch of Package systemd.9833

From 4fc5042eb3e38c2a5d8bdb7351a81fa9ecf7c7f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 22:45:02 +0100
Subject: [PATCH 2/4] journald: set a limit on the number of fields (1k)

We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.

CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861

What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.

[fbui: adjust context]
[fbui: fixes bsc#1120323]
[fbui: fixes CVE-2018-16865]
---
 src/journal/journald-native.c | 4 ++++
 src/journal/journald-native.h | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index 69a685c06f..618de68b59 100644
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -140,6 +140,10 @@ void server_process_native_message(
                 }
 
                 /* A property follows */
+                if (n > ENTRY_FIELD_COUNT_MAX) {
+                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
+                        goto finish;
+                }
 
                 /* n existing properties, 1 new, +1 for _TRANSPORT */
                 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
diff --git a/src/journal/journald-native.h b/src/journal/journald-native.h
index 2f9d458fb5..47573b2d8b 100644
--- a/src/journal/journald-native.h
+++ b/src/journal/journald-native.h
@@ -28,6 +28,9 @@
 #define ENTRY_SIZE_MAX (1024*1024*770u)
 #define DATA_SIZE_MAX (1024*1024*768u)
 
+/* The maximum number of fields in an entry */
+#define ENTRY_FIELD_COUNT_MAX 1024
+
 bool valid_user_field(const char *p, size_t l, bool allow_protected);
 
 void server_process_native_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const struct timeval *tv, const char *label, size_t label_len);
-- 
2.19.0
openSUSE Build Service is sponsored by
Places