From cbf4d0c470ef739125fe0f905cc3d66787adb24c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 18:38:39 +0100
Subject: [PATCH 1/1] journald: do not store the iovec entry for process
commandline on stack
This fixes a crash where we would read the commandline, whose length is under
control of the sending program, and then crash when trying to create a stack
allocation for it.
CVE-2018-16864
https://bugzilla.redhat.com/show_bug.cgi?id=1653855
The message actually doesn't get written to disk, because
journal_file_append_entry() returns -E2BIG.
[fbui: stripped the original fix to its minimal form while backporting to v210]
[fbui: fixes bsc#1120323]
[fbui: fixes CVE-2018-16864]
---
src/journal/journald-server.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 4b1e0056eb..247448131a 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -558,6 +558,7 @@ static void dispatch_message_real(
o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
uid_t object_uid;
gid_t object_gid;
char *x;
@@ -608,9 +609,12 @@ static void dispatch_message_real(
r = get_process_cmdline(ucred->pid, 0, false, &t);
if (r >= 0) {
- x = strappenda("_CMDLINE=", t);
+ /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
+ * Let's use a heap allocation for this one. */
+ cmdline1 = strappend("_CMDLINE=", t);
free(t);
- IOVEC_SET_STRING(iovec[n++], x);
+ if (cmdline1)
+ IOVEC_SET_STRING(iovec[n++], cmdline1);
}
r = get_process_capeff(ucred->pid, &t);
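Review bot: Moving the buffer to the heap stops the stack-allocation crash, but the command line is still read without a bound — the length argument to `get_process_cmdline(ucred->pid, 0, false, &t)` stays 0, which in this version appears to mean "no limit" — and, as the description states, journal_file_append_entry() then rejects the whole entry with -E2BIG, so a sender with an oversized command line has all of its messages dropped instead of logged. Passing a finite maximum length there, so the field is truncated while the rest of the message still reaches the journal, would close that gap; the same applies to the OBJECT_CMDLINE read in the third hunk. The new `if (cmdline1)` guard silently omits the field when strappend() fails, which is a reasonable best-effort choice but deserves a line such as `/* on allocation failure the field is simply omitted */` so it is not mistaken for an oversight. dispatch_message_real() begins and ends outside this hunk.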
@@ -736,9 +740,12 @@ static void dispatch_message_real(
r = get_process_cmdline(object_pid, 0, false, &t);
if (r >= 0) {
- x = strappenda("OBJECT_CMDLINE=", t);
+ /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
+ * Let's use a heap allocation for this one. */
+ cmdline2 = strappend("OBJECT_CMDLINE=", t);
free(t);
- IOVEC_SET_STRING(iovec[n++], x);
+ if (cmdline2)
+ IOVEC_SET_STRING(iovec[n++], cmdline2);
}
#ifdef HAVE_AUDIT
--
2.19.0