review.tizen.org Git - platform/upstream/systemd.git/commit

author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 23 Jun 2021 09:46:41 +0000 (11:46 +0200)
committer	Michal Bloch <m.bloch@samsung.com>
	Thu, 22 Jul 2021 10:55:35 +0000 (12:55 +0200)
commit	87ca945439e5cc5ef049a5a8af25d2fb9ac2b4f5
tree	cbbeb254b554a4895acdd60c5ac38e8560dbdc93	tree \| snapshot
parent	cf950008b4816b1e7662c6fb69f3480f047d9549	commit \| diff

basic/unit-name: do not use strdupa() on a path

The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

https://bugzilla.redhat.com/show_bug.cgi?id=1970887

The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.

Change-Id: I4e2d3a82bbc4f53845cca6186c62588d8894566e