From 657ad8be9ad33e8e1550d18c31050f94c530c5e9 Mon Sep 17 00:00:00 2001
From: fayeinseu <15651793630@163.com>
Date: Tue, 7 Jul 2020 16:30:00 +0800
Subject: [PATCH] fix buffer overrun when urlifying.
---
 ...al-fix-buffer-overrun-when-urlifying.patch | 49 +++++++++++++++++++
 systemd.spec | 9 +++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 journal-fix-buffer-overrun-when-urlifying.patch
diff --git a/journal-fix-buffer-overrun-when-urlifying.patch b/journal-fix-buffer-overrun-when-urlifying.patch
new file mode 100644
index 0000000..d46e191
--- /dev/null
+++ b/journal-fix-buffer-overrun-when-urlifying.patch
@@ -0,0 +1,49 @@
+From 85fbebe61a1aec2f86e36fb464283b6b55d3d76d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 23 Jun 2020 20:51:13 +0200
+Subject: [PATCH] journal: fix buffer overrun when urlifying
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.
+
+message is only valid until message_len, and we need to make sure we're not
+reading pass that. Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
+---
+ src/shared/logs-show.c | 9 ++++++---
+ test/fuzz/fuzz-journal-remote/oss-fuzz-21122 | Bin 0 -> 35798 bytes
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+ create mode 100644 test/fuzz/fuzz-journal-remote/oss-fuzz-21122
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index 570377dc76..fee6ccdf2a 100644
+--- a/src/shared/logs-show.c
++++ b/src/shared/logs-show.c
+@@ -573,19 +573,22 @@ static int output_short(
+ if (config_file &&
+ message_len >= config_file_len &&
+ memcmp(message, config_file, config_file_len) == 0 &&
+- IN_SET(message[config_file_len], ':', ' ', '\0') &&
++ (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
+ (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
+ 
+ _cleanup_free_ char *t = NULL, *urlified = NULL;
+ 
+ t = strndup(config_file, config_file_len);
+ if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
+- size_t shift = strlen(urlified) - config_file_len;
++ size_t urlified_len = strlen(urlified);
++ size_t shift = urlified_len - config_file_len;
+ char *joined;
+ 
+- joined = strjoin(urlified, message + config_file_len);
++ joined = realloc(urlified, message_len + shift);
+ if (joined) {
++ memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
+ free_and_replace(message, joined);
++ TAKE_PTR(urlified);
+ message_len += shift;
+ if (highlight) {
+ highlight_shifted[0] += shift;
+
+-- 
+2.23.0
+
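Review bot: The replacement buffer produced by `joined = realloc(urlified, message_len + shift);` plus the following `memcpy` is exactly message_len + shift bytes with no NUL terminator, whereas the `strjoin` it replaces always returned a terminated string, so any later code in output_short that treats `message` as a C string (strlen, `%s`, strstr) would now read one byte past the allocation. If the rest of output_short works purely from message_len this is harmless, but terminating costs one byte and keeps both invariants: `joined = realloc(urlified, message_len + shift + 1);` and, after the memcpy, `joined[message_len + shift] = 0;`. Separately, `TAKE_PTR(urlified);` sits two statements after the realloc that has already released the old urlified allocation; placing it immediately after the successful realloc removes the window in which the `_cleanup_free_` pointer dangles. output_short starts before and continues after this hunk, so the downstream uses of message cannot be checked here.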
diff --git a/systemd.spec b/systemd.spec index baf372a..6a90b19 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 243 -Release: 25 +Release: 26 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -113,6 +113,7 @@ Patch0062: core-use-unit-based-logging-instead-of-generic-loggi.patch Patch0063: core-set-error-value-correctly.patch Patch0064: core-fix-re-realization-of-cgroup-siblings.patch Patch0065: basic-string-table-avoid-crash-when-table-is-sparse.patch +Patch0066: journal-fix-buffer-overrun-when-urlifying.patch #openEuler Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch @@ -1505,6 +1506,12 @@ fi %exclude /usr/share/man/man3/* %changelog +* Tue Jul 7 2020 openEuler Buildteam - 243-26 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:fix buffer overrun when urlifying + * Thu Jun 18 2020 openEuler Buildteam - 243-25 - Type:enhancement - ID:NA -- Gitee