Commit 64196d50 authored by Martin Pitt's avatar Martin Pitt

pid1: process zero-length notification messages again

Just remove the assertion, the "n" value was not used anyway. This fixes
a local DoS due to unprocessed/unclosed fds which got introduced by the
previous fix.

Patch backported from upstream master.

Closes: #839171
LP: #1628687
parent 04448ebe
From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 29 Sep 2016 16:06:02 +0200
Subject: pid1: process zero-length notification messages again
This undoes 531ac2b234. I acked that patch without looking at the code
carefully enough. There are two problems:
- we want to process the fds anyway
- in principle empty notification messages are valid, and we should
process them as usual, including logging using log_unit_debug().
---
src/core/manager.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index 89bb465..83ab0b6 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1585,13 +1585,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
return 0;
}
-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) {
+static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
_cleanup_strv_free_ char **tags = NULL;
assert(m);
assert(u);
assert(buf);
- assert(n > 0);
tags = strv_split(buf, "\n\r");
if (!tags) {
@@ -1649,10 +1648,6 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
return -errno;
}
- if (n == 0) {
- log_debug("Got zero-length notification message. Ignoring.");
- return 0;
- }
CMSG_FOREACH(cmsg, &msghdr) {
if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
@@ -1688,25 +1683,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
return 0;
}
+ /* The message should be a string. Here we make sure it's NUL-terminated,
+ * but only the part until first NUL will be used anyway. */
buf[n] = 0;
/* Notify every unit that might be interested, but try
* to avoid notifying the same one multiple times. */
u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
if (u1) {
- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds);
+ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
found = true;
}
u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid));
if (u2 && u2 != u1) {
- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds);
+ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
found = true;
}
u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid));
if (u3 && u3 != u2 && u3 != u1) {
- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds);
+ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
found = true;
}
......@@ -18,6 +18,7 @@ core-add-Ref-Unref-bus-calls-for-units.patch
nss-install-nss-modules-to-rootlibdir.patch
build-sys-get-rid-of-move-to-rootlibdir.patch
If-the-notification-message-length-is-0-ignore-the-messag.patch
pid1-process-zero-length-notification-messages-again.patch
debian/Use-Debian-specific-config-files.patch
debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment