Backport recent fixes to v260-stable #12
Open
daan-test[bot] wants to merge 29 commits into v260-stable from
The check compared bLength against (size - sizeof(descriptor)), which is an absolute limit unrelated to the current buffer position. Since bLength is uint8_t (max 255), this can never exceed size - 9 for any realistic input, making the check dead code. Use (size - pos) instead so the check actually catches descriptors that extend past the end of the read data. Fixes: systemd#41570 (cherry picked from commit 4b32ab5)
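To show why the original comparison was dead code and what the corrected bound catches, here is an added C example (not systemd's code) that walks a descriptor chain with both checks over a constructed 4096-byte read buffer; the 2-byte header struct and the buffer layout are assumptions, and the real descriptor struct the commit refers to is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every USB descriptor starts with bLength (its total size) and bDescriptorType.
 * Hypothetical 2-byte header; the real struct from the commit is not reproduced. */
typedef struct { uint8_t bLength, bDescriptorType; } desc_header;

/* Old, dead check: the bound does not depend on pos, and bLength (at most 255)
 * never exceeds size - sizeof(desc_header) once the read buffer is a few hundred bytes. */
static bool old_check(size_t size, size_t pos, uint8_t blength) {
        (void) pos;
        return (size_t) blength <= size - sizeof(desc_header);
}

/* Fixed check: the descriptor must fit into the bytes remaining after pos. */
static bool new_check(size_t size, size_t pos, uint8_t blength) {
        return (size_t) blength <= size - pos;
}

/* Walk a descriptor chain; return how many descriptors were accepted, or -1 when
 * one is truncated or claims to extend past the end of the data read. */
static int walk_descriptors(const uint8_t *buf, size_t size,
                            bool (*check)(size_t, size_t, uint8_t)) {
        int n = 0;
        for (size_t pos = 0; pos < size; n++) {
                if (size - pos < sizeof(desc_header) || buf[pos] < sizeof(desc_header))
                        return -1;              /* header cut off or nonsense length */
                if (!check(size, pos, buf[pos]))
                        return -1;              /* descriptor runs past the buffer */
                pos += buf[pos];
        }
        return n;
}

/* Constructed sample: a 4096-byte read filled with well-formed 9-byte descriptors,
 * ending in one that claims 32 bytes while only 19 remain. */
#define SAMPLE_SIZE 4096
static int sample_walk(bool (*check)(size_t, size_t, uint8_t)) {
        uint8_t buf[SAMPLE_SIZE];
        size_t pos = 0;
        memset(buf, 0, sizeof buf);
        while (SAMPLE_SIZE - pos > 19) { buf[pos] = 9; buf[pos + 1] = 2; pos += 9; }
        buf[pos] = 32; buf[pos + 1] = 1;
        return walk_descriptors(buf, SAMPLE_SIZE, check);
}

int old_check_result(void) { return sample_walk(old_check); }   /* 454: overrun accepted */
int new_check_result(void) { return sample_walk(new_check); }   /* -1: overrun rejected */
```

With the old bound the walker happily counts the final descriptor and would have read 13 bytes past the buffer; the pos-relative bound rejects it.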
With the old version there was a potential connection count leak if either of the two hashmap operations in count_connection() failed. In that case we'd return from sd_varlink_server_add_connection_pair() _before_ attaching the sd_varlink_server object to an sd_varlink object, and since varlink_detach_server() is the only place where the connection counter is decremented (called through sd_varlink_close() in various error paths later _if_ the "server" object is not null, i.e. attached to the sd_varlink object) we'd "leak" a connection every time this happened. However, the potential of abusing this is very theoretical, as one would need to hit OOM every time either of the hashmap operations was executed for a while before exhausting the connection limit. Let's just increment the connection counter after any potential error path, so we don't have to deal with potential rollbacks. (cherry picked from commit d3a1710)
…ionSec is set manager_set_dns_server() and dns_server_flush_cache() call dns_cache_flush() unconditionally, wiping the entire cache even when StaleRetentionSec is configured. This defeats serve-stale by discarding cached records that should remain available during server switches and feature-level re-probes. The original serve-stale commit (5ed9148) added a stale_retention_usec guard to link_set_dns_server(), and a later commit (7928c0e) added the same guard to dns_delegate_set_dns_server(), but these two call sites in resolved-dns-server.c were missed. This is particularly visible with DNSOverTLS, where TLS handshake failures trigger frequent feature-level downgrades and re-probes via dns_server_flush_cache(), flushing the cache each time. Add the same stale_retention_usec guard to both call sites so that cache entries are allowed to expire naturally via dns_cache_prune() when serve-stale is enabled. Fixes: systemd#40781 This commit was prepared with assistance from an AI coding agent (GitHub Copilot). All changes have been reviewed for correctness and adherence to the systemd coding style. (cherry picked from commit fb0ae74)
dnssec_rsa_verify_raw() asserts that RSA_size(key) matches the RRSIG signature size, and dnssec_ecdsa_verify_raw() asserts that EC_KEY_check_key() succeeds. Both conditions depend on parsed DNS record content. Replace with proper error returns. The actual crypto verify calls (EVP_PKEY_verify / ECDSA_do_verify) handle mismatches fine on their own, so the asserts were also redundant. While at it, fix the misleading "EC_POINT_bn2point failed" log message that actually refers to an EC_KEY_set_public_key() failure. Fixes: systemd#41569 (cherry picked from commit dd80e5a)
newa(t, n) already allocates sizeof(t) * n bytes, so previously we'd actually allocate sizeof(t) * sizeof(t) * n bytes, which is ~16x more (on x86_64) than we actually needed. This is probably an oversight from a tree-wide change in 6e9417f that replaced alloca() with newa(). Follow-up for 6e9417f. (cherry picked from commit 92d87ac)
Otherwise you run into errors such as: """ ../meson.build:2899:28: ERROR: File src/test/test-loop-util.c does not exist. """ when deleting a file in git without staging the deletion. (cherry picked from commit 8355eb6)
(cherry picked from commit 1016dd3)
When a service is configured with Delegate=yes and DelegateSubgroup=sub, the delegated container may write domain controllers (e.g. "pids") into the service cgroup's cgroup.subtree_control via its cgroupns root. On container exit the stale controllers remain, and on service restart clone3() with CLONE_INTO_CGROUP fails with EBUSY because placing a process into a cgroup that has domain controllers in subtree_control violates the no-internal-processes rule. The same issue affects systemctl clean, where cg_attach() fails with EBUSY for the same reason. Add unit_cgroup_disable_all_controllers() helper in cgroup.c that clears stale controllers via cg_enable(mask=0) and updates cgroup_enabled_mask to keep internal tracking in sync. Call it from service_start() and service_clean() right before spawning, so that resource control is preserved for any lingering processes from the previous invocation as long as possible. (cherry picked from commit 056bc10)
-N was clearing and re-setting the same bit in arg_import_flags_mask, which is a no-op. It should clear the bit in arg_import_flags instead, matching what --keep-download=no does via SET_FLAG(). (cherry picked from commit ee96f93)
Coverity complains that the -EOPNOTSUPP can never be returned, because we always have !watch_fallback==locked. CID#1654169 (cherry picked from commit 1c9fbba)
Currently translated at 100.0% (266 of 266 strings) Co-authored-by: joo es <jonnyse@users.noreply.translate.fedoraproject.org> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ar/ Translation: systemd/main (cherry picked from commit 043689f)
1024 connections per UID is unnecessarily generous, so let's scale this down a bit. D-Bus defaults to 256 connections per UID, but let's be even more conservative and go with 128. (cherry picked from commit d9da339)
The BreakpointType enum includes _BREAKPOINT_TYPE_INVALID (-EINVAL), so Coverity flags the bit shift as potentially using a negative shift amount. Add an assert to verify the type is in valid range, since the static table only contains valid entries. CID#1568482 Follow-up for 1929226 (cherry picked from commit efccc0d)
So we can access them from the code there as well. (cherry picked from commit d830bb1)
We already do that with other algorithms, so let's make decompress_blob_lz4() consistent with the rest. (cherry picked from commit 2cda5f6)
We already have checks in place during compression that limit the data
we compress, so they shouldn't decompress to anything larger than
DATA_SIZE_MAX unless they've been tampered with. Let's make this
explicit and limit all our decompress_blob() calls in journal-handling
code to that limit.
One possible scenario this should prevent is when one tries to open and
verify a journal file that contains a compression bomb in its payload:
$ ls -lh test.journal
-rw-rw-r--+ 1 fsumsal fsumsal 1.2M Apr 12 15:07 test.journal
$ systemd-run --user --wait --pipe -- build-local/journalctl --verify --file=$PWD/test.journal
Running as unit: run-p682422-i4875779.service
000110: Invalid hash (00000000 vs. 11e4948d73bdafdd)
000110: Invalid object contents: Bad message
File corruption detected at /home/fsumsal/repos/@systemd/systemd/test.journal:272 (of 1249896 bytes, 0%).
FAIL: /home/fsumsal/repos/@systemd/systemd/test.journal (Bad message)
Finished with result: exit-code
Main processes terminated with: code=exited, status=1/FAILURE
Service runtime: 48.051s
CPU time consumed: 47.941s
Memory peak: 8G (swap: 0B)
Same could be, in theory, possible with just `journalctl --file=`, but
the reproducer would be a bit more complicated (haven't tried it, yet).
Lastly, the change in journal-remote is mostly hardening, as the maximum
input size to decompress_blob() there is mandated by MHD's connection
memory limit (set to JOURNAL_SERVER_MEMORY_MAX which is 128 KiB at the
time of writing), so the possible output size there is already quite
limited (e.g. ~800 - 900 MiB for xz-compressed data).
(cherry picked from commit 31d360f)
nss_count_strv() counts trailing NULL pointers in n. The pointer area then used (n + 1), reserving one slot more than the size check accounted for. Drop the + 1 since n already includes the trailing NULLs, unlike the non-shadow nss_pack_group_record() where n does not. Fixes: systemd#41591 (cherry picked from commit aa85a74)
(cherry picked from commit 06d3f37)
(cherry picked from commit 7fbdc6a)
…n 0 or USEC_INFINITY We generally assume that valid times returned by clock_gettime() are > 0 and < USEC_INFINITY. If this wouldn't hold all kinds of things would break, because we couldn't distinguish our niche values from regular values anymore. Let's hence encode our assumptions in C, already to help static analyzers and LLMs. Inspired by: systemd#41601 (review) (cherry picked from commit e700d51)
With yeswehack.com suspended due to funding issues for triagers being worked out, reports on GH are starting to pile up. Explicitly define some ground rules to avoid noise and time wasting. (cherry picked from commit a1813a4)
Sometimes we need to diff two unsigned numbers, which is awkward because we need to cast them to something with a sign first, if we want to use abs(). Let's add a helper that avoids the function call altogether. Also drop unnecessary parens around args which are delimited by commas. (cherry picked from commit efbd8a2)
Coverity was complaining that we were doing an integer division and then casting that to double. This was OK, but it was also a bit pointless. An operation on a double and unsigned promoted the unsigned to a double, so it's enough if we have a double somewhere as an argument early enough. Drop noop casts and parens to make the formulas easier to read. CID#1466459 (cherry picked from commit 3fac595)
(cherry picked from commit 087733e)
Automated backport to v260-stable. The following commits from main were cherry-picked: Each commit was cherry-picked with git cherry-pick -x to preserve provenance.
Skipped commits:
c9defc1beb exec_with_listen_fds calls) does not exist on v260-stable
Please review the changes and merge when ready.
Workflow run