Skip to content

basic/unit-name: do not use strdupa() on a path #20256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 20, 2021
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
basic/unit-name: do not use strdupa() on a path
The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

https://bugzilla.redhat.com/show_bug.cgi?id=1970887

The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616.
  • Loading branch information
keszybz committed Jun 23, 2021
commit 441e0115646d54f080e5c3bb0ba477c892861ab9
13 changes: 5 additions & 8 deletions src/basic/unit-name.c
Original file line number Diff line number Diff line change
Expand Up @@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
}

int unit_name_path_escape(const char *f, char **ret) {
char *p, *s;
_cleanup_free_ char *p = NULL;
char *s;

assert(f);
assert(ret);

p = strdupa(f);
p = strdup(f);
if (!p)
return -ENOMEM;

Expand All @@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
if (!path_is_normalized(p))
return -EINVAL;

/* Truncate trailing slashes */
/* Truncate trailing slashes and skip leading slashes */
delete_trailing_chars(p, "/");

/* Truncate leading slashes */
p = skip_leading_chars(p, "/");

s = unit_name_escape(p);
s = unit_name_escape(skip_leading_chars(p, "/"));
}
if (!s)
return -ENOMEM;
Expand Down