systemd CVE-2016-7796
Hello All,
Just looking at this issue in Wheezy. Looks like it should be easy to
patch, assuming we consider this deserving a security update - it
requires local access.
The code is a bit different in wheezy:
if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) <= 0) {
if (n >= 0)
return -EIO;
if (errno == EAGAIN || errno == EINTR)
break;
return -errno;
}
The condition n >= 0 is a bit confusing, as we already checked that n <=
0. So if this succeeds I think n == 0.
The upstream patch is:
diff --git a/src/core/manager.c b/src/core/manager.c
index 43e231c..5704005 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1716,10 +1716,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
·
n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
if (n < 0) {
- if (errno == EAGAIN || errno == EINTR)
- return 0;
+ if (!IN_SET(errno, EAGAIN, EINTR))
+ log_error("Failed to receive notification message: %m");
·
- return -errno;
+ /* It's not an option to return an error here since it
+ * would disable the notification handler entirely. Services
+ * wouldn't be able to send the WATCHDOG message for
+ * example... */
+ return 0;
}
if (n == 0) {
log_debug("Got zero-length notification message. Ignoring.");
[next hunk appears not relevant except it changes another return to a
return 0]
So guessing maybe something like:
--- systemd-44.orig/src/manager.c
+++ systemd-44/src/manager.c
@@ -2030,13 +2030,18 @@
msghdr.msg_controllen = sizeof(control);
if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) <= 0) {
+ /* It's not an option to return an error here since it
+ * would disable the notification handler entirely. Services
+ * wouldn't be able to send the WATCHDOG message for
+ * example... */
if (n >= 0)
- return -EIO;
+ return 0;
if (errno == EAGAIN || errno == EINTR)
+ log_error("Failed to receive notification message: %m");
break;
- return -errno;
+ return 0;
}
if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) ||
@@ -2058,7 +2063,7 @@
assert((size_t) n < sizeof(buf));
buf[n] = 0;
if (!(tags = strv_split(buf, "\n\r")))
- return -ENOMEM;
+ return 0;
log_debug("Got notification message for unit %s", u->id);
I have not yet claimed systemd yet, if somebody else wants to claim it
before I do, go ahead.
--
Brian May <bam@debian.org>
Reply to: