Re: systemd CVE-2016-7796

Ben Hutchings <ben@decadent.org.uk> writes:

> On Thu, 2016-10-06 at 08:07 +1100, Brian May wrote:
>> Here is a new revised patch:
> You're trying to make multiple changes in one patch, and still not
> getting all of them.  I think you will need to apply (at least) this
> series of patches:

Ok, sure.

> 1. Change from version 219 that removed the treatment of n < 0 as an
> error

It looks like n < 0 in version 219 is an error to me:

                n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
                if (n < 0) {
                        if (errno == EAGAIN || errno == EINTR)

                        return -errno;

I also see the assert(n > 0) line.

Did I misunderstand? Maybe you meant to say n==0 shouldn't return an
error (actually that is what I initially thought you said).

If so, unfortunately there isn't a single patch that changes this.

This (big) patch (which I initially thought removed the error) moves the
test down several lines and changes the error from EIO to ECONNRESET:


Ok, found the next commit:


So assuming this is what you want, probably easiest to recreate this

> 2. Fix for CVE-2016-7796
> 3. If-the-notification-message-length-is-0-ignore-the-messag.patch
> 4. pid1-process-zero-length-notification-messages-again.patch

Brian May <bam@debian.org>
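
The n < 0 versus n == 0 distinction discussed in the message above, as an added example that is not part of the original message and is not systemd's code: a receive routine that treats n < 0 as an error (except EAGAIN/EINTR) and ignores a zero-length datagram instead of asserting n > 0. The function names, result codes, the socketpair standing in for the notify socket and the "READY=1" payload are assumptions constructed for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef MSG_CMSG_CLOEXEC            /* Linux-specific flag used in the quoted code */
#define MSG_CMSG_CLOEXEC 0
#endif

/* Hypothetical result codes for this sketch. */
enum { NOTIFY_HANDLED = 1, NOTIFY_EMPTY_IGNORED = 2, NOTIFY_NOTHING_PENDING = 3 };

/* Read one datagram from fd into buf; returns a code above or -errno. */
int dispatch_one(int fd, char *buf, size_t size) {
        struct iovec iov = { .iov_base = buf, .iov_len = size - 1 };
        struct msghdr msghdr = { .msg_iov = &iov, .msg_iovlen = 1 };
        ssize_t n = recvmsg(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
        if (n < 0) {
                if (errno == EAGAIN || errno == EINTR)
                        return NOTIFY_NOTHING_PENDING; /* transient: retry later */
                return -errno;                         /* genuine failure */
        }
        if (n == 0)
                return NOTIFY_EMPTY_IGNORED; /* valid empty datagram: skip, do not assert(n > 0) */
        buf[n] = '\0';
        return NOTIFY_HANDLED;
}

/* Constructed input: an empty datagram, then one payload, on a socketpair. */
int demo(char *buf, size_t size) {
        int sv[2], a, b, c;
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
                return -errno;
        send(sv[1], "", 0, 0);
        send(sv[1], "READY=1", 7, 0);
        a = dispatch_one(sv[0], buf, size);
        b = dispatch_one(sv[0], buf, size);
        c = dispatch_one(sv[0], buf, size);
        close(sv[0]); close(sv[1]);
        return a == NOTIFY_EMPTY_IGNORED && b == NOTIFY_HANDLED && c == NOTIFY_NOTHING_PENDING;
}

int main(void) {
        char buf[64] = "";
        printf("order ok: %d, payload: %s\n", demo(buf, sizeof buf), buf);
        return 0;
}
```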
