| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The switch to memory_startswith() changed the logic to only look for a space or
NUL byte after the matched word, but matching the full size should also be
acceptable.
This changed the behavior of parsing of "AUTH\r\n", where m will be set to 4,
since even though the word will match, the check for it being followed by ' '
or NUL will make line_begins() return false.
Tested:
- Using netcat to connect to the private socket directly:
$ echo -ne '\0AUTH\r\n' | sudo nc -U /run/systemd/private
REJECTED EXTERNAL ANONYMOUS
- Running the Ignition blackbox test:
$ sudo sh -c 'PATH=$PWD/bin/amd64:$PATH ./tests.test'
PASS
Fixes: d27b725abf64a19a6b2f99332b663f17ad046771
(cherry picked from commit 3f10c66270b74530339b3f466c43874bb40c210f)
Resolves: #1692991
|
| |
|
|
|
| |
rhel-only
Resolves: #1670126
|
| |
|
|
|
|
|
|
| |
Kernel removed the elevator= option, so let's reintroduce
it for rhel8 via udev rule.
rhel-only
Resolves: #1670126
|
| |
|
|
|
|
| |
Fixes #10934.
(cherry picked from commit e327272d795453f68a4c30ba21eb0e887516cf68)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original version of the test used netcat along with a standard
AF_UNIX socket, which caused issues across different netcat
implementations. The AF_UNIX socket was then replaced by a FIFO with a
simple echo, which, however, suffers from the same issue (some echo
implementations don't check if the write() was successful).
Let's revert back to the AF_UNIX socket, but replace netcat with socat,
which, hopefully, resolves the main issue.
Relevant commit: 9b45c2bf02a43e3e1b42de1ab0c3fe29c64dc5f5
(cherry picked from commit b35d6d828b3216d022e565820d9971cb0f7746c1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With cgroupsv1 a zombie process is migrated to root cgroup in all
hierarchies. This was changed for unified hierarchy and /proc/PID/cgroup
reports cgroup to which process belonged before it exited.
Be more suspicious about cgroup path reported by the kernel and use
unit_id provided by the log client if the kernel reports that process is
running in the root cgroup.
Users tend to care the most about 'log->unit_id' mapping so systemctl
status can correctly report last log lines. Also we wouldn't be able to
infer anything useful from "/" path anyway.
See: https://github.com/torvalds/linux/commit/2e91fa7f6d451e3ea9fec999065d2fd199691f9d
(cherry picked from commit 672773b63a4ebf95242b27e63071b93073ebc1f5)
Resolves: #1658115
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).
This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
(cherry-picked from commit ef4d6abe7c7fab6cbff975b32e76b09feee56074)
Resolves: #1664977
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calling mhd_respond(), which ulimately calls MHD_queue_response() is
ineffective at point, becuase MHD_queue_response() immediately returns
MHD_NO signifying an error, because the connection is in state
MHD_CONNECTION_CONTINUE_SENT.
As Christian Grothoff kindly explained:
> You are likely calling MHD_queue_repsonse() too late: once you are
> receiving upload_data, HTTP forces you to process it all. At this time,
> MHD has already sent "100 continue" and cannot take it back (hence you
> get MHD_NO!).
>
> In your request handler, the first time when you are called for a
> connection (and when hence *upload_data_size == 0 and upload_data ==
> NULL) you must check the content-length header and react (with
> MHD_queue_response) based on this (to prevent MHD from automatically
> generating 100 continue).
If we ever encounter this kind of error, print a warning and immediately
abort the connection. (The alternative would be to keep reading the data,
but ignore it, and return an error after we get to the end of data.
That is possible, but of course puts additional load on both the
sender and reciever, and doesn't seem important enough just to return
a good error message.)
Note that sending of the error does not work (the connection is always aborted
when MHD_queue_response is used with MHD_RESPMEM_MUST_FREE, as in this case)
with libµhttpd 0.59, but works with 0.61:
https://src.fedoraproject.org/rpms/libmicrohttpd/pull-request/1
(cherry-picked from commit 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd)
Related: #1664977
|
| |
|
|
|
|
| |
(cherry-picked from commit d101fb24eb1c58c97f2adce1f69f4b61a788933a)
Related: #1664977
|
| |
|
|
|
|
|
|
|
|
| |
We immediately read the whole contents into memory, making thigs much more
expensive. Sealed fds should be used instead since they are more efficient
on our side.
(cherry-picked from commit 6670c9de196c8e2d5e84a8890cbb68f70c4db6e3)
Related: #1664977
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
messages
We'd first parse all or most of the message, and only then consider if it
is not too large. Also, when encountering a single field over the limit,
we'd still process the preceding part of the message. Let's be stricter,
and check size limits early, and let's refuse the whole message if it fails
any of the size limits.
(cherry-picked from commit 964ef920ea6735d39f856b05fd8ef451a09a6a1d)
Related: #1664977
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.
CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.
(cherry-picked from commit 052c57f132f04a3cf4148f87561618da1a6908b4)
Resolves: #1664977
|
| |
|
|
|
|
|
|
| |
Fixes #9829.
(cherry-picked from commit a6aadf4ae0bae185dc4c414d492a4a781c80ffe5)
Resolves: #1664978
|
| |
|
|
|
|
| |
This reverts commit 75c9af80cf3529c76988451e63f98010c86f48f1.
Resolves: #1653824
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Allocate new string as a return value and free our "scratch pad"
buffer that is potentially much larger than needed (up to
_SC_ARG_MAX).
Fixes #11502
(cherry-picked from commit eb1ec489eef8a32918bbfc56a268c9d10464584d)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
| |
In normal use, this allow us to drop dead entries from the cache and reduces
the cache size so that we don't evict entries unnecessarily. The time limit is
there mostly to serve as a guard against malicious logging from many different
PIDs.
(cherry-picked from commit 91714a7f427a6c9c5c3be8b3819fee45050028f3)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is far from perfect, but should give mostly reasonable values. My
assumption is that if somebody has a few hundred MB of memory, they are
unlikely to have thousands of processes logging. A hundred would already be a
lot. So let's scale the cache size propritionally to the total memory size,
with clamping on both ends.
The formula gives 64 cache entries for each GB of RAM.
(cherry-picked from commit b12a480829c5ca8f4d4fa9cde8716b5f2f12a3ad)
Related: #1664976
|
| |
|
|
|
|
| |
(cherry-picked from commit ef21b3b5bf824e652addf850bcfd9374c7b33ce8)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
|
| |
procfs_memory_get_current is renamed to procfs_memory_get_used, because
"current" can mean anything, including total memory, used memory, and free
memory, as long as the value is up to date.
No functional change.
(cherry-picked from commit c482724aa5c5d0b1391fcf958a9a3ea6ce73a085)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
| |
If creation of the message failed, we'd write a bogus entry:
systemd-coredump[1400]: Cannot store coredump of 416 (systemd-journal): No space left on device
systemd-coredump[1400]: MESSAGE=Process 416 (systemd-journal) of user 0 dumped core.
systemd-coredump[1400]: Coredump diverted to
(cherry-picked from commit f0136e09221364f931c3a3b715da4e4d3ee9f2ac)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This affects systemd-journald and systemd-coredump.
Example entry:
$ journalctl -o export -n1 'MESSAGE=Something logged'
__CURSOR=s=976542d120c649f494471be317829ef9;i=34e;b=4871e4c474574ce4a462dfe3f1c37f06;m=c7d0c37dd2;t=57c4ac58f3b98;x=67598e942bd23dc0
__REALTIME_TIMESTAMP=1544035467475864
__MONOTONIC_TIMESTAMP=858200964562
_BOOT_ID=4871e4c474574ce4a462dfe3f1c37f06
PRIORITY=6
_UID=1000
_GID=1000
_CAP_EFFECTIVE=0
_SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
_AUDIT_SESSION=1
_AUDIT_LOGINUID=1000
_SYSTEMD_OWNER_UID=1000
_SYSTEMD_UNIT=user@1000.service
_SYSTEMD_SLICE=user-1000.slice
_SYSTEMD_USER_SLICE=-.slice
_SYSTEMD_INVOCATION_ID=1c4a469986d448719cb0f9141a10810e
_MACHINE_ID=08a5690a2eed47cf92ac0a5d2e3cf6b0
_HOSTNAME=krowka
_TRANSPORT=syslog
SYSLOG_FACILITY=17
SYSLOG_IDENTIFIER=syslog-caller
MESSAGE=Something logged
_COMM=poc
_EXE=/home/zbyszek/src/systemd-work3/poc
_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
_SYSTEMD_USER_UNIT=gnome-terminal-server.service
SYSLOG_PID=4108
SYSLOG_TIMESTAMP=Dec 5 19:44:27
_PID=4108
_CMDLINE=./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
_SOURCE_REALTIME_TIMESTAMP=1544035467475848
$ journalctl -o export -n1 'MESSAGE=Something logged' --output-fields=_CMDLINE|wc
6 2053 2097410
2MB might be hard for some clients to use meaningfully, but OTOH, it is
important to log the full commandline sometimes. For example, when the program
is crashing, the exact argument list is useful.
(cherry-picked from commit 2d5d2e0cc5171c6795d2a485841474345d9e30ab)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a crash where we would read the commandline, whose length is under
control of the sending program, and then crash when trying to create a stack
allocation for it.
CVE-2018-16864
https://bugzilla.redhat.com/show_bug.cgi?id=1653855
The message actually doesn't get written to disk, because
journal_file_append_entry() returns -E2BIG.
(cherry-picked from commit 084eeb865ca63887098e0945fb4e93c852b91b0f)
Resolves: #1664976
|
| |
|
|
|
|
| |
(cherry-picked from commit bc2762a309132a34db1797d8b5792d5747a94484)
Related: #1664976
|
| |
|
|
|
|
|
|
|
|
|
|
| |
systemd-coredump[9982]: MESSAGE=Process 771 (systemd-journal) of user 0 dumped core.
systemd-coredump[9982]: Coredump diverted to /var/lib/systemd/coredump/core...
log_dispatch() calls log_dispatch_internal() which calls write_to_journal()
which appends MESSAGE= on its own.
(cherry-picked from commit 4f62556d71206ac814a020a954b397d4940e14c3)
Related: #1664976
|
| | |
|
| |
|
|
| |
(cherry picked from commit 7f9d44f527ea214347f7d3b3b067f84df53feed7)
|
| |
|
|
| |
(cherry picked from commit 90399c456fe8cf726fc04fb7be9e2a01f9ca0eae)
|
| |
|
|
| |
(cherry picked from commit e5c78840b2b124400f56cb5fbaf2357cd8901218)
|
| |
|
|
| |
(cherry picked from commit 2014cb51b6dfe1f7f0b98e62311398c2bf801c2b)
|
| |
|
|
|
|
|
|
| |
Let's better be safe than sorry, and put a limit on what we receive.
(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)
Related: CVE-2018-15686
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should be much better than fgets(), as we can read substantially
longer lines and overly long lines result in proper errors.
Fixes a vulnerability discovered by Jann Horn at Google.
CVE-2018-15686
LP: #1796402
https://bugzilla.redhat.com/show_bug.cgi?id=1639071
(cherry picked from commit 8948b3415d762245ebf5e19d80b97d4d8cc208c1)
Resolves: CVE-2018-15686
|
| |
|
|
|
|
|
|
|
|
| |
Docker's default capability set has the inherited flag already
set - that breaks tests which expect otherwise. Let's just
drop the check and run the test anyway.
Fixes #10663
Cherry-picked from: c446b8486d9ed18d1bc780948ae9ee8a53fa4c3f
|
| |
|
|
|
| |
rhel-only
Resolves: #1619292
|
| |
|
|
|
|
| |
Fixes #9403
Cherry-picked from: f02582f69fe1e7663a87ba80bd4f90d5d23ee75f
|
| |
|
|
|
|
|
|
|
| |
Meson added -Doptimization and -Ddebug options, which obviously causes
a conflict with our -Ddebug options. Let's rename it.
Fixes #9883.
Cherry-picked from: 8f6b442a78d0b485f044742ad90b2e8271b4e68e
|
| |
|
|
|
|
|
|
| |
Not all distros support booting without an initrd. E.g. the Debian
kernel builds ext4 as a module and so relies on an initrd to
successfully start the QEMU-based images.
Cherry-picked from: c2d4da002095fe6f86f89a508a81e48fb6d3196f
|
| |
|
|
|
|
| |
Fixes: #10544
Cherry-picked from: 6619ad889da260cf83079cc74a85d571acd1df5a
|
| |
|
|
| |
Cherry-picked from: 67f5c0c776ce9449ad21e9854665573a05141fd4
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This switches the RFC3704 Reverse Path filtering from Strict mode to Loose
mode. The Strict mode breaks some pretty common and reasonable use cases,
such as keeping connections via one default route alive after another one
appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).
The strict filter also makes it impossible for NetworkManager to do
connectivity check on a newly arriving default route (it starts with a
higher metric and is bumped lower if there's connectivity).
Kernel's default is 0 (no filter), but a Loose filter is good enough. The
few use cases where a Strict mode could make sense can easily override
this.
The distributions that don't care about the client use cases and prefer a
strict filter could just ship a custom configuration in
/usr/lib/sysctl.d/ to override this.
Cherry-picked from: 230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
Resolves: #1653824
|
| |
|
|
|
|
|
|
|
| |
To make sure the change event is emitted and udev db is updated
after metadata changes.
(cherry picked from commit 38397c8ce044fdc0138c9919168a856c0e16f720)
Resolves: #1638676
|
| |
|
|
|
|
|
|
|
|
| |
For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't
work, because we truncated label at the first whitespace character,
i.e. LABEL="KEYFILE".
(cherry-picked from commit 7949dfa73a44ae6524779689483d12243dfbcfdf)
Related: #1656869
|
| |
|
|
|
|
| |
(cherry-picked from commit 579875bc4a59b917fa32519e3d96d56dc591ad1e)
Related: #1656869
|
| |
|
|
|
|
|
|
|
|
| |
We are not the ones receiving an error here, but the ones generating it,
hence we shouldn't show it with %m, that's just confusing, as it
suggests we received an error from some other call.
(cherry-picked from commit 2abe64666e544be6499f870618185f8819b4c152)
Related: #1656869
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dracut has a support for unlocking encrypted drives with keyfile stored
on the external drive. This support is included in the generated initrd
only if systemd module is not included.
When systemd is used in initrd then attachment of encrypted drives is
handled by systemd-cryptsetup tools. Our generator has support for
keyfile, however, it didn't support keyfile on the external block
device (keydev).
This commit introduces basic keydev support. Keydev can be specified per
luks.uuid on the kernel command line. Keydev is automatically mounted
during boot and we look for keyfile in the keydev
mountpoint (i.e. keyfile path is prefixed with the keydev mount point
path). After crypt device is attached we automatically unmount
where keyfile resides.
Example:
rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
(cherry-picked from commit 70f5f48eb891b12e969577b464de61e15a2593da)
Resolves: #1656869
|
| |
|
|
|
|
|
|
|
| |
Fixes a SIGSEGV introduced by commit 38a5315a3a6fab745d8c86ff9e486faaf50b28d1.
The same problem doesn't exist upstream, as the container structure
there is initialized using a compound literal, which is zeroed out by
default.
Related: #1635435
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We didn't free one of the fields in two of the places.
$ valgrind --show-leak-kinds=all --leak-check=full \
build/fuzz-bus-message \
test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
...
==14457== HEAP SUMMARY:
==14457== in use at exit: 3 bytes in 1 blocks
==14457== total heap usage: 509 allocs, 508 frees, 51,016 bytes allocated
==14457==
==14457== 3 bytes in 1 blocks are definitely lost in loss record 1 of 1
==14457== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==14457== by 0x53AFE79: strndup (in /usr/lib64/libc-2.27.so)
==14457== by 0x4F52EB8: free_and_strndup (string-util.c:1039)
==14457== by 0x4F8E1AB: sd_bus_message_peek_type (bus-message.c:4193)
==14457== by 0x4F76CB5: bus_message_dump (bus-dump.c:144)
==14457== by 0x108F12: LLVMFuzzerTestOneInput (fuzz-bus-message.c:24)
==14457== by 0x1090F7: main (fuzz-main.c:34)
==14457==
==14457== LEAK SUMMARY:
==14457== definitely lost: 3 bytes in 1 blocks
(cherry picked from commit 6d1e0f4fcba8d6f425da3dc91805db95399b3c8b)
Resolves: #1635435
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Quoting https://github.com/systemd/systemd/issues/10074:
> detect_vm_uml() reads /proc/cpuinfo with read_full_file()
> read_full_file() has a file max limit size of READ_FULL_BYTES_MAX=(4U*1024U*1024U)
> Unfortunately, the size of my /proc/cpuinfo is bigger, approximately:
> echo $(( 4* $(cat /proc/cpuinfo | wc -c)))
> 9918072
> This causes read_full_file() to fail and the Condition test fallout.
Let's just read line by line until we find an intersting line. This also
helps if not running under UML, because we avoid reading as much data.
(cherry picked from commit 6058516a14ada1748313af6783f5b4e7e3006654)
Resolves: #1631532
|
| |
|
|
|
|
|
|
|
|
|
| |
Turning on ECN still causes slow or broken network on linux. Our tcp
is not yet ready for wide spread use of ECN.
This reverts commit 919472741dba6ad0a3f6c2b76d390a02d0e2fdc3.
(cherry picked from commit 1e190dfd5bb95036f937ef1dc46f43eb0a146612)
Resolves: #1619790
|
| |
|
|
|
|
|
|
| |
[msekleta: I removed call to log_test_skipped() and replaced it with older construct log_info() + return EXIT_TEST_SKIP]
(cherry-picked from commit cb9e44db36caefcbb8ee7a12e14217305ed69ff2)
Related: #1643368
|
| |
|
|
|
|
| |
(cherry-picked from commit cd6b7d50c337b3676a3d5fc2188ff298dcbdb939)
Related: #1643368
|
