diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-12-05 22:45:02 +0100 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2019-01-09 10:12:25 -0500 |
commit | 229829c4ed0346c8426055dc3063aefbced0e17f (patch) | |
tree | 78f5f13b3df7ec06a591a2810be763bba2d08cf9 | |
parent | coredump: fix message when we fail to save a journald coredump (diff) | |
download | systemd-229829c4ed0346c8426055dc3063aefbced0e17f.tar.gz systemd-229829c4ed0346c8426055dc3063aefbced0e17f.tar.bz2 systemd-229829c4ed0346c8426055dc3063aefbced0e17f.zip |
journald: set a limit on the number of fields (1k)
We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.
CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.
-rw-r--r-- | src/journal/journald-native.c | 5 | ||||
-rw-r--r-- | src/shared/journal-importer.h | 3 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index e86178ed7..d0fee2a79 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -141,6 +141,11 @@ static int server_process_entry( } /* A property follows */ + if (n > ENTRY_FIELD_COUNT_MAX) { + log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); + r = 1; + goto finish; + } /* n existing properties, 1 new, +1 for _TRANSPORT */ if (!GREEDY_REALLOC(iovec, m, diff --git a/src/shared/journal-importer.h b/src/shared/journal-importer.h index 53354b7c7..7914c0cf5 100644 --- a/src/shared/journal-importer.h +++ b/src/shared/journal-importer.h @@ -21,6 +21,9 @@ #endif #define LINE_CHUNK 8*1024u +/* The maximum number of fields in an entry */ +#define ENTRY_FIELD_COUNT_MAX 1024 + struct iovec_wrapper { struct iovec *iovec; size_t size_bytes; |