author | Khem Raj <raj.khem@gmail.com> | 2018-12-16 21:54:42 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-01-28 16:56:33 +0000 |
commit | 82cb42d24250d211c1d9bd4ab9e91bbb0ef6ffa2 (patch) | |
tree | d5360bed6cd12f975c9ad6392927cdd99a5909e0 /meta | |
parent | 9a78a8821f863ca6af15132201bc38f36d6e17a6 (diff) | |
systemd: Fix memory use after free errors
Found with gcc trunk
(From OE-Core rev: 381c63ad2a6e004658b0232b6e6763f49f412b2b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta')
3 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch b/meta/recipes-core/systemd/systemd/0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch
new file mode 100644
index 0000000000..0538c7bbc8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch
@@ -0,0 +1,31 @@
+From bfc4183ea995f1c211385d066cdb1fe9ce89f621 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 16 Dec 2018 20:53:38 -0800
+Subject: [PATCH 1/2] sysctl: Don't pass null directive argument to '%s'
+
+value pointer here is always NULL but subsequent use of that pointer
+with a %s format will always be NULL, printing p instead would be a
+valid string
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179]
+ src/sysctl/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
+index 1cfe51018..c67d79032 100644
+--- a/src/sysctl/sysctl.c
++++ b/src/sysctl/sysctl.c
+@@ -115,7 +115,7 @@ static int parse_file(OrderedHashmap *sysctl_options, const char *path, bool ign
+
+ value = strchr(p, '=');
+ if (!value) {
+- log_error("Line is not an assignment at '%s:%u': %s", path, c, value);
++ log_error("Line is not an assignment at '%s:%u': %s", path, c, p);
+
+ if (r == 0)
+ r = -EINVAL;
+--
+2.20.1
+
diff --git a/meta/recipes-core/systemd/systemd/0002-core-Fix-use-after-free-case-in-load_from_path.patch b/meta/recipes-core/systemd/systemd/0002-core-Fix-use-after-free-case-in-load_from_path.patch
new file mode 100644
index 0000000000..4da96e2920
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-core-Fix-use-after-free-case-in-load_from_path.patch
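Review bot: In both added patch files the `Upstream-Status: Submitted [...]` tag sits below the `---` separator, next to the diffstat, where `git am` treats the text as discardable notes rather than part of the commit message. If a patch is ever applied to a git tree and regenerated from it, the tag would be lost; moving it above the `Signed-off-by:` line keeps it in the header. The same applies to 0002-core-Fix-use-after-free-case-in-load_from_path.patch. Separately, this first patch fixes a NULL argument to `%s` in `parse_file()`, not a use after free, so the umbrella subject is slightly misleading for anyone triaging it.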
@@ -0,0 +1,43 @@
+From cb67aebd63d9f0077cbf3e769f0b223c5bba20ac Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 16 Dec 2018 20:58:35 -0800
+Subject: [PATCH 2/2] core: Fix use after free case in load_from_path()
+
+ensure that mfree() on filename is called after the logging function
+which uses the string pointed by filename
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179]
+ src/core/load-fragment.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index fc5644f48..da585786e 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -4531,7 +4531,6 @@ static int load_from_path(Unit *u, const char *path) {
+ r = open_follow(&filename, &f, symlink_names, &id);
+ if (r >= 0)
+ break;
+- filename = mfree(filename);
+
+ /* ENOENT means that the file is missing or is a dangling symlink.
+ * ENOTDIR means that one of paths we expect to be is a directory
+@@ -4540,9 +4539,12 @@ static int load_from_path(Unit *u, const char *path) {
+ */
+ if (r == -EACCES)
+ log_debug_errno(r, "Cannot access \"%s\": %m", filename);
+- else if (!IN_SET(r, -ENOENT, -ENOTDIR))
++ else if (!IN_SET(r, -ENOENT, -ENOTDIR)) {
++ filename = mfree(filename);
+ return r;
++ }
+
++ filename = mfree(filename);
+ /* Empty the symlink names for the next run */
+ set_clear_free(symlink_names);
+ }
+--
+2.20.1
+
diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
index a40c89973a..03acce25b7 100644
--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
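Review bot: The new `filename = mfree(filename);` inside the `!IN_SET(r, -ENOENT, -ENOTDIR)` branch duplicates the one added at the bottom of the loop, and the ordering constraint that motivates the move is not written down anywhere in the code. A short comment above the second call, such as `/* free only after the log call above has read filename */`, would stop a later cleanup from hoisting it back. If `filename` is declared with `_cleanup_free_` (the declaration is outside this hunk, so this is unverified), the free before `return r;` and the added braces are unnecessary. Since `mfree()` returns NULL, the old code most likely handed a NULL pointer to `%s` rather than a freed one, which the patch description could state. `load_from_path()` starts and ends outside the hunk.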
@@ -35,6 +35,8 @@ SRC_URI += "file://touchscreen.rules \
 file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \
 file://0001-Revert-sysctl.d-request-ECN-on-both-in-and-outgoing-.patch \
 file://0001-timesync-changes-type-of-drift_freq-to-int64_t.patch \
+ file://0001-sysctl-Don-t-pass-null-directive-argument-to-s.patch \
+ file://0002-core-Fix-use-after-free-case-in-load_from_path.patch \
 "
 # patches made for musl are only applied on TCLIBC is musl |