From 80164b5f874e39dbe233b068abca703beef09eb901f42353f02a0fef318fc10e Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Thu, 13 Jan 2022 20:57:06 +0000 Subject: [PATCH] - Import commit 458220239c69b8e5fe7be480929348daeccb70d1 e95df40b09 shared/rm-rf: loop over nested directories instead of instead of recursing (CVE-2021-3997 bsc#1194178) 078e04305d shared/rm_rf: refactor rm_rf() to shorten code a bit 6d560d0aca shared/rm_rf: refactor rm_rf_children_inner() to shorten code a bit 6666ff056c localectl: don't omit keymaps files that are symlinks (bsc#1191826) OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1220 --- ...actor-rm_rf_children_inner-to-shorte.patch | 66 ----- ...refactor-rm_rf-to-shorten-code-a-bit.patch | 98 ------- ...p-over-nested-directories-instead-of.patch | 273 ------------------ systemd-v249.7+suse.66.ga54f80116c.tar.xz | 3 - systemd-v249.7+suse.71.g458220239c.tar.xz | 3 + systemd.changes | 14 +- systemd.spec | 8 +- 7 files changed, 16 insertions(+), 449 deletions(-) delete mode 100644 5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch delete mode 100644 5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch delete mode 100644 5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch delete mode 100644 systemd-v249.7+suse.66.ga54f80116c.tar.xz create mode 100644 systemd-v249.7+suse.71.g458220239c.tar.xz diff --git a/5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch b/5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch deleted file mode 100644 index bb00830..0000000 --- a/5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 5bc4f2e271c4907af1d3208c5bb33ce795326abc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 23 Nov 2021 15:55:45 +0100 -Subject: [PATCH 5000/5002] shared/rm_rf: refactor rm_rf_children_inner() to - shorten code a bit - ---- - src/shared/rm-rf.c | 27 +++++++++------------------ - 1 file changed, 9 insertions(+), 18 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 19f37e0f19..7362954116 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -124,7 +124,7 @@ static int rm_rf_children_inner( - const struct stat *root_dev) { - - struct stat st; -- int r; -+ int r, q = 0; - - assert(fd >= 0); - assert(fname); -@@ -142,7 +142,6 @@ static int rm_rf_children_inner( - - if (is_dir) { - _cleanup_close_ int subdir_fd = -1; -- int q; - - /* if root_dev is set, remove subdirectories only if device is same */ - if (root_dev && st.st_dev != root_dev->st_dev) -@@ -178,23 +177,15 @@ static int rm_rf_children_inner( - * again for each directory */ - q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); - -- r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags); -- if (r < 0) -- return r; -- if (q < 0) -- return q; -- -- return 1; -- -- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { -- r = unlinkat_harder(fd, fname, 0, flags); -- if (r < 0) -- return r; -- -- return 1; -- } -+ } else if (flags & REMOVE_ONLY_DIRECTORIES) -+ return 0; - -- return 0; -+ r = unlinkat_harder(fd, fname, is_dir ? AT_REMOVEDIR : 0, flags); -+ if (r < 0) -+ return r; -+ if (q < 0) -+ return q; -+ return 1; - } - - int rm_rf_children( --- -2.31.1 - diff --git a/5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch b/5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch deleted file mode 100644 index 347b5e5..0000000 --- a/5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 8f608df0305355c9b2ddd7c75926a6bd6247e635 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 23 Nov 2021 16:56:42 +0100 -Subject: [PATCH 5001/5002] shared/rm_rf: refactor rm_rf() to shorten code a - bit - ---- - src/shared/rm-rf.c | 53 ++++++++++++++++++++-------------------------- - 1 file changed, 23 insertions(+), 30 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 7362954116..c7d3b8b7ad 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -250,7 +250,7 @@ int rm_rf_children( - } - - int rm_rf(const char *path, RemoveFlags flags) { -- int fd, r; -+ int fd, r, q = 0; - - assert(path); - -@@ -282,49 +282,42 @@ int rm_rf(const char *path, RemoveFlags flags) { - } - - fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -- if (fd < 0) { -+ if (fd >= 0) { -+ /* We have a dir */ -+ r = rm_rf_children(fd, flags, NULL); -+ -+ if (FLAGS_SET(flags, REMOVE_ROOT)) -+ q = RET_NERRNO(rmdir(path)); -+ } else { - if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) - return 0; - - if (!IN_SET(errno, ENOTDIR, ELOOP)) - return -errno; - -- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES)) -+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT)) - return 0; - -- if (FLAGS_SET(flags, REMOVE_ROOT)) { -- -- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { -- struct statfs s; -- -- if (statfs(path, &s) < 0) -- return -errno; -- if (is_physical_fs(&s)) -- return log_error_errno(SYNTHETIC_ERRNO(EPERM), -- "Attempted to remove files from a disk file system under \"%s\", refusing.", -- path); -- } -- -- if (unlink(path) < 0) { -- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) -- return 0; -+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { -+ struct statfs s; - -+ if (statfs(path, &s) < 0) - return -errno; -- } -+ if (is_physical_fs(&s)) -+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), -+ "Attempted to remove files from a disk file system under \"%s\", refusing.", -+ path); - } - -- return 0; -+ r = 0; -+ q = RET_NERRNO(unlink(path)); - } - -- r = rm_rf_children(fd, flags, NULL); -- -- if (FLAGS_SET(flags, REMOVE_ROOT) && -- rmdir(path) < 0 && -- r >= 0 && -- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT)) -- r = -errno; -- -- return r; -+ if (r < 0) -+ return r; -+ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK))) -+ return q; -+ return 0; - } - - int rm_rf_child(int fd, const char *name, RemoveFlags flags) { --- -2.31.1 - diff --git a/5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch b/5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch deleted file mode 100644 index 9c7eac6..0000000 --- a/5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch +++ /dev/null @@ -1,273 +0,0 @@ -From c561e2eab3b9b759b7592ea1b8168d4f36ede031 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Wed, 5 Jan 2022 15:08:07 +0100 -Subject: [PATCH 5002/5002] shared/rm-rf: loop over nested directories instead - of instead of recursing - -To remove directory structures, we need to remove the innermost items first, -and then recursively remove higher-level directories. We would recursively -descend into directories and invoke rm_rf_children and rm_rm_children_inner. -This is problematic when too many directories are nested. - -Instead, let's create a "TODO" queue. In the the queue, for each level we -hold the DIR* object we were working on, and the name of the directory. This -allows us to leave a partially-processed directory, and restart the removal -loop one level down. When done with the inner directory, we use the name to -unlinkat() it from the parent, and proceed with the removal of other items. - -Because the nesting is increased by one level, it is best to view this patch -with -b/--ignore-space-change. - -This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639. -The issue was reported and patches reviewed by Qualys Team. -Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure. - -[fbui: adjust context] -[fbui: fixes CVE-2021-3997] -[fbui: fixes bsc#1194178] ---- - src/shared/rm-rf.c | 159 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 112 insertions(+), 47 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index c7d3b8b7ad..58da213e9f 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -52,7 +52,6 @@ static int patch_dirfd_mode( - } - - int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags) { -- - mode_t old_mode; - int r; - -@@ -116,12 +115,13 @@ int fstatat_harder(int dfd, - return 0; - } - --static int rm_rf_children_inner( -+static int rm_rf_inner_child( - int fd, - const char *fname, - int is_dir, - RemoveFlags flags, -- const struct stat *root_dev) { -+ const struct stat *root_dev, -+ bool allow_recursion) { - - struct stat st; - int r, q = 0; -@@ -141,9 +141,7 @@ static int rm_rf_children_inner( - } - - if (is_dir) { -- _cleanup_close_ int subdir_fd = -1; -- -- /* if root_dev is set, remove subdirectories only if device is same */ -+ /* If root_dev is set, remove subdirectories only if device is same */ - if (root_dev && st.st_dev != root_dev->st_dev) - return 0; - -@@ -155,7 +153,6 @@ static int rm_rf_children_inner( - return 0; - - if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { -- - /* This could be a subvolume, try to remove it */ - - r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); -@@ -169,13 +166,16 @@ static int rm_rf_children_inner( - return 1; - } - -- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -+ if (!allow_recursion) -+ return -EISDIR; -+ -+ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); - if (subdir_fd < 0) - return -errno; - - /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type - * again for each directory */ -- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); -+ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev); - - } else if (flags & REMOVE_ONLY_DIRECTORIES) - return 0; -@@ -188,63 +188,128 @@ static int rm_rf_children_inner( - return 1; - } - -+typedef struct TodoEntry { -+ DIR *dir; /* A directory that we were operating on. */ -+ char *dirname; /* The filename of that directory itself. */ -+} TodoEntry; -+ -+static void free_todo_entries(TodoEntry **todos) { -+ for (TodoEntry *x = *todos; x && x->dir; x++) { -+ closedir(x->dir); -+ free(x->dirname); -+ } -+ -+ freep(todos); -+} -+ - int rm_rf_children( - int fd, - RemoveFlags flags, - const struct stat *root_dev) { - -- _cleanup_closedir_ DIR *d = NULL; -+ _cleanup_(free_todo_entries) TodoEntry *todos = NULL; - struct dirent *de; -+ size_t n_todo = 0; -+ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */ - int ret = 0, r; - -- assert(fd >= 0); -+ /* Return the first error we run into, but nevertheless try to go on. -+ * The passed fd is closed in all cases, including on failure. */ -+ -+ for (;;) { /* This loop corresponds to the directory nesting level. */ -+ _cleanup_closedir_ DIR *d = NULL; -+ -+ if (n_todo > 0) { -+ /* We know that we are in recursion here, because n_todo is set. -+ * We need to remove the inner directory we were operating on. */ -+ assert(dirname); -+ r = unlinkat_harder(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR, flags); -+ if (r < 0 && r != -ENOENT && ret == 0) -+ ret = r; -+ dirname = mfree(dirname); -+ -+ /* And now let's back out one level up */ -+ n_todo --; -+ d = TAKE_PTR(todos[n_todo].dir); -+ dirname = TAKE_PTR(todos[n_todo].dirname); -+ -+ assert(d); -+ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */ -+ assert(fd >= 0); -+ } else { -+ next_fd: -+ assert(fd >= 0); -+ d = fdopendir(fd); -+ if (!d) { -+ safe_close(fd); -+ return -errno; -+ } -+ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have -+ * the right descriptor even if it were to internally invalidate the -+ * one we passed. */ -+ -+ if (!(flags & REMOVE_PHYSICAL)) { -+ struct statfs sfs; -+ -+ if (fstatfs(fd, &sfs) < 0) -+ return -errno; -+ -+ if (is_physical_fs(&sfs)) { -+ /* We refuse to clean physical file systems with this call, unless -+ * explicitly requested. This is extra paranoia just to be sure we -+ * never ever remove non-state data. */ -+ -+ _cleanup_free_ char *path = NULL; -+ -+ (void) fd_get_path(fd, &path); -+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), -+ "Attempted to remove disk file system under \"%s\", and we can't allow that.", -+ strna(path)); -+ } -+ } -+ } - -- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed -- * fd, in all cases, including on failure. */ -+ FOREACH_DIRENT_ALL(de, d, return -errno) { -+ int is_dir; - -- d = fdopendir(fd); -- if (!d) { -- safe_close(fd); -- return -errno; -- } -+ if (dot_or_dot_dot(de->d_name)) -+ continue; - -- if (!(flags & REMOVE_PHYSICAL)) { -- struct statfs sfs; -+ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR; - -- if (fstatfs(dirfd(d), &sfs) < 0) -- return -errno; -+ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false); -+ if (r == -EISDIR) { -+ /* Push the current working state onto the todo list */ - -- if (is_physical_fs(&sfs)) { -- /* We refuse to clean physical file systems with this call, unless explicitly -- * requested. This is extra paranoia just to be sure we never ever remove non-state -- * data. */ -+ if (!GREEDY_REALLOC0(todos, n_todo + 2)) -+ return log_oom(); - -- _cleanup_free_ char *path = NULL; -+ _cleanup_free_ char *newdirname = strdup(de->d_name); -+ if (!newdirname) -+ return log_oom(); - -- (void) fd_get_path(fd, &path); -- return log_error_errno(SYNTHETIC_ERRNO(EPERM), -- "Attempted to remove disk file system under \"%s\", and we can't allow that.", -- strna(path)); -- } -- } -+ int newfd = openat(fd, de->d_name, -+ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -+ if (newfd >= 0) { -+ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) }; -+ fd = newfd; -+ dirname = TAKE_PTR(newdirname); - -- FOREACH_DIRENT_ALL(de, d, return -errno) { -- int is_dir; -+ goto next_fd; - -- if (dot_or_dot_dot(de->d_name)) -- continue; -+ } else if (errno != -ENOENT && ret == 0) -+ ret = -errno; - -- is_dir = -- de->d_type == DT_UNKNOWN ? -1 : -- de->d_type == DT_DIR; -+ } else if (r < 0 && r != -ENOENT && ret == 0) -+ ret = r; -+ } - -- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev); -- if (r < 0 && r != -ENOENT && ret == 0) -- ret = r; -- } -+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0) -+ ret = -errno; - -- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0) -- ret = -errno; -+ if (n_todo == 0) -+ break; -+ } - - return ret; - } -@@ -336,5 +401,5 @@ int rm_rf_child(int fd, const char *name, RemoveFlags flags) { - if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME)) - return -EINVAL; - -- return rm_rf_children_inner(fd, name, -1, flags, NULL); -+ return rm_rf_inner_child(fd, name, -1, flags, NULL, true); - } --- -2.31.1 - diff --git a/systemd-v249.7+suse.66.ga54f80116c.tar.xz b/systemd-v249.7+suse.66.ga54f80116c.tar.xz deleted file mode 100644 index e1babce..0000000 --- a/systemd-v249.7+suse.66.ga54f80116c.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:91b2f8c8492b03612c3148615a39d7553632798941456e7702306837f0118dd8 -size 7276848 diff --git a/systemd-v249.7+suse.71.g458220239c.tar.xz b/systemd-v249.7+suse.71.g458220239c.tar.xz new file mode 100644 index 0000000..6b7dfbb --- /dev/null +++ b/systemd-v249.7+suse.71.g458220239c.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ba7beb93531d1b148950ba94787d2b7ea4633a9f1f6b4d0fa34aee6298ccdb4 +size 7276576 diff --git a/systemd.changes b/systemd.changes index b3e7e52..5616fb4 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu Jan 13 20:03:51 UTC 2022 - Franck Bui + +- Import commit 458220239c69b8e5fe7be480929348daeccb70d1 + + e95df40b09 shared/rm-rf: loop over nested directories instead of instead of recursing (CVE-2021-3997 bsc#1194178) + 078e04305d shared/rm_rf: refactor rm_rf() to shorten code a bit + 6d560d0aca shared/rm_rf: refactor rm_rf_children_inner() to shorten code a bit + 6666ff056c localectl: don't omit keymaps files that are symlinks (bsc#1191826) + ------------------------------------------------------------------- Tue Jan 11 08:06:11 UTC 2022 - Franck Bui @@ -49,7 +59,7 @@ Wed Nov 24 10:40:01 UTC 2021 - Ludwig Nussel ------------------------------------------------------------------- Mon Nov 22 08:48:12 UTC 2021 - Franck Bui -- Import commit 523f32df573d459551760b072cb62906f4a2cf23 (merge of 249.7) +- Import commit 523f32df573d459551760b072cb62906f4a2cf23 (merge of v249.7) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/c34c98712600bc206919ec6ed136195f75ac1967...523f32df573d459551760b072cb62906f4a2cf23 @@ -69,7 +79,7 @@ Mon Nov 22 08:43:25 UTC 2021 - Franck Bui ------------------------------------------------------------------- Mon Nov 15 09:35:08 UTC 2021 - Franck Bui -- Import commit 61c79e68381801428c0bc00a56b9e2e9cfa68373 (merge of 249.6) +- Import commit 61c79e68381801428c0bc00a56b9e2e9cfa68373 (merge of v249.6) bcdeee7b4c virt: Support detection for ARM64 Hyper-V guests (bsc#1186071) [...] diff --git a/systemd.spec b/systemd.spec index 2219cde..c977d83 100644 --- a/systemd.spec +++ b/systemd.spec @@ -32,7 +32,7 @@ %endif %define min_kernel_version 4.5 -%define suse_version +suse.66.ga54f80116c +%define suse_version +suse.71.g458220239c %define _testsuitedir /usr/lib/systemd/tests %if 0%{?bootstrap} @@ -210,12 +210,6 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch # temporary and should be removed as soon as a fix is merged by # upstream. -# The following patches address CVE-2021-3997. They will be moved to the git -# repo once the issue will become public and upstream will release them. -Patch5000: 5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch -Patch5001: 5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch -Patch5002: 5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch - %description Systemd is a system and service manager, compatible with SysV and LSB init scripts for Linux. systemd provides aggressive parallelization