packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
systemd/backport-nspawn-fix-a-global-buffer-overflow.patch
wangyuhang a4f95d3244 sync patch from systemd community 
(cherry picked from commit 88369f234ec01b60fb047caf87b90ef10a92b0db)
2023-10-10 10:04:24 +08:00

87 lines
4.3 KiB
Diff
Raw Blame History

From ccb4b3522cdc6abf8a0a5443f6318fe3918795fd Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 15 May 2023 20:25:43 +0200
Subject: [PATCH] nspawn: fix a global-buffer-overflow
Whoopsie.
=================================================================
==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658
READ of size 8 at 0x00000051d0b8 thread T0
#0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347
#1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838
#2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905
#4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030
#6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198
#8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744
#9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477
#10 0x4552fb in main ../src/nspawn/nspawn.c:5920
#11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284)
0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8
0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch
Shadow bytes around the buggy address:
0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9
0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3789231==ABORTING
(cherry picked from commit 525c3e3438a7e4cd78b42f5f6ccdc3df1e363ca9)
(cherry picked from commit b8ed81660f0ad27f047153da8c28d9be4e8e1540)
(cherry picked from commit 6f52d1bf9e0a4a4e959c9967d4643084b9ed6f17)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/ccb4b3522cdc6abf8a0a5443f6318fe3918795fd
---
src/nspawn/nspawn-oci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index 86b838bd0e..ded7fe0d41 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1888,6 +1888,7 @@ static int oci_seccomp_syscalls(const char *name, JsonVariant *v, JsonDispatchFl
{ "names", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct syscall_rule, names), JSON_MANDATORY },
{ "action", JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), JSON_MANDATORY },
{ "args", JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 },
+ {}
};
struct syscall_rule rule = {
.action = UINT32_MAX,
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink