From ed724b69dc28b2a540fa115a4158af5829ffc8ef Mon Sep 17 00:00:00 2001 
From: Michal Sekletar Date: Wed, 22 Feb 2017 10:29:24 +0100 Subject: [PATCH] Backport bunch of bugfixes (asserts, segv, memleaks) from upstream --- ...-assert-when-we-try-to-free-NULL-man.patch | 29 +++++ ...t-command-vanishes-during-runtime-do.patch | 39 +++++++ ...n-assert-when-printing-status-messag.patch | 38 ++++++ ...ling-unit_free-NULL-in-device-setup-.patch | 36 ++++++ ...emleak-in-dhcp6_option_parse_domainn.patch | 87 ++++++++++++++ ...emleak-in-dhcp6_lease_set_domains-51.patch | 58 ++++++++++ ...iting-no-signal-event-are-pending-is.patch | 57 +++++++++ ...-fix-segfault-with-certain-request-3.patch | 34 ++++++ ...ot-fix-bootctl-install-segfault-4404.patch | 27 +++++ 0033-sysusers-fix-memleak-4430.patch | 38 ++++++ 0034-sysusers-fix-memleak-4443.patch | 38 ++++++ 0035-journalctl-fix-memleak.patch | 43 +++++++ 0036-acl-util-fix-memleak.patch | 59 ++++++++++ ...-in-bus_exec_context_set_transient_p.patch | 47 ++++++++ 0038-core-dbus-fix-two-strv-memleaks.patch | 38 ++++++ 0039-resolve-fix-strv-memleak.patch | 28 +++++ ...lace-lstat-open-with-open-O_NOFOLLOW.patch | 109 ++++++++++++++++++ systemd.spec | 18 +++ 18 files changed, 823 insertions(+) create mode 100644 0024-logind-don-t-hit-assert-when-we-try-to-free-NULL-man.patch create mode 100644 0025-core-if-the-start-command-vanishes-during-runtime-do.patch create mode 100644 0026-core-don-t-hit-an-assert-when-printing-status-messag.patch create mode 100644 0027-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch create mode 100644 0028-sd-network-fix-memleak-in-dhcp6_option_parse_domainn.patch create mode 100644 0029-sd-network-fix-memleak-in-dhcp6_lease_set_domains-51.patch create mode 100644 0030-sd-event-when-exiting-no-signal-event-are-pending-is.patch create mode 100644 0031-journal-gatewayd-fix-segfault-with-certain-request-3.patch create mode 100644 0032-boot-fix-bootctl-install-segfault-4404.patch create mode 100644 0033-sysusers-fix-memleak-4430.patch create mode 100644 
0034-sysusers-fix-memleak-4443.patch create mode 100644 0035-journalctl-fix-memleak.patch create mode 100644 0036-acl-util-fix-memleak.patch create mode 100644 0037-core-fix-memleak-in-bus_exec_context_set_transient_p.patch create mode 100644 0038-core-dbus-fix-two-strv-memleaks.patch create mode 100644 0039-resolve-fix-strv-memleak.patch create mode 100644 0040-sd-device-replace-lstat-open-with-open-O_NOFOLLOW.patch diff --git a/0024-logind-don-t-hit-assert-when-we-try-to-free-NULL-man.patch b/0024-logind-don-t-hit-assert-when-we-try-to-free-NULL-man.patch new file mode 100644 index 0000000..cd53459 --- /dev/null +++ b/0024-logind-don-t-hit-assert-when-we-try-to-free-NULL-man.patch @@ -0,0 +1,29 @@ +From 264148da88b25a0800178f0c33e2b6ae292de455 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 20 Oct 2016 19:19:46 +0200 +Subject: [PATCH] logind: don't hit assert when we try to free NULL manager + object + +Fixes: #4431 +(cherry picked from commit 84a4e6608dbda38c724ab196a226db209a50b224) +--- + src/login/logind.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/login/logind.c b/src/login/logind.c +index 5ce36d2..e5854db 100644 +--- a/src/login/logind.c ++++ b/src/login/logind.c +@@ -125,7 +125,8 @@ static void manager_free(Manager *m) { + Inhibitor *i; + Button *b; + +- assert(m); ++ if (!m) ++ return; + + while ((session = hashmap_first(m->sessions))) + session_free(session); +-- +2.9.3 + diff --git a/0025-core-if-the-start-command-vanishes-during-runtime-do.patch b/0025-core-if-the-start-command-vanishes-during-runtime-do.patch new file mode 100644 index 0000000..58d840b --- /dev/null +++ b/0025-core-if-the-start-command-vanishes-during-runtime-do.patch 
@@ -0,0 +1,39 @@ +From a30e889de3487c8c478389da0aded6d73f7f4cc7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 21 Oct 2016 12:27:46 +0200 +Subject: [PATCH] core: if the start command vanishes during runtime don't hit + an assert + +This can happen when the configuration is changed and reloaded while we are +executing a service. Let's not hit an assert in this case. + +Fixes: #4444 +(cherry picked from commit 47fffb3530af3e3ad4048570611685635fde062e) +--- + src/core/service.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/core/service.c b/src/core/service.c +index afb1985..537db62 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -1706,7 +1706,15 @@ static void service_enter_start(Service *s) { + } + + if (!c) { +- assert(s->type == SERVICE_ONESHOT); ++ if (s->type != SERVICE_ONESHOT) { ++ /* There's no command line configured for the main command? Hmm, that is strange. This can only ++ * happen if the configuration changes at runtime. In this case, let's enter a failure ++ * state. */ ++ log_unit_error(UNIT(s), "There's no 'start' task anymore we could start: %m"); ++ r = -ENXIO; ++ goto fail; ++ } ++ + service_enter_start_post(s); + return; + } +-- +2.9.3 + diff --git a/0026-core-don-t-hit-an-assert-when-printing-status-messag.patch b/0026-core-don-t-hit-an-assert-when-printing-status-messag.patch new file mode 100644 index 0000000..ed3b587 --- /dev/null +++ b/0026-core-don-t-hit-an-assert-when-printing-status-messag.patch 
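Review bot: The added `log_unit_error(UNIT(s), "There's no 'start' task anymore we could start: %m");` in service_enter_start() formats `%m` although nothing on this path has set errno, so the message ends with whatever error text is left over from an earlier call. Since `r = -ENXIO` is assigned on the very next line, either drop the `: %m` suffix or assign first and use the errno-aware variant, `log_unit_error_errno(UNIT(s), r, "There's no 'start' task anymore we could start: %m");`. The `fail:` label this jumps to is outside the hunk, so whether it logs `r` a second time could not be checked here.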
@@ -0,0 +1,38 @@ +From f1d2c31949a501d919a17e09b0d2a093d93837b4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 2 Nov 2016 12:02:53 -0600 +Subject: [PATCH] core: don't hit an assert when printing status messages about + units with overly long description strings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This essentially reverts one part of d054f0a4d451120c26494263fc4dc175bfd405b1. + +(We might also choose to use proper ellipsation here, but I wasn't sure the +memory allocation this requires wouöld be a good idea here...) + +Fixes: #4534 +(cherry picked from commit 07ecca0dc9d2d8f3b3abd73ab32f254f339fd903) +--- + src/core/job.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/core/job.c b/src/core/job.c +index 7557874..4efcfb8 100644 +--- a/src/core/job.c ++++ b/src/core/job.c +@@ -767,8 +767,9 @@ static void job_log_status_message(Unit *u, JobType t, JobResult result) { + if (!format) + return; + ++ /* The description might be longer than the buffer, but that's OK, we'll just truncate it here */ + DISABLE_WARNING_FORMAT_NONLITERAL; +- xsprintf(buf, format, unit_description(u)); ++ snprintf(buf, sizeof(buf), format, unit_description(u)); + REENABLE_WARNING; + + switch (t) { +-- +2.9.3 + diff --git a/0027-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch b/0027-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch new file mode 100644 index 0000000..26ab36f --- /dev/null +++ b/0027-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch 
@@ -0,0 +1,36 @@ +From 3c9f8cc10801766fba96459c46e52eaf1f77f16b Mon Sep 17 00:00:00 2001 +From: Dave Reisner +Date: Sun, 27 Nov 2016 17:05:39 -0500 +Subject: [PATCH] device: Avoid calling unit_free(NULL) in device setup logic + (#4748) + +Since a581e45ae8f9bb5c, there's a few function calls to +unit_new_for_name which will unit_free on failure. Prior to this commit, +a failure would result in calling unit_free with a NULL unit, and hit an +assertion failure, seen at least via device_setup_unit: + +Assertion 'u' failed at src/core/unit.c:519, function unit_free(). Aborting. + +Fixes #4747 +https://bugs.archlinux.org/task/51950 +(cherry picked from commit d112eae7da77899be245ab52aa1747d4675549f1) +--- + src/core/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/device.c b/src/core/device.c +index 16e56ef..31724e4 100644 +--- a/src/core/device.c ++++ b/src/core/device.c +@@ -369,7 +369,7 @@ static int device_setup_unit(Manager *m, struct udev_device *dev, const char *pa + fail: + log_unit_warning_errno(u, r, "Failed to set up device unit: %m"); + +- if (delete) ++ if (delete && u) + unit_free(u); + + return r; +-- +2.9.3 + diff --git a/0028-sd-network-fix-memleak-in-dhcp6_option_parse_domainn.patch b/0028-sd-network-fix-memleak-in-dhcp6_option_parse_domainn.patch new file mode 100644 index 0000000..cedebe1 --- /dev/null +++ b/0028-sd-network-fix-memleak-in-dhcp6_option_parse_domainn.patch 
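Review bot: The `if (delete && u)` guard in device_setup_unit() fixes this one call site, but unit_free() itself still asserts on NULL, so any other error path that reaches it with an unset unit will hit the same assertion; patch 0024 in this series takes the other approach and makes manager_free() return early on NULL. The `log_unit_warning_errno(u, r, ...)` call directly above receives the same possibly-NULL `u`, and its definition is not visible here, so it is worth confirming that it tolerates a NULL unit. A short comment at the guard, such as `/* u is NULL if unit_new_for_name() failed */`, would record why the check is needed. The rest of device_setup_unit() is outside the hunk.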
@@ -0,0 +1,87 @@ +From 0360725e0871bf29251636c561bfcd738ac5aba2 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Tue, 24 Jan 2017 05:11:59 +0300 +Subject: [PATCH] sd-network: fix memleak in dhcp6_option_parse_domainname + (#5114) + +The simplest way to reproduce: +```diff +diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c +index bd289fa..7b0a5ef 100644 +--- a/src/libsystemd-network/test-dhcp6-client.c ++++ b/src/libsystemd-network/test-dhcp6-client.c +@@ -168,7 +168,7 @@ static uint8_t msg_advertise[198] = { + 0x00, 0x17, 0x00, 0x10, 0x20, 0x01, 0x0d, 0xb8, + 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x0b, +- 0x03, 0x6c, 0x61, 0x62, 0x05, 0x69, 0x6e, 0x74, ++ 0x01, 0x6c, 0x01, 0x62, 0x00, 0x0a, 0x6e, 0x74, + 0x72, 0x61, 0x00, 0x00, 0x1f, 0x00, 0x10, 0x20, + 0x01, 0x0d, 0xb8, 0xde, 0xad, 0xbe, 0xef, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, +@@ -338,9 +338,7 @@ static int test_advertise_option(sd_event *e) { + assert_se(!memcmp(addrs, &msg_advertise[124], r * 16)); + + r = sd_dhcp6_lease_get_domains(lease, &domains); +- assert_se(r == 1); +- assert_se(!strcmp("lab.intra", domains[0])); +- assert_se(domains[1] == NULL); ++ assert_se(r == -ENOENT); + + r = sd_dhcp6_lease_get_ntp_addrs(lease, &addrs); + assert_se(r == 1); +``` + +Fixes: +``` +================================================================= +==15043==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 4 byte(s) in 1 object(s) allocated from: + #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160) + #1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552 + #2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399 + #3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225 + #4 0x55f775774b95 in test_advertise_option src/libsystemd-network/test-dhcp6-client.c:287 + #5 0x55f77577883e in main 
src/libsystemd-network/test-dhcp6-client.c:759 + #6 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400) + +Direct leak of 4 byte(s) in 1 object(s) allocated from: + #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160) + #1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552 + #2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399 + #3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225 + #4 0x55f775781348 in client_parse_message src/libsystemd-network/sd-dhcp6-client.c:807 + #5 0x55f775781ba2 in client_receive_advertise src/libsystemd-network/sd-dhcp6-client.c:895 + #6 0x55f775782453 in client_receive_message src/libsystemd-network/sd-dhcp6-client.c:994 + #7 0x7f13c7e447f4 in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 + #8 0x7f13c7e471b0 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 + #9 0x7f13c7e47ab3 in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 + #10 0x7f13c7e47c21 in sd_event_loop src/libsystemd/sd-event/sd-event.c:2706 + #11 0x55f77577863c in test_client_solicit src/libsystemd-network/test-dhcp6-client.c:737 + #12 0x55f77577884b in main src/libsystemd-network/test-dhcp6-client.c:760 + #13 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400) + +SUMMARY: AddressSanitizer: 8 byte(s) leaked in 2 allocation(s). 
+``` +(cherry picked from commit 419eaa8f8d2025bae98c23bdedb434d6dbb025b8) +--- + src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index 5462e03..f8056db 100644 +--- a/src/libsystemd-network/dhcp6-option.c ++++ b/src/libsystemd-network/dhcp6-option.c +@@ -339,7 +339,7 @@ int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, + + int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char ***str_arr) { + size_t pos = 0, idx = 0; +- _cleanup_free_ char **names = NULL; ++ _cleanup_strv_free_ char **names = NULL; + int r; + + assert_return(optlen > 1, -ENODATA); +-- +2.9.3 + diff --git a/0029-sd-network-fix-memleak-in-dhcp6_lease_set_domains-51.patch b/0029-sd-network-fix-memleak-in-dhcp6_lease_set_domains-51.patch new file mode 100644 index 0000000..4e678e6 --- /dev/null +++ b/0029-sd-network-fix-memleak-in-dhcp6_lease_set_domains-51.patch 
@@ -0,0 +1,58 @@ +From c0f1299f8dda31ca91e5b7c8a098fad633156960 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Tue, 24 Jan 2017 05:12:58 +0300 +Subject: [PATCH] sd-network: fix memleak in dhcp6_lease_set_domains (#5113) + +The simplest way to reproduce: +```diff +diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c +index bd289fa..4e14d8f 100644 +--- a/src/libsystemd-network/test-dhcp6-client.c ++++ b/src/libsystemd-network/test-dhcp6-client.c +@@ -286,6 +286,8 @@ static int test_advertise_option(sd_event *e) { + assert_se(optlen == 11); + assert_se(dhcp6_lease_set_domains(lease, optval, + optlen) >= 0); ++ assert_se(dhcp6_lease_set_domains(lease, optval, ++ optlen) >= 0); + break; + + case SD_DHCP6_OPTION_SNTP_SERVERS: +``` + +Fixes: +``` +==27369==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 10 byte(s) in 1 object(s) allocated from: + #0 0x7f90e7d21160 in strdup (/lib64/libasan.so.3+0x5a160) + #1 0x7f90e7467f69 in strv_extend src/basic/strv.c:552 + #2 0x5612fcc19379 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399 + #3 0x5612fcc1acdf in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225 + #4 0x5612fcc06b95 in test_advertise_option src/libsystemd-network/test-dhcp6-client.c:287 + #5 0x5612fcc0a987 in main src/libsystemd-network/test-dhcp6-client.c:761 + #6 0x7f90e6d46400 in __libc_start_main (/lib64/libc.so.6+0x20400) + +SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s). 
+``` +(cherry picked from commit 0b75a95ace6e1d82772f6b5f1809f4839b810628) +--- + src/libsystemd-network/sd-dhcp6-lease.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c +index 5c10a63..681384b 100644 +--- a/src/libsystemd-network/sd-dhcp6-lease.c ++++ b/src/libsystemd-network/sd-dhcp6-lease.c +@@ -226,7 +226,7 @@ int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, uint8_t *optval, + if (r < 0) + return 0; + +- free(lease->domains); ++ strv_free(lease->domains); + lease->domains = domains; + lease->domains_count = r; + +-- +2.9.3 + diff --git a/0030-sd-event-when-exiting-no-signal-event-are-pending-is.patch b/0030-sd-event-when-exiting-no-signal-event-are-pending-is.patch new file mode 100644 index 0000000..ae4cd0d --- /dev/null +++ b/0030-sd-event-when-exiting-no-signal-event-are-pending-is.patch 
@@ -0,0 +1,57 @@ +From b3f8184653e03409669e24c4e42b2aff4ecf00b7 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Wed, 8 Feb 2017 20:56:22 +0100 +Subject: [PATCH] sd-event: "when exiting no signal event are pending" is a + wrong assertion (#5271) + +The code make the following assertion: when freeing a event loop object +(usually it's done after exiting from the main event loop), no signal events +are still queued and are pending. + +This assertion can be found in event_unmask_signal_data() with +"assert(!d->current);" assertion. + +It appears that this assertion can be wrong at least in a specific case +described below. + +Consider the following example which is inspired from udev: a process defines 3 +source events: 2 are created by sd_event_add_signal() and 1 is created by +sd_event_add_post(). + + 1. the process receives the 2 signals consecutively so that signal 'A' source + event is queued and pending. Consequently the post source event is also + queued and pending. This is done by sd_event_wait(). + + 2. The callback for signal 'A' is called by sd_event_dispatch(). + + 3. The next call to sd_event_wait() will queue signal 'B' source event. + + 4. The callback for the post source event is called and calls sd_event_exit(). + + 5. the event loop is exited. + + 6. freeing the event loop object will lead to the assertion failure in + event_unmask_signal_data(). + +This patch simply removes this assertion as it doesn't seem to be a +bug if the signal data still reference a signal source at this point. 
+(cherry picked from commit 4470860388e12a5dda1d65773e411a349221a3e9) +--- + src/libsystemd/sd-event/sd-event.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c +index 9857f8b..41ce91f 100644 +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -730,7 +730,6 @@ static void event_unmask_signal_data(sd_event *e, struct signal_data *d, int sig + + /* If all the mask is all-zero we can get rid of the structure */ + hashmap_remove(e->signal_data, &d->priority); +- assert(!d->current); + safe_close(d->fd); + free(d); + return; +-- +2.9.3 + diff --git a/0031-journal-gatewayd-fix-segfault-with-certain-request-3.patch b/0031-journal-gatewayd-fix-segfault-with-certain-request-3.patch new file mode 100644 index 0000000..5c8aebd --- /dev/null +++ b/0031-journal-gatewayd-fix-segfault-with-certain-request-3.patch 
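Review bot: With `assert(!d->current)` removed, event_unmask_signal_data() now reaches `free(d)` while `d->current` may still name a signal source, and nothing left in the code says why that is safe. The commit message argues the state is legitimate when the loop is torn down, so that reasoning belongs where the assertion was, for example `/* d->current may still be set if the loop exited with a signal queued */`. Whether anything keeps a pointer back to `d` after the hashmap_remove() cannot be seen from this hunk and should be checked before the comment is relied on. The function continues outside the hunk.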
@@ -0,0 +1,34 @@ +From 965082d8f944d96ff1f1f5c5483d2d50215ff1a6 Mon Sep 17 00:00:00 2001 +From: Yi EungJun +Date: Sun, 7 Aug 2016 05:39:13 +0900 +Subject: [PATCH] journal-gatewayd: fix segfault with certain request (#3893) + +When client requests to get logs with `follow` and `KEY=match` that +doesn't match any log entry, journal-gatewayd segfaulted. + +Make request_reader_entries to return zero in such case to wait for +matching entries. + +This fixes https://github.com/systemd/systemd/issues/3873. +(cherry picked from commit 3475fc5899db8c8c9198573912429b85213e4862) +--- + src/journal-remote/journal-gatewayd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c +index 4ad9184..e4a8287 100644 +--- a/src/journal-remote/journal-gatewayd.c ++++ b/src/journal-remote/journal-gatewayd.c +@@ -239,6 +239,9 @@ static ssize_t request_reader_entries( + m->size = (uint64_t) sz; + } + ++ if (m->tmp == NULL && m->follow) ++ return 0; ++ + if (fseeko(m->tmp, pos, SEEK_SET) < 0) { + log_error_errno(errno, "Failed to seek to position: %m"); + return MHD_CONTENT_READER_END_WITH_ERROR; +-- +2.9.3 + diff --git a/0032-boot-fix-bootctl-install-segfault-4404.patch b/0032-boot-fix-bootctl-install-segfault-4404.patch new file mode 100644 index 0000000..db2987a --- /dev/null +++ b/0032-boot-fix-bootctl-install-segfault-4404.patch 
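Review bot: The new guard in request_reader_entries() returns early only when `m->tmp == NULL` and `m->follow` is set, so if `m->tmp` can be NULL on a request without `follow`, the `fseeko(m->tmp, pos, SEEK_SET)` on the next line still receives a NULL stream. The loop that opens `m->tmp` is outside the hunk, so that case may be unreachable today, but this reader is driven by HTTP client requests and a guard that does not depend on the flag is cheap: `if (!m->tmp) return m->follow ? 0 : MHD_CONTENT_READER_END_OF_STREAM;`. A one-line comment stating that returning 0 here means "no matching entry yet, wait" would also help the next reader.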
@@ -0,0 +1,27 @@ +From 293bb90e89dfdfdad1423d0d1a8e1487a95fec46 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 19 Oct 2016 20:50:47 +0900 +Subject: [PATCH] boot: fix `bootctl install` segfault (#4404) + +(cherry picked from commit 9ee051b9c7623e148bf0d768cc2677aecf283fc8) +--- + src/boot/bootctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index 37fa049..115fe93 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -550,7 +550,8 @@ static const char *efi_subdirs[] = { + "EFI/systemd", + "EFI/BOOT", + "loader", +- "loader/entries" ++ "loader/entries", ++ NULL + }; + + static int create_dirs(const char *esp_path) { +-- +2.9.3 + diff --git a/0033-sysusers-fix-memleak-4430.patch b/0033-sysusers-fix-memleak-4430.patch new file mode 100644 index 0000000..0885914 --- /dev/null +++ b/0033-sysusers-fix-memleak-4430.patch 
@@ -0,0 +1,38 @@ +From 8f88b3ca7697acfe79a97d6c7094c277744fd6b2 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Thu, 20 Oct 2016 21:23:32 +0300 +Subject: [PATCH] sysusers: fix memleak (#4430) + +Fixes: +``` +==28075== 64 bytes in 1 blocks are definitely lost in loss record 2 of 3 +==28075== at 0x4C2BAEE: malloc (vg_replace_malloc.c:298) +==28075== by 0x4C2DCA1: realloc (vg_replace_malloc.c:785) +==28075== by 0x4ED40A2: greedy_realloc (alloc-util.c:57) +==28075== by 0x4E90F87: extract_first_word (extract-word.c:78) +==28075== by 0x4E91813: extract_many_words (extract-word.c:270) +==28075== by 0x10FE93: parse_line (sysusers.c:1325) +==28075== by 0x11198B: read_config_file (sysusers.c:1640) +==28075== by 0x111EB8: main (sysusers.c:1773) +==28075== +``` +(cherry picked from commit d9b8ea5448ba1e61d681a206d770a4eac39b9936) +--- + src/sysusers/sysusers.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index 787d68a..a39a580 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -1189,6 +1189,7 @@ static void item_free(Item *i) { + free(i->uid_path); + free(i->gid_path); + free(i->description); ++ free(i->home); + free(i); + } + +-- +2.9.3 + diff --git a/0034-sysusers-fix-memleak-4443.patch b/0034-sysusers-fix-memleak-4443.patch new file mode 100644 index 0000000..4f0d5a3 --- /dev/null +++ b/0034-sysusers-fix-memleak-4443.patch 
@@ -0,0 +1,38 @@ +From fa36e278e78aea1d23aac18239f928e168223f39 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Fri, 21 Oct 2016 13:30:45 +0300 +Subject: [PATCH] sysusers: fix memleak (#4443) + +Fixes: +Oct 20 09:10:49 systemd-sysusers[144]: Direct leak of 20 byte(s) in 1 object(s) allocated from: +Oct 20 09:10:49 systemd-sysusers[144]: #0 0x7f3565a13e60 in malloc (/lib64/libasan.so.3+0xc6e60) +Oct 20 09:10:49 systemd-sysusers[144]: #1 0x7f3565526bd0 in malloc_multiply src/basic/alloc-util.h:70 +Oct 20 09:10:49 systemd-sysusers[144]: #2 0x7f356552cb55 in tempfn_xxxxxx src/basic/fileio.c:1116 +Oct 20 09:10:49 systemd-sysusers[144]: #3 0x7f356552c4f0 in fopen_temporary src/basic/fileio.c:1042 +Oct 20 09:10:49 systemd-sysusers[144]: #4 0x7f356555e00e in fopen_temporary_label src/basic/fileio-label.c:63 +Oct 20 09:10:49 systemd-sysusers[144]: #5 0x56197c4a1766 in make_backup src/sysusers/sysusers.c:209 +Oct 20 09:10:49 systemd-sysusers[144]: #6 0x56197c4a6335 in write_files src/sysusers/sysusers.c:710 +Oct 20 09:10:49 systemd-sysusers[144]: #7 0x56197c4ae571 in main src/sysusers/sysusers.c:1817 +Oct 20 09:10:49 systemd-sysusers[144]: #8 0x7f3564dee730 in __libc_start_main (/lib64/libc.so.6+0x20730) +(cherry picked from commit 0a12bb1eaa097dc83018aa034faef113a91e6014) +--- + src/sysusers/sysusers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index a39a580..dfb708c 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -190,7 +190,8 @@ static int load_group_database(void) { + static int make_backup(const char *target, const char *x) { + _cleanup_close_ int src = -1; + _cleanup_fclose_ FILE *dst = NULL; +- char *backup, *temp; ++ _cleanup_free_ char *temp = NULL; ++ char *backup; + struct timespec ts[2]; + struct stat st; + int r; +-- +2.9.3 + 
diff --git a/0035-journalctl-fix-memleak.patch b/0035-journalctl-fix-memleak.patch new file mode 100644 index 0000000..c9af64a --- /dev/null +++ b/0035-journalctl-fix-memleak.patch @@ -0,0 +1,43 @@ +From 01ad377a1d4029efb083c6a512793ca7b2a58048 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Thu, 3 Nov 2016 21:23:22 +0000 +Subject: [PATCH] journalctl: fix memleak + +bash-4.3# journalctl --no-hostname >/dev/null + +================================================================= +==288==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 48492 byte(s) in 2694 object(s) allocated from: + #0 0x7fb4aba13e60 in malloc (/lib64/libasan.so.3+0xc6e60) + #1 0x7fb4ab5b2cc4 in malloc_multiply src/basic/alloc-util.h:70 + #2 0x7fb4ab5b3194 in parse_field src/shared/logs-show.c:98 + #3 0x7fb4ab5b4918 in output_short src/shared/logs-show.c:347 + #4 0x7fb4ab5b7cb7 in output_journal src/shared/logs-show.c:977 + #5 0x5650e29cd83d in main src/journal/journalctl.c:2581 + #6 0x7fb4aabdb730 in __libc_start_main (/lib64/libc.so.6+0x20730) + +SUMMARY: AddressSanitizer: 48492 byte(s) leaked in 2694 allocation(s). + +Closes: #4568 +(cherry picked from commit 12104159ed88324fa95505a6a8b333dd92a80368) +--- + src/shared/logs-show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c +index d04728f..f347cee 100644 +--- a/src/shared/logs-show.c ++++ b/src/shared/logs-show.c +@@ -378,7 +378,7 @@ static int output_short( + + if (hostname && (flags & OUTPUT_NO_HOSTNAME)) { + /* Suppress display of the hostname if this is requested. */ +- hostname = NULL; ++ hostname = mfree(hostname); + hostname_len = 0; + } + +-- +2.9.3 + diff --git a/0036-acl-util-fix-memleak.patch b/0036-acl-util-fix-memleak.patch new file mode 100644 index 0000000..6bb2511 --- /dev/null +++ b/0036-acl-util-fix-memleak.patch 
@@ -0,0 +1,59 @@ +From 02fc17d4db1f2bc215f7915f4394ea7f4d8d0602 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Thu, 3 Nov 2016 22:04:40 +0000 +Subject: [PATCH] acl-util: fix memleak + +Fixes: +$ ./libtool --mode execute valgrind --leak-check=full ./journalctl >/dev/null +==22309== Memcheck, a memory error detector +==22309== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. +==22309== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info +==22309== Command: /home/vagrant/systemd/.libs/lt-journalctl +==22309== +Hint: You are currently not seeing messages from other users and the system. + Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages. + Pass -q to turn off this notice. +==22309== +==22309== HEAP SUMMARY: +==22309== in use at exit: 8,680 bytes in 4 blocks +==22309== total heap usage: 5,543 allocs, 5,539 frees, 9,045,618 bytes allocated +==22309== +==22309== 488 (56 direct, 432 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4 +==22309== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299) +==22309== by 0x6F37A0A: __new_var_obj_p (__libobj.c:36) +==22309== by 0x6F362F7: __acl_init_obj (acl_init.c:28) +==22309== by 0x6F37731: __acl_from_xattr (__acl_from_xattr.c:54) +==22309== by 0x6F36087: acl_get_file (acl_get_file.c:69) +==22309== by 0x4F15752: acl_search_groups (acl-util.c:172) +==22309== by 0x113A1E: access_check_var_log_journal (journalctl.c:1836) +==22309== by 0x113D8D: access_check (journalctl.c:1889) +==22309== by 0x115681: main (journalctl.c:2236) +==22309== +==22309== LEAK SUMMARY: +==22309== definitely lost: 56 bytes in 1 blocks +==22309== indirectly lost: 432 bytes in 1 blocks +==22309== possibly lost: 0 bytes in 0 blocks +==22309== still reachable: 8,192 bytes in 2 blocks +==22309== suppressed: 0 bytes in 0 blocks + +(cherry picked from commit 29d87223d54fc13e16f444677f0a94ed0755bd88) +--- + src/shared/acl-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff 
--git a/src/shared/acl-util.c b/src/shared/acl-util.c +index 2aa951f..79a3b95 100644 +--- a/src/shared/acl-util.c ++++ b/src/shared/acl-util.c +@@ -162,7 +162,7 @@ int add_base_acls_if_needed(acl_t *acl_p, const char *path) { + + int acl_search_groups(const char *path, char ***ret_groups) { + _cleanup_strv_free_ char **g = NULL; +- _cleanup_(acl_free) acl_t acl = NULL; ++ _cleanup_(acl_freep) acl_t acl = NULL; + bool ret = false; + acl_entry_t entry; + int r; +-- +2.9.3 + diff --git a/0037-core-fix-memleak-in-bus_exec_context_set_transient_p.patch b/0037-core-fix-memleak-in-bus_exec_context_set_transient_p.patch new file mode 100644 index 0000000..0c4968e --- /dev/null +++ b/0037-core-fix-memleak-in-bus_exec_context_set_transient_p.patch 
@@ -0,0 +1,47 @@ +From a402c90c369f083d37c65a8ba830e7b123b4278b Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Wed, 25 Jan 2017 05:53:50 +0300 +Subject: [PATCH] core: fix memleak in bus_exec_context_set_transient_property + (#5143) + +Fixes: +```sh +systemd-run --property EnvironmentFile=/some/environment/file /bin/sleep 30 +``` +``` + 23 bytes in 1 blocks are definitely lost in loss record 1 of 7 + at 0x4C2DB9D: malloc (vg_replace_malloc.c:299) + by 0x4E85488: malloc_multiply (alloc-util.h:70) + by 0x4E85F19: strjoin_real (string-util.c:252) + by 0x1AF741: bus_exec_context_set_transient_property (dbus-execute.c:1418) + by 0x1A907C: bus_service_set_property (dbus-service.c:330) + by 0x1A66DD: bus_unit_set_properties (dbus-unit.c:1456) + by 0x19CF93: transient_unit_from_message (dbus-manager.c:892) + by 0x19D388: method_start_transient_unit (dbus-manager.c:980) + by 0x4F60544: method_callbacks_run (bus-objects.c:418) + by 0x4F62D9D: object_find_and_run (bus-objects.c:1255) + by 0x4F633CE: bus_process_object (bus-objects.c:1371) + by 0x4F2CE1D: process_message (sd-bus.c:2563) +``` +Closes: #5142 +(cherry picked from commit 9b531f04fb16e072100b10b93613abe846140305) +--- + src/core/dbus-execute.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c +index 307c3d8..a1d5523 100644 +--- a/src/core/dbus-execute.c ++++ b/src/core/dbus-execute.c +@@ -1224,7 +1224,7 @@ int bus_exec_context_set_transient_property( + + _cleanup_free_ char *joined = NULL; + _cleanup_fclose_ FILE *f = NULL; +- _cleanup_free_ char **l = NULL; ++ _cleanup_strv_free_ char **l = NULL; + size_t size = 0; + char **i; + +-- +2.9.3 + diff --git a/0038-core-dbus-fix-two-strv-memleaks.patch b/0038-core-dbus-fix-two-strv-memleaks.patch new file mode 100644 index 0000000..7fd3e75 --- /dev/null +++ b/0038-core-dbus-fix-two-strv-memleaks.patch 
@@ -0,0 +1,38 @@ +From 827038487456a5ad249529cb643ec30bcd1dac62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 24 Jan 2017 22:21:16 -0500 +Subject: [PATCH] core/dbus: fix two strv memleaks + +job_dbus_path and unit_dbus_path both allocate new strings, so we should use +strv_free. + +(cherry picked from commit f0c03de85afa93d1df2bb533a46748e7f4264af6) +--- + src/core/dbus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/dbus.c b/src/core/dbus.c +index 3422a02..5d87bca 100644 +--- a/src/core/dbus.c ++++ b/src/core/dbus.c +@@ -477,7 +477,7 @@ static int bus_kill_context_find(sd_bus *bus, const char *path, const char *inte + } + + static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) { +- _cleanup_free_ char **l = NULL; ++ _cleanup_strv_free_ char **l = NULL; + Manager *m = userdata; + unsigned k = 0; + Iterator i; +@@ -504,7 +504,7 @@ static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char + } + + static int bus_unit_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) { +- _cleanup_free_ char **l = NULL; ++ _cleanup_strv_free_ char **l = NULL; + Manager *m = userdata; + unsigned k = 0; + Iterator i; +-- +2.9.3 + diff --git a/0039-resolve-fix-strv-memleak.patch b/0039-resolve-fix-strv-memleak.patch new file mode 100644 index 0000000..4565aa8 --- /dev/null +++ b/0039-resolve-fix-strv-memleak.patch 
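Review bot: Switching `l` to `_cleanup_strv_free_` in bus_job_enumerate() and bus_unit_enumerate() means the cleanup now walks the array up to the first NULL entry, so every early return must leave `l` NULL-terminated. The `unsigned k = 0` index beside it suggests the array is filled slot by slot, and the allocation is outside both hunks. If the array is not zero-initialised (for example with `new0()`), an error return part-way through the loop would make the cleanup read and free uninitialised pointers. Please confirm, and record it next to the allocation with a comment such as `/* zero-filled so strv_free() stops at the first unused slot */`.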
@@ -0,0 +1,28 @@ +From 610b7bf641e708c95e5ec7e7bd2bc8742a44e86a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 24 Jan 2017 22:27:21 -0500 +Subject: [PATCH] resolve: fix strv memleak + +sd_bus_message_read_strv() returns a normal strv... + +(cherry picked from commit c6d92582205065e4924b9f0cb1428f4a5f210fd4) +--- + src/resolve/resolved-link-bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c +index 3648122..59cd6cf 100644 +--- a/src/resolve/resolved-link-bus.c ++++ b/src/resolve/resolved-link-bus.c +@@ -462,7 +462,7 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e + + int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_set_free_free_ Set *ns = NULL; +- _cleanup_free_ char **ntas = NULL; ++ _cleanup_strv_free_ char **ntas = NULL; + Link *l = userdata; + int r; + char **i; +-- +2.9.3 + diff --git a/0040-sd-device-replace-lstat-open-with-open-O_NOFOLLOW.patch b/0040-sd-device-replace-lstat-open-with-open-O_NOFOLLOW.patch new file mode 100644 index 0000000..c76f4da --- /dev/null +++ b/0040-sd-device-replace-lstat-open-with-open-O_NOFOLLOW.patch 
@@ -0,0 +1,109 @@
+From e863293901fc7cfe823c0c0213b86aa5a98b07ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 19 Feb 2017 14:17:19 -0500
+Subject: [PATCH] sd-device: replace lstat() + open() with open(O_NOFOLLOW)
+
+Coverity was complaining about TOCTOU (CID #745806). Indeed, it seems better
+to open the file and avoid the stat altogether:
+
+- O_NOFOLLOW means we'll get ELOOP, which we can translate to EINVAL as before,
+- similarly, open(O_WRONLY) on a directory will fail with EISDIR,
+- and finally, it makes no sense to check access mode ourselves: just let
+ the kernel do it and propagate the error.
+
+v2:
+- fix memleak, don't clober input arg
+
+(cherry picked from commit 2fa4861ad5a203bff604cac660136834e3b70108)
+---
+ src/libsystemd/sd-device/sd-device.c | 43 ++++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 27 deletions(-)
+
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 0c4ad96..1d68fe0 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -1857,8 +1857,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+ _cleanup_free_ char *value = NULL;
+ const char *syspath;
+ char *path;
+- struct stat statbuf;
+- size_t value_len = 0;
++ size_t len = 0;
+ ssize_t size;
+ int r;
+
+@@ -1876,8 +1875,14 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+ return r;
+
+ path = strjoina(syspath, "/", sysattr);
+- r = lstat(path, &statbuf);
+- if (r < 0) {
++
++ fd = open(path, O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ if (errno == ELOOP)
++ return -EINVAL;
++ if (errno == EISDIR)
++ return -EISDIR;
++
+ value = strdup("");
+ if (!value)
+ return -ENOMEM;
+@@ -1889,46 +1894,30 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+ return -ENXIO;
+ }
+
+- if (S_ISLNK(statbuf.st_mode))
+- return -EINVAL;
+-
+- /* skip directories */
+- if (S_ISDIR(statbuf.st_mode))
+- return -EISDIR;
+-
+- /* skip non-readable files */
+- if ((statbuf.st_mode & S_IRUSR) == 0)
+- return -EACCES;
+-
+- value_len = strlen(_value);
++ len = strlen(_value);
+
+ /* drop trailing newlines */
+- while (value_len > 0 && _value[value_len - 1] == '\n')
+- _value[--value_len] = '\0';
++ while (len > 0 && _value[len - 1] == '\n')
++ len --;
+
+ /* value length is limited to 4k */
+- if (value_len > 4096)
++ if (len > 4096)
+ return -EINVAL;
+
+- fd = open(path, O_WRONLY | O_CLOEXEC);
+- if (fd < 0)
+- return -errno;
+-
+- value = strdup(_value);
++ value = strndup(_value, len);
+ if (!value)
+ return -ENOMEM;
+
+- size = write(fd, value, value_len);
++ size = write(fd, value, len);
+ if (size < 0)
+ return -errno;
+
+- if ((size_t)size != value_len)
++ if ((size_t)size != len)
+ return -EIO;
+
+ r = device_add_sysattr_value(device, sysattr, value);
+ if (r < 0)
+ return r;
+-
+ value = NULL;
+
+ return 0;
+--
+2.9.3
+
diff --git a/systemd.spec b/systemd.spec
index 006595c..bdeb140 100644
--- a/systemd.spec
+++ b/systemd.spec
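Review bot: In the new `if (fd < 0)` branch of sd_device_set_sysattr_value(), only ELOOP and EISDIR are returned as themselves; every other open() failure continues into the pre-existing path that caches an empty value and, as far as the context lines show, ends in `return -ENXIO;`. The removed code returned `-errno` from open(), so a permission failure such as EACCES, EPERM or EROFS would now look like a missing attribute to the caller, which does not match the commit message's "let the kernel do it and propagate the error". Consider adding `if (errno != ENOENT) return -errno;` after the EISDIR check so that only a genuinely absent attribute takes the cached-empty path. The lines between the second and third nested hunks are not visible here, so the exact return on that path should be confirmed against the full function. A short comment such as `/* O_NOFOLLOW only rejects a symlink in the final path component */` next to the open() call would also record what the flag does and does not cover.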
@@ -60,6 +60,23 @@ Patch0020: 0020-Various-simplifications.patch Patch0021: 0021-build-sys-check-for-lz4-in-the-old-and-new-numbering.patch Patch0022: 0022-pid1-do-not-use-mtime-0-as-sign-of-masking-4388.patch Patch0023: 0023-udev-net_id-add-support-for-phys_port_name-attribute.patch +Patch0024: 0024-logind-don-t-hit-assert-when-we-try-to-free-NULL-man.patch +Patch0025: 0025-core-if-the-start-command-vanishes-during-runtime-do.patch +Patch0026: 0026-core-don-t-hit-an-assert-when-printing-status-messag.patch +Patch0027: 0027-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch +Patch0028: 0028-sd-network-fix-memleak-in-dhcp6_option_parse_domainn.patch +Patch0029: 0029-sd-network-fix-memleak-in-dhcp6_lease_set_domains-51.patch +Patch0030: 0030-sd-event-when-exiting-no-signal-event-are-pending-is.patch +Patch0031: 0031-journal-gatewayd-fix-segfault-with-certain-request-3.patch +Patch0032: 0032-boot-fix-bootctl-install-segfault-4404.patch +Patch0033: 0033-sysusers-fix-memleak-4430.patch +Patch0034: 0034-sysusers-fix-memleak-4443.patch +Patch0035: 0035-journalctl-fix-memleak.patch +Patch0036: 0036-acl-util-fix-memleak.patch +Patch0037: 0037-core-fix-memleak-in-bus_exec_context_set_transient_p.patch +Patch0038: 0038-core-dbus-fix-two-strv-memleaks.patch +Patch0039: 0039-resolve-fix-strv-memleak.patch +Patch0040: 0040-sd-device-replace-lstat-open-with-open-O_NOFOLLOW.patch Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -960,6 +977,7 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd %changelog * Wed Feb 22 2017 Michal Sekletar - 231-14 - Backport support for phys_port_name to net_id (#1425737) +- Backport bunch of bugfixes (asserts, segv, memleaks) from upstream * Tue Jan 17 2017 Zbigniew Jędrzejewski-Szmek - 231-13 - Backport mtime==0 fix (#1384150)