Merge pull request #20256 from keszybz/one-alloca-too-many

basic/unit-name: do not use strdupa() on a path
hwdb: 60-keyboard::remove hardcoded definition for KEYBOARD_KEY_56 for MSI Prestige And Modern
2026-03-23 07:14:53 +01:00 · 2021-07-20 14:39:23 +02:00 · 2021-07-20 09:42:04 +01:00 · 2021-06-23 17:25:30 +02:00 · 2021-06-23 17:25:30 +02:00
2 changed files with 7 additions and 11 deletions
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -1303,7 +1303,6 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pnU90/U100:*
 # Keymaps MSI Prestige And MSI Modern FnKeys and Special keys
 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*Prestige*:*
 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*Modern*:*
- KEYBOARD_KEY_56=backslash                              # Secondary backslash key
 KEYBOARD_KEY_f1=f20                                    # Fn+F5 Micmute
 KEYBOARD_KEY_76=f21                                    # Fn+F4 Toggle touchpad, sends meta+ctrl+toggle
 KEYBOARD_KEY_91=prog1                                  # Fn+F7 Creation Center, sometime F7
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
 }

 int unit_name_path_escape(const char *f, char **ret) {
-        char *p, *s;
+        _cleanup_free_ char *p = NULL;
+        char *s;

        assert(f);
        assert(ret);

-        p = strdupa(f);
+        p = strdup(f);
        if (!p)
                return -ENOMEM;

@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
                if (!path_is_normalized(p))
                        return -EINVAL;

-                /* Truncate trailing slashes */
+                /* Truncate trailing slashes and skip leading slashes */
                delete_trailing_chars(p, "/");
-
-                /* Truncate leading slashes */
-                p = skip_leading_chars(p, "/");
-
-                s = unit_name_escape(p);
+                s = unit_name_escape(skip_leading_chars(p, "/"));
        }
        if (!s)
                return -ENOMEM;
@ -531,7 +528,7 @@ int unit_name_from_path(const char *path, const char *suffix, char **ret) {
        if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
                return -ENAMETOOLONG;

-        /* Refuse this if this got too long or for some other reason didn't result in a valid name */
+        /* Refuse if this for some other reason didn't result in a valid name */
        if (!unit_name_is_valid(s, UNIT_NAME_PLAIN))
                return -EINVAL;

@ -565,7 +562,7 @@ int unit_name_from_path_instance(const char *prefix, const char *path, const cha
        if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
                return -ENAMETOOLONG;

-        /* Refuse this if this got too long or for some other reason didn't result in a valid name */
+        /* Refuse if this for some other reason didn't result in a valid name */
        if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
                return -EINVAL;
Author	SHA1	Message	Date
Zbigniew Jędrzejewski-Szmek	b34a4f0e67	Merge pull request #20256 from keszybz/one-alloca-too-many basic/unit-name: do not use strdupa() on a path	2021-07-20 14:39:23 +02:00
Aakash Singh	30c9faff0d	hwdb: 60-keyboard::remove hardcoded definition for KEYBOARD_KEY_56 for MSI Prestige And Modern	2021-07-20 09:42:04 +01:00
Zbigniew Jędrzejewski-Szmek	4e2544c30b	basic/unit-name: adjust comments We already checked for "too long" right above…	2021-06-23 17:25:30 +02:00
Zbigniew Jędrzejewski-Szmek	441e011564	basic/unit-name: do not use strdupa() on a path The path may have unbounded length, for example through a fuse mount. CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo and each mountpoint is passed to mount_setup_unit(), which calls unit_name_path_escape() underneath. A local attacker who is able to mount a filesystem with a very long path can crash systemd and the whole system. https://bugzilla.redhat.com/show_bug.cgi?id=1970887 The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we can't easily check the length after simplification before doing the simplification, which in turns uses a copy of the string we can write to. So we can't reject paths that are too long before doing the duplication. Hence the most obvious solution is to switch back to strdup(), as before 7410616cd9dbbec97cf98d75324da5cda2b2f7a2.	2021-06-23 17:25:30 +02:00