diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-07-10 23:40:16 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-07-10 23:40:16 +0100 |
| commit | 51af5f0eb4cddbe6aa7953717873691d77aae9ff (patch) | |
| tree | 1541525274162b033ebbc3ed38abaf335fbbd49a /sys-apps/systemd/files | |
| parent | 7014a5a3ea0feffab9701fdd6b64cc7667a985af (diff) | |
gentoo resync : 11.07.2019
Diffstat (limited to 'sys-apps/systemd/files')
| -rw-r--r-- | sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch | 76 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-network-domains.patch | 57 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-networkd-ipv6-token.patch | 152 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-rdrand-ryzen.patch | 353 | ||||
| -rw-r--r-- | sys-apps/systemd/files/CVE-2019-6454.patch | 198 |
5 files changed, 638 insertions, 198 deletions
diff --git a/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch new file mode 100644 index 000000000000..e337b4f4ca52 --- /dev/null +++ b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch @@ -0,0 +1,76 @@ +From c322f379e6ca972f1c4d3409ac97828b1b838d5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Fri, 22 Feb 2019 13:07:00 +0100 +Subject: [PATCH] Add wrapper for __msan_unpoinson() to reduce #ifdeffery + +This isn't really necessary for the subsequent commit, but I expect that we'll +need to unpoison more often once we turn on msan in CI, so I think think this +change makes sense in the long run. +--- + src/basic/alloc-util.h | 10 ++++++++++ + src/basic/random-util.c | 11 ++--------- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h +index 893a1238ff..78ee34bb71 100644 +--- a/src/basic/alloc-util.h ++++ b/src/basic/alloc-util.h +@@ -8,6 +8,10 @@ + + #include "macro.h" + ++#if HAS_FEATURE_MEMORY_SANITIZER ++# include <sanitizer/msan_interface.h> ++#endif ++ + typedef void (*free_func_t)(void *p); + + /* If for some reason more than 4M are allocated on the stack, let's abort immediately. It's better than +@@ -160,3 +164,9 @@ void* greedy_realloc0(void **p, size_t *allocated, size_t need, size_t size); + (ptr) = NULL; \ + _ptr_; \ + }) ++ ++#if HAS_FEATURE_MEMORY_SANITIZER ++# define msan_unpoison(r, s) __msan_unpoison(r, s) ++#else ++# define msan_unpoison(r, s) ++#endif +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index f7decf60b6..ca25fd2420 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -23,16 +23,13 @@ + # include <linux/random.h> + #endif + ++#include "alloc-util.h" + #include "fd-util.h" + #include "io-util.h" + #include "missing.h" + #include "random-util.h" + #include "time-util.h" + +-#if HAS_FEATURE_MEMORY_SANITIZER +-#include <sanitizer/msan_interface.h> +-#endif +- + int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) +@@ -58,11 +55,7 @@ int rdrand(unsigned long *ret) { + "setc %1" + : "=r" (*ret), + "=qm" (err)); +- +-#if HAS_FEATURE_MEMORY_SANITIZER +- __msan_unpoison(&err, sizeof(err)); +-#endif +- ++ msan_unpoison(&err, sizeof(err)); + if (!err) + return -EAGAIN; + +-- +2.22.0 + diff --git a/sys-apps/systemd/files/242-network-domains.patch b/sys-apps/systemd/files/242-network-domains.patch new file mode 100644 index 000000000000..166a8ee5b76f --- /dev/null +++ b/sys-apps/systemd/files/242-network-domains.patch @@ -0,0 +1,57 @@ +From fe0e16db093a7da09fcb52a2bc7017197047443d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Mon, 13 May 2019 05:40:31 +0900 +Subject: [PATCH] network: do not use ordered_set_printf() for DOMAINS= or + ROUTE_DOMAINS= + +This partially reverts 5e2a51d588dde4b52c6017ea80b75c16e6e23431. + +Fixes #12531. +--- + src/network/networkd-link.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index f8ee48802cb..1dc10c65a1b 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -3495,12 +3495,11 @@ int link_save(Link *link) { + admin_state, oper_state); + + if (link->network) { +- bool space; ++ char **dhcp6_domains = NULL, **dhcp_domains = NULL; ++ const char *dhcp_domainname = NULL, *p; + sd_dhcp6_lease *dhcp6_lease = NULL; +- const char *dhcp_domainname = NULL; +- char **dhcp6_domains = NULL; +- char **dhcp_domains = NULL; + unsigned j; ++ bool space; + + fprintf(f, "REQUIRED_FOR_ONLINE=%s\n", + yes_no(link->network->required_for_online)); +@@ -3617,7 +3616,10 @@ int link_save(Link *link) { + (void) sd_dhcp6_lease_get_domains(dhcp6_lease, &dhcp6_domains); + } + +- ordered_set_print(f, "DOMAINS=", link->network->search_domains); ++ fputs("DOMAINS=", f); ++ space = false; ++ ORDERED_SET_FOREACH(p, link->network->search_domains, i) ++ fputs_with_space(f, p, NULL, &space); + + if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_YES) { + NDiscDNSSL *dd; +@@ -3635,7 +3637,10 @@ int link_save(Link *link) { + + fputc('\n', f); + +- ordered_set_print(f, "ROUTE_DOMAINS=", link->network->route_domains); ++ fputs("ROUTE_DOMAINS=", f); ++ space = false; ++ ORDERED_SET_FOREACH(p, link->network->route_domains, i) ++ fputs_with_space(f, p, NULL, &space); + + if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_ROUTE) { + NDiscDNSSL *dd; diff --git a/sys-apps/systemd/files/242-networkd-ipv6-token.patch b/sys-apps/systemd/files/242-networkd-ipv6-token.patch new file mode 100644 index 000000000000..87a85f6f6ab0 --- /dev/null +++ b/sys-apps/systemd/files/242-networkd-ipv6-token.patch @@ -0,0 +1,152 @@ +From 4eb086a38712ea98faf41e075b84555b11b54362 Mon Sep 17 00:00:00 2001 +From: Susant Sahani <ssahani@gmail.com> +Date: Thu, 9 May 2019 07:35:35 +0530 +Subject: [PATCH] networkd: fix link_up() (#12505) + +Fillup IFLA_INET6_ADDR_GEN_MODE while we do link_up. + +Fixes the following error: +``` +dummy-test: Could not bring up interface: Invalid argument +``` + +After reading the kernel code when we do a link up +``` +net/core/rtnetlink.c +IFLA_AF_SPEC + af_ops->set_link_af(dev, af); + inet6_set_link_af + if (tb[IFLA_INET6_ADDR_GEN_MODE]) + Here it looks for IFLA_INET6_ADDR_GEN_MODE +``` +Since link up we didn't filling up that it's failing. + +Closes #12504. +--- + src/network/networkd-link.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 3c8b5c5cb43..4db9f3f980f 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -2031,6 +2031,8 @@ static int link_up(Link *link) { + } + + if (link_ipv6_enabled(link)) { ++ uint8_t ipv6ll_mode; ++ + r = sd_netlink_message_open_container(req, IFLA_AF_SPEC); + if (r < 0) + return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); +@@ -2046,6 +2048,19 @@ static int link_up(Link *link) { + return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m"); + } + ++ if (!link_ipv6ll_enabled(link)) ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE; ++ else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0) ++ /* The file may not exist. And event if it exists, when stable_secret is unset, ++ * reading the file fails with EIO. */ ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64; ++ else ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ ++ r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode); ++ if (r < 0) ++ return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m"); ++ + r = sd_netlink_message_close_container(req); + if (r < 0) + return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m"); +From 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 9 May 2019 14:39:46 +0900 +Subject: [PATCH] network: do not send ipv6 token to kernel + +We disabled kernel RA support. Then, we should not send +IFLA_INET6_TOKEN. +Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice. + +Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and +4eb086a38712ea98faf41e075b84555b11b54362. +--- + src/network/networkd-link.c | 51 +++++-------------------------------- + 1 file changed, 6 insertions(+), 45 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 2b6ff2b6c58..b6da4ea70b7 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1954,6 +1954,9 @@ static int link_configure_addrgen_mode(Link *link) { + assert(link->manager); + assert(link->manager->rtnl); + ++ if (!socket_ipv6_is_supported()) ++ return 0; ++ + log_link_debug(link, "Setting address genmode for link"); + + r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex); +@@ -2047,46 +2050,6 @@ static int link_up(Link *link) { + return log_link_error_errno(link, r, "Could not set MAC address: %m"); + } + +- if (link_ipv6_enabled(link)) { +- uint8_t ipv6ll_mode; +- +- r = sd_netlink_message_open_container(req, IFLA_AF_SPEC); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); +- +- /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */ +- r = sd_netlink_message_open_container(req, AF_INET6); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m"); +- +- if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) { +- r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m"); +- } +- +- if (!link_ipv6ll_enabled(link)) +- ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE; +- else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0) +- /* The file may not exist. And event if it exists, when stable_secret is unset, +- * reading the file fails with EIO. */ +- ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64; +- else +- ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; +- +- r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m"); +- +- r = sd_netlink_message_close_container(req); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m"); +- +- r = sd_netlink_message_close_container(req); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m"); +- } +- + r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler, + link_netlink_destroy_callback, link); + if (r < 0) +@@ -3226,11 +3189,9 @@ static int link_configure(Link *link) { + if (r < 0) + return r; + +- if (socket_ipv6_is_supported()) { +- r = link_configure_addrgen_mode(link); +- if (r < 0) +- return r; +- } ++ r = link_configure_addrgen_mode(link); ++ if (r < 0) ++ return r; + + return link_configure_after_setting_mtu(link); + } diff --git a/sys-apps/systemd/files/242-rdrand-ryzen.patch b/sys-apps/systemd/files/242-rdrand-ryzen.patch new file mode 100644 index 000000000000..ec690c1b3f6c --- /dev/null +++ b/sys-apps/systemd/files/242-rdrand-ryzen.patch @@ -0,0 +1,353 @@ +From d351699739471734666230ae3c6f9ba56ce5ce45 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 16:18:13 -0400 +Subject: [PATCH 1/6] =?UTF-8?q?random-util:=20rename=20RANDOM=5FDONT=5FDRA?= + =?UTF-8?q?IN=20=E2=86=92=20RANDOM=5FMAY=5FFAIL?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The old flag name was a bit of a misnomer, as /dev/urandom cannot be +"drained". Once it's initialized it's initialized and then is good +forever. (Only /dev/random has a concept of 'draining', but we never use +that, as it's an obsolete interface). + +The flag is still useful though, since it allows us to suppress accesses +to the random pool while it is not initialized, as that trips up the +kernel and it logs about any such attempts, which we really don't want. + +(cherry picked from commit 1a0ffa1e737e65312abac63dcf4b44e1ac0e1642) +--- + src/basic/random-util.c | 36 +++++++++++++++++++----------------- + src/basic/random-util.h | 4 ++-- + 2 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index ca25fd2420..de29e07549 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -71,21 +71,22 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + bool got_some = false; + int r; + +- /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't +- * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random +- * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether +- * the random pool is fully initialized or not. */ ++ /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This ++ * call won't block, unless the RANDOM_BLOCK flag is set. If RANDOM_MAY_FAIL is set, an error is ++ * returned if the random pool is not initialized. Otherwise it will always return some data from the ++ * kernel, regardless of whether the random pool is fully initialized or not. */ + + if (n == 0) + return 0; + + if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND)) +- /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not +- * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here, +- * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's +- * because we don't really care about the quality here. We generally prefer using RDRAND if the caller +- * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the +- * pool's entropy is scarce. */ ++ /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is ++ * not required, as we don't trust it (who does?). Note that we only do a single iteration of ++ * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10 ++ * invocations or so. That's because we don't really care about the quality here. We ++ * generally prefer using RDRAND if the caller allows us to, since this way we won't upset ++ * the kernel's random subsystem by accessing it before the pool is initialized (after all it ++ * will kmsg log about every attempt to do so)..*/ + for (;;) { + unsigned long u; + size_t m; +@@ -153,12 +154,13 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + break; + + } else if (errno == EAGAIN) { +- /* The kernel has no entropy whatsoever. Let's remember to use the syscall the next +- * time again though. ++ /* The kernel has no entropy whatsoever. Let's remember to use the syscall ++ * the next time again though. + * +- * If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some +- * pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty, +- * but the kernel will produce some bytes for us on a best-effort basis. */ ++ * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can ++ * produce some pseudo-random bytes instead. Otherwise, fall back to ++ * /dev/urandom, which we know is empty, but the kernel will produce some ++ * bytes for us on a best-effort basis. */ + have_syscall = true; + + if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { +@@ -167,7 +169,7 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + return 0; + } + +- if (FLAGS_SET(flags, RANDOM_DONT_DRAIN)) ++ if (FLAGS_SET(flags, RANDOM_MAY_FAIL)) + return -ENODATA; + + /* Use /dev/urandom instead */ +@@ -250,7 +252,7 @@ void pseudo_random_bytes(void *p, size_t n) { + + void random_bytes(void *p, size_t n) { + +- if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0) ++ if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND) >= 0) + return; + + /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */ +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index 3e8c288d3d..148b6c7813 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -8,11 +8,11 @@ + typedef enum RandomFlags { + RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */ + RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */ +- RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */ ++ RANDOM_MAY_FAIL = 1 << 2, /* If we can't get any randomness at all, return early with -ENODATA */ + RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */ + } RandomFlags; + +-int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */ ++int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled up with pseudo random, if not enough is available */ + void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */ + void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */ + +-- +2.22.0 + + +From 1f492b9ecc31aa3782f9ce82058d8fb72a5c323f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 16:21:44 -0400 +Subject: [PATCH 2/6] random-util: use gcc's bit_RDRND definition if it exists + +(cherry picked from commit cc28145d51f62711fdc4b4c229aecd5778806419) +--- + src/basic/random-util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index de29e07549..205d5501e5 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -45,7 +45,12 @@ int rdrand(unsigned long *ret) { + return -EOPNOTSUPP; + } + +- have_rdrand = !!(ecx & (1U << 30)); ++/* Compat with old gcc where bit_RDRND didn't exist yet */ ++#ifndef bit_RDRND ++#define bit_RDRND (1U << 30) ++#endif ++ ++ have_rdrand = !!(ecx & bit_RDRND); + } + + if (have_rdrand == 0) +-- +2.22.0 + + +From 6460c540e6183dd19de89b7f0672b3b47c4d41cc Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 17:26:55 -0400 +Subject: [PATCH 3/6] random-util: hash AT_RANDOM getauxval() value before + using it + +Let's be a bit paranoid and hash the 16 bytes we get from getauxval() +before using them. AFter all they might be used by other stuff too (in +particular ASLR), and we probably shouldn't end up leaking that seed +though our crappy pseudo-random numbers. + +(cherry picked from commit 80eb560a5bd7439103036867d5e09a5e0393e5d3) +--- + src/basic/random-util.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 205d5501e5..40f1928936 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -28,6 +28,7 @@ + #include "io-util.h" + #include "missing.h" + #include "random-util.h" ++#include "siphash24.h" + #include "time-util.h" + + int rdrand(unsigned long *ret) { +@@ -203,14 +204,19 @@ void initialize_srand(void) { + return; + + #if HAVE_SYS_AUXV_H +- /* The kernel provides us with 16 bytes of entropy in auxv, so let's +- * try to make use of that to seed the pseudo-random generator. It's +- * better than nothing... */ ++ /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed ++ * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder ++ * to recover the original value by watching any pseudo-random bits we generate. After all the ++ * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't ++ * leak the seed for that. */ + +- auxv = (const void*) getauxval(AT_RANDOM); ++ auxv = ULONG_TO_PTR(getauxval(AT_RANDOM)); + if (auxv) { +- assert_cc(sizeof(x) <= 16); +- memcpy(&x, auxv, sizeof(x)); ++ static const uint8_t auxval_hash_key[16] = { ++ 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f ++ }; ++ ++ x = (unsigned) siphash24(auxv, 16, auxval_hash_key); + } else + #endif + x = 0; +-- +2.22.0 + + +From 17d52f6320b45d1728af6007b4df4aaccc6fdaf4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 18:51:26 -0400 +Subject: [PATCH 4/6] random-util: rename "err" to "success" + +After all rdrand returns 1 on success, and 0 on failure, hence let's +name this accordingly. + +(cherry picked from commit 328f850e36e86d14ab06d11fa8f2397e9575a7f9) +--- + src/basic/random-util.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 40f1928936..7c64857592 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -35,7 +35,7 @@ int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) + static int have_rdrand = -1; +- unsigned char err; ++ uint8_t success; + + if (have_rdrand < 0) { + uint32_t eax, ebx, ecx, edx; +@@ -60,9 +60,9 @@ int rdrand(unsigned long *ret) { + asm volatile("rdrand %0;" + "setc %1" + : "=r" (*ret), +- "=qm" (err)); +- msan_unpoison(&err, sizeof(err)); +- if (!err) ++ "=qm" (success)); ++ msan_unpoison(&success, sizeof(sucess)); ++ if (!success) + return -EAGAIN; + + return 0; +-- +2.22.0 + + +From a6c72245ba5ba688cd6544650b9c6e313b39b53e Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Wed, 8 May 2019 15:50:53 +0200 +Subject: [PATCH 5/6] util-lib: fix a typo in rdrand + +Otherwise, the fuzzers will fail to compile with MSan: +``` +../../src/systemd/src/basic/random-util.c:64:40: error: use of undeclared identifier 'sucess'; did you mean 'success'? + msan_unpoison(&success, sizeof(sucess)); + ^~~~~~ + success +../../src/systemd/src/basic/alloc-util.h:169:50: note: expanded from macro 'msan_unpoison' + ^ +../../src/systemd/src/basic/random-util.c:38:17: note: 'success' declared here + uint8_t success; + ^ +1 error generated. +[80/545] Compiling C object 'src/basic/a6ba3eb@@basic@sta/process-util.c.o'. +ninja: build stopped: subcommand failed. +Fuzzers build failed +``` + +(cherry picked from commit 7f2cdceaed4d37c4e601e531c7d863fca1bd1460) +--- + src/basic/random-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 7c64857592..b8bbf2d418 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -61,7 +61,7 @@ int rdrand(unsigned long *ret) { + "setc %1" + : "=r" (*ret), + "=qm" (success)); +- msan_unpoison(&success, sizeof(sucess)); ++ msan_unpoison(&success, sizeof(success)); + if (!success) + return -EAGAIN; + +-- +2.22.0 + + +From 47eec0ae61c887cb8cc05ce8d49b8d151bc4ef25 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Fri, 10 May 2019 15:16:16 -0400 +Subject: [PATCH 6/6] random-util: eat up bad RDRAND values seen on AMD CPUs + +An ugly, ugly work-around for #11810. And no, we shouldn't have to do +this. This is something for AMD, the firmware or the kernel to +fix/work-around, not us. But nonetheless, this should do it for now. + +Fixes: #11810 +(cherry picked from commit 1c53d4a070edbec8ad2d384ba0014d0eb6bae077) +--- + src/basic/random-util.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index b8bbf2d418..0561f0cb22 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -35,6 +35,7 @@ int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) + static int have_rdrand = -1; ++ unsigned long v; + uint8_t success; + + if (have_rdrand < 0) { +@@ -59,12 +60,24 @@ int rdrand(unsigned long *ret) { + + asm volatile("rdrand %0;" + "setc %1" +- : "=r" (*ret), ++ : "=r" (v), + "=qm" (success)); + msan_unpoison(&success, sizeof(success)); + if (!success) + return -EAGAIN; + ++ /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success ++ * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be ++ * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking ++ * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around ++ * only however and something AMD really should fix properly. The Linux kernel should probably work ++ * around this issue by turning off RDRAND altogether on those CPUs. See: ++ * https://github.com/systemd/systemd/issues/11810 */ ++ if (v == 0 || v == ULONG_MAX) ++ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v); ++ ++ *ret = v; + return 0; + #else + return -EOPNOTSUPP; +-- +2.22.0 + diff --git a/sys-apps/systemd/files/CVE-2019-6454.patch b/sys-apps/systemd/files/CVE-2019-6454.patch deleted file mode 100644 index 97b7d635e7d6..000000000000 --- a/sys-apps/systemd/files/CVE-2019-6454.patch +++ /dev/null @@ -1,198 +0,0 @@ ---- a/src/libsystemd/sd-bus/bus-internal.c -+++ b/src/libsystemd/sd-bus/bus-internal.c -@@ -45,7 +45,7 @@ - if (slash) - return false; - -- return true; -+ return (q - p) <= BUS_PATH_SIZE_MAX; - } - - char* object_path_startswith(const char *a, const char *b) { ---- a/src/libsystemd/sd-bus/bus-internal.h -+++ b/src/libsystemd/sd-bus/bus-internal.h -@@ -333,6 +333,10 @@ - - #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) - #define BUS_AUTH_SIZE_MAX (64*1024) -+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one -+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, -+ * to not clash unnecessarily with real-life applications. */ -+#define BUS_PATH_SIZE_MAX (64*1024) - - #define BUS_CONTAINER_DEPTH 128 - ---- a/src/libsystemd/sd-bus/bus-objects.c -+++ b/src/libsystemd/sd-bus/bus-objects.c -@@ -1134,7 +1134,8 @@ - const char *path, - sd_bus_error *error) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -1150,7 +1151,12 @@ - return 0; - - /* Second, add fallback vtables registered for any of the prefixes */ -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_manager_serialize_path(bus, reply, prefix, path, true, error); - if (r < 0) -@@ -1346,6 +1352,7 @@ - } - - int bus_process_object(sd_bus *bus, sd_bus_message *m) { -+ _cleanup_free_ char *prefix = NULL; - int r; - size_t pl; - bool found_object = false; -@@ -1370,9 +1377,12 @@ - assert(m->member); - - pl = strlen(m->path); -- do { -- char prefix[pl+1]; -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; - -+ do { - bus->nodes_modified = false; - - r = object_find_and_run(bus, m, m->path, false, &found_object); -@@ -1499,9 +1509,15 @@ - - n = hashmap_get(bus->nodes, path); - if (!n) { -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; -+ -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; - -- prefix = alloca(strlen(path) + 1); - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - n = hashmap_get(bus->nodes, prefix); - if (n) -@@ -2091,8 +2107,9 @@ - char **names) { - - BUS_DONT_DESTROY(bus); -+ _cleanup_free_ char *prefix = NULL; - bool found_interface = false; -- char *prefix; -+ size_t pl; - int r; - - assert_return(bus, -EINVAL); -@@ -2111,6 +2128,12 @@ - if (names && names[0] == NULL) - return 0; - -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - do { - bus->nodes_modified = false; - -@@ -2120,7 +2143,6 @@ - if (bus->nodes_modified) - continue; - -- prefix = alloca(strlen(path) + 1); - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); - if (r != 0) -@@ -2252,7 +2274,8 @@ - - static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2297,7 +2320,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_added_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2436,7 +2464,8 @@ - - static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2468,7 +2497,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2618,7 +2652,8 @@ - const char *path, - const char *interface) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2632,7 +2667,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); - if (r != 0) - - - |