| Commit message | Author | Age |
(cherry picked from commit 0307ea49c70b1ed4f3af3c80566c8c098dc080bb)
For non-`seat0` seats, attaching a graphics card to a seat can
lead to it getting created. This is because the graphics device
is a "master device" which means that device is a seat-defining
device.
`seat0` may get created, even before the graphics driver is loaded,
though. This is because the graphics driver is loaded
asynchronously at startup, and `seat0` is the primary seat of
the system, associated with the system VTs.
When a graphics card is attached to a seat the `CanGraphical`
property on that seat will flip to `true`.
For seats that haven't been created yet (non-`seat0` seats), this
leads to `seat_start` getting called which ultimately causes the
seat to get serialized to `/run/systemd/seats`.
For `seat0`, which is already created, `seat_start` will return
immediately, which means the updated `CanGraphical` state will
never get written to `/run/systemd/seats`.
The end result is that clients querying `sd_seat_can_graphical`
won't get the correct answer for `seat0` in cases where the
graphics device takes a long time to load until some other piece
of seat state is updated.
This commit fixes the problem by calling `seat_save` explicitly
for already running seats at the time a graphics device is
attached.
(cherry picked from commit ad1bf59c67e8d05629a4db00bbbe4d4c1c37fe46)
(cherry picked from commit 14ee72b7d8de34a6b02767b865c3c49ceef2ed84)
(cherry picked from commit eaa680c09e5701a62e8ac819211e5969eda84f2d)
LGTM was complaining:
> Multiplication result may overflow 'int' before it is converted to 'long'.
Fix this by changing all types to ssize_t and add a check for overflow
while at it.
(cherry picked from commit 3d6c1844744f631995af72867d5f293430d8015b)
We would read (-1), and then add 1 to it, call message_peek_body(..., 0, ...),
and when trying to make use of the data.
The fuzzer test case is just for one site, but they all look similar.
v2: fix two UINT8_MAX/UINT32_MAX mismatches found by LGTM
(cherry picked from commit 902000c19830f5e5a96e8948d691b42e91ecb1e7)
(cherry picked from commit d831fb6f2bde829f9309aea242f502587662d1cc)
The change is similar to that in the previous commit, but I don't have
a reproducer / test case for this one, so I'm keeping it separate.
(cherry picked from commit 3d338a302f56c0ef0445660d9856794abe1af8b5)
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
(cherry picked from commit 73777ddba5100fe6c0791cd37a91f24a515f3202)
This is similar to the grandparent commit 'fix calculation of offsets table',
except that now the change is for array elements. Same story as before: we need
to make sure that the offsets increase enough taking alignment into account.
While at it, rename 'p' to 'previous' to match similar code in other places.
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
The offsets specify the ends of variable length data. We would trust the
incoming data, putting the offsets specified in our message
into the offsets tables after doing some superficial verification.
But when actually reading the data we apply alignment, so we would take
the previous offset, align it, making it bigger than the current offset, and
then we'd try to read data of negative length.
In the attached example, the message specifies the following offsets:
[1, 4]
but the alignment of those items is
[1, 8]
so we'd calculate the second item as starting at 8 and ending at 4.
(cherry picked from commit 12603b84d2fb07603e2ea94b240c6b78ad17510e)
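The check this commit message calls for, as an added example (not systemd's code): each untrusted end offset must lie at or beyond the aligned end of the previous item. The names `align_to`, `check_offsets` and `naive_length` are hypothetical, and the body is assumed to start at offset 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Offsets and alignments from the commit message above. */
static const size_t msg_ends[] = { 1, 4 }, msg_aligns[] = { 1, 8 };
/* Constructed well-formed counterpart: second item ends at 16. */
static const size_t ok_ends[] = { 1, 16 };

/* Round v up to the next multiple of a (a must be a power of two). */
static size_t align_to(size_t v, size_t a) {
        return (v + a - 1) & ~(a - 1);
}

/* Length an unchecked reader would compute for item i. */
static ssize_t naive_length(const size_t *ends, const size_t *aligns, size_t i) {
        size_t previous = i > 0 ? ends[i - 1] : 0;

        return (ssize_t) ends[i] - (ssize_t) align_to(previous, aligns[i]);
}

/* Validate the whole offsets table before any item is read. Returns 0 if
 * every item has a non-negative length inside the body, otherwise the
 * 1-based index of the first inconsistent item. */
static int check_offsets(const size_t *ends, const size_t *aligns,
                         size_t n, size_t body_size) {
        size_t previous = 0;

        for (size_t i = 0; i < n; i++) {
                size_t start = align_to(previous, aligns[i]);

                if (start > ends[i] || ends[i] > body_size)
                        return (int) i + 1;
                previous = ends[i];
        }
        return 0;
}

int main(void) {
        printf("naive length of item 2: %zd\n", naive_length(msg_ends, msg_aligns, 1));
        printf("rejected at item: %d\n", check_offsets(msg_ends, msg_aligns, 2, 16));
        printf("well-formed table: %d\n", check_offsets(ok_ends, msg_aligns, 2, 16));
        return 0;
}
```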
We'd calculate the "real" length of the string as 'item_size - 1', which does
not work out well when item_size == 0.
(cherry picked from commit 81b6e63029eefcb0ec03a3a7c248490e38106073)
-EINVAL means the arguments were somehow wrong, so translate the code we get
internally into -EBADMSG when returning.
(cherry picked from commit 69bd42ca072dfb2f7603b1f82053063293ab54b5)
The alternative would be to treat gvariant and !gvariant messages differently.
But this is a problem because we check signatures in various places before we
have an actual message, for example in sd_bus_add_object_vtable(). It seems
better to treat things consistently (i.e. follow the lowest common denominator)
and disallow empty structures everywhere.
(cherry picked from commit ec6bda56cbca9509b1abde1122645630caca877c)
We didn't free one of the fields in two of the places.
```
$ valgrind --show-leak-kinds=all --leak-check=full \
    build/fuzz-bus-message \
    test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
...
==14457== HEAP SUMMARY:
==14457== in use at exit: 3 bytes in 1 blocks
==14457== total heap usage: 509 allocs, 508 frees, 51,016 bytes allocated
==14457==
==14457== 3 bytes in 1 blocks are definitely lost in loss record 1 of 1
==14457== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==14457== by 0x53AFE79: strndup (in /usr/lib64/libc-2.27.so)
==14457== by 0x4F52EB8: free_and_strndup (string-util.c:1039)
==14457== by 0x4F8E1AB: sd_bus_message_peek_type (bus-message.c:4193)
==14457== by 0x4F76CB5: bus_message_dump (bus-dump.c:144)
==14457== by 0x108F12: LLVMFuzzerTestOneInput (fuzz-bus-message.c:24)
==14457== by 0x1090F7: main (fuzz-main.c:34)
==14457==
==14457== LEAK SUMMARY:
==14457== definitely lost: 3 bytes in 1 blocks
```
(cherry picked from commit 6d1e0f4fcba8d6f425da3dc91805db95399b3c8b)
As far as I can see, we would either reuse some values from a previously exited
container or just random bytes from the heap.
Should fix #10127.
(cherry picked from commit cf81c68e96aa29d0c28b5d3a26d1de9aa1b53b85)
v2: fix error in free_and_strndup()
When the original and copied message were the same, but shorter than specified
length l, memory read past the end of the buffer would be performed. A test
case is included: a string that had an embedded NUL ("q\0") is used to replace
"q".
v3: Fix one more bug in free_and_strndup and add tests.
v4: Some style fixed based on review, one more use of free_and_replace, and
make the tests more comprehensive.
(cherry picked from commit 7f546026abbdc56c453a577e52d57159458c3e9c)
This function logs about all errors, but one case was forgotten. Fix
that.
(cherry picked from commit 653d469519f78d3931c0bc9fe5597d18454bef3d)
Just paranoia, as putenv() can fail and we should catch it, like we
catch all other errors.
Follow-up for #10073
(cherry picked from commit ed689f7894e56024a11bd02327b2bdfce5636dfd)
(cherry picked from commit 78ec1bb436fb18df3b56212c442cc4775a136d1a)
Quoting https://github.com/systemd/systemd/issues/10074:
> detect_vm_uml() reads /proc/cpuinfo with read_full_file()
> read_full_file() has a file max limit size of READ_FULL_BYTES_MAX=(4U*1024U*1024U)
> Unfortunately, the size of my /proc/cpuinfo is bigger, approximately:
> echo $(( 4* $(cat /proc/cpuinfo | wc -c)))
> 9918072
> This causes read_full_file() to fail and the Condition test fallout.
Let's just read line by line until we find an interesting line. This also
helps if not running under UML, because we avoid reading as much data.
(cherry picked from commit 6058516a14ada1748313af6783f5b4e7e3006654)
SO_RCVBUF/SO_SNDBUF fails
Both SO_SNDBUFFORCE and SO_RCVBUFFORCE require capability 'net_admin'.
If this capability is not granted to the service the first attempt to increase
the recv/snd buffers (via sd_notify()) with SO_RCVBUFFORCE/SO_SNDBUFFORCE will
fail, even if the requested size is lower than the limit enforced by the
kernel.
If apparmor is used, the DENIED logs for net_admin will show up. These log
entries are seen as a red warning light, because they could indicate that a
program has been hacked and tries to compromise the system.
It would be nicer if they can be avoided without giving services (relying on
sd_notify) net_admin capability or dropping DENIED logs for all such services
via their apparmor profile.
I'm not sure if sd_notify really needs to forcibly increase the buffer sizes,
but at least if the requested size is below the kernel limit, the capability
(hence the log entries) should be avoided.
Hence let's first ask politely for increasing the buffers and only if it fails
then ignore the kernel limit if we have sufficient privileges.
(cherry picked from commit 10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c)
Pass 0 as leader PID to CreateSession to let logind use the PID from the
D-Bus credentials. This allows use of pam_systemd in PID namespaces.
(cherry picked from commit da0da5eccf5f20874111e0681b111704bf9a1c92)
According to RFC2616[1], HTTP header names are case-insensitive. So
it's totally valid to have a header starting with either `Date:` or
`date:`.
However, when systemd-importd pulls an image from an HTTP server, it
parses HTTP headers by comparing header names as-is, without any
conversion. That causes failures when some HTTP servers return headers
with different combinations of upper-/lower-cases.
An example:
https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_developer_container.bin.bz2 returns `Etag: "pe89so9oir60"`,
while https://alpha.release.core-os.net/amd64-usr/current/coreos_developer_container.bin.bz2
returns `ETag: "f03372edea9a1e7232e282c346099857"`.
Since systemd-importd expects to see `ETag`, the etag for the Container Linux image
is correctly interpreted as a part of the hidden file name.
However, it cannot parse the etag for Flatcar Linux, so the etag of the Flatcar Linux image
is not appended to the hidden file name.
```
$ sudo ls -al /var/lib/machines/
-r--r--r-- 1 root root 3303014400 Aug 21 20:07 '.raw-https:\x2f\x2falpha\x2erelease\x2ecore-os\x2enet\x2famd64-usr\x2fcurrent\x2fcoreos_developer_container\x2ebin\x2ebz2.\x22f03372edea9a1e7232e282c346099857\x22.raw'
-r--r--r-- 1 root root 3303014400 Aug 17 06:15 '.raw-https:\x2f\x2falpha\x2erelease\x2eflatcar-linux\x2enet\x2famd64-usr\x2fcurrent\x2fflatcar_developer_container\x2ebin\x2ebz2.raw'
```
As a result, when the Flatcar image is removed and downloaded again,
systemd-importd is not able to determine if the file has been already
downloaded, so it always downloads it again. Then it fails to rename it
to an expected name, because there's already a hidden file.
To fix this issue, let's introduce a new helper function
`memory_startswith_no_case()`, which compares memory regions in a
case-insensitive way. Use this function in `curl_header_strdup()`.
See also https://github.com/kinvolk/kube-spawn/issues/304
[1]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
(cherry picked from commit 21224070e802878f81c342835364880ef1a63e88)
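The difference between exact and case-insensitive header-name matching on the two `ETag` lines quoted above, as an added example (not systemd's `memory_startswith_no_case()` or `curl_header_strdup()`). The helpers `prefix_match`, `is_ws` and `header_value` are hypothetical, and the trailing CRLF on the sample lines is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Header lines as quoted in the commit message; the CRLF is constructed. */
static const char FLATCAR[] = "Etag: \"pe89so9oir60\"\r\n";
static const char COREOS[] = "ETag: \"f03372edea9a1e7232e282c346099857\"\r\n";
static char etag_buf[64];

/* Return a pointer just past `token` if p[0..sz) starts with it, else NULL.
 * p need not be NUL-terminated; no_case selects ASCII case folding. */
static const char *prefix_match(const char *p, size_t sz, const char *token, int no_case) {
        size_t n = strlen(token);

        if (sz < n)
                return NULL;
        for (size_t i = 0; i < n; i++) {
                unsigned char a = p[i], b = token[i];
                if (no_case ? tolower(a) != tolower(b) : a != b)
                        return NULL;
        }
        return p + n;
}

static int is_ws(char c) {
        return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Copy the trimmed value of header `field` into out. Returns 1 on a match,
 * 0 if the line is some other header, -1 if out is too small. */
static int header_value(const char *line, size_t sz, const char *field,
                        int no_case, char *out, size_t out_sz) {
        const char *v = prefix_match(line, sz, field, no_case), *end = line + sz;

        if (!v)
                return 0;
        while (v < end && is_ws(*v))
                v++;
        while (end > v && is_ws(end[-1]))
                end--;
        if ((size_t) (end - v) >= out_sz)
                return -1;
        memcpy(out, v, (size_t) (end - v));
        out[end - v] = '\0';
        return 1;
}

int main(void) {
        printf("exact: %d\n", header_value(FLATCAR, strlen(FLATCAR), "ETag:", 0, etag_buf, sizeof etag_buf));
        printf("no-case: %d %s\n", header_value(FLATCAR, strlen(FLATCAR), "ETag:", 1, etag_buf, sizeof etag_buf), etag_buf);
        return 0;
}
```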
Fix #9993. When this code was split out to user-runtime-dir, it forgot to
include the call to mac_selinux_init(). So mkdir_label() stopped working.
Fixes: a9f0f5e50104 ("logind: split %t directory creation to a helper
unit")
(cherry picked from commit 81375d802672f34205bef9f301c58854af5fc568)
This replaces strndupa() by strndup() in socket_address_parse(),
as input string may be too long.
Fixes issue 10007 by ClusterFuzz-External:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10007
(cherry picked from commit 8d30fcb9b51b1d102a589171b6e28f5f370236f6)
Fixes #9773.
(cherry picked from commit 68c597e9e4bb36ade966d9df54dfaa9f956230e9)
As the comments already say it might be quite likely that
$XDG_RUNTIME_DIR is not set up as mount, and we shouldn't complain about
that.
Moreover, let's make this idempotent, so that a runtime dir that is
already gone and is removed again doesn't cause failure.
(cherry picked from commit 3a13442bbf72e7ebdd0b4d60c2922ea7c5cc9496)
We would verify destination e.g. in sd_bus_message_new_call, but allow setting
any value later on with sd_bus_message_set_destination. I assume this check was
omitted not on purpose.
(cherry picked from commit 3d51a011f11523694f03c74cdd011c89beba05cc)
(cherry picked from commit 1595b257df98b361d178b3ce3e4ca5ac463be0cd)
This fixes something I think was basically a typo introduced in
db69869f264af2d1afcdd3e573e0e9fdd5bef065.
(cherry picked from commit 3dea6886c20a32d832971e589cbc1807c549b66f)
On a host with sufficiently large zram but with no actual swap, logind will
respond to CanHibernate() with yes. With this patch, it will correctly respond
no, unless there are other swap devices to consider.
(cherry picked from commit 411ae92b407bd7b4549b205ad754bcd0e3dfd81f)
If 'v' is negative, it's wrong to add the decimal to it, as we'd
actually need to subtract it in this case. But given that we don't want
to allow negative values anyway, simply check earlier whether what we
have parsed so far was negative, and react to that before adding the
decimal to it.
(cherry picked from commit 8cbc92d5975b603002c3141364a7709a9c66e23a)
(cherry picked from commit ace5e3111c0b8d8bfd84b32f2c689b0a4d92c061)
Currently to set the flag to reboot into the firmware setup an
authentication by an administrative user is required. Since we are
already enabling active users to reboot the system, it is advisable to
let the user decide if he wants to boot into the firmware setup without
any more hassle.
(cherry picked from commit ba9778d9b7e8c33acc0d9f41e747b1066196a201)
Follow-up for 3cb9b42af3b205fba176ebf51ce0e07739698278 (#9516).
Fixes oss-fuzz-9532.
(cherry picked from commit ba323bbead1dda558a5bbe42846cdee5c8b0fc85)
Unfortunately this needs libshared to link to libkmod. Before it was linked
into systemd-udevd, udevadm, and systemd each separately. On most systems this
doesn't make much difference, because at least systemd would be installed, but
it might not be in small chroots. It is a small library, so I hope this is not
a big issue.
(cherry picked from commit 3cb9b42af3b205fba176ebf51ce0e07739698278)
The switch to memory_startswith() changed the logic to only look for a space or
NUL byte after the matched word, but matching the full size should also be
acceptable.
This changed the behavior of parsing of "AUTH\r\n", where m will be set to 4,
since even though the word will match, the check for it being followed by ' '
or NUL will make line_begins() return false.
Tested:
- Using netcat to connect to the private socket directly:
$ echo -ne '\0AUTH\r\n' | sudo nc -U /run/systemd/private
REJECTED EXTERNAL ANONYMOUS
- Running the Ignition blackbox test:
$ sudo sh -c 'PATH=$PWD/bin/amd64:$PATH ./tests.test'
PASS
Fixes: d27b725abf64a19a6b2f99332b663f17ad046771
(cherry picked from commit 3f10c66270b74530339b3f466c43874bb40c210f)
Reported in #9590.
(cherry picked from commit 948f7ce4fbbb393e3c6a12ab3fbc7023b4124e43)
(cherry picked from commit 475d8599b0821eefb6e6c283f4f9847cffbb4b7b)
(cherry picked from commit a6e964712c53b877543cf18aff59ae99cffc1f50)
Fixes #9549.
(cherry picked from commit a26db0bc5d4011de24e5930af6fd9051deeb46be)
When unmounting user runtime directory, only UID is necessary,
and the corresponding user may not exist anymore.
This makes first try to parse the input by parse_uid(), and only if it
fails, parse the input by get_user_creds().
Fixes #9541.
(cherry picked from commit 86d18f3b09ec984ef3732567af992adb2dc77a8a)
When a slot is disconnected, then slot->match_callback.install_slot
is also disconnected. So, bus_slot_disconnect() removes the install_slot
from the list of slots in bus, although it is a floating object.
This makes install_slot unreffed from bus when it is disconnected.
Fixes #9505 and #9510.
(cherry picked from commit 20d4ee2cbc21e0c4d2dd6c01d5a18a4cf0d98222)
ENABLE_GSHADOW is defined to be 0 or 1. So #if should be used instead of #ifdef.
(cherry picked from commit 4f07ffa8f5ab85011422bb7114f1cddf49d4923d)
Fixes: 96f64eb5741b157f26a9089816fdd992e959792e
Closes: https://github.com/systemd/systemd/issues/9444
(cherry picked from commit 358248caa3eca525751694de7c34b16bb46d5a9c)
Fixes #9442.
(cherry picked from commit 04e075b572b168a183cde29480dbb30d027d4fe7)
(cherry picked from commit affaed1e55685e8e248db1afd50b3e0f466ce5cc)
(cherry picked from commit 0ceff9068d4def8895929ba8c201a23502a7f941)
Fixes #10290.
(cherry picked from commit c250bf671b89768ed27984defe9b5af262618e42)