Page MenuHomePhabricator

Figure out a patched backport of systemd 241 for stretch
Closed, ResolvedPublic

Description

On the toolforge bastions, we use a stretch backport of systemd241 in order to make our cgroups system work (part of the trusty deprecation project). The systemd crash bug requires a patch, which is available in buster, but we don't have a package available for the toolforge bastions to use at this time.

Stretch backports does not include this patch yet. https://packages.debian.org/stretch-backports/systemd

Event Timeline

Bstorm added a subscriber: aborrero.

@aborrero do you think we can expect a patched backport from the official repo eventually?

How far are we from moving the bastions to buster? Maybe it makes sense to do the last push?

@aborrero do you think we can expect a patched backport from the official repo eventually?

@MoritzMuehlenhoff on IRC:

I'll backport the fix on top of 241-5~bpo9+1  tomorrow, stretch-backports isn't updated in Debian any longer, but I can push an updated deb to apt.wikimedia.org

How far are we from moving the bastions to buster? Maybe it makes sense to do the last push?

I believe all the heavy lifting work for stretch is basically done (grid support, see T277653 and subtasks). The last push is mostly community migration and such.

I've built a backported systemd package on top of the last version in stretch-backports. It can be fetched from deneb.eqiad.wmnet:/var/cache/pbuilder/result/stretch-amd64/*241-5~bpo9+wmf1*
This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian). Can someone take it from here?

Debdiff below:

diff -Nru systemd-241/debian/changelog systemd-241/debian/changelog
--- systemd-241/debian/changelog	2019-06-07 20:51:26.000000000 +0000
+++ systemd-241/debian/changelog	2021-07-21 11:46:16.000000000 +0000
@@ -1,3 +1,9 @@
+systemd (241-5~bpo9+wmf1) stretch-wikimedia; urgency=medium
+
+  * Fix CVE-2021-33910 in systemd 241 (as used by Toolforge)  T287036
+
+ -- Moritz Mühlenhoff <mmuhlenhoff@wikimedia.org>  Wed, 21 Jul 2021 13:46:16 +0200
+
 systemd (241-5~bpo9+1) stretch-backports; urgency=medium
 
   * Rebuild for stretch-backports.
diff -Nru systemd-241/debian/patches/CVE-2021-33910.patch systemd-241/debian/patches/CVE-2021-33910.patch
--- systemd-241/debian/patches/CVE-2021-33910.patch	1970-01-01 00:00:00.000000000 +0000
+++ systemd-241/debian/patches/CVE-2021-33910.patch	2021-07-21 11:46:08.000000000 +0000
@@ -0,0 +1,61 @@
+Backport to 241 as found in stretch-backports.
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, ch
+ }
+ 
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+ 
+         assert(f);
+         assert(ret);
+ 
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+ 
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f,
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+ 
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
diff -Nru systemd-241/debian/patches/series systemd-241/debian/patches/series
--- systemd-241/debian/patches/series	2019-06-07 20:51:26.000000000 +0000
+++ systemd-241/debian/patches/series	2021-07-21 11:46:16.000000000 +0000
@@ -36,3 +36,4 @@
 debian/Add-env-variable-for-machine-ID-path.patch
 debian/Drop-seccomp-system-call-filter-for-udev.patch
 debian/Revert-build-sys-require-libmount-2.30-6795.patch
+CVE-2021-33910.patch

This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian).

I imagine we'll want it in stretch-wikimedia/component/systemd241.

This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian).

I imagine we'll want it in stretch-wikimedia/component/systemd241.

Ah, indeed. I'll import it there.

Change 705891 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add component/systemd241 to Udebcomponents

https://gerrit.wikimedia.org/r/705891

Change 705891 merged by Muehlenhoff:

[operations/puppet@production] Add component/systemd241 to Udebcomponents

https://gerrit.wikimedia.org/r/705891

Mentioned in SAL (#wikimedia-operations) [2021-07-21T14:01:37Z] <moritzm> imported systemd 241-5~bpo9+wmf1 to component/systemd241 T287036

Mentioned in SAL (#wikimedia-cloud) [2021-07-21T14:35:17Z] <majavah> updating systemd on toolforge stretch bastions T287036

Majavah assigned this task to MoritzMuehlenhoff.

Updated version rolled out. Thanks!