From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Fri, 16 Nov 2018 22:32:31 +0000 (+0100)
Subject: journald: check whether sscanf has changed the value corresponding to %n
X-Git-Tag: v240~291^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1dab14aba749b9c5ab8176c5730107b70834240b;p=thirdparty%2Fsystemd.git

journald: check whether sscanf has changed the value corresponding to %n

It's possible for sscanf to receive strings containing all three fields
and not matching the template at the same time. When this happens the
value of k doesn't change, which basically means that process_audit_string
tries to access memory randomly. Sometimes it works and sometimes it doesn't :-)

See also https://bugzilla.redhat.com/show_bug.cgi?id=1059314.
---

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 94484f5d01c..345e43ef44f 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -341,11 +341,12 @@ void process_audit_string(Server *s, int type, const char *data, size_t size) {
         if (!p)
                 return;
 
+        k = 0;
         if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
                    &seconds,
                    &msec,
                    &id,
-                   &k) != 3)
+                   &k) != 3 || k == 0)
                 return;
 
         p += k;
diff --git a/test/fuzz/fuzz-journald-audit/crash b/test/fuzz/fuzz-journald-audit/crash
new file mode 100644
index 00000000000..91bd85ca6ed
--- /dev/null
+++ b/test/fuzz/fuzz-journald-audit/crash
@@ -0,0 +1 @@
+audit(1542398162.211:744) pid=7376 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="vagrant" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'