resolved: use strv_extend_with_size() to avoid slow parsing of /etc/hosts
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43942 is a simple case
where a repeated entry generates a timeout. I didn't import that case, but
generated a simpler one by hand.
$ time build/fuzz-etc-hosts test/fuzz/fuzz-etc-hosts/timeout-many-entries
test/fuzz/fuzz-etc-hosts/timeout-many-entries... ok
build/fuzz-etc-hosts test/fuzz/fuzz-etc-hosts/timeout-many-entries 3.17s (old)
↓
build/fuzz-etc-hosts test/fuzz/fuzz-etc-hosts/timeout-many-entries 0.11s (new)
I considered simply disallowing too many aliases. E.g. microsoft appearently
sometimes ignores entries after the ninth [1], and other systems set stringent
limits [2,3], but the recommended way to get around that is to simply use more
lines (as is done in the sample), so this wouldn't change anything.
Even if we cannot put all those names in a reply packet, the resolution from
the alias to the address should work. I think cases where people define lots
and lots of aliases through some programmatic interface is realistic, for
example for a blocklist, and such a file shouldn't bring resolved down to its
knees.
basic/strv: add optimizable version of strv_push/consume/extend
This will be helpful in cases where we are repeatedly adding entries
to a long strv and want to skip the iteration over old entries leading
to quadratic behaviour.
Note that we don't want to calculate the length if not necessary, so
the calculation is delayed until after we've checked that value is not
NULL.
The SBAT section was included in a special section in the EFI code, but
the contents weren't directly visible in any way. Let's add a "test" that
prints them for visual inspection.
If there's some external linter for this format, we could hook it up in the
future.
docs: copy the page about network-online.target from the wiki
From https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/.
I changed the order in the page, but didn't change the text too much. Now the
discussion of the different targets is at the top, and they are ordered like
during boot (network-pre.target first, then network.target, and
network-online.target last). The parts about LSB and $network are pushed down a
bit. I think it is still useful to have them, but not as the main entry point
into the discussion. I tried to clean up the grammar and wording a bit.
One meanigful change is that we now don't say that network-online.target means
interfaces are up and IP addresses have been assigned. In other places we were
saying that the actual implementation is provided by
NetworkManager-wait-online.service, so the actual meaning is not under our
control. The text is changed to say "usually".
The last paragraph is new, I think it's good to say that
"dnf-makecache.service" is fine to use "network-online.target".
rpm: remove check if systemd is running in a few cases
rpms can be installed in two different modes: into a chroot, where the system
is not running, and onto a live system. In the first mode, where should create
all changes that are "permanent", and in the second mode, all changes which are
"permanent" but also those which only affect the running system. Thus, changes
like new modprobe rules, tmpfiles rules, binfmt rules, udev rules, etc., are
guarded by 'test -d "/run/systemd/system"' which is the official way to check
if systemd is running, so that they are *not* executed when installed into a
chroot. But the same logic does not apply to sysusers, hwdb, and the journal
catalog: all those files can and should result in changes being performed
immediately to the system. This makes the creation of immutable images possible
(because there are no permanent changes to executed after a reboot), and allows
other packages to depend on the the effect of those changes.
Thus, the guard to check if we're not in a chroot is dropped from triggers for
sysusers, hwdb, and the journal catalog. This means that those triggers will
execute, and no subsequent work is needed. systemd-sysusers.service,
systemd-journal-catalog-update.service, and systemd-hwdb-update.service.in all
have ConditionNeedsUpdate= so they they generally won't be invoked after a
reboot. (systemd.rpm does not touch /usr to trigger the condition, because the
%transfiletriggers make that unnecessary.)
Pablo Ceballos [Fri, 13 May 2022 23:33:07 +0000 (23:33 +0000)]
hwdb: Add Google Hangouts Meet speakermic
This device implements the phone mute HID usage as a toggle switch,
where 1 indicates muted, and 0 indicates unmuted. However, for a key
event 1 indicates that the key has been pressed and 0 indicates it has
been released. This mismatch causes issues, so prevent key events from
being generated for this HID usage.
"left from <something>" is not correct. "left <something>" would be the
usual form, but "left master interface" is not clear at all. So reword
those messages totally.
Yu Watanabe [Sun, 15 May 2022 19:44:27 +0000 (04:44 +0900)]
fuzz: drop too large input
The original issue oss-fuzz#10734 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10734)
is that just the file size is too large, and not a issue in functions
tested by the fuzzer. It is not necessary to include the testcase.
Yu Watanabe [Sun, 15 May 2022 09:10:25 +0000 (18:10 +0900)]
meson: use boolean for configuration_data.set10()
Setting with number is deprecated:
```
meson.build:1008: DEPRECATION: configuration_data.set10 with number. the `set10` method should only be used with booleans
```
Eli Schwartz [Sun, 15 May 2022 15:11:24 +0000 (11:11 -0400)]
meson: use better shellscript argument passing
Passing potentially arbitrary data into a shellscript is potentially
very broken if you do not correctly quote it for use. This quoting must
be done as part of the interpretation of the data itself, e.g. python's
shlex.quote; simply formatting it into a string with double quotes is
NOT sufficient.
An alternative is to communicate the data reliably via argv to the shell
process, and allow the shell to internally handle it via `"$1"`, which
is quote-safe and will expand the data from argv as a single tokenized
word.
Yu Watanabe [Thu, 12 May 2022 19:43:37 +0000 (04:43 +0900)]
network: do not update interface group by default
This fixes a minor bug introduced by 10af8bb24b39a815079f6bf31b449c6e5aaa2adf.
Before the commit, the interface group was set only when Group= is explicitly
specified, otherwise the interface group was kept. However, after the commit,
we need to specify Group= with an empty string to keep the current interface
group.
fileio: propagate original error if we notice AF_UNIX connect() is not going to work
let's not make up new errors in these checks that validate if connect()
work at all. After all, we don't really know if the ENXIO we saw earlier
actually is really caused by the inode being an AF_UNIX socket, we just
have the suspicion...
core/device: ignore DEVICE_FOUND_UDEV bit on switching root
The issue #12953 is caused by the following:
On switching root,
- deserialized_found == DEVICE_FOUND_UDEV | DEVICE_FOUND_MOUNT,
- deserialized_state == DEVICE_PLUGGED,
- enumerated_found == DEVICE_FOUND_MOUNT,
On switching root, most devices are not found by the enumeration process.
Hence, the device state is set to plugged by device_coldplug(), and then
changed to the dead state in device_catchup(). So the corresponding
mount point is unmounted. Later when the device is processed by udevd, it
will be changed to plugged state again.
The issue #23208 is caused by the fact that generated udev database in
initramfs and the main system are often different.
So, the two issues have the same root; we should not honor
DEVICE_FOUND_UDEV bit in the deserialized_found on switching root.
Yu Watanabe [Tue, 10 May 2022 14:05:04 +0000 (23:05 +0900)]
sd-device: always translate sysname to sysfs filename
Previously, in sd_device_new_from_subsystem_sysname(), '/' in sysname
was replaced '!' for several limited subsystems. This was based on a wrong
assumption that no sysname in e.g. driver subsystem does not contain '!'.
And the assumption is actually wrong, and trigger issue #23327.
In device_set_sysname_and_sysnum() we unconditionally replace '!' in the
filename. Hence, the translation in sd_device_new_from_subsystem_sysname()
must be also done unconditionally.
Yu Watanabe [Thu, 30 Dec 2021 19:30:43 +0000 (04:30 +0900)]
fuzzers: add input size limits, always configure limits in two ways
Without the size limits, oss-fuzz creates huge samples that time out. Usually
this is because some of our code has bad algorithmic complexity. For data like
configuration samples we don't need to care about this: non-rogue configs are
rarely more than a few items, and a bit of a slowdown with a few hundred items
is acceptable. This wouldn't be OK for processing of untrusted data though.
We need to set the limit in two ways: through .options and in the code. The
first because it nicely allows libFuzzer to avoid wasting time, and the second
because fuzzers like hongfuzz and afl don't support .options.
While at it, let's fix an off-by-one (65535 is the largest offset for a
power-of-two size, but we're checking the size here).
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
There are memory leaks there https://github.com/bus1/dbus-broker/issues/289
and it crashes from time to time
https://github.com/matusmarhefka/dfuzzer/issues/20#issuecomment-1114097840
so let's just skip it by analogy with dbus-daemon to avoid
reports that have nothing to do with systemd itself.
It's kind of a part of https://github.com/systemd/systemd/pull/22547
Luca Boccassi [Wed, 11 May 2022 14:19:58 +0000 (15:19 +0100)]
man: improve VtableExample
The methods published by the example have a reply in the signature, but
the code was not sending any, so the client gets stuck waiting for a
response that doesn't arrive. Echo back the input string.
Update the object path to follow what would be the canonical format.
Request a service name on the bus, so that the code can be dropped in a
service and it can be dbus-activatable. It also makes it easier to see
on busctl list.
Luca Boccassi [Wed, 11 May 2022 11:24:10 +0000 (12:24 +0100)]
test: ignore LXC filesystem when checking for writable locations
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
logind: fix crash in logind on user-specified message string
This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:
<action id="org.freedesktop.login1.set-wall-message">
<description gettext-domain="systemd">Set a wall message</description>
<message gettext-domain="systemd">Authentication is required to set a wall message</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
projects / thirdparty / systemd.git / log
