journald: set a limit on the number of fields (1k)

We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.

CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861

What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.

(cherry-picked from commit 052c57f132f04a3cf4148f87561618da1a6908b4)

Resolves: #1664977

diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
index c8114ee2d0ab7235e57c901d77a32f84ab9565c2..cd8a48a364c54380f5d598149d65829e618e34d1 100644 (file)
--- a/src/journal/journal-file.h
+++ b/src/journal/journal-file.h
@@ -165,6 +165,9 @@ int journal_file_open_reliably(
  * files without adding too many zeros. */
 #define OFSfmt "%06"PRIx64
 
+/* The maximum number of fields in an entry */
+#define ENTRY_FIELD_COUNT_MAX 1024
+
 static inline bool VALID_REALTIME(uint64_t u) {
         /* This considers timestamps until the year 3112 valid. That should be plenty room... */
         return u > 0 && u < (1ULL << 55);

diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index 5ff22a10af67e8a85132bca5adaf1e0729d7260d..951d0920538164d7b32738e5300b9ff0cf12c187 100644 (file)
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -140,6 +140,11 @@ static int server_process_entry(
                 }
 
                 /* A property follows */
+                if (n > ENTRY_FIELD_COUNT_MAX) {
+                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
+                        r = 1;
+                        goto finish;
+                }
 
                 /* n existing properties, 1 new, +1 for _TRANSPORT */
                 if (!GREEDY_REALLOC(iovec, m,