From 06e8d0823e3327a59d8d3a4137147cf0bf7be65c Mon Sep 17 00:00:00 2001 From: hanjinpeng Date: Sun, 8 Jun 2025 22:19:50 +0800 Subject: [PATCH] fix CVE-2025-4598 --- ...o-add-macro-to-iterate-variadic-args.patch | 32 +++++ ...oredump-get-rid-of-a-bogus-assertion.patch | 48 +++++++ ...re-compatibility-with-older-patterns.patch | 88 ++++++++++++ ...edump-get-rid-of-_META_MANDATORY_MAX.patch | 102 +++++++++++++ ...oredump-use-d-in-kernel-core-pattern.patch | 136 ++++++++++++++++++ systemd.spec | 11 +- 6 files changed, 416 insertions(+), 1 deletion(-) create mode 100644 backport-0001-basic-macro-add-macro-to-iterate-variadic-args.patch create mode 100644 backport-0001-coredump-get-rid-of-a-bogus-assertion.patch create mode 100644 backport-0001-coredump-restore-compatibility-with-older-patterns.patch create mode 100644 backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch create mode 100644 backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch diff --git a/backport-0001-basic-macro-add-macro-to-iterate-variadic-args.patch b/backport-0001-basic-macro-add-macro-to-iterate-variadic-args.patch new file mode 100644 index 0000000..a7466df --- /dev/null +++ b/backport-0001-basic-macro-add-macro-to-iterate-variadic-args.patch @@ -0,0 +1,32 @@ +From 9f3c69782573bd22f2ac37aba7e0711a1b146011 Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Thu, 2 Feb 2023 15:58:10 -0500 +Subject: [PATCH] basic/macro: add macro to iterate variadic args + +(cherry picked from commit e179f2d89c9f0c951636d74de00136b4075cd1ac) +(cherry picked from commit cd4f43bf378ff33ce5cfeacd96f7f3726603bddc) +--- + src/basic/macro.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/basic/macro.h b/src/basic/macro.h +index 5a3027a..d8a9bbb 100644 +--- a/src/basic/macro.h ++++ b/src/basic/macro.h +@@ -482,4 +482,13 @@ static inline size_t size_add(size_t x, size_t y) { + return y >= SIZE_MAX - x ? SIZE_MAX : x + y; + } + ++/* Iterate through each variadic arg. All must be the same type as 'entry' or must be implicitly ++ * convertable. The iteration variable 'entry' must already be defined. */ ++#define VA_ARGS_FOREACH(entry, ...) \ ++ _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__) ++#define _VA_ARGS_FOREACH(entry, _entries_, _current_, ...) \ ++ for (typeof(entry) _entries_[] = { __VA_ARGS__ }, *_current_ = _entries_; \ ++ ((long)(_current_ - _entries_) < (long)ELEMENTSOF(_entries_)) && ({ entry = *_current_; true; }); \ ++ _current_++) ++ + #include "log.h" +-- +2.33.0 + diff --git a/backport-0001-coredump-get-rid-of-a-bogus-assertion.patch b/backport-0001-coredump-get-rid-of-a-bogus-assertion.patch new file mode 100644 index 0000000..8e4891a --- /dev/null +++ b/backport-0001-coredump-get-rid-of-a-bogus-assertion.patch @@ -0,0 +1,48 @@ +From 7c9b17c9343e143465b6649d021a68a8c16b9a6e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 May 2025 15:24:04 +0200 +Subject: [PATCH] coredump: get rid of a bogus assertion + +The check looks plausible, but when I started checking whether it needs +to be lowered for the recent changes, I realized that it doesn't make +much sense. + +context_parse_iovw() is called from a few places, e.g.: +- process_socket(), where the other side controls the contents of the + message. We already do other checks on the correctness of the message + and this assert is not needed. +- gather_pid_metadata_from_argv(), which is called after + inserting MESSAGE_ID= and PRIORITY= into the array, so there is no + direct relation between _META_ARGV_MAX and the number of args in the + iovw. +- gather_pid_metadata_from_procfs(), where we insert a bazillion fields, + but without any relation to _META_ARGV_MAX. + +Since we already separately check if the required stuff was set, drop this +misleading check. + +(cherry picked from commit 13902e025321242b1d95c6d8b4e482b37f58cdef) +(cherry picked from commit 4c424072b3cc6a68265345cef2d29a6903081dcf) +(cherry picked from commit e1afd271b5a297873008dcf54d3ce45fe2965984) +(cherry picked from commit 32c4237a2bc8a29ceefbc277356e72e36889bedd) +(cherry picked from commit 8f21d057e4a216cd60340660e4e9c8f32aab6e00) +(cherry picked from commit e507f508a7e9096dbf8bde689e3eb43f3be4c91b) +--- + src/coredump/coredump.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 1c17b0b842..460fa3303d 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -1085,7 +1085,6 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + + assert(context); + assert(iovw); +- assert(iovw->count >= _META_ARGV_MAX); + + /* The context does not allocate any memory on its own */ + +-- +2.27.0 + diff --git a/backport-0001-coredump-restore-compatibility-with-older-patterns.patch b/backport-0001-coredump-restore-compatibility-with-older-patterns.patch new file mode 100644 index 0000000..693b254 --- /dev/null +++ b/backport-0001-coredump-restore-compatibility-with-older-patterns.patch @@ -0,0 +1,88 @@ +From 53c1f0517d3db43887ce308f7815f665baadf8fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH] coredump: restore compatibility with older patterns + +This was broken in f45b8015513d38ee5f7cc361db9c5b88c9aae704. Unfortunately +the review does not talk about backward compatibility at all. There are +two places where it matters: +- During upgrades, the replacement of kernel.core_pattern is asynchronous. + For example, during rpm upgrades, it would be updated a post-transaction + file trigger. In other scenarios, the update might only happen after + reboot. We have a potentially long window where the old pattern is in + place. We need to capture coredumps during upgrades too. +- With --backtrace. The interface of --backtrace, in hindsight, is not + great. But there are users of --backtrace which were written to use + a specific set of arguments, and we can't just break compatiblity. + One example is systemd-coredump-python, but there are also reports of + users using --backtrace to generate coredump logs. + +Thus, we require the original set of args, and will use the additional args if +found. + +A test is added to verify that --backtrace works with and without the optional +args. + +(cherry picked from commit ded0aac389e647d35bce7ec4a48e718d77c0435b) +(cherry picked from commit f9b8b75c11bba9b63096904be98cc529c304eb97) +(cherry picked from commit 385a33b043406ad79a7207f3906c3b15192a3333) +(cherry picked from commit c6f79626b6d175c6a5b62b8c5d957a83eb882301) +(cherry picked from commit 9f02346d50e33c24acf879ce4dd5937d56473325) +(cherry picked from commit ac0aa5d1fdc21db1ef035fce562cb6fc8602b544) +--- + src/coredump/coredump.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 71a8e7e..9dbd64c 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -88,8 +88,12 @@ enum { + META_ARGV_SIGNAL, /* %s: number of signal causing dump */ + META_ARGV_TIMESTAMP, /* %t: time of dump, expressed as seconds since the Epoch (we expand this to µs granularity) */ + META_ARGV_RLIMIT, /* %c: core file size soft resource limit */ +- META_ARGV_HOSTNAME, /* %h: hostname */ ++ _META_ARGV_REQUIRED, ++ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ ++ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ + _META_ARGV_MAX, ++ /* If new fields are added, they should be added here, to maintain compatibility ++ * with callers which don't know about the new fields. */ + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -100,7 +104,7 @@ enum { + _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of +- * them is missing. */ ++ * them is missing in a message sent over the socket. */ + + META_EXE = _META_MANDATORY_MAX, + META_UNIT, +@@ -1274,14 +1278,17 @@ static int gather_pid_metadata_from_argv( + char *t; + + /* We gather all metadata that were passed via argv[] into an array of iovecs that +- * we'll forward to the socket unit */ ++ * we'll forward to the socket unit. ++ * ++ * We require at least _META_ARGV_REQUIRED args, but will accept more. ++ * We know how to parse _META_ARGV_MAX args. The rest will be ignored. */ + +- if (argc < _META_ARGV_MAX) ++ if (argc < _META_ARGV_REQUIRED) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "Not enough arguments passed by the kernel (%i, expected %i).", +- argc, _META_ARGV_MAX); ++ "Not enough arguments passed by the kernel (%i, expected between %i and %i).", ++ argc, _META_ARGV_REQUIRED, _META_ARGV_MAX); + +- for (int i = 0; i < _META_ARGV_MAX; i++) { ++ for (int i = 0; i < MIN(argc, _META_ARGV_MAX); i++) { + + t = argv[i]; + +-- +2.33.0 + diff --git a/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch b/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch new file mode 100644 index 0000000..1e78897 --- /dev/null +++ b/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch @@ -0,0 +1,102 @@ +From 2c81e60fe0b8c506a4fe902e45bed6f58f482b39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 May 2025 12:04:44 +0200 +Subject: [PATCH] coredump: get rid of _META_MANDATORY_MAX + +No functional change. This change is done in preparation for future changes. +Currently, the list of fields which are received on the command line is a +strict subset of the fields which are always expected to be received on a +socket. But when we add new kernel args in the future, we'll have two +non-overlapping sets and this approach will not work. Get rid of the variable +and enumerate the required fields. This set will never change, so this is +actually more maintainable. + +The message with the hint where to add new fields is switched with +_META_ARGV_MAX. The new order is more correct. + +(cherry-picked from 49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69) +(cherry-picked from aea6a631bca93e8b04a11aaced694f25f4da155e) +(cherry picked from cf16b6b6b2e0a656531bfd73ad66be3817b155cd) + +(cherry picked from commit b46a4f023cd80b24c8f1aa7a95700bc0cb828cdc) +(cherry picked from commit 5855552310ed279180c21cb803408aa2ce36053d) +(cherry picked from commit cc31f2d4146831b9f2fe7bf584468908ff9c4de5) +--- + src/coredump/coredump.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index b2d5197bab..19857775d9 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -79,7 +79,7 @@ + * size. See DATA_SIZE_MAX in journal-importer.h. */ + assert_cc(JOURNAL_SIZE_MAX <= DATA_SIZE_MAX); + +-enum { ++typedef enum { + /* We use these as array indexes for our process metadata cache. + * + * The first indices of the cache stores the same metadata as the ones passed by +@@ -95,9 +95,9 @@ enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ +- _META_ARGV_MAX, + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ ++ _META_ARGV_MAX, + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -105,16 +105,15 @@ enum { + * environment. */ + + META_COMM = _META_ARGV_MAX, +- _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of + * them is missing in a message sent over the socket. */ + +- META_EXE = _META_MANDATORY_MAX, ++ META_EXE, + META_UNIT, + META_PROC_AUXV, + _META_MAX +-}; ++} meta_argv_t; + + static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_PID] = "COREDUMP_PID=", +@@ -1200,12 +1199,24 @@ static int process_socket(int fd) { + if (r < 0) + goto finish; + +- /* Make sure we received at least all fields we need. */ +- for (int i = 0; i < _META_MANDATORY_MAX; i++) ++ /* Make sure we received all the expected fields. We support being called by an *older* ++ * systemd-coredump from the outside, so we require only the basic set of fields that ++ * was being sent when the support for sending to containers over a socket was added ++ * in a108c43e36d3ceb6e34efe37c014fc2cda856000. */ ++ meta_argv_t i; ++ VA_ARGS_FOREACH(i, ++ META_ARGV_PID, ++ META_ARGV_UID, ++ META_ARGV_GID, ++ META_ARGV_SIGNAL, ++ META_ARGV_TIMESTAMP, ++ META_ARGV_RLIMIT, ++ META_ARGV_HOSTNAME, ++ META_COMM) + if (!context.meta[i]) { + r = log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "A mandatory argument (%i) has not been sent, aborting.", +- i); ++ "Mandatory argument %s not received on socket, aborting.", ++ meta_field_names[i]); + goto finish; + } + +-- +2.27.0 + diff --git a/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch b/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch new file mode 100644 index 0000000..2c4b2b9 --- /dev/null +++ b/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch @@ -0,0 +1,136 @@ +From 5b0625f63aa518fe50b71b7ad6ed6ee980294a2c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH] coredump: use %d in kernel core pattern +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The kernel provides %d which is documented as +"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE". + +We already query /proc/pid/auxv for this information, but unfortunately this +check is subject to a race, because the crashed process may be replaced by an +attacker before we read this data, for example replacing a SUID process that +was killed by a signal with another process that is not SUID, tricking us into +making the coredump of the original process readable by the attacker. + +With this patch, we effectively add one more check to the list of conditions +that need be satisfied if we are to make the coredump accessible to the user. + +Reportedy-by: Qualys Security Advisory + +(cherry-picked from commit 0c49e0049b7665bb7769a13ef346fef92e1ad4d6) +(cherry-picked from commit c58a8a6ec9817275bb4babaa2c08e0e35090d4e3) +(cherry picked from commit 19d439189ab85dd7222bdd59fd442bbcc8ea99a7) +(cherry picked from commit 254ab8d2a7866679cee006d844d078774cbac3c9) +(cherry picked from commit 7fc7aa5a4d28d7768dfd1eb85be385c3ea949168) +(cherry picked from commit 19b228662e0fcc6596c0395a0af8486a4b3f1627) +--- + man/systemd-coredump.xml | 10 ++++++++++ + src/coredump/coredump.c | 21 ++++++++++++++++++--- + sysctl.d/50-coredump.conf.in | 2 +- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-coredump.xml b/man/systemd-coredump.xml +index bb84cf5..3ecde59 100644 +--- a/man/systemd-coredump.xml ++++ b/man/systemd-coredump.xml +@@ -259,6 +259,16 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst + + + ++ ++ COREDUMP_DUMPABLE= ++ ++ The PR_GET_DUMPABLE field as reported by the kernel, see ++ prctl2. ++ ++ ++ ++ + + COREDUMP_OPEN_FDS= + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 9a1ce36..d9679b6 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -91,6 +91,7 @@ typedef enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ ++ META_ARGV_DUMPABLE, /* %d: as set by the kernel */ + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ + _META_ARGV_MAX, +@@ -119,6 +120,7 @@ static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", + [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", + [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", ++ [META_ARGV_DUMPABLE] = "COREDUMP_DUMPABLE=", + [META_COMM] = "COREDUMP_COMM=", + [META_EXE] = "COREDUMP_EXE=", + [META_UNIT] = "COREDUMP_UNIT=", +@@ -129,6 +131,7 @@ typedef struct Context { + const char *meta[_META_MAX]; + size_t meta_size[_META_MAX]; + pid_t pid; ++ unsigned dumpable; + bool is_pid1; + bool is_journald; + } Context; +@@ -475,14 +478,16 @@ static int grant_user_access(int core_fd, const Context *context) { + if (r < 0) + return r; + +- /* We allow access if we got all the data and at_secure is not set and +- * the uid/gid matches euid/egid. */ ++ /* We allow access if dumpable on the command line was exactly 1, we got all the data, ++ * at_secure is not set, and the uid/gid match euid/egid. */ + bool ret = ++ context->dumpable == 1 && + at_secure == 0 && + uid != UID_INVALID && euid != UID_INVALID && uid == euid && + gid != GID_INVALID && egid != GID_INVALID && gid == egid; +- log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ log_debug("Will %s access (dumpable=%u uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", + ret ? "permit" : "restrict", ++ context->dumpable, + uid, euid, gid, egid, yes_no(at_secure)); + return ret; + } +@@ -1098,6 +1103,16 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + if (r < 0) + return log_error_errno(r, "Failed to parse PID \"%s\": %m", context->meta[META_ARGV_PID]); + ++ /* The value is set to contents of /proc/sys/fs/suid_dumpable, which we set to 2, ++ * if the process is marked as not dumpable, see PR_SET_DUMPABLE(2const). */ ++ if (context->meta[META_ARGV_DUMPABLE]) { ++ r = safe_atou(context->meta[META_ARGV_DUMPABLE], &context->dumpable); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse dumpable field \"%s\": %m", context->meta[META_ARGV_DUMPABLE]); ++ if (context->dumpable > 2) ++ log_notice("Got unexpected %%d/dumpable value %u.", context->dumpable); ++ } ++ + unit = context->meta[META_UNIT]; + context->is_pid1 = streq(context->meta[META_ARGV_PID], "1") || streq_ptr(unit, SPECIAL_INIT_SCOPE); + context->is_journald = streq_ptr(unit, SPECIAL_JOURNALD_SERVICE); +diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in +index 5fb551a..9c10a89 100644 +--- a/sysctl.d/50-coredump.conf.in ++++ b/sysctl.d/50-coredump.conf.in +@@ -13,7 +13,7 @@ + # the core dump. + # + # See systemd-coredump(8) and core(5). +-kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h ++kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h %d + + # Allow 16 coredumps to be dispatched in parallel by the kernel. + # We collect metadata from /proc/%P/, and thus need to make sure the crashed +-- +2.33.0 + diff --git a/systemd.spec b/systemd.spec index 118130c..3ed4e10 100644 --- a/systemd.spec +++ b/systemd.spec @@ -25,7 +25,7 @@ Name: systemd Url: https://systemd.io/ Version: 249 -Release: 80 +Release: 81 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -646,6 +646,12 @@ Patch6593: backport-CVE-2023-50387.patch Patch6594: backport-CVE-2023-50868.patch Patch6595: backport-login-user-runtime-dir-properly-check-for-mount-poin.patch Patch6596: backport-user-util-validate-the-right-field.patch +#fix CVE-2025-4598 +Patch6597: backport-0001-basic-macro-add-macro-to-iterate-variadic-args.patch +Patch6598: backport-0001-coredump-restore-compatibility-with-older-patterns.patch +Patch6599: backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch +Patch6600: backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch +Patch6601: backport-0001-coredump-get-rid-of-a-bogus-assertion.patch Patch9001: update-rtc-with-system-clock-when-shutdown.patch Patch9002: udev-add-actions-while-rename-netif-failed.patch @@ -2160,6 +2166,9 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && /usr/bin/systemd-cryptenroll %changelog +* Sun Jun 8 2025 Han Jinpeng - 249-81 +- Fix CVE-2025-4598 + * Fri Jun 14 2024 peng.zou - 249-80 - init support for ppc64le -- Gitee