From 95058a435e8267146e6d44f65237dfe45a113d60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sun, 8 May 2022 17:21:09 +0200
Subject: [PATCH] logind: fix crash in logind on user-specified message string

This is trivially exploitable (in the sense of causing a crash from SEGV) e.g. by 'shutdown now "Message %s %s %n"'. The message is settable through polkit, but is limited to auth_admin: Set a wall message Authentication is required to set a wall message auth_admin_keep auth_admin_keep auth_admin_keep Bug introduced in 9ef15026c0e7e6600372056c43442c99ec53746e ('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15). Based on 0cb09bcb825ab86ba4ca70be4e6322eaf9baee95.
---
 src/login/logind-dbus.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index c05c0d02cc..faae546404 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1492,12 +1492,13 @@ _printf_(2, 0)
 static int log_with_wall_message(Manager *m, const char *d, const char *p, const char *q) {
 assert(m);

- if (isempty(m->wall_message))
+ if (isempty(m->wall_message)) {
 p = strjoina(p, ".");
- else
- p = strjoina(p, " (", m->wall_message, ").");
-
- return log_struct(LOG_NOTICE, d, p, q);
+ return log_struct(LOG_NOTICE, d, p, q);
+ } else {
+ p = strjoina(p, " (%s).");
+ return log_struct(LOG_NOTICE, d, p, m->wall_message, q);
+ }
 }

 static int bus_manager_log_shutdown(
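Review bot: In log_with_wall_message() the `p` argument is still handed to log_struct() as a format string, and after this change it must carry no conversion of its own, because the only argument supplied for it is `m->wall_message` for the appended ` (%s).`; nothing in the function states that contract. The `_printf_(2, 0)` annotation visible in the hunk header names parameter 2 (`d`) and checks no arguments, so the compiler will presumably not flag a future caller that passes non-literal text in `p` or `q`. I would add a comment above the function such as `/* d, p and q are log_struct() format strings: pass literals only; user-controlled text must go through an explicit %s argument. */`. Separately, the wall message is still written verbatim into the log entry, and whether control characters or newlines in it need escaping for forwarded syslog or console output cannot be judged from this hunk, so that is worth confirming.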