1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

logind: fix crash in logind on user-specified message string

This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:

<action id="org.freedesktop.login1.set-wall-message">
         <description gettext-domain="systemd">Set a wall message</description>
         <message gettext-domain="systemd">Authentication is required to set a wall message</message>
         <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>auth_admin_keep</allow_active>
        </defaults>
</action>

Bug introduced in 9ef15026c0
('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15).

Based on 0cb09bcb82.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2022-05-08 17:21:09 +02:00
parent 16b95a18e7
commit 95058a435e

View File

@ -1492,12 +1492,13 @@ _printf_(2, 0)
static int log_with_wall_message(Manager *m, const char *d, const char *p, const char *q) { static int log_with_wall_message(Manager *m, const char *d, const char *p, const char *q) {
assert(m); assert(m);
if (isempty(m->wall_message)) if (isempty(m->wall_message)) {
p = strjoina(p, "."); p = strjoina(p, ".");
else return log_struct(LOG_NOTICE, d, p, q);
p = strjoina(p, " (", m->wall_message, ")."); } else {
p = strjoina(p, " (%s).");
return log_struct(LOG_NOTICE, d, p, q); return log_struct(LOG_NOTICE, d, p, m->wall_message, q);
}
} }
static int bus_manager_log_shutdown( static int bus_manager_log_shutdown(