1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00

logind: fix crash in logind on user-specified message string

This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:

<action id="org.freedesktop.login1.set-wall-message">
         <description gettext-domain="systemd">Set a wall message</description>
         <message gettext-domain="systemd">Authentication is required to set a wall message</message>
         <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>auth_admin_keep</allow_active>
        </defaults>
</action>

Bug introduced in 9ef15026c0
('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15).
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2022-05-08 17:21:09 +02:00
parent 4e5f4733c5
commit 0cb09bcb82

View File

@ -1515,32 +1515,20 @@ static int have_multiple_sessions(
static int bus_manager_log_shutdown(
Manager *m,
const HandleActionData *a) {
const char *message, *log_message;
assert(m);
assert(a);
message = a->message;
log_message = a->log_message;
if (message)
message = strjoina("MESSAGE=", message);
else
message = "MESSAGE=System is shutting down";
if (isempty(m->wall_message))
message = strjoina(message, ".");
else
message = strjoina(message, " (", m->wall_message, ").");
if (log_message)
log_message = strjoina("SHUTDOWN=", log_message);
const char *message = a->message ?: "System is shutting down";
const char *log_message = a->log_message ? strjoina("SHUTDOWN=", a->log_message) : NULL;
return log_struct(LOG_NOTICE,
"MESSAGE_ID=%s", a->message_id ? a->message_id : SD_MESSAGE_SHUTDOWN_STR,
message,
log_message);
"MESSAGE_ID=%s", a->message_id ?: SD_MESSAGE_SHUTDOWN_STR,
LOG_MESSAGE("%s%s%s%s.",
message,
m->wall_message ? " (" : "",
strempty(m->wall_message),
m->wall_message ? ")" : ""),
log_message);
}
static int lid_switch_ignore_handler(sd_event_source *e, uint64_t usec, void *userdata) {