import systemd-252-14.el9_2.3

i9c changed/i9c/systemd-252-14.el9_2.3
MSVSphere Packaging Team 1 year ago
parent 10f49b6466
commit c1e3f99157

@ -0,0 +1,69 @@
From ea011ddb65272c74d6378deae3f3a3365aadd77d Mon Sep 17 00:00:00 2001
From: Romain Geissler <romain.geissler@amadeus.com>
Date: Tue, 20 Jun 2023 16:06:31 +0000
Subject: [PATCH] elf-util: discard PT_LOAD segment early based on the start
address.
Indeed when iterating over all the PT_LOAD segment of the core dump
while trying to look for the elf headers of a given module, we iterate
over them all and try to use the first one for which we can parse a
package metadata, but the start address is never taken into account,
so absolutely nothing guarantees we actually parse the right ELF header
of the right module we are currently iterating on.
This was tested like this:
- Create a core dump using sleep on a fedora 37 container, with an
explicit LD_PRELOAD of a library having a valid package metadata:
podman run -t -i --rm -v $(pwd):$(pwd) -w $(pwd) fedora:37 bash -x -c \
'LD_PRELOAD=libreadline.so.8 sleep 1000 & SLEEP_PID="$!" && sleep 1 && kill -11 "${SLEEP_PID}" && mv "core.${SLEEP_PID}" the-core'
- Then from a fedora 38 container with systemd installed, the resulting
core dump has been passed to systemd-coredump with and without this
patch. Without this patch, we get:
Module /usr/bin/sleep from rpm bash-5.2.15-3.fc38.x86_64
Module /usr/lib64/libtinfo.so.6.3 from rpm coreutils-9.1-8.fc37.x86_64
Module /usr/lib64/libc.so.6 from rpm coreutils-9.1-8.fc37.x86_64
Module /usr/lib64/libreadline.so.8.2 from rpm coreutils-9.1-8.fc37.x86_64
Module /usr/lib64/ld-linux-x86-64.so.2 from rpm coreutils-9.1-8.fc37.x86_64
While with this patch we get:
Module /usr/bin/sleep from rpm bash-5.2.15-3.fc38.x86_64
Module /usr/lib64/libtinfo.so.6.3 from rpm ncurses-6.3-5.20220501.fc37.x86_64
Module /usr/lib64/libreadline.so.8.2 from rpm readline-8.2-2.fc37.x86_64
So the parsed package metadata reported by systemd-coredump when the module
files are not found on the host (ie the case of crash inside a container) are
now correct. The inconsistency of the first module in the above example
(sleep is indeed not provided by the bash package) can be ignored as it
is a consequence of how this was tested.
In addition to this, this also fixes the performance issue of
systemd-coredump in case of the crashing process uses a large number of
shared libraries and having no package metadata, as reported in
https://sourceware.org/pipermail/elfutils-devel/2023q2/006225.html.
(cherry picked from commit 21a2c735e2bfdc3bfdc42f894d6e3d00f4a38dcd)
Resolves: #2222259
---
src/shared/elf-util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
index 181735409d..d746f3ab3f 100644
--- a/src/shared/elf-util.c
+++ b/src/shared/elf-util.c
@@ -538,6 +538,10 @@ static int module_callback(Dwfl_Module *mod, void **userdata, const char *name,
if (!program_header || program_header->p_type != PT_LOAD)
continue;
+ /* This PT_LOAD segment doesn't contain the start address, so it can't be the module we are looking for. */
+ if (start < program_header->p_vaddr || start >= program_header->p_vaddr + program_header->p_memsz)
+ continue;
+
/* Now get a usable Elf reference, and parse the notes from it. */
data = sym_elf_getdata_rawchunk(elf,
program_header->p_offset,

@ -0,0 +1,40 @@
From 2fcb340ec5faf51a8d9b0cb2ddd8386b4db6a33d Mon Sep 17 00:00:00 2001
From: Romain Geissler <romain.geissler@amadeus.com>
Date: Thu, 22 Jun 2023 16:05:18 +0000
Subject: [PATCH] elf-util: check for overflow when computing end of core's
PT_LOAD segments
(cherry picked from commit 3965f173eae4701a014113cfaf4a28a6bb63bed7)
Resolves: #2222259
---
src/shared/elf-util.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
index d746f3ab3f..bde5013b92 100644
--- a/src/shared/elf-util.c
+++ b/src/shared/elf-util.c
@@ -532,14 +532,21 @@ static int module_callback(Dwfl_Module *mod, void **userdata, const char *name,
for (size_t i = 0; i < n_program_headers; ++i) {
GElf_Phdr mem, *program_header;
Elf_Data *data;
+ GElf_Addr end_of_segment;
/* The core file stores the ELF files in the PT_LOAD segment. */
program_header = sym_gelf_getphdr(elf, i, &mem);
if (!program_header || program_header->p_type != PT_LOAD)
continue;
+ /* Check that the end of segment is a valid address. */
+ if (__builtin_add_overflow(program_header->p_vaddr, program_header->p_memsz, &end_of_segment)) {
+ log_error("Abort due to corrupted core dump, end of segment address %#zx + %#zx overflows", (size_t)program_header->p_vaddr, (size_t)program_header->p_memsz);
+ return DWARF_CB_ABORT;
+ }
+
/* This PT_LOAD segment doesn't contain the start address, so it can't be the module we are looking for. */
- if (start < program_header->p_vaddr || start >= program_header->p_vaddr + program_header->p_memsz)
+ if (start < program_header->p_vaddr || start >= end_of_segment)
continue;
/* Now get a usable Elf reference, and parse the notes from it. */

@ -0,0 +1,64 @@
From 6c4090a8bdf54928e43c21d7443d2e6825ed6d1f Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 9 May 2023 13:15:06 +0200
Subject: [PATCH] manager: don't taint the host if cgroups v1 is used
In upstream of systemd, cgroups v1 are not considered as supported.
This is not true for RHEL, don't taint the host when cgroups v1 are enabled.
rhel-only
Resolves: #2196479
---
man/org.freedesktop.systemd1.xml | 6 ------
src/core/manager.c | 3 ---
src/test/test-manager.c | 5 -----
3 files changed, 14 deletions(-)
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index 40510c43eb..13a84af747 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -1589,12 +1589,6 @@ node /org/freedesktop/systemd1 {
<listitem><para>Support for cgroups is unavailable.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><literal>cgroupsv1</literal></term>
-
- <listitem><para>The system is using the old cgroup hierarchy.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><literal>local-hwclock</literal></term>
diff --git a/src/core/manager.c b/src/core/manager.c
index a59afafb58..657263eb73 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -4491,9 +4491,6 @@ char* manager_taint_string(const Manager *m) {
if (access("/proc/cgroups", F_OK) < 0)
stage[n++] = "cgroups-missing";
- if (cg_all_unified() == 0)
- stage[n++] = "cgroupsv1";
-
if (clock_is_localtime(NULL) > 0)
stage[n++] = "local-hwclock";
diff --git a/src/test/test-manager.c b/src/test/test-manager.c
index 89f9277b28..2faf715d76 100644
--- a/src/test/test-manager.c
+++ b/src/test/test-manager.c
@@ -14,11 +14,6 @@ TEST(manager_taint_string) {
* to test for them. Let's do just one. */
assert_se(!strstr(a, "split-usr"));
- if (cg_all_unified() == 0)
- assert_se(strstr(a, "cgroupsv1"));
- else
- assert_se(!strstr(a, "cgroupsv1"));
-
m.taint_usr = true;
_cleanup_free_ char *b = manager_taint_string(&m);
assert_se(b);

@ -21,7 +21,7 @@
Name: systemd Name: systemd
Url: https://systemd.io Url: https://systemd.io
Version: 252 Version: 252
Release: 14%{?dist}.1 Release: 14%{?dist}.3
# For a breakdown of the licensing, see README # For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+ License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager Summary: System and Service Manager
@ -323,6 +323,9 @@ Patch0242: 0242-sd-journal-allow-to-specify-compression-algorithm-th.patch
Patch0243: 0243-test-add-test-case-that-journal-file-is-created-with.patch Patch0243: 0243-test-add-test-case-that-journal-file-is-created-with.patch
Patch0244: 0244-ci-workflow-for-gathering-metadata-for-source-git-au.patch Patch0244: 0244-ci-workflow-for-gathering-metadata-for-source-git-au.patch
Patch0245: 0245-ci-first-part-of-the-source-git-automation-commit-li.patch Patch0245: 0245-ci-first-part-of-the-source-git-automation-commit-li.patch
Patch0246: 0246-elf-util-discard-PT_LOAD-segment-early-based-on-the-.patch
Patch0247: 0247-elf-util-check-for-overflow-when-computing-end-of-co.patch
Patch0248: 0248-manager-don-t-taint-the-host-if-cgroups-v1-is-used.patch
# Downstream-only patches (90009999) # Downstream-only patches (90009999)
@ -1144,6 +1147,13 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s
%files standalone-sysusers -f .file-list-standalone-sysusers %files standalone-sysusers -f .file-list-standalone-sysusers
%changelog %changelog
* Mon Jul 17 2023 systemd maintenance team <systemd-maint@redhat.com> - 252-14.3
- manager: don't taint the host if cgroups v1 is used (#2196479)
* Thu Jul 13 2023 systemd maintenance team <systemd-maint@redhat.com> - 252-14.2
- elf-util: discard PT_LOAD segment early based on the start address. (#2222259)
- elf-util: check for overflow when computing end of core's PT_LOAD segments (#2222259)
* Wed May 24 2023 systemd maintenance team <systemd-maint@redhat.com> - 252-14.1 * Wed May 24 2023 systemd maintenance team <systemd-maint@redhat.com> - 252-14.1
- Bump version to 252-14.1 to make sure that NEVRA is higher than systemd-252-14.el9.rhaos4.13 (#2184929) - Bump version to 252-14.1 to make sure that NEVRA is higher than systemd-252-14.el9.rhaos4.13 (#2184929)

Loading…
Cancel
Save