logind: fix crash in logind on user-specified message string

This is trivially exploitable (in the sense of causing a crash from SEGV) e.g. by 'shutdown now "Message %s %s %n"'. The message is settable through polkit, but is limited to auth_admin: <action id="org.freedesktop.login1.set-wall-message"> <description gettext-domain="systemd">Set a wall message</description> <message gettext-domain="systemd">Authentication is required to set a wall message</message> <defaults> <allow_any>auth_admin_keep</allow_any> <allow_inactive>auth_admin_keep</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> </action> Bug introduced in 9ef15026c0 ('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15).
2024-10-15 04:24:19 +00:00 · 2022-05-08 17:21:09 +02:00 · 2022-05-08 17:21:09 +02:00 · 0cb09bcb82
parent 4e5f4733c5
commit 0cb09bcb82
1 changed files with 9 additions and 21 deletions
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@ -1515,32 +1515,20 @@ static int have_multiple_sessions(
 static int bus_manager_log_shutdown(
                Manager *m,
                const HandleActionData *a) {
-
-        const char *message, *log_message;
-
        assert(m);
        assert(a);

-        message = a->message;
-        log_message = a->log_message;
-
-        if (message)
-                message = strjoina("MESSAGE=", message);
-        else
-                message = "MESSAGE=System is shutting down";
-
-        if (isempty(m->wall_message))
-                message = strjoina(message, ".");
-        else
-                message = strjoina(message, " (", m->wall_message, ").");
-
-        if (log_message)
-                log_message = strjoina("SHUTDOWN=", log_message);
+        const char *message = a->message ?: "System is shutting down";
+        const char *log_message = a->log_message ? strjoina("SHUTDOWN=", a->log_message) : NULL;

        return log_struct(LOG_NOTICE,
-                        "MESSAGE_ID=%s", a->message_id ? a->message_id : SD_MESSAGE_SHUTDOWN_STR,
-                        message,
-                        log_message);
+                          "MESSAGE_ID=%s", a->message_id ?: SD_MESSAGE_SHUTDOWN_STR,
+                          LOG_MESSAGE("%s%s%s%s.",
+                                      message,
+                                      m->wall_message ? " (" : "",
+                                      strempty(m->wall_message),
+                                      m->wall_message ? ")" : ""),
+                          log_message);
 }

 static int lid_switch_ignore_handler(sd_event_source *e, uint64_t usec, void *userdata) {