From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 6 Mar 2026 19:32:35 +0000 (+0000)
Subject: [PATCH] udev: check for invalid chars in various fields received from the kernel
X-Git-Tag: archive/raspbian/247.3-7+rpi1+deb11u8^2~3
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22mailto:kde%40ewsoftware.de/%22style.css//%22Programmet/%22http:/www.example.com/%22mailto:kde%40ewsoftware.de/%22style.css/%22Programmet?a=commitdiff_plain;h=7beabc7a143b83d2f30eabd0fcd59a6dff373352;p=systemd.git

[PATCH] udev: check for invalid chars in various fields received from the kernel

(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2)
(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273)

Origin: backport, https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc

Gbp-Pq: Name CVE-2026-40225.patch
---

diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
index 57202564..72e4ee40 100644
--- a/src/udev/scsi_id/scsi_id.c
+++ b/src/udev/scsi_id/scsi_id.c
@@ -24,6 +24,7 @@
 #include "string-util.h"
 #include "strxcpyx.h"
 #include "udev-util.h"
+#include "utf8.h"
 
 static const struct option options[] = {
         { "device",             required_argument, NULL, 'd' },
@@ -519,7 +520,7 @@ static int scsi_id(char *maj_min_dev) {
                 }
                 if (dev_scsi.tgpt_group[0] != '\0')
                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
-                if (dev_scsi.unit_serial_number[0] != '\0')
+                if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
                         printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
                 goto out;
         }
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index d06a8c71..1da16dad 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -35,6 +35,7 @@
 #include "strv.h"
 #include "strxcpyx.h"
 #include "udev-builtin.h"
+#include "utf8.h"
 
 #define ONBOARD_INDEX_MAX (16*1024-1)
 
@@ -198,6 +199,9 @@ static int dev_pci_onboard(sd_device *dev, struct netnames *names) {
         /* kernel provided front panel port name for multiple port PCI device */
         (void) sd_device_get_sysattr_value(dev, "phys_port_name", &port_name);
 
+        if (port_name && (!utf8_is_valid(port_name) || string_has_cc(port_name, /* ok= */ NULL)))
+                port_name = NULL;
+
         s = names->pci_onboard;
         l = sizeof(names->pci_onboard);
         l = strpcpyf(&s, l, "o%lu", idx);
@@ -210,6 +214,8 @@ static int dev_pci_onboard(sd_device *dev, struct netnames *names) {
 
         if (sd_device_get_sysattr_value(names->pcidev, "label", &names->pci_onboard_label) < 0)
                 names->pci_onboard_label = NULL;
+        else if (!utf8_is_valid(names->pci_onboard_label) || string_has_cc(names->pci_onboard_label, /* ok= */ NULL))
+                names->pci_onboard_label = NULL;
 
         return 0;
 }
@@ -310,6 +316,9 @@ static int dev_pci_slot(sd_device *dev, struct netnames *names) {
         /* kernel provided front panel port name for multi-port PCI device */
         (void) sd_device_get_sysattr_value(dev, "phys_port_name", &port_name);
 
+        if (port_name && (!utf8_is_valid(port_name) || string_has_cc(port_name, /* ok= */ NULL)))
+                port_name = NULL;
+
         /* compose a name based on the raw kernel's PCI bus, slot numbers */
         s = names->pci_path;
         l = sizeof(names->pci_path);
@@ -773,6 +782,9 @@ static int names_netdevsim(sd_device *dev, struct netnames *names) {
         if (r < 0)
                 return r;
 
+        if (!utf8_is_valid(port_name) || string_has_cc(port_name, /* ok= */ NULL))
+                return -EINVAL;
+
         ok = snprintf_ok(names->netdevsim_path, sizeof(names->netdevsim_path), "i%un%s", addr, port_name);
         if (!ok)
                 return -ENOBUFS;
diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
index 932446b7..10299227 100644
--- a/src/udev/v4l_id/v4l_id.c
+++ b/src/udev/v4l_id/v4l_id.c
@@ -28,6 +28,8 @@
 
 #include "fd-util.h"
 #include "util.h"
+#include "string-util.h"
+#include "utf8.h"
 
 int main(int argc, char *argv[]) {
         static const struct option options[] = {
@@ -66,7 +68,8 @@ int main(int argc, char *argv[]) {
         if (ioctl(fd, VIDIOC_QUERYCAP, &v2cap) == 0) {
                 int capabilities;
                 printf("ID_V4L_VERSION=2\n");
-                printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+                if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
+                        printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
                 printf("ID_V4L_CAPABILITIES=:");
                 if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)
                         capabilities = v2cap.device_caps;