From: Luca Boccassi Date: Fri, 6 Mar 2026 19:32:35 +0000 (+0000) Subject: [PATCH] udev: check for invalid chars in various fields received from the kernel X-Git-Tag: archive/raspbian/252.39-1_deb12u2+rpi1^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=98776ea6100fac4f57bae44854b78691009e05e3;p=systemd.git [PATCH] udev: check for invalid chars in various fields received from the kernel (cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3) (cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2) (cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273) Origin: backport, https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc Gbp-Pq: Name CVE-2026-40225.patch --- diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c index 4793c0f0..8f170d60 100644 --- a/src/udev/dmi_memory_id/dmi_memory_id.c +++ b/src/udev/dmi_memory_id/dmi_memory_id.c @@ -51,6 +51,7 @@ #include "udev-util.h" #include "unaligned.h" #include "version.h" +#include "utf8.h" #define SUPPORTED_SMBIOS_VER 0x030300 @@ -185,7 +186,7 @@ static void dmi_memory_device_string( str = strdupa_safe(dmi_string(h, s)); str = strstrip(str); - if (!isempty(str)) + if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL)) printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str); } diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c index 364d5677..f689582b 100644 --- a/src/udev/scsi_id/scsi_id.c +++ b/src/udev/scsi_id/scsi_id.c @@ -27,6 +27,7 @@ #include "strxcpyx.h" #include "udev-util.h" #include "version.h" +#include "utf8.h" static const struct option options[] = { { "device", required_argument, NULL, 'd' }, 
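Review bot: In dmi_memory_device_string() a string that fails the new `utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL)` test is dropped without any trace, while the net_id hunks of this patch log a debug message for the same condition. Someone looking at a missing MEMORY_DEVICE_* property cannot tell a filtered value from an absent one; a debug line that names `slot_num` and `attr_suffix`, without echoing the rejected bytes, would cover it. The same predicate is also written out in full in scsi_id(), dev_pci_onboard(), get_link_info() and v4l_id's main(), so one helper in a shared header, for example `bool property_value_is_clean(const char *s)` (name is only a suggestion), would keep the five sites identical. The function starts outside the hunk.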
@@ -441,7 +442,7 @@ static int scsi_id(char *maj_min_dev) { } if (dev_scsi.tgpt_group[0] != '\0') printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); - if (dev_scsi.unit_serial_number[0] != '\0') + if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); goto out; } diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c index 6425494f..3587a1da 100644 --- a/src/udev/udev-builtin-net_id.c +++ b/src/udev/udev-builtin-net_id.c @@ -39,6 +39,7 @@ #include "strv.h" #include "strxcpyx.h" #include "udev-builtin.h" +#include "utf8.h" #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1) #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1) @@ -220,7 +221,13 @@ static int dev_pci_onboard(sd_device *dev, const LinkInfo *info, NetNames *names special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(names->pci_onboard)); if (sd_device_get_sysattr_value(names->pcidev, "label", &names->pci_onboard_label) >= 0) - log_device_debug(dev, "Onboard label from PCI device: %s", names->pci_onboard_label); + { + if (!utf8_is_valid(names->pci_onboard_label) || string_has_cc(names->pci_onboard_label, /* ok= */ NULL)) { + names->pci_onboard_label = NULL; + log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label"); + } else + log_device_debug(dev, "Onboard label from PCI device: %s", names->pci_onboard_label); + } else names->pci_onboard_label = NULL; 
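Review bot: `ID_TARGET_PORT` is still printed from `dev_scsi.tgpt_group` with only the emptiness test, on the line directly above the newly filtered `ID_SCSI_SERIAL`. How tgpt_group is filled is not visible in this hunk. If it can hold bytes copied from the device it needs the same filter, `if (dev_scsi.tgpt_group[0] != '\0' && utf8_is_valid(dev_scsi.tgpt_group) && !string_has_cc(dev_scsi.tgpt_group, /* ok= */ NULL))`, and if it is formatted locally from a number, a short comment saying so would explain the asymmetry. scsi_id() starts and ends outside the hunk, so the other exported fields could not be checked from here.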
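Review bot: The opening brace added in dev_pci_onboard() sits on a line of its own and the braced block is followed by an unbraced `else`, which differs from the `if (...) {` placement used in the get_link_info() hunk of this same patch and makes the outer if/else hard to pair up by eye. Writing it as `if (sd_device_get_sysattr_value(names->pcidev, "label", &names->pci_onboard_label) >= 0) {` with a closing `} else` keeps the shape of the original statement. The message `"Invalid label"` would also be easier to place in a log as `"Invalid PCI onboard label, ignoring."`. The function starts outside the hunk.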
@@ -1083,6 +1090,12 @@ static int get_link_info(sd_device *dev, LinkInfo *info) { return r; (void) sd_device_get_sysattr_value(dev, "phys_port_name", &info->phys_port_name); + if (!isempty(info->phys_port_name)) { + if (!utf8_is_valid(info->phys_port_name) || string_has_cc(info->phys_port_name, /* ok= */ NULL)) { + info->phys_port_name = NULL; + log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); + } + } r = sd_device_get_sysattr_value(dev, "address", &s); if (r < 0 && r != -ENOENT) diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c index c2312c79..f363441d 100644 --- a/src/udev/v4l_id/v4l_id.c +++ b/src/udev/v4l_id/v4l_id.c @@ -28,6 +28,8 @@ #include "fd-util.h" #include "util.h" +#include "string-util.h" +#include "utf8.h" int main(int argc, char *argv[]) { static const struct option options[] = { @@ -66,7 +68,8 @@ int main(int argc, char *argv[]) { if (ioctl(fd, VIDIOC_QUERYCAP, &v2cap) == 0) { int capabilities; printf("ID_V4L_VERSION=2\n"); - printf("ID_V4L_PRODUCT=%s\n", v2cap.card); + if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL)) + printf("ID_V4L_PRODUCT=%s\n", v2cap.card); printf("ID_V4L_CAPABILITIES=:"); if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS) capabilities = v2cap.device_caps;
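Review bot: The new block in get_link_info() has no comment saying why a present but malformed phys_port_name is reset to NULL instead of failing the call, and the two nested `if`s add a level the check does not need. A comment such as `/* Value comes from the kernel; treat non-UTF-8 or control characters as if the attribute were absent. */` above a single `if (!isempty(info->phys_port_name) && (!utf8_is_valid(info->phys_port_name) || string_has_cc(info->phys_port_name, /* ok= */ NULL))) {` would state the intent. The function continues outside the hunk.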
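Review bot: In v4l_id's main() both new checks, like the existing `%s` print, treat `v2cap.card` as a NUL-terminated string, but it is a fixed-size byte array filled in by the driver through VIDIOC_QUERYCAP. If a driver ever fills the whole array without a terminator, `utf8_is_valid()` and `string_has_cc()` read past the end of the field before the filter can reject anything. Putting a bound first closes that gap: `if (memchr(v2cap.card, 0, sizeof(v2cap.card)) && utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))`. main() continues outside the hunk.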