project-lakitu: Fixed CVE-2021-33910

The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacker-controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

upstream patch:

RELEASE_NOTE=Fixed CVE-2021-33910

Change-Id: I4c56e3fd98d0c28b3989ef497cd6afd65b52a755
Reviewed-by: Vaibhav Rustagi <>
Tested-by: Cusky Presubmit Bot <>
3 files changed
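
The stack-allocation pattern described in the commit message, next to a heap-based form, as an added example that is not part of this commit or of systemd's source. The function names and the simplified escaping step are assumptions made for illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the escaping step (not systemd's algorithm):
 * strip trailing '/' and map every '/' to '-' in place. */
static void escape_in_place(char *p) {
    size_t n = strlen(p);
    while (n > 1 && p[n - 1] == '/')
        p[--n] = '\0';
    for (; *p; p++)
        if (*p == '/')
            *p = '-';
}

static char *heap_copy(const char *src) { /* NULL on allocation failure */
    size_t n = strlen(src) + 1;
    char *dst = malloc(n);
    return dst ? memcpy(dst, src, n) : NULL;
}

/* Pattern the commit message describes: scratch copy sized by the path, so
 * a very long mount point path overruns the stack and the process crashes. */
int escape_on_stack(const char *path, char **ret) {
    char *tmp = alloca(strlen(path) + 1); /* unbounded stack allocation */
    strcpy(tmp, path);
    escape_in_place(tmp);
    return (*ret = heap_copy(tmp)) ? 0 : -ENOMEM;
}

/* Hardened form: heap copy, so an oversized path succeeds or returns -ENOMEM. */
int escape_on_heap(const char *path, char **ret) {
    if (!(*ret = heap_copy(path)))
        return -ENOMEM;
    escape_in_place(*ret);
    return 0;
}

/* Constructed input: "/AAAA..." of len bytes; 0 if the heap form handles it. */
int check_long_path(size_t len) {
    char *path = malloc(len + 1), *out = NULL;
    if (!path) return -ENOMEM;
    memset(path, 'A', len);
    path[0] = '/'; path[len] = '\0';
    int ok = escape_on_heap(path, &out) == 0 && strlen(out) == len && out[0] == '-';
    free(out); free(path);
    return ok ? 0 : -1;
}
```

With a 16 MiB path, larger than the common 8 MiB default stack limit, `escape_on_heap()` still returns normally, which is the property the fix relies on.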