unprivileged user can freeze journald

Bug #1514141 reported by Guillaume Knispel
Affects: systemd (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt

Bug Description

On default installs of Ubuntu 15.10, both server and desktop, an unprivileged user can freeze journald using the attached program. (Journald is then eventually killed and restarted by systemd after a 1 min timeout is detected - but nothing prevents the unprivileged user from DoSing it in a loop if he feels so inclined.)

The reason is that journald uses inappropriate rules to decide if a file descriptor sent by a user is safe to read.

[ IMO that such a "feature" (passing messages to log to journald by fd to regular files) exists at all should be questioned anyway, given the kind of impacts it can have on various aspects of the whole system (e.g.: the fd is completely read in a malloc'ed area, up to 750 MB) ]
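
As an added illustration of the report's point about deciding whether a passed file descriptor is safe to read (this is not journald's code and not the upstream fix): a stricter receiver policy than accepting any regular file, which admits only a sealed memfd within a size cap. The names `passed_fd_acceptable` and `sample_memfd` and the cap values are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef F_ADD_SEALS            /* Linux values, in case the libc headers hide them */
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#define REQUIRED_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Hypothetical policy check (an assumption, not journald's rules):
 * returns 0 if the passed fd may be consumed, a negative errno otherwise. */
int passed_fd_acceptable(int fd, off_t max_size) {
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -errno;
    if (!S_ISREG(st.st_mode))           /* pipes, sockets, ttys, devices */
        return -EBADF;
    int seals = fcntl(fd, F_GET_SEALS); /* fails on files without sealing support */
    if (seals < 0 || (seals & REQUIRED_SEALS) != REQUIRED_SEALS)
        return -EPERM;                  /* sender could still change or resize it */
    if (st.st_size > max_size)          /* size is fixed by the seals, so the cap holds */
        return -E2BIG;
    return 0;
}

/* Constructed sample input: a memfd holding `len` bytes, optionally sealed. */
int sample_memfd(const char *data, size_t len, int seal) {
    int fd = (int) syscall(SYS_memfd_create, "sample", 2u /* MFD_ALLOW_SEALING */);
    if (fd < 0) return -errno;
    if (write(fd, data, len) != (ssize_t) len ||
        (seal && fcntl(fd, F_ADD_SEALS, REQUIRED_SEALS) < 0)) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}

int main(void) {
    int ok = sample_memfd("MESSAGE=hi\n", 11, 1), bad = sample_memfd("MESSAGE=hi\n", 11, 0);
    return !(passed_fd_acceptable(ok, 4096) == 0 &&
             passed_fd_acceptable(bad, 4096) == -EPERM);
}
```

Checking the seals before the size matters: without `F_SEAL_GROW` the sender could enlarge the file after the `fstat` call, so the cap would not bound what the receiver ends up reading.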

Guillaume Knispel (xilun0) wrote :
information type: Private Security → Public Security
Guillaume Knispel (xilun0) wrote :

Fedora 23 misbehaves identically with its default conf:
https://bugzilla.redhat.com/show_bug.cgi?id=1279251

Martin Pitt (pitti) wrote :

Thanks for your report! Let's discuss/fix that on the upstream side to get the relevant developers.

Changed in systemd (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Martin Pitt (pitti) wrote :

This got fixed/worked around upstream in https://github.com/systemd/systemd/commit/1e603a482f57edb and will be in 228.

Changed in systemd (Ubuntu):
status: Triaged → Fix Committed
assignee: nobody → Martin Pitt (pitti)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 228-1ubuntu2

---------------
systemd (228-1ubuntu2) xenial; urgency=medium

  * Merge with Debian to fix FTBFS.

systemd (228-3) UNRELEASED; urgency=medium

  * debian/rules: Remove temporary debug output from test failures again. All
    Debian buildd kernels are recent enough now, but add a check for kernels
    older than 3.13 and ignore test failures for those.

systemd (228-2) unstable; urgency=medium

  * Remove wrong endianness conversion in test-siphash24 to fix FTBFS on
    big-endian machines.
  * Bump libseccomp-dev build dependency to indicate required versions for
    backporting to jessie. (Closes: #805497)

 -- Martin Pitt <email address hidden> Thu, 19 Nov 2015 12:41:25 +0100

Changed in systemd (Ubuntu):
status: Fix Committed → Fix Released