Bug ID: 954374
Summary: unprivileged user can freeze journald
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: xilun0@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 655273: program to freeze journald

On default installs of openSUSE 42.1, both server and desktop, an unprivileged
user can freeze journald using the attached program. (journald is then
eventually killed and restarted by systemd after a 1 min timeout is detected,
but nothing prevents the unprivileged user from DoSing in a loop if he feels so
inclined.)

The reason is that journald uses inappropriate rules to decide if a file
descriptor sent by a user is safe to read.

[IMO, whether such a "feature" (passing messages to log to journald by fd to
regular files) should exist at all is questionable anyway, given the kind of
impact it can have on various aspects of the whole system (e.g. the fd is read
completely into a malloc'ed area, up to 750 MB).]

Steps to Reproduce:

  build & run attached program
  1. gcc -O2 -Wall -Wextra -std=gnu99 -o lol lol.c
  2. ./lol

Actual Results:

  journald freezes on a pread system call trying to read the mandatory-locked
regular file. It won't be unblocked until it is killed or the "./lol" program
is stopped.

Expected Results: 

  journald does not freeze.

Build Date & Hardware:

  systemd-210-84.1.x86_64    (from Leap 42.1)

Additional Builds and Platforms:

  The same vuln exists on Fedora 23 and Ubuntu 15.10:

  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1514141
  https://bugzilla.redhat.com/show_bug.cgi?id=1279251
