[Bug 954374] New: unprivileged user can freeze journald
http://bugzilla.opensuse.org/show_bug.cgi?id=954374

            Bug ID: 954374
           Summary: unprivileged user can freeze journald
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: xilun0@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 655273
  --> http://bugzilla.opensuse.org/attachment.cgi?id=655273&action=edit
program to freeze journald

On default installs of OpenSUSE 42.1, both server and desktop, an unprivileged user can freeze journald using the attached program.

(Journald is then eventually killed and restarted by systemd after a 1 min timeout is detected - but nothing prevents the unprivileged user from DoSing in a loop if he feels so inclined.)

The reason is that journald uses inappropriate rules to decide if a file descriptor sent by a user is safe to read.

[ IMO that such a "feature" (passing messages to log to journald by fd to regular files) exists at all should be questioned anyway, given the kind of impacts it can have on various aspects of the whole system (e.g.: the fd is completely read in a malloc'ed area, up to 750 MB) ]

Steps to Reproduce:
build & run attached program
1. gcc -O2 -Wall -Wextra -std=gnu99 -o lol lol.c
2. ./lol

Actual Results:
journald freezes on a pread system call trying to read the mandatory locked regular file. It won't be unblocked until killed or the "./lol" program is stopped.

Expected Results:
journald does not freeze.

Build Date & Hardware:
systemd-210-84.1.x86_64 (from Leap 42.1)

Additional Builds and Platforms:
Same vuln exists on Fedora 23 and Ubuntu 15.10
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1514141
https://bugzilla.redhat.com/show_bug.cgi?id=1279251

-- 
You are receiving this mail because:
You are on the CC list for the bug.
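The report's root cause is a daemon that accepts a file descriptor from an unprivileged peer and reads it into memory without first deciding whether the read can block or how large it may get. The code below is an added example written for this page from the defender's side; it is not the reporter's attached program and not systemd's code, and it makes no claim about how journald was actually fixed. It assumes the Linux rule documented in fcntl(2) for marking a file as subject to mandatory locking (set-group-ID bit on, group-execute bit off, on a filesystem mounted with "mand") and uses a constructed 4 MB size cap; the function and constant names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed cap on what we are willing to read from a peer-supplied fd.
 * The report quotes journald's own limit as about 750 MB. */
#define UNTRUSTED_FD_MAX_BYTES (4L * 1024 * 1024)

enum fd_verdict {
    FD_OK = 0,
    FD_NOT_REGULAR,        /* pipe, socket, device: a read may never return */
    FD_TOO_LARGE,          /* would commit more memory than we allow */
    FD_MANDATORY_LOCKABLE  /* mode marker for mandatory locking: pread can block */
};

/* Pure policy decision over a struct stat already fetched with fstat(), so it
 * can be exercised without creating special files. Per fcntl(2), Linux treats
 * a file with S_ISGID set and S_IXGRP clear as mandatory-lockable; we refuse
 * that mode regardless of whether the mount currently allows mandatory locks. */
enum fd_verdict classify_untrusted_fd(const struct stat *st, off_t max_bytes)
{
    if (!S_ISREG(st->st_mode))
        return FD_NOT_REGULAR;
    if (st->st_size > max_bytes)
        return FD_TOO_LARGE;
    if ((st->st_mode & S_ISGID) && !(st->st_mode & S_IXGRP))
        return FD_MANDATORY_LOCKABLE;
    return FD_OK;
}

/* Read a peer-supplied fd into a malloc'ed, NUL-terminated buffer only after
 * classify_untrusted_fd() accepts it. Returns NULL and sets *verdict when
 * refused. Caveat: the peer can still change the mode or size between our
 * fstat() and our pread() (a TOCTOU window); a design that only accepts
 * sealed memfds, or reads with a deadline, closes that gap. */
char *read_untrusted_fd(int fd, size_t *len_out, enum fd_verdict *verdict)
{
    struct stat st;
    if (fstat(fd, &st) < 0) {
        *verdict = FD_NOT_REGULAR;
        return NULL;
    }
    *verdict = classify_untrusted_fd(&st, UNTRUSTED_FD_MAX_BYTES);
    if (*verdict != FD_OK)
        return NULL;

    size_t n = (size_t)st.st_size, done = 0;
    char *buf = malloc(n + 1);
    if (!buf)
        return NULL;
    while (done < n) {
        ssize_t r = pread(fd, buf + done, n - done, (off_t)done);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;  /* file shrank or read error: keep what we have */
        done += (size_t)r;
    }
    buf[done] = '\0';
    *len_out = done;
    return buf;
}

int main(void)
{
    char path[] = "/tmp/untrusted-fd-XXXXXX";  /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    unlink(path);
    const char msg[] = "MESSAGE=hello from an unprivileged peer\n";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return 1;

    size_t len;
    enum fd_verdict v;
    char *buf = read_untrusted_fd(fd, &len, &v);
    printf("plain file: %s (%zu bytes)\n", buf ? "accepted" : "refused", buf ? len : 0);
    free(buf);

    /* Give the same file the mandatory-locking mode marker. The kernel drops
     * S_ISGID silently if we are not in the file's group, so this is a demo
     * rather than a guarantee. */
    fchmod(fd, 0600 | S_ISGID);
    buf = read_untrusted_fd(fd, &len, &v);
    printf("setgid without group-exec: %s (verdict %d)\n", buf ? "accepted" : "refused", v);
    free(buf);
    close(fd);
    return 0;
}
```

The type and size checks come first because they are cheap and cover the non-file cases; the mode check is deliberately conservative and rejects the marker even on filesystems not mounted with "mand", since a file that merely looks lockable is not worth the risk to a system daemon.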
http://bugzilla.opensuse.org/show_bug.cgi?id=954374#c1
--- Comment #1 from Guillaume Knispel