group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1628687@xxxxxxxxxxxxxxxxxx>
Date: Wed, 12 Oct 2016 08:37:09 -0000
Reply-to: Bug 1628687 <1628687@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package systemd - 229-4ubuntu11

---------------
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks
    Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
    well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
    which we need for good netplan support. Backporting them individually
    would be a lot more work and a lot less robust, and we did not use/support
    networkd in 16.04 so far. Drop the other network related patches as they
    are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the the DHCPv6 tests. The DHCPv6
    behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
    assertion, the "n" value was not used anyway. This fixes a local DoS due
    to unprocessed/unclosed fds which got introduced by the previous fix.
    (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
    manager_dispatch_notify_fd() fails and returns an error then the handling
    of service notifications will be disabled entirely leading to a
    compromised system. (side issue of LP: #1628687)

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Tue, 04 Oct 2016 21:43:04
+0200

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Fix Released
Status in systemd source package in Yakkety:
  Fix Released

Bug description:
  Environment:

  Xenial 16.04.1
  Amd64

  Description.

  Systemd fails an assertion in manager_invoke_notify_message when a
  zero-length message is received over /run/systemd/notify. This allows
  a local user to perform a denial-of-service attack against PID 1.

  How to trigger the bug:

  $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify "";
  done

  The following entries are written into /var/log/syslog, at this point
  systemd is crashed.

  Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
  Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
  Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307.
  Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.

  Public bug: https://github.com/systemd/systemd/issues/4234

  The original USN/security fix in
  https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced
  another local DoS due to fd exhaustion:

    NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import
  daemon; daemon.notify("", fds=[0]*100)'

  Run this a few times and watch "sudo ls -l /proc/1/fd" grow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions