← Back to team overview

kernel-packages team mailing list archive

[Bug 1381005] Re: Long stdin from terminal can result in code execution


I was able to reproduce this in Trusty.  However, this seems to be fixed
in mainline as early as v4.0-rc1.  I'll figure out which commit fixes
this and then have is SRU'd and request it in upstream stable, if it
wasn't already.

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  Long stdin from terminal can result in code execution

Status in linux package in Ubuntu:

Bug description:
  Under certain conditions, the input entered from a terminal with a
  foreground process waiting for stdin, can be interpreted and executed
  by the shell.

  Steps to reproduce:
  1) Open a terminal
  2) Run a simple program that waits for stdin (like cat, tee, head, tail, ...) or even the bash-builtin command read. No need to specify arguments
  3) Type or paste exactly 4096 ASCII characters into the terminal (see sample attachment)
  4) Press Enter

  What should happen:
  The program in foreground reads 4097 characters (the last one is new line).

  What actually happens:
  Instead of reading the input, the current program exits (read() only reads one character before EOF) and the shell executes the same input starting from the second character.

  I believe that the issue can be reproduced with:
  - any terminal (tested on xterm, gnome-terminal, tty)
  - any shell (tested on bash, zsh)
  - any program that reads stdin from terminal (not attached to a pipe)

  Debugging the shell with gdb suggests that the bug is in the implementation of read(), hence libc6 or under (kernel).
  Specifically, the bug is caused by read() reading only one character (new line) when entering a text of 4096 characters in stdin on the terminal. It looks like read() is then closing the stdin descriptor.
  If the input is 4097 characters long, read() will read two characters and the shell will interpret from the 3rd character, and so on.

  Verified on:
  Ubuntu 14.04.1 LTS

  3.13.0-24-generic x86_64
  3.13.0-32-generic x86_64
  3.13.0-36-generic x86_64


  I'm happy to provide more information if it helps.

To manage notifications about this bug go to: