← Back to team overview

kernel-packages team mailing list archive

[Bug 1381005] [NEW] Long stdin from terminal can result in code execution

 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Under certain conditions, the input entered from a terminal with a
foreground process waiting for stdin, can be interpreted and executed by
the shell.

Steps to reproduce:
1) Open a terminal
2) Run a simple program that waits for stdin (like cat, tee, head, tail, ...) or even the bash-builtin command read. No need to specify arguments
3) Type or paste exactly 4096 ASCII characters into the terminal (see sample attachment)
4) Press Enter

What should happen:
The program in foreground reads 4097 characters (the last one is new line).

What actually happens:
Instead of reading the input, the current program exits (read() only reads one character before EOF) and the shell executes the same input starting from the second character.

I believe that the issue can be reproduced with:
- any terminal (tested on xterm, gnome-terminal, tty)
- any shell (tested on bash, zsh)
- any program that reads stdin from terminal (not attached to a pipe)

Debugging the shell with gdb suggests that the bug is in the implementation of read(), hence libc6 or under (kernel).
Specifically, the bug is caused by read() reading only one character (new line) when entering a text of 4096 characters in stdin on the terminal. It looks like read() is then closing the stdin descriptor.
If the input is 4097 characters long, read() will read two characters and the shell will interpret from the 3rd character, and so on.

Verified on:
Ubuntu 14.04.1 LTS

Kernel:
3.13.0-24-generic x86_64
3.13.0-32-generic x86_64
3.13.0-36-generic x86_64

libc6:
2.19-0ubuntu6
2.19-0ubuntu6.1
2.19-0ubuntu6.3

I'm happy to provide more information if it helps.
Angelo

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
Long stdin from terminal can result in code execution
https://bugs.launchpad.net/bugs/1381005
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.