kernel-packages team mailing list archive

Thread
Date

[Bug 1381005] Re: Long stdin from terminal can result in code execution

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Joseph Salisbury <joseph.salisbury@xxxxxxxxxxxxx>
Date: Wed, 12 Nov 2014 17:23:40 -0000
Reply-to: Bug 1381005 <1381005@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Would it be possible for you to test the latest upstream kernel? Refer
to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest
v3.18 kernel[0].

If this bug is fixed in the mainline kernel, please add the following
tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag:
'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".


Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.18-rc4-vivid/

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
       Status: Confirmed => Incomplete

** Tags added: kernel-da-key trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1381005

Title:
  Long stdin from terminal can result in code execution

Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  Under certain conditions, the input entered from a terminal with a
  foreground process waiting for stdin, can be interpreted and executed
  by the shell.

  Steps to reproduce:
  1) Open a terminal
  2) Run a simple program that waits for stdin (like cat, tee, head, tail, ...) or even the bash-builtin command read. No need to specify arguments
  3) Type or paste exactly 4096 ASCII characters into the terminal (see sample attachment)
  4) Press Enter

  What should happen:
  The program in foreground reads 4097 characters (the last one is new line).

  What actually happens:
  Instead of reading the input, the current program exits (read() only reads one character before EOF) and the shell executes the same input starting from the second character.

  I believe that the issue can be reproduced with:
  - any terminal (tested on xterm, gnome-terminal, tty)
  - any shell (tested on bash, zsh)
  - any program that reads stdin from terminal (not attached to a pipe)

  Debugging the shell with gdb suggests that the bug is in the implementation of read(), hence libc6 or under (kernel).
  Specifically, the bug is caused by read() reading only one character (new line) when entering a text of 4096 characters in stdin on the terminal. It looks like read() is then closing the stdin descriptor.
  If the input is 4097 characters long, read() will read two characters and the shell will interpret from the 3rd character, and so on.

  Verified on:
  Ubuntu 14.04.1 LTS

  Kernel:
  3.13.0-24-generic x86_64
  3.13.0-32-generic x86_64
  3.13.0-36-generic x86_64

  libc6:
  2.19-0ubuntu6
  2.19-0ubuntu6.1
  2.19-0ubuntu6.3

  I'm happy to provide more information if it helps.
  Angelo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1381005/+subscriptions