Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-08 Thread Debian Bug Tracking System
Processing control commands:

> retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when splice()ing 
> from /dev/null
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel 
dumps arbitrary memory when splice()ing from /dev/null
Changed Bug title to '[CVE-2017-5550] kernel dumps arbitrary memory when 
splice()ing from /dev/null' from 'kernel dumps arbitrary memory when 
splice()ing from /dev/null'.

-- 
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-08 Thread Daniel Kahn Gillmor
Control: retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when 
splice()ing from /dev/null

On Tue 2017-02-07 20:21:31 -0500, Ben Hutchings wrote:
> Control: reassign -1 src:linux 4.9.2-2
> Control: close -1 4.9.6-3
> Control: severity -1 serious
> Control: tag -1 security
>
> On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote:
>> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
>> > git clone https://0xacab.org/dkg/debian-bug-854421
>> > cd debian-bug-854421
>> > make
>> 
>> interestingly, on at least one machine i try this on, getting it to
>> reproduce is very infrequent with plain "make", even with the 20 tries
>> on kernel version 4.9.2-2.
>
> It's much less likely to happen if there's only one CPU.
>
>> however, "make strace" seems to tickle the bug further, and makes it
>> much more likely to reproduce on 4.9.2-2, even though it's only one
>> try.
>> 
>> with kernel 4.9.6-3 i haven't been able to reproduce it with either
>> "make" or "make strace".
>
> This is CVE-2017-5550, fixed by:
> https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

Thanks for tracking that down, Ben.  I can confirm that it's an infoleak
of the worst kind, unfortunately -- i filled the RAM of a root-owned
userspace process with an arbitrary string, and then triggered the dump
from a non-privileged process and managed to get copies of the arbitrary
string :(

   --dkg




Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-07 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 src:linux 4.9.2-2
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when 
splice()ing from /dev/null
Bug reassigned from package 'linux-image-4.9.0-1-amd64' to 'src:linux'.
No longer marked as found in versions linux-signed/4.
No longer marked as fixed in versions linux-signed/4.1.
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from 
/dev/null
Marked as found in versions linux/4.9.2-2.
> close -1 4.9.6-3
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from 
/dev/null
Marked as fixed in versions linux/4.9.6-3.
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from 
/dev/null
Marked Bug as done
> severity -1 serious
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel 
dumps arbitrary memory when splice()ing from /dev/null
Severity set to 'serious' from 'normal'
> tag -1 security
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel 
dumps arbitrary memory when splice()ing from /dev/null
Added tag(s) security.

-- 
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-07 Thread Ben Hutchings
Control: reassign -1 src:linux 4.9.2-2
Control: close -1 4.9.6-3
Control: severity -1 serious
Control: tag -1 security

On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote:
> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
> > git clone https://0xacab.org/dkg/debian-bug-854421
> > cd debian-bug-854421
> > make
> 
> interestingly, on at least one machine i try this on, getting it to
> reproduce is very infrequent with plain "make", even with the 20 tries
> on kernel version 4.9.2-2.

It's much less likely to happen if there's only one CPU.

> however, "make strace" seems to tickle the bug further, and makes it
> much more likely to reproduce on 4.9.2-2, even though it's only one
> try.
> 
> with kernel 4.9.6-3 i haven't been able to reproduce it with either
> "make" or "make strace".

This is CVE-2017-5550, fixed by:
https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of
them.




Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-07 Thread Daniel Kahn Gillmor
On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
> git clone https://0xacab.org/dkg/debian-bug-854421
> cd debian-bug-854421
> make

interestingly, on at least one machine i try this on, getting it to
reproduce is very infrequent with plain "make", even with the 20 tries
on kernel version 4.9.2-2.

however, "make strace" seems to tickle the bug further, and makes it
much more likely to reproduce on 4.9.2-2, even though it's only one try.

with kernel 4.9.6-3 i haven't been able to reproduce it with either
"make" or "make strace".

 --dkg



Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

2017-02-07 Thread Debian Bug Tracking System
Processing control commands:

> retitle 854421 kernel dumps arbitrary memory when splice()ing from /dev/null
Bug #854421 [systemd] systemd: "systemctl --user cat dirmngr.socket" produced 
garbage beyond # /dev/null
Changed Bug title to 'kernel dumps arbitrary memory when splice()ing from 
/dev/null' from 'systemd: "systemctl --user cat dirmngr.socket" produced 
garbage beyond # /dev/null'.
> reassign 854421 linux-image-4.9.0-1-amd64 4.9.2-2
Bug #854421 [systemd] kernel dumps arbitrary memory when splice()ing from 
/dev/null
Bug reassigned from package 'systemd' to 'linux-image-4.9.0-1-amd64'.
No longer marked as found in versions systemd/232-15.
Ignoring request to alter fixed versions of bug #854421 to the same values 
previously set
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when 
splice()ing from /dev/null
Marked as found in versions linux-signed/4.
> fixed 854421 4.9.6-3
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when 
splice()ing from /dev/null
Marked as fixed in versions linux-signed/4.1.

-- 
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems