Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Processing control commands:

> retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when splice()ing
> from /dev/null
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Changed Bug title to '[CVE-2017-5550] kernel dumps arbitrary memory when splice()ing from /dev/null' from 'kernel dumps arbitrary memory when splice()ing from /dev/null'.

--
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Control: retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when splice()ing from /dev/null

On Tue 2017-02-07 20:21:31 -0500, Ben Hutchings wrote:
> Control: reassign -1 src:linux 4.9.2-2
> Control: close -1 4.9.6-3
> Control: severity -1 serious
> Control: tag -1 security
>
> On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote:
>> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
>> > git clone https://0xacab.org/dkg/debian-bug-854421
>> > cd debian-bug-854421
>> > make
>>
>> interestingly, on at least one machine i try this on, getting it to
>> reproduce is very infrequent with plain "make", even with the 20 tries
>> on kernel version 4.9.2-2.
>
> It's much less likely to happen if there's only one CPU.
>
>> however, "make strace" seems to tickle the bug further, and makes it
>> much more likely to reproduce on 4.9.2-2, even though it's only one
>> try.
>>
>> with kernel 4.9.6-3 i haven't been able to reproduce it with either
>> "make" or "make strace".
>
> This is CVE-2017-5550, fixed by:
> https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

Thanks for tracking that down, Ben.

I can confirm that it's an infoleak of the worst kind, unfortunately --
i filled the RAM of a root-owned userspace process with an arbitrary
string, and then triggered the dump from a non-privileged process and
managed to get copies of the arbitrary string :(

        --dkg
Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Processing control commands:

> reassign -1 src:linux 4.9.2-2
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when splice()ing from /dev/null
Bug reassigned from package 'linux-image-4.9.0-1-amd64' to 'src:linux'.
No longer marked as found in versions linux-signed/4.
No longer marked as fixed in versions linux-signed/4.1.
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Marked as found in versions linux/4.9.2-2.
> close -1 4.9.6-3
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Marked as fixed in versions linux/4.9.6-3.
Bug #854421 [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Marked Bug as done
> severity -1 serious
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Severity set to 'serious' from 'normal'
> tag -1 security
Bug #854421 {Done: Ben Hutchings } [src:linux] kernel dumps arbitrary memory when splice()ing from /dev/null
Added tag(s) security.

--
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Control: reassign -1 src:linux 4.9.2-2
Control: close -1 4.9.6-3
Control: severity -1 serious
Control: tag -1 security

On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote:
> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
> > git clone https://0xacab.org/dkg/debian-bug-854421
> > cd debian-bug-854421
> > make
>
> interestingly, on at least one machine i try this on, getting it to
> reproduce is very infrequent with plain "make", even with the 20 tries
> on kernel version 4.9.2-2.

It's much less likely to happen if there's only one CPU.

> however, "make strace" seems to tickle the bug further, and makes it
> much more likely to reproduce on 4.9.2-2, even though it's only one
> try.
>
> with kernel 4.9.6-3 i haven't been able to reproduce it with either
> "make" or "make strace".

This is CVE-2017-5550, fixed by:
https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of them.
Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
> git clone https://0xacab.org/dkg/debian-bug-854421
> cd debian-bug-854421
> make

interestingly, on at least one machine i try this on, getting it to
reproduce is very infrequent with plain "make", even with the 20 tries
on kernel version 4.9.2-2.

however, "make strace" seems to tickle the bug further, and makes it
much more likely to reproduce on 4.9.2-2, even though it's only one
try.

with kernel 4.9.6-3 i haven't been able to reproduce it with either
"make" or "make strace".

        --dkg
Processed: Re: Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Processing control commands:

> retitle 854421 kernel dumps arbitrary memory when splice()ing from /dev/null
Bug #854421 [systemd] systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Changed Bug title to 'kernel dumps arbitrary memory when splice()ing from /dev/null' from 'systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null'.
> reassign 854421 linux-image-4.9.0-1-amd64 4.9.2-2
Bug #854421 [systemd] kernel dumps arbitrary memory when splice()ing from /dev/null
Bug reassigned from package 'systemd' to 'linux-image-4.9.0-1-amd64'.
No longer marked as found in versions systemd/232-15.
Ignoring request to alter fixed versions of bug #854421 to the same values previously set
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when splice()ing from /dev/null
Marked as found in versions linux-signed/4.
> fixed 854421 4.9.6-3
Bug #854421 [linux-image-4.9.0-1-amd64] kernel dumps arbitrary memory when splice()ing from /dev/null
Marked as fixed in versions linux-signed/4.1.

--
854421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems