Serious regression in systemd 215-17+deb8u10

2019-03-06 Thread Dan Poltawski 
Hello,

We have discovered that the latest version of systemd uploaded to jessie is 
causing systemd-journald to use an ever increasing amount of memory, eventually 
leading to all available memory being consumed. This has been observed on 
multiple different systems we use which are logging quite heavily and have 
upgraded to the latest systemd package. We have some systems which haven't had 
the new security patches applied and are not observing this behaviour - there 
is a clear correlation with the latest version of the systemd package.

It seems quite similar to situation described on Debian bug 920018 and hope 
that a fix can be found.

thanks for your efforts providing LTS to debian.

Dan

-

From: Michael Biebl 
Sent: 06 March 2019 13:18
To: Dan Poltawski; 920...@bugs.debian.org
Subject: Re: Bug#920018: Jessie Fix?


Am 06.03.19 um 13:17 schrieb Dan Poltawski:
> We are seeing this bug on the jessie ( systemd  215-17+deb8u10) and it's 
> extremely serious, leading to systemd-journald eventually consuming all 
> memory on the system. Is there a fix for jessie incoming?

jessie is oldstable and no longer officially supported directly by
Debian. There is a Debian LTS effort. You should probably contact them
for a jessie fix.

https://wiki.debian.org/LTS

Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?




The Networking People (NorthWest) Limited. Registered office: c/o Hanleys, 
Spring Court, Hale, Cheshire, WA14 2UQ. Registered in England & Wales with 
company number: 07667393

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and delete 
this e-mail from your system. If you are not the intended recipient you are 
notified that disclosing, copying, distributing or taking any action in 
reliance on the contents of this information is strictly prohibited.

Re: Serious regression in systemd 215-17+deb8u10

2019-03-06 Thread Chris Lamb 
Hi Dan,

> We have discovered that the latest version of systemd uploaded to 
> jessie is causing systemd-journald to use an ever increasing amount of 
> memory, eventually leading to all available memory being consumed. This 
> has been observed on multiple different systems we use which are 
> logging quite heavily and have upgraded to the latest systemd package. 
> We have some systems which haven't had the new security patches applied 
> and are not observing this behaviour - there is a clear correlation 
> with the latest version of the systemd package.

So, this is the patch that was applied in systemd 215-17+deb8u10:

Description: journald: do not store the iovec entry for process commandline 
on stack
 This fixes a crash (CVE-2018-16864) where we
 would read the commandline, whose length is under control of the
 sending program, and then crash when trying to create a stack
 allocation for it.
 .
 This is a backport of 
https://github.com/systemd/systemd/commit/084eeb865ca63887098e0945fb4e93c852b91b0f
Author: Antoine Beaupré 
Bug-Debian: https://bugs.debian.org/918841
Origin: Debian
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1653855
Forwarded: not-needed
Last-Update: 2019-01-22

--- systemd-215.orig/src/journal/journald-server.c
+++ systemd-215/src/journal/journald-server.c
@@ -602,7 +602,10 @@ static void dispatch_message_real(
 
 r = get_process_cmdline(ucred->pid, 0, false, &t);
 if (r >= 0) {
-x = strappenda("_CMDLINE=", t);
+/* At most _SC_ARG_MAX (2MB usually), which is
+ * too much to put on stack. Let's use a heap
+ * allocation for this one. */ 
+x = strappend("_CMDLINE=", t);
 free(t);
 IOVEC_SET_STRING(iovec[n++], x);
 }
@@ -716,7 +719,9 @@ static void dispatch_message_real(
 
 r = get_process_comm(object_pid, &t);
 if (r >= 0) {
-x = strappenda("OBJECT_COMM=", t);
+/* See above for size limits, only ->cmdline
+ * may be large, so use a heap allocation for it. 
*/
+x = strappend("OBJECT_COMM=", t);
 free(t);
 IOVEC_SET_STRING(iovec[n++], x);
 }

I can't immediately see what's up, nor the direct relevance to the
upstream changes listed on #920018, however.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-

Re: Serious regression in systemd 215-17+deb8u10

2019-03-06 Thread Attila Szalay 
Hi,

If I would have to guess, the difference is that strappenda use alloca,
which then use the stack to allocate the string. And the stack is freed
when the function exists, in contrast with allocating memory in heap. maybe
a free(x) is missing from after the IOVEC_SET_STRING

On Wed, Mar 6, 2019 at 8:57 PM Chris Lamb  wrote:

> Hi Dan,
>
> > We have discovered that the latest version of systemd uploaded to
> > jessie is causing systemd-journald to use an ever increasing amount of
> > memory, eventually leading to all available memory being consumed. This
> > has been observed on multiple different systems we use which are
> > logging quite heavily and have upgraded to the latest systemd package.
> > We have some systems which haven't had the new security patches applied
> > and are not observing this behaviour - there is a clear correlation
> > with the latest version of the systemd package.
>
> So, this is the patch that was applied in systemd 215-17+deb8u10:
>
> Description: journald: do not store the iovec entry for process
> commandline on stack
>  This fixes a crash (CVE-2018-16864) where we
>  would read the commandline, whose length is under control of the
>  sending program, and then crash when trying to create a stack
>  allocation for it.
>  .
>  This is a backport of
> https://github.com/systemd/systemd/commit/084eeb865ca63887098e0945fb4e93c852b91b0f
> Author: Antoine Beaupré 
> Bug-Debian: https://bugs.debian.org/918841
> Origin: Debian
> Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1653855
> Forwarded: not-needed
> Last-Update: 2019-01-22
>
> --- systemd-215.orig/src/journal/journald-server.c
> +++ systemd-215/src/journal/journald-server.c
> @@ -602,7 +602,10 @@ static void dispatch_message_real(
>
>  r = get_process_cmdline(ucred->pid, 0, false, &t);
>  if (r >= 0) {
> -x = strappenda("_CMDLINE=", t);
> +/* At most _SC_ARG_MAX (2MB usually), which is
> + * too much to put on stack. Let's use a heap
> + * allocation for this one. */
> +x = strappend("_CMDLINE=", t);
>  free(t);
>  IOVEC_SET_STRING(iovec[n++], x);
>  }
> @@ -716,7 +719,9 @@ static void dispatch_message_real(
>
>  r = get_process_comm(object_pid, &t);
>  if (r >= 0) {
> -x = strappenda("OBJECT_COMM=", t);
> +/* See above for size limits, only ->cmdline
> + * may be large, so use a heap allocation for
> it. */
> +x = strappend("OBJECT_COMM=", t);
>  free(t);
>  IOVEC_SET_STRING(iovec[n++], x);
>  }
>
> I can't immediately see what's up, nor the direct relevance to the
> upstream changes listed on #920018, however.
>
>
> Regards,
>
> --
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
>`-
>
>

Re: Serious regression in systemd 215-17+deb8u10

2019-03-06 Thread Sven Hartge 
Chris Lamb  wrote:
> Hi Dan,

>> We have discovered that the latest version of systemd uploaded to 
>> jessie is causing systemd-journald to use an ever increasing amount of 
>> memory, eventually leading to all available memory being consumed. This 
>> has been observed on multiple different systems we use which are 
>> logging quite heavily and have upgraded to the latest systemd package. 
>> We have some systems which haven't had the new security patches applied 
>> and are not observing this behaviour - there is a clear correlation 
>> with the latest version of the systemd package.

> So, this is the patch that was applied in systemd 215-17+deb8u10:

> Description: journald: do not store the iovec entry for process 
> commandline on stack
>  This fixes a crash (CVE-2018-16864) where we
>  would read the commandline, whose length is under control of the
>  sending program, and then crash when trying to create a stack
>  allocation for it.
>  .
>  This is a backport of 
> https://github.com/systemd/systemd/commit/084eeb865ca63887098e0945fb4e93c852b91b0f
> Author: Antoine Beaupré 
> Bug-Debian: https://bugs.debian.org/918841
> Origin: Debian
> Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1653855
> Forwarded: not-needed
> Last-Update: 2019-01-22

> --- systemd-215.orig/src/journal/journald-server.c
> +++ systemd-215/src/journal/journald-server.c
> @@ -602,7 +602,10 @@ static void dispatch_message_real(
>  
>  r = get_process_cmdline(ucred->pid, 0, false, &t);
>  if (r >= 0) {
> -x = strappenda("_CMDLINE=", t);
> +/* At most _SC_ARG_MAX (2MB usually), which is
> + * too much to put on stack. Let's use a heap
> + * allocation for this one. */ 
> +x = strappend("_CMDLINE=", t);
>  free(t);
>  IOVEC_SET_STRING(iovec[n++], x);
>  }
> @@ -716,7 +719,9 @@ static void dispatch_message_real(
>  
>  r = get_process_comm(object_pid, &t);
>  if (r >= 0) {
> -x = strappenda("OBJECT_COMM=", t);
> +/* See above for size limits, only ->cmdline
> + * may be large, so use a heap allocation for 
> it. */
> +x = strappend("OBJECT_COMM=", t);
>  free(t);
>  IOVEC_SET_STRING(iovec[n++], x);
>  }

> I can't immediately see what's up, nor the direct relevance to the
> upstream changes listed on #920018, however.

The problem with the change for Stretch was that it *always* allocated
2MB on the heap, even when then amount needed was much smaller, until
16384 journal cache entries where filled.

But using my test loop from
https://github.com/systemd/systemd/issues/11502#issuecomment-456407529 I
am not able to reproduce the problem on a Debian Jessie system (AMD64)
with 215-17+deb8u10.

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

Re: Serious regression in systemd 215-17+deb8u10

2019-03-11 Thread Dan Poltawski 
Thanks for your responses. One of my colleagues has been looking into this 
trying to get the bottom of it and we do seem to have identified a memory leak 
which isn't present on stretch. I note the report posted to the list 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924060.

Here are what my colleague Alan has documented about his findings, we're going 
into this without much knowledge of the area, sharing in the hope it helps 
someone more familiar with the situation:

We have run journald under Valgrind, putting system logs through logger - which 
has identified several memory leaks, for example:

==9577== 1,298,665 bytes in 21,103 blocks are definitely lost in loss record 11 
of 11
==9577== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==9577== by 0x1272F0: strappend (in /lib/systemd/systemd-journald)
==9577== by 0x112849: dispatch_message_real.lto_priv.175 (in 
/lib/systemd/systemd-journald)
==9577== by 0x131867: server_dispatch_message (in /lib/systemd/systemd-journald)
==9577== by 0x12F189: process_datagram.part.10.lto_priv.168 (in
==9577== by 0x12355F: source_dispatch (in /lib/systemd/systemd-journald)
==9577== by 0x12402E: sd_event_run (in /lib/systemd/systemd-journald)
==9577== by 0x10DFC3: main (in /lib/systemd/systemd-journald)

Note that CVE-2018-16864.patch applies to function "dispatch_message_real" in 
journald-server.c,
which matches the leak found by Valgrind.

This patch changes calls to "strappenda" to "strappend".

"strappenda" calls "alloca(3)" which allocates memory on the stack, to be freed 
on function return.

"strappend" calls internal function "new()", which ends up calling 
"malloc_multiply()" and then "malloc(3)"

"malloc" normally allocates memory from the heap.

There are no corresponding calls to "free(3)" in the patch.

Red Hat's initial fix for CVE-2018-16864 introduced the same bug,
which has been assigned CVE-2019-3815

See
https://access.redhat.com/security/cve/cve-2019-3815
and
https://bugzilla.redhat.com/show_bug.cgi?id=146 (currently "Access Denied")

Centos has applied the RH patch in
0669-journald-free-cmdline-buffers-owned-by-iovec.patch from
http://vault.centos.org/7.6.1810/updates/Source/SPackages/systemd-219-62.el7_6.5.src.rpm

although the RH/Centos code is rather different in that they have backported 
"set_iovec_field_free" from systemd v233

----------
From: Chris Lamb 
Sent: 06 March 2019 19:40
To: Dan Poltawski; debian-lts@lists.debian.org
Subject: Re: Serious regression in systemd 215-17+deb8u10

Hi Dan,

> We have discovered that the latest version of systemd uploaded to
> jessie is causing systemd-journald to use an ever increasing amount of
> memory, eventually leading to all available memory being consumed. This
> has been observed on multiple different systems we use which are
> logging quite heavily and have upgraded to the latest systemd package.
> We have some systems which haven't had the new security patches applied
> and are not observing this behaviour - there is a clear correlation
> with the latest version of the systemd package.

So, this is the patch that was applied in systemd 215-17+deb8u10:

Description: journald: do not store the iovec entry for process commandline 
on stack
 This fixes a crash (CVE-2018-16864) where we
 would read the commandline, whose length is under control of the
 sending program, and then crash when trying to create a stack
 allocation for it.
 .
 This is a backport of 
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsystemd%2Fsystemd%2Fcommit%2F084eeb865ca63887098e0945fb4e93c852b91b0f&data=02%7C01%7Cdan.poltawski%40tnp.net.uk%7Caa9f27e2dcc5426fff0e08d6a26b8bad%7C925e5e137a8344cbb28144e1c700f7e5%7C1%7C0%7C636874980116819527&sdata=eXxpHC6N5HvqMm%2FANrXSTgJ%2B4TrmoXFouYnT8DYHbVg%3D&reserved=0
Author: Antoine Beaupré 
Bug-Debian: 
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.debian.org%2F918841&data=02%7C01%7Cdan.poltawski%40tnp.net.uk%7Caa9f27e2dcc5426fff0e08d6a26b8bad%7C925e5e137a8344cbb28144e1c700f7e5%7C1%7C0%7C636874980116819527&sdata=Nc%2FhVL6OtNP9xDC%2FDNd13UBCbGlJQQ%2Fpc5HcTeYegyM%3D&reserved=0
Origin: Debian
Bug: 
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.redhat.com%2Fshow_bug.cgi%3Fid%3D1653855&data=02%7C01%7Cdan.poltawski%40tnp.net.uk%7Caa9f27e2dcc5426fff0e08d6a26b8bad%7C925e5e137a8344cbb28144e1c700f7e5%7C1%7C0%7C636874980116819527&sdata=dxW4DrP2EZkKB2KwDIGp4ujl2j9GP0aGVDFlkco6k%2FY%3D&reserved=0
Forwarded: not-needed
Last-Update: 2019-01-22

--- systemd-215.orig/src/journal/journald-server.c
+++ systemd-215/src/journal/journald-server.c
@@ -602,7 +602,10 @@ static void dispatch_message_real(

 r = get_proc

Re: Serious regression in systemd 215-17+deb8u10

2019-03-11 Thread Markus Koschany 

Am 11.03.19 um 15:51 schrieb Dan Poltawski:
> Thanks for your responses. One of my colleagues has been looking into this 
> trying to get the bottom of it and we do seem to have identified a memory 
> leak which isn't present on stretch. I note the report posted to the list 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924060.

[...]

Thank you for sharing your analysis with us. I will prepare a regression update 
shortly.
It appears the confusion stems from the fact that CVE-2018-16864 was already 
addressed
by version 215-17+deb8u9. Thus nobody saw a connection between the memory leak 
and the recent
upload which deals with another issue.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature

Re: Serious regression in systemd 215-17+deb8u10

2019-03-11 Thread Michael Biebl 
Am 11.03.19 um 19:17 schrieb Markus Koschany:
> 
> Am 11.03.19 um 15:51 schrieb Dan Poltawski:
>> Thanks for your responses. One of my colleagues has been looking into this 
>> trying to get the bottom of it and we do seem to have identified a memory 
>> leak which isn't present on stretch. I note the report posted to the list 
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924060.
> 
> [...]
> 
> Thank you for sharing your analysis with us. I will prepare a regression 
> update shortly.
> It appears the confusion stems from the fact that CVE-2018-16864 was already 
> addressed
> by version 215-17+deb8u9. Thus nobody saw a connection between the memory 
> leak and the recent
> upload which deals with another issue.

Thanks, Markus.

Also big thanks to the debian-lts team in general for backporting those
security fixes for the systemd package in old-stable.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Re: Serious regression in systemd 215-17+deb8u10

2019-03-13 Thread Markus Koschany 
Control: tags -1 pending

Hi,

Am 11.03.19 um 23:16 schrieb Michael Biebl:
[...]
> 
> Thanks, Markus.
> 
> Also big thanks to the debian-lts team in general for backporting those
> security fixes for the systemd package in old-stable.

I could reproduce the memory leak with valgrind following the steps
provided by Dan. Indeed this issue is also known as CVE-2019-3815. I am
going to upload a new revision of systemd in Jessie now. Thank you all
for your feedback.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature