Re: [Touch-packages] [Bug 1795921] Re: Out-of-Bounds write in systemd-networkd dhcpv6 option handling
On Tue, Oct 30, 2018 at 08:16:27PM -, Clemens Fuchslocher wrote:
> Are there any workarounds for Ubuntu 16.04?
>
> Can I set /proc/sys/net/ipv6/conf/all/accept_ra to 0 to ignore the
> Router Advertisements?

There are two settings: the accept_ra sysctl in the kernel, and IPv6AcceptRa= in systemd. The second setting can override the kernel setting, but it defaults to "use the kernel default". The kernel defaults to "enabled if local forwarding is disabled". So accept_ra=0 is honoured as long as IPv6AcceptRa= is *not* set to true.

But the code where the error is is in the dhcpv6 client part. It can be triggered in two different ways: upon reception of a RA, or explicitly by using DHCP=yes or DHCP=ipv6. So both settings (accept_ra=/IPv6AcceptRa= and DHCP=) have to be set to 0/no to mitigate the issue. (Note though DHCP=no is the default.)

This is my understanding, but I'm not too familiar with this code, so it'd be great if somebody could confirm.

Zbyszek

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1795921

Title:
  Out-of-Bounds write in systemd-networkd dhcpv6 option handling

Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  systemd-networkd contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received:

  "Note that DHCPv6 will by default be triggered by Router Advertisement, if that is enabled, regardless of this parameter. By enabling DHCPv6 support explicitly, the DHCPv6 client will be started regardless of the presence of routers on the link, or what flags the routers pass" (https://www.freedesktop.org/software/systemd/man/systemd.network.html)

  The function dhcp6_option_append_ia is used to encode Identity Associations received by the server into the options buffer of an outgoing DHCPv6 packet:

  // https://github.com/systemd/systemd/blob/master/src/libsystemd-network/dhcp6-option.c#L82
  int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
          uint16_t len;
          uint8_t *ia_hdr;
          size_t iaid_offset, ia_buflen, ia_addrlen = 0;
          DHCP6Address *addr;
          int r;

          assert_return(buf && *buf && buflen && ia, -EINVAL);

          switch (ia->type) {
          case SD_DHCP6_OPTION_IA_NA:
                  len = DHCP6_OPTION_IA_NA_LEN;
                  iaid_offset = offsetof(DHCP6IA, ia_na);
                  break;

          case SD_DHCP6_OPTION_IA_TA:
                  len = DHCP6_OPTION_IA_TA_LEN;
                  iaid_offset = offsetof(DHCP6IA, ia_ta);
                  break;

          default:
                  return -EINVAL;
          }

  A:      if (*buflen < len)
                  return -ENOBUFS;

          ia_hdr = *buf;
          ia_buflen = *buflen;

          *buf += sizeof(DHCP6Option);
  B:      *buflen -= sizeof(DHCP6Option);

  C:      memcpy(*buf, (char*) ia + iaid_offset, len);

          *buf += len;
  D:      *buflen -= len;

  E:      LIST_FOREACH(addresses, addr, ia->addresses) {
                  r = option_append_hdr(buf, buflen, SD_DHCP6_OPTION_IAADDR,
                                        sizeof(addr->iaaddr));
                  if (r < 0)
                          return r;

                  memcpy(*buf, &addr->iaaddr, sizeof(addr->iaaddr));
                  *buf += sizeof(addr->iaaddr);
                  *buflen -= sizeof(addr->iaaddr);

                  ia_addrlen += sizeof(DHCP6Option) + sizeof(addr->iaaddr);
          }

          r = option_append_hdr(&ia_hdr, &ia_buflen, ia->type, len + ia_addrlen);
          if (r < 0)
                  return r;

          return 0;
  }

  The function receives a pointer to the option buffer buf, its remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bounds and *buflen can underflow in (D), giving an attacker a very powerful and largely controlled OOB heap write starting at (E).

  The overflow can be triggered relatively easily by advertising a DHCPv6 server with a server-id >= 493 characters long. This will trigger the following code once the client tries to create a REQUEST message:

  //https://github.com/systemd/systemd/blob/7bcf8123c0305131ace02480763377af974924ef/src/libsystemd-network/sd-dhcp6-client.c#L493
  case DHCP6_STATE_REQUEST:
  case DHCP6_STATE_RENEW:

          if (client->state == DHCP6_STATE_REQUEST)
                  message->type = DHCP6_REQUE
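The size check the report describes, reduced to a stand-alone harness. This is an added example and not systemd's code: it reimplements only the header-reservation and body-copy step of dhcp6_option_append_ia (the report's labels A to D) against a canary-guarded scratch buffer, so the overrun at (C) and the size_t wrap at (D) can be observed without touching real heap memory. The 4-byte option header and the 12-byte IA_NA / 4-byte IA_TA body lengths follow the DHCPv6 wire format; the names append_ia_body, probe, probe_remaining, ARENA and CANARY are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCPv6 option header on the wire: 2-byte option code, 2-byte length.
 * sizeof(DHCP6Option) == 4, the amount the check at (A) forgets. */
typedef struct {
        uint16_t code;
        uint16_t len;
} DHCP6Option;

/* Body lengths systemd calls DHCP6_OPTION_IA_NA_LEN / DHCP6_OPTION_IA_TA_LEN:
 * IA_NA carries IAID + T1 + T2, IA_TA only the IAID. */
#define IA_NA_BODY_LEN 12
#define IA_TA_BODY_LEN 4

#define ARENA  64     /* scratch buffer; every byte past `avail` is canary */
#define CANARY 0xA5

/* Steps (A)-(D) of dhcp6_option_append_ia for one IA body.
 * hardened == false reproduces the report's check   (*buflen < len);
 * hardened == true  accounts for the option header  (*buflen < 4 + len). */
static int append_ia_body(uint8_t **buf, size_t *buflen,
                          const uint8_t *body, uint16_t len, bool hardened) {
        size_t need = hardened ? sizeof(DHCP6Option) + (size_t) len : (size_t) len;

        if (*buflen < need)                 /* (A) */
                return -ENOBUFS;

        *buf += sizeof(DHCP6Option);        /* leave room for the option header */
        *buflen -= sizeof(DHCP6Option);     /* (B) */
        memcpy(*buf, body, len);            /* (C): overruns when *buflen < 4 + len */
        *buf += len;
        *buflen -= len;                     /* (D): wraps when (C) overran */
        return 0;
}

/* Run one append with `avail` bytes declared free. Returns:
 *   -ENOBUFS  the size check rejected the append
 *    0        the body fit and the canary is intact
 *    1        canary bytes were overwritten: an out-of-bounds write occurred
 * Callers keep avail + 4 + body_len <= ARENA so even the vulnerable path
 * stays inside `arena`; that is the only reason this probe is safe to run. */
static int probe(size_t avail, uint16_t body_len, bool hardened, size_t *remaining) {
        uint8_t arena[ARENA];
        uint8_t body[IA_NA_BODY_LEN];      /* constructed IA body, 0x11 filler */
        uint8_t *p = arena;
        size_t n = avail;
        int r;

        memset(arena, CANARY, sizeof arena);
        memset(body, 0x11, sizeof body);

        r = append_ia_body(&p, &n, body, body_len, hardened);
        if (remaining)
                *remaining = n;
        if (r < 0)
                return r;

        for (size_t i = avail; i < sizeof arena; i++)
                if (arena[i] != CANARY)
                        return 1;
        return 0;
}

/* What *buflen holds after the append; a value far above ARENA means (D) wrapped. */
static size_t probe_remaining(size_t avail, uint16_t body_len, bool hardened) {
        size_t n = 0;
        probe(avail, body_len, hardened, &n);
        return n;
}

int main(void) {
        /* 12 free bytes, 12-byte IA_NA body: (A) passes, but 16 bytes are needed. */
        printf("vulnerable: r=%d remaining=%zu\n",
               probe(12, IA_NA_BODY_LEN, false, NULL),
               probe_remaining(12, IA_NA_BODY_LEN, false));
        printf("hardened:   r=%d remaining=%zu\n",
               probe(12, IA_NA_BODY_LEN, true, NULL),
               probe_remaining(12, IA_NA_BODY_LEN, true));
        return 0;
}
```

With 12 bytes free and a 12-byte IA_NA body the vulnerable path reports a clobbered canary and a wrapped remaining length, while the hardened check returns -ENOBUFS and leaves *buflen untouched. The wrapped *buflen is what makes (E) in the report dangerous: every later option_append_hdr call sees an enormous amount of free space and keeps writing.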
[Touch-packages] [Bug 1725348] Re: Systemd - Bypassing MemoryDenyWriteExecution policy
Upstream commits:
https://github.com/systemd/systemd/commit/b835eeb4ec1dd122b6feff2b70881265c529fcdd
https://github.com/systemd/systemd/commit/91691f1d3e3c66122fd0fc564ea3f20f566c2698
https://github.com/systemd/systemd/commit/213f2883c006d785e033597d2f46a110d85eb54b

https://bugs.launchpad.net/bugs/1725348

Title:
  Systemd - Bypassing MemoryDenyWriteExecution policy

Status in systemd package in Ubuntu:
  New
Status in systemd source package in Xenial:
  New
Status in systemd source package in Zesty:
  New
Status in systemd source package in Artful:
  New
Status in systemd source package in Bionic:
  New

Bug description:
  Hello,

  We would like to report to you a vulnerability about systemd which allows bypassing the MemoryDenyWriteExecution policy on Linux 4.9+.

  The vulnerability is described in the attached PDF file.

  Sincerely,
  Thomas IMBERT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725348/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1611945] Re: /dev/disk/by-path not properly populated for (e)SATA port multiplier disks
Feel free to file the bug directly upstream at https://github.com/systemd/systemd/issues/new. This is not Ubuntu specific in any way.

(In the future, the same general rule applies: the "two releases" rule is intended to let us avoid dealing with long-fixed bugs and versions of systemd that we're no longer actively working on. But if the code is obviously unchanged between some distro version and upstream, just file the bug and say so in the bug.)

https://bugs.launchpad.net/bugs/1611945

Title:
  /dev/disk/by-path not properly populated for (e)SATA port multiplier disks

Status in systemd package in Ubuntu:
  New

Bug description:
  We have a just-installed Ubuntu 16.04 LTS machine with a number of disks behind port-multiplier eSATA ports, all of them driven by a SiI 3124 controller (sata_sil24 kernel driver). Our machine sees all disks on all channels, however under 16.04 only one disk from each channel shows up in /dev/disk/by-path/ (all disks show up in /dev/disk/by-id and /dev/disk/by-uuid). For our usage this is a severe defect because we rotate disks in and out of the external enclosure and rely on mounting specific slots in the external enclosure through /dev/disk/by-path. This did not happen in Ubuntu 12.04 LTS, the release that this machine was previously running.

  According to 'udevadm info --export-db' and 'udevadm test-builtin path_id' and so on, systemd's udev stuff is assigning all drives behind the same port the same disk/by-path data (ID_PATH et al). In 'udevadm info /sys/block/sdX', the 'P:' and 'E: DEVPATH=' values show a difference in the target portion of the PCI path, eg:

  P: /devices/pci:00/:00:01.0/:01:00.0/:02:00.0/ata1/host0/target0:0:0/0:0:0:0/block/sda
  P: /devices/pci:00/:00:01.0/:01:00.0/:02:00.0/ata1/host0/target0:1:0/0:1:0:0/block/sdb

  However the 'S: disk/by-path', 'E: DEVLINKS=', and 'E: ID_PATH' portions do not. For both devices above, we see:

  S: disk/by-path/pci-:02:00.0-ata-1
  E: ID_PATH=pci-:02:00.0-ata-1

  Naturally only one device can have a /dev/disk/by-path/pci-:02:00.0-ata-1 symlink, so instead of four disks per channel in /dev/disk/by-path we see one.

  Ubuntu release: 16.04
  Package versions from 'apt-cache policy udev systemd':
    udev: Installed: 229-4ubuntu7
    systemd: Installed: 229-4ubuntu7

  'journalctl -b' reports that during boot systemd does report some 'appeared twice with different sysfs paths' notes, eg:

  Aug 10 13:34:21 verdandi systemd[1]: dev-disk-by\x2dpath-pci\x2d:02:00.0\x2data\x2d1\x2dpart1.device: Dev dev-disk-by\x2dpath-pci\x2d:02:00.0\x2data\x2d1\x2dpart1.device appeared twice with different sysfs paths /sys/devices/pci:00/:00:01.0/:01:00.0/:02:00.0/ata1/host0/target0:3:0/0:3:0:0/block/sdd/sdd1 and /sys/devices/pci:00/:00:01.0/:01:00.0/:02:00.0/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda1

  However it doesn't seem to be reporting this for all port-multiplier drives and their partitions.

  If it would be useful I can attach full 'udevadm info --export-db' output or the like.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1611945/+subscriptions
[Touch-packages] [Bug 1426588]
This seems to be a Debian/Ubuntu-specific patch to support update-rc.d.

https://bugs.launchpad.net/bugs/1426588

Title:
  systemctl assert failure: *** Error in `systemctl': double free or corruption (fasttop): 0x7fa04bf00910 ***

Status in systemd:
  Won't Fix
Status in systemd package in Ubuntu:
  New

Bug description:
  root@file-control:~# systemctl disable vmware-USBArbitrator
  Synchronizing state for vmware-USBArbitrator.service with sysvinit using update-rc.d...
  Executing /usr/sbin/update-rc.d vmware-USBArbitrator defaults
  insserv: Service localfs has to be enabled to start service vmware-USBArbitrator
  insserv: exiting now!
  update-rc.d: error: insserv rejected the script header
  *** Error in `systemctl': double free or corruption (fasttop): 0x7f4ad5bff910 ***
  Aborted (core dumped)

  ProblemType: Crash
  DistroRelease: Ubuntu 15.04
  Package: systemd 219-4ubuntu1
  Uname: Linux 4.0.0-04rc1-generic x86_64
  NonfreeKernelModules: openafs
  ApportVersion: 2.16.1-0ubuntu2
  Architecture: amd64
  AssertionMessage: *** Error in `systemctl': double free or corruption (fasttop): 0x7fa04bf00910 ***
  Date: Fri Feb 27 18:12:48 2015
  ExecutablePath: /bin/systemctl
  InstallationDate: Installed on 2014-08-22 (189 days ago)
  InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Alpha amd64 (20140730)
  MachineType: LENOVO 20349
  ProcCmdline: systemctl disable vmware-USBArbitrator
  ProcKernelCmdLine: BOOT_IMAGE=/@/boot/vmlinuz-4.0.0-04rc1-generic root=/dev/mapper/fcntl-ubuntu ro rootflags=subvol=@ quiet splash init=/lib/systemd/systemd vt.handoff=7
  Signal: 6
  SourcePackage: systemd
  StacktraceTop:
   __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7fa049a247a0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
   malloc_printerr (ptr=, str=0x7fa049a24968 "double free or corruption (fasttop)", action=1) at malloc.c:4996
   _int_free (av=, p=, have_lock=0) at malloc.c:3840
   ?? ()
   ?? ()
  Title: systemctl assert failure: *** Error in `systemctl': double free or corruption (fasttop): 0x7fa04bf00910 ***
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: sbuild
  dmi.bios.date: 08/18/2014
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 9ECN31WW(V1.14)
  dmi.board.asset.tag: 31900058Std
  dmi.board.name: Lenovo Y50-70 Touch
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900058Std
  dmi.chassis.asset.tag: 31900058Std
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo Y50-70 Touch
  dmi.modalias: dmi:bvnLENOVO:bvr9ECN31WW(V1.14):bd08/18/2014:svnLENOVO:pn20349:pvrLenovoY50-70Touch:rvnLENOVO:rnLenovoY50-70Touch:rvr31900058Std:cvnLENOVO:ct10:cvrLenovoY50-70Touch:
  dmi.product.name: 20349
  dmi.product.version: Lenovo Y50-70 Touch
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1426588/+subscriptions