[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Launchpad Bug Tracker]

This bug was fixed in the package systemd - 229-4ubuntu11

---
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
Reportedly this makes the rule actually work on some platforms. Thanks
Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
(Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
which we need for good netplan support. Backporting them individually
would be a lot more work and a lot less robust, and we did not use/support
networkd in 16.04 so far. Drop the other network related patches as they
are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the the DHCPv6 tests. The DHCPv6
behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
assertion, the "n" value was not used anyway. This fixes a local DoS due
to unprocessed/unclosed fds which got introduced by the previous fix.
(LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
manager_dispatch_notify_fd() fails and returns an error then the handling
of service notifications will be disabled entirely leading to a
compromised system. (side issue of LP: #1628687)

 -- Martin Pitt   Tue, 04 Oct 2016 21:43:04
+0200

** Changed in: systemd (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

I verified that with the -proposed version you cannot create orphaned
notify FDs any more in pid 1 using the test case I just added.

** Description changed:

  Environment:
  
  Xenial 16.04.1
  Amd64
  
  Description.
  
  Systemd fails an assertion in manager_invoke_notify_message when a zero-
  length message is received over /run/systemd/notify. This allows a local
  user to perform a denial-of-service attack against PID 1.
  
  How to trigger the bug:
  
  $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify "";
  done
  
  The following entries are written into /var/log/syslog, at this point
  systemd is crashed.
  
  Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
  Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at 
../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
  Sep 28 20:57:29 ubuntu systemd[1]: Caught , dumped core as pid 1307.
  Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.
  
+ Public bug: https://github.com/systemd/systemd/issues/4234
  
- Public bug: https://github.com/systemd/systemd/issues/4234
+ The original USN/security fix in
+ https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced
+ another local DoS due to fd exhaustion:
+ 
+   NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import
+ daemon; daemon.notify("", fds=[0]*100)'
+ 
+ Run this a few times and watch "sudo ls -l /proc/1/fd" grow.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Chris Halse Rogers]

Hello Jorge, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu11
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: systemd (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

> Martin, if you can point me at the xenial branch, we can push this
through the security pocket.

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=1aa1f84c
(this just cleans up the original -security update to still work with gbp pq)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=a80398c79
https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=0f6614488

I'm fine with landing this as part of the next SRU (I'll get it into
-proposed today). A local DoS (the original and this new one) isn't
particularly exciting after all. If you rather want to to handle this as
a security update, then you can grab these three patches, and I'll
rebase the branch/re-do the SRU again.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Steve Beattie]

Martin, if you can point me at the xenial branch, we can push this
through the security pocket. I wanted to wait and see if there were any
further issues addressed (and to not release an update on a Friday).
Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

I added the two patches to the xenial branch, and will test/upload the
SRU tomorrow.

** Changed in: systemd (Ubuntu Xenial)
 Assignee: (unassigned) => Martin Pitt (pitti)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Emanuele Aina]

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-7795

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Bug Watch Updater]

** Changed in: systemd
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Launchpad Bug Tracker]

This bug was fixed in the package systemd - 231-9

---
systemd (231-9) unstable; urgency=medium

  * pid1: process zero-length notification messages again.
Just remove the assertion, the "n" value was not used anyway. This fixes
a local DoS due to unprocessed/unclosed fds which got introduced by the
previous fix. (Closes: #839171) (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd()
  * test/networkd-test.py: Add missing writeConfig() helper function.

 -- Martin Pitt   Thu, 29 Sep 2016 23:39:24
+0200

** Changed in: systemd (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

For a follow-up xenial -security update we need:
  https://github.com/systemd/systemd/commit/8523bf7dd5
  https://github.com/systemd/systemd/commit/9987750e7

which I just cherry-picked into the Debian packaging tree (for yakkety
too):

  https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=64196d509b
  https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=c172afdd2

** Changed in: systemd (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Changed in: systemd (Ubuntu Yakkety)
 Assignee: (unassigned) => Martin Pitt (pitti)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

That initial fix just changed a DoS through assert() into a DoS through
fd exhaustion. This is being handled in
https://github.com/systemd/systemd/pull/4242 .

Please let's handle this upstream first and not put out another USN in
haste -- after all, this is just a local DoS, so far from being a
catastrophe (you can DoS the machine as user in lots of other ways).

** Changed in: systemd (Ubuntu Xenial)
   Status: Fix Released => In Progress

** Changed in: systemd (Ubuntu Yakkety)
   Status: Fix Committed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

** Changed in: systemd (Ubuntu Yakkety)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Bug Watch Updater]

** Changed in: systemd
   Status: Unknown => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Launchpad Bug Tracker]

This bug was fixed in the package systemd - 229-4ubuntu10

---
systemd (229-4ubuntu10) xenial-security; urgency=medium

  * SECURITY UPDATE: zero-length notify message triggers abort/denial of
service
- systemd-dont_assert_on_zero_length_message-lp1628687.patch: change
  assert to simple return + log (LP: #1628687)
- Thanks to Jorge Niedbalski  for
  the patch.

 -- Steve Beattie   Wed, 28 Sep 2016 14:21:42 -0700

** Changed in: systemd (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Steve Beattie]

FYI, I've pushed xenial and yakkety systemd packages with Jorge's
proposed fix from https://github.com/systemd/systemd/pull/4237 in the
ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/ for people to test.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Martin Pitt]

** Bug watch added: github.com/systemd/systemd/issues #4234
   https://github.com/systemd/systemd/issues/4234

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/4234
   Importance: Unknown
   Status: Unknown

** Changed in: systemd (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu Yakkety)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Seth Arnold]

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Steve Beattie]

CVE request: http://www.openwall.com/lists/oss-security/2016/09/28/9

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Steve Beattie]

** Also affects: systemd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Yakkety)
   Importance: Undecided
   Status: Confirmed

** Changed in: systemd (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket

[Emily Ratliff]

** Changed in: systemd (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1628687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs