Buffer overrun in format_timespan #23928
Labels
bug 🐛
Programming errors, that need preferential fixing
Comments
yuwata
added a commit
to yuwata/systemd
that referenced
this issue
Jul 7, 2022
poettering
pushed a commit
that referenced
this issue
Jul 8, 2022
tewarid
pushed a commit
to tewarid/systemd
that referenced
this issue
Aug 23, 2022
Fixes systemd#23928. (cherry picked from commit 9102c62)
arnout
pushed a commit
to buildroot/buildroot
that referenced
this issue
Nov 20, 2022
Fixes the following security issue: - CVE-2022-3821: An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. systemd/systemd#23928 Drop now upstream 0001-missing-syscall-define-MOVE_MOUNT_T_EMPTY_PATH-if-mi.patch Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
arnout
pushed a commit
to buildroot/buildroot
that referenced
this issue
Nov 23, 2022
Fixes the following security issue: - CVE-2022-3821: An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. systemd/systemd#23928 Drop now upstream 0001-missing-syscall-define-MOVE_MOUNT_T_EMPTY_PATH-if-mi.patch Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit e24033f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tomoms
added a commit
to Tomoms/oniro
that referenced
this issue
Dec 1, 2022
Simple exploit based on the one provided here: systemd/systemd#23928 with additional prints to check that buf has been modified.
bluca
pushed a commit
to bluca/systemd
that referenced
this issue
Jan 27, 2023
Fixes systemd#23928. (cherry picked from commit 9102c62) (cherry picked from commit 72d4c15)
bluca
pushed a commit
to bluca/systemd
that referenced
this issue
Apr 21, 2023
Fixes systemd#23928. (cherry picked from commit 9102c62) (cherry picked from commit 72d4c15) (cherry picked from commit c32530f) (cherry picked from commit b2a25b5) (cherry picked from commit 858dc1a) CVE:CVE-2022-3821 Upstream-Status: Backport [systemd/systemd-stable@5ca1a8c] Signed-off-by: Nandakumar Raghavan <naraghavan@microsoft.com>
Werkov
pushed a commit
to Werkov/systemd
that referenced
this issue
Nov 1, 2023
Fixes systemd#23928. (cherry picked from commit 9102c62) [fbui: adjust context] [fbui: fixes bsc#1204968] [fbui: fixes CVE-2022-3821]
Werkov
pushed a commit
to Werkov/systemd
that referenced
this issue
Nov 1, 2023
Fixes systemd#23928. (cherry picked from commit 9102c62) (cherry picked from commit 72d4c15) (cherry picked from commit c32530f)
systemd version the issue has been seen with
251
Used distribution
No response
Linux kernel version used
No response
CPU architectures issue was seen on
No response
Component
No response
Expected behaviour you didn't see
No response
Unexpected behaviour you saw
In the file time-util.c, the function format_timespan has the following code:
The problem of the above code is that n = MIN((size_t) k, l); can assign the buffer size l to n. Then p += n; will cause p to point to one byte after the buffer buf, leading to a buffer overwrite in *p=0 (an off-by-one error).
Steps to reproduce the problem
To reproduce the buffer overrun, just run the following test code
format_timespan will write to buf[5], which is an error.
Additional program output to the terminal or log subsystem illustrating the issue
No response
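The clamp described in the report above, as an added C example (not systemd's code and not the reporter's test program): a hypothetical `append_parts()` models the snprintf-and-advance pattern, and a guard byte placed just past a 5-byte logical buffer shows where the final terminator lands. The `l - 1` clamp in the fixed branch is an assumed correction, since this page does not show the patch; the part strings are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define GUARD 0x7f

/* Hypothetical model of the pattern in the report (not systemd code):
 * append each part with snprintf(), advance p by the clamped length,
 * then write the terminator at p. Requires l >= 1.
 * fixed == 0: clamp to l, as quoted in the report.
 * fixed == 1: clamp to l - 1, keeping one byte for the terminator
 *             (an assumed correction; the page does not show the patch). */
static size_t append_parts(char *buf, size_t l, const char *const *parts,
                           size_t nparts, int fixed) {
    char *p = buf;
    for (size_t i = 0; i < nparts; i++) {
        /* snprintf() returns the length it wanted to write, which can be >= l */
        int k = snprintf(p, l, "%s%s", p > buf ? " " : "", parts[i]);
        if (k < 0)
            break;
        size_t n = fixed ? MIN((size_t) k, l - 1) : MIN((size_t) k, l);
        l -= n;
        p += n;
    }
    *p = 0;                     /* lands at buf[original l] once n reached l */
    return (size_t) (p - buf);  /* index of the terminator */
}

/* Runs the model on a 5-byte logical buffer backed by 6 bytes, so the stray
 * write hits a guard byte instead of unrelated memory. Copies the 5 logical
 * bytes to out and returns 1 if the guard byte is intact afterwards. */
static int guard_survives(int fixed, size_t *term_index, char *out) {
    char backing[6];
    const char *const parts[] = { "100ms", "5us" };  /* constructed sample */
    memset(backing, GUARD, sizeof(backing));
    *term_index = append_parts(backing, 5, parts, 2, fixed);
    memcpy(out, backing, 5);
    return backing[5] == GUARD;
}

int main(void) {
    size_t idx;
    char out[5];
    for (int fixed = 0; fixed <= 1; fixed++) {
        int ok = guard_survives(fixed, &idx, out);
        printf("fixed=%d terminator at [%zu], guard %s\n", fixed, idx, ok ? "intact" : "overwritten");
    }
    return 0;
}
```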