systemd-run can crash pid 1 #8056
Comments
Interestingly, I can crash
I forgot to mention that, sorry. I'm using the current master ( Note, though, that the strings have to be of a certain length. If, for example, instead of saying "привет", I say "привет сыстемд", the problem doesn't reproduce, since the assertion holds again. At least that was my case.
That's true that the commit where
The function `strv_join_quoted()` is now not used except for test-strv.c. Also, the function had the bug systemd#8056. So, let's remove it from the basic library.
The function `strv_join_quoted()` is now not used, and has a bug in the buffer size calculation when the strings need to be escaped, as reported in systemd#8056. So, let's remove the function. Closes systemd#8056.
I must have confused the versions... The
The function `strv_join_quoted()` is now not used, and has a bug in the buffer size calculation when the strings need to be escaped, as reported in systemd#8056. So, let's remove the function. Closes systemd#8056. (cherry picked from commit e7b2ea7)
Fixes systemd#8056. [fbui: the affected function was removed since v236+ (by commit 2e59b24) so the patch is not needed by upstream which was at v237+ when the issue was found.]
Taken from systemd/systemd#8056 (comment). rhel-only Related: #1989245
Since this requires privileges to be set up correctly in order to be run, I don't really consider it a DoS.
Using the following command crashes pid 1:
That's because a failed assertion gets triggered in `strv_join_quoted` in `src/basic/strv.c:419`. That function doesn't really make much sense to me, including the assertion, so I leave this to someone more knowledgeable to fix correctly. The following patch might help you with testing this:

I've tried fixing this by removing the assertion and making the algorithm allocate more space, but even then, when trying to `streq` the result with what I expected, it didn't work.

As a side note, there are probably more assumptions throughout the code base that simply assume that a character is one byte long, which don't hold.
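The buffer size miscalculation for escaped strings discussed in this thread can be avoided by measuring the escaped length per byte before allocating. The following is an added example, not code from the issue or from systemd; `esc_width`, `escaped_len`, `join_quoted` and the escaping rule itself are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed escaping rule (hypothetical, not systemd's code): '"' and '\\' get a
 * backslash, bytes outside printable ASCII become \ooo, the rest are copied. */
static size_t esc_width(unsigned char c) {
    return (c == '"' || c == '\\') ? 2 : (c < 0x20 || c >= 0x7f) ? 4 : 1;
}

/* Exact escaped length in bytes: measured per byte, never per character. */
size_t escaped_len(const char *s) {
    size_t n = 0;
    for (; *s; s++) n += esc_width((unsigned char)*s);
    return n;
}

/* Join l as "a" "b" in a buffer sized from escaped_len(); NULL on OOM or overflow. */
char *join_quoted(const char *const *l) {
    size_t total = 1;                              /* trailing NUL */
    for (const char *const *s = l; *s; s++) {
        size_t need = escaped_len(*s) + 3;         /* two quotes + separator */
        if (need > SIZE_MAX - total) return NULL;
        total += need;
    }
    char *buf = malloc(total), *p = buf;
    if (!buf) return NULL;
    for (const char *const *s = l; *s; s++) {
        if (s != l) *p++ = ' ';
        *p++ = '"';
        for (const unsigned char *c = (const unsigned char *)*s; *c; c++) {
            if (esc_width(*c) == 4) p += sprintf(p, "\\%03o", (unsigned)*c);
            else { if (esc_width(*c) == 2) *p++ = '\\'; *p++ = (char)*c; }
        }
        *p++ = '"';
    }
    *p = '\0';
    return buf;
}

int main(void) {
    /* Constructed input: "привет" as UTF-8 is 6 characters but 12 bytes. */
    const char *in[] = { "\xd0\xbf\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5\xd1\x82", NULL };
    char *r = join_quoted(in);
    if (r) printf("%zu bytes in, %zu bytes out: %s\n", strlen(in[0]), strlen(r), r);
    free(r);
    return 0;
}
```

Under this assumed rule the 12-byte input expands to 48 escaped bytes, so any size estimate derived from character count or a small multiple of `strlen()` falls short.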