Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 7 15:49:39 GMT 2017


Control: retitle 854421 kernel dumps arbitrary memory when splice()ing from /dev/null
Control: reassign 854421 linux-image-4.9.0-1-amd64 4.9.2-2
Control: fixed 854421 4.9.6-3

i've been able to replicate the misbehavior described in
https://bugs.debian.org/854421 on two different machines, each running
linux-image-4.9.0-1-amd64 4.9.2-2.

I find i'm able to reproduce it with the same series of syscalls that
"systemctl cat" used, so i can conclusively say this is not a systemctl
bug.

Attached is a Makefile and a reproducer C program.

I've also published the same thing via git so you should be able to try
reproducing with:

    git clone https://0xacab.org/dkg/debian-bug-854421
    cd debian-bug-854421
    make

I find that it's not reliably reproducible -- sometimes the 4.9.2-2
kernel does the right thing, which is why my test tries 20 times in a
row -- to be likely to catch it happening at least once.

I note that the data dumped seems arbitrary -- sometimes it's
highly-structured, other times just a string of NUL characters.

I tried upgrading one of the 4.9.2-2 machines to 4.9.6-3 and was unable
to get the reproducer to run after the upgrade, but i don't know whether
that means the underlying problem has been robustly fixed or just
somehow hidden.

Regards,

        --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: text/x-makefile
Size: 353 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20170207/848861b0/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: splicenull.c
Type: text/x-csrc
Size: 1336 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20170207/848861b0/attachment-0002.c>
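
An added regression check for the invariant named in the retitled bug (a splice() from /dev/null must deliver zero bytes). It is not the scrubbed splicenull.c and does not claim to replay the syscall series that "systemctl cat" used. Assumptions: a single splice() from /dev/null into a pipe is enough to observe the invariant, and the function names and chunk size are hypothetical.

```c
/* Added example: regression check, not the scrubbed splicenull.c. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#define ATTEMPTS 20   /* the report retries 20 times: the bug is intermittent */
#define CHUNK 4096L   /* constructed request size, not taken from the report */

/* Splice once from /dev/null into a fresh pipe.
 * Returns the number of bytes that arrived (0 on a correct kernel),
 * or -1 if the test could not be set up. Bytes are counted, never printed. */
long splice_null_once(void)
{
    int p[2];
    int in = open("/dev/null", O_RDONLY);
    if (in < 0)
        return -1;
    if (pipe(p) < 0) {
        close(in);
        return -1;
    }
    /* Raw syscall so the check does not depend on libc feature-test macros.
     * A refusal (-1, e.g. EINVAL) moves no data and counts as 0 bytes. */
    long n = syscall(SYS_splice, (long)in, NULL, (long)p[1], NULL, CHUNK, 0L);
    close(in);
    close(p[0]);
    close(p[1]);
    return n > 0 ? n : 0;
}

/* Repeat the check; returns how many attempts produced data. */
int count_leaky_attempts(int attempts, long *total_bytes)
{
    int leaky = 0;
    *total_bytes = 0;
    for (int i = 0; i < attempts; i++) {
        long n = splice_null_once();
        if (n > 0) {
            leaky++;
            *total_bytes += n;
        }
    }
    return leaky;
}

int main(void)
{
    long total;
    int leaky = count_leaky_attempts(ATTEMPTS, &total);
    printf("%d/%d attempts returned data (%ld bytes)\n", leaky, ATTEMPTS, total);
    return leaky ? 1 : 0;
}
```

A nonzero exit status means at least one attempt received data from /dev/null, which should never happen.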