Bug#929726: ask-password: prevent buffer overflow when reading from keyring

Dan Streetman dan.streetman at canonical.com
Wed May 29 16:50:43 BST 2019


Package: systemd
Version: 241-5
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu eoan ubuntu-patch

Dear Maintainer,

When we read from keyring, a temporary buffer is allocated in order to
determine the size needed for the entire data. However, when zeroing that area,
we use the data size returned by the read instead of the lesser size allocated
for the buffer.

That will cause memory corruption that causes systemd-cryptsetup to crash
either when a single large password is used or when multiple passwords have
already been pushed to the keyring.

  * d/p/ask-password-prevent-buffer-overrow-when-reading-fro.patch:
    - prevent buffer overflow when reading keyring (LP: #1814373)


Thanks for considering the patch.


-- System Information:
Debian Release: buster/sid
  APT prefers disco-updates
  APT policy: (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco'), (100, 'disco-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-13-generic (SMP w/24 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.131ubuntu19
ii  udev             240-6ubuntu5
-------------- next part --------------
diff -Nru systemd-241/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch systemd-241/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch
--- systemd-241/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch	1969-12-31 19:00:00.000000000 -0500
+++ systemd-241/debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch	2019-05-29 11:44:09.000000000 -0400
@@ -0,0 +1,35 @@
+From 59c55e73eaee345e1ee67c23eace8895ed499693 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
+Date: Mon, 13 May 2019 16:58:01 -0300
+Subject: [PATCH] ask-password: prevent buffer overrow when reading from
+ keyring
+
+When we read from keyring, a temporary buffer is allocated in order to
+determine the size needed for the entire data. However, when zeroing that area,
+we use the data size returned by the read instead of the lesser size allocate
+for the buffer.
+
+That will cause memory corruption that causes systemd-cryptsetup to crash
+either when a single large password is used or when multiple passwords have
+already been pushed to the keyring.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
+
+Origin: upstream, https://github.com/systemd/systemd/commit/59c55e73eaee345e1ee67c23eace8895ed499693
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814373
+
+---
+ src/shared/ask-password-api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/shared/ask-password-api.c
++++ b/src/shared/ask-password-api.c
+@@ -81,7 +81,7 @@
+                 if (n < m)
+                         break;
+ 
+-                explicit_bzero_safe(p, n);
++                explicit_bzero_safe(p, m);
+                 free(p);
+                 m *= 2;
+         }
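Review bot: At the `explicit_bzero_safe(p, m)` line, nothing at the call site says why the length is `m` and not the value the read returned, so a later cleanup could easily put `n` back. A short comment above it, noting that the read may report more bytes than `p` holds and that only the allocated size may be wiped, would record the invariant the commit message explains. Separately, `m *= 2` in the same context has no visible upper bound; if the surrounding loop does not cap it elsewhere, a check before doubling would be worth a follow-up.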
diff -Nru systemd-241/debian/patches/series systemd-241/debian/patches/series
--- systemd-241/debian/patches/series	2019-05-24 16:58:59.000000000 -0400
+++ systemd-241/debian/patches/series	2019-05-29 11:44:29.000000000 -0400
@@ -35,3 +35,4 @@
 debian/Let-graphical-session-pre.target-be-manually-started.patch
 debian/Add-env-variable-for-machine-ID-path.patch
 debian/Drop-seccomp-system-call-filter-for-udev.patch
+ask-password-prevent-buffer-overrow-when-reading-fro.patch
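Review bot: The new `series` entry is appended at the very end, after the `debian/`-prefixed patches, although the patch header marks it `Origin: upstream`. If the package keeps upstream cherry-picks ahead of the Debian-specific patches, move the line up. This debdiff also carries no `debian/changelog` hunk, so the two changelog lines quoted in the mail body would need to be added by whoever applies it.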


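The size-probing read that the report describes, with the wipe bounded by the allocation, as an added example (not systemd's code and not part of the original message). `fake_key_read`, `wipe` and `read_secret` are hypothetical names, and the reader is a constructed stand-in that, like the keyring read in the report, returns the full data size even when the buffer is smaller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample secret; stands in for data held in the keyring. */
static const char stored[] = "constructed-sample-passphrase-longer-than-the-first-buffer";

/* Assumption: copies at most buflen bytes but returns the total size. */
static long fake_key_read(char *buf, size_t buflen) {
    size_t total = sizeof(stored) - 1;
    memcpy(buf, stored, total < buflen ? total : buflen);
    return (long) total;
}

/* Wipe through a volatile pointer so the compiler cannot drop it. */
static void wipe(void *p, size_t len) {
    volatile unsigned char *v = p;
    while (len--)
        *v++ = 0;
}

/* Returns the secret length and stores a NUL-terminated copy in *out
 * (caller wipes and frees it), or -1 on error. start must be > 0.
 * *tries counts how many buffers were allocated. */
long read_secret(char **out, size_t start, int *tries) {
    size_t m = start;
    for (*tries = 0;;) {
        char *p = malloc(m);
        if (!p)
            return -1;
        (*tries)++;
        long n = fake_key_read(p, m);
        if (n >= 0 && (size_t) n < m) {   /* fits, with room for the NUL */
            p[n] = '\0';
            *out = p;
            return n;
        }
        /* p holds m bytes even though n >= m was reported: wiping n bytes
         * here would write past the allocation. */
        wipe(p, m);
        free(p);
        if (n < 0 || m > (size_t) -1 / 2)
            return -1;
        m *= 2;
    }
}

int main(void) {
    char *s; int tries;
    long n = read_secret(&s, 16, &tries);
    printf("%ld bytes after %d allocations\n", n, tries);
    if (n >= 0) { wipe(s, (size_t) n); free(s); }
    return n < 0;
}
```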