Heap-buffer-overflow while processing a transaction #26872

@mrc0mmand

Description

systemd version the issue has been seen with

latest main

Used distribution

Fedora 37

Linux kernel version used

No response

CPU architectures issue was seen on

None

Component

No response

Expected behaviour you didn't see

No response

Unexpected behaviour you saw

I tried (again) to tackle #24452, and managed to trigger a heap-buffer-overflow in the transaction processing stuff:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000fc720 at pc 0x7f81d567481e bp 0x7fff26241a00 sp 0x7fff262411b0
READ of size 65 at 0x6060000fc720 thread T0 (systemd)
    #0 0x7f81d567481d in printf_common(void*, char const*, __va_list_tag*) (/lib64/libasan.so.8+0x7481d)
    #1 0x7f81d5686ed5 in vasprintf (/lib64/libasan.so.8+0x86ed5)
    #2 0x7f81d391acef in log_format_iovec ../src/basic/log.c:954
    #3 0x7f81d391c024 in log_struct_internal ../src/basic/log.c:1016
    #4 0x7f81d4e72278 in transaction_verify_order_one ../src/core/transaction.c:392
    #5 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #6 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #7 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #8 0x7f81d4e756f6 in transaction_verify_order ../src/core/transaction.c:490
    #9 0x7f81d4e756f6 in transaction_activate ../src/core/transaction.c:727
    #10 0x7f81d4d22f81 in manager_add_job ../src/core/manager.c:1987
    #11 0x7f81d4bfd919 in bus_unit_queue_job_one ../src/core/dbus-unit.c:1776
    #12 0x7f81d4bfeca9 in bus_unit_queue_job ../src/core/dbus-unit.c:1884
    #13 0x7f81d4bff579 in bus_unit_method_start_generic ../src/core/dbus-unit.c:428
    #14 0x7f81d4bcbf9f in method_start_unit_generic ../src/core/dbus-manager.c:749
    #15 0x7f81d4bcc12d in method_start_unit ../src/core/dbus-manager.c:753
    #16 0x7f81d3a38b04 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
    #17 0x7f81d3a38b04 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319
    #18 0x7f81d3a3d572 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439
    #19 0x7f81d3a81b18 in process_message ../src/libsystemd/sd-bus/sd-bus.c:2981
    #20 0x7f81d3a81b18 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3023
    #21 0x7f81d3a81b18 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3243
    #22 0x7f81d3a82154 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3270
    #23 0x7f81d3a82d5c in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3627
    #24 0x7f81d3bc54cb in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4159
    #25 0x7f81d3bc6b88 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780
    #26 0x7f81d3bc73ea in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841
    #27 0x7f81d4d3b1a3 in manager_loop ../src/core/manager.c:3161
    #28 0x417ff1 in invoke_main_loop ../src/core/main.c:1963
    #29 0x417ff1 in main ../src/core/main.c:3084
    #30 0x7f81d244a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
    #31 0x7f81d244a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
    #32 0x4073b4 in _start (/usr/lib/systemd/systemd+0x4073b4)

0x6060000fc720 is located 0 bytes to the right of 64-byte region [0x6060000fc6e0,0x6060000fc720)
allocated by thread T0 (systemd) here:
    #0 0x7f81d56b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5)
    #1 0x7f81d3898e77 in greedy_realloc ../src/basic/alloc-util.c:70
    #2 0x7f81d4e71ea2 in merge_unit_ids ../src/core/transaction.c:332
    #3 0x7f81d4e71ea2 in transaction_verify_order_one ../src/core/transaction.c:388
    #4 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #5 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #6 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #7 0x7f81d4e756f6 in transaction_verify_order ../src/core/transaction.c:490
    #8 0x7f81d4e756f6 in transaction_activate ../src/core/transaction.c:727
    #9 0x7f81d4d22f81 in manager_add_job ../src/core/manager.c:1987
    #10 0x7f81d4bfd919 in bus_unit_queue_job_one ../src/core/dbus-unit.c:1776
    #11 0x7f81d4bfeca9 in bus_unit_queue_job ../src/core/dbus-unit.c:1884
    #12 0x7f81d4bff579 in bus_unit_method_start_generic ../src/core/dbus-unit.c:428
    #13 0x7f81d4bcbf9f in method_start_unit_generic ../src/core/dbus-manager.c:749
    #14 0x7f81d4bcc12d in method_start_unit ../src/core/dbus-manager.c:753
    #15 0x7f81d3a38b04 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
    #16 0x7f81d3a38b04 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319
    #17 0x7f81d3a3d572 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439
    #18 0x7f81d3a81b18 in process_message ../src/libsystemd/sd-bus/sd-bus.c:2981
    #19 0x7f81d3a81b18 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3023
    #20 0x7f81d3a81b18 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3243
    #21 0x7f81d3a82154 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3270
    #22 0x7f81d3a82d5c in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3627
    #23 0x7f81d3bc54cb in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4159
    #24 0x7f81d3bc6b88 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780
    #25 0x7f81d3bc73ea in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841
    #26 0x7f81d4d3b1a3 in manager_loop ../src/core/manager.c:3161
    #27 0x417ff1 in invoke_main_loop ../src/core/main.c:1963
    #28 0x417ff1 in main ../src/core/main.c:3084
    #29 0x7f81d244a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x7481d) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c0c80017890: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c800178a0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0c800178b0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c800178c0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800178d0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c800178e0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800178f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING

To reproduce this replace the contents of test/units/testsuite-60.sh with:

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux

for ((i = 0; i < 500; i++)); do
    systemctl list-jobs
    systemd-analyze dump testsuite.target
    systemctl restart --no-block tmp.mount
    systemctl daemon-reexec
    systemd-analyze dump testsuite.target
done

touch /testok

And then simply:

sudo make -C test/TEST-60-MOUNT-RATELIMIT/ clean setup run TEST_NO_QEMU=1 BUILD_DIR=$PWD/build-san TEST_SAVE_JOURNAL=fail

Steps to reproduce the problem

No response

Additional program output to the terminal or log subsystem illustrating the issue

No response
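As an added illustration of the bug class the report's numbers point to (this is not the reporter's code and not systemd's merge_unit_ids; every name in it is hypothetical): a 64-byte region allocated by a greedy realloc, read as 65 bytes from inside printf's "%s" handling, is the signature of a string whose terminating NUL did not end up inside its allocation. The example keeps the terminator inside the buffer after every append, makes the "+1" explicit in a size helper, adds a memchr check that a sized buffer is terminated before it is handed to "%s", and uses the "%.*s" idiom so the read is bounded by length rather than by a terminator. Building with -fsanitize=address and removing the "+1" in grow()'s argument reproduces the same shape of report on the constructed 64-byte sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable-buffer helper; it plays the role greedy_realloc()
 * has in the report's allocation stack. Grows to at least `need` bytes. */
static int grow(char **buf, size_t *cap, size_t need) {
        if (need <= *cap)
                return 0;
        size_t ncap = *cap ? *cap : 64;   /* 64-byte floor, like the region in the report */
        while (ncap < need)
                ncap *= 2;
        char *p = realloc(*buf, ncap);
        if (!p)
                return -1;
        *buf = p;
        *cap = ncap;
        return 0;
}

/* Bytes a "%s"-safe join needs: the content plus the terminating NUL.
 * Sizing the buffer without this +1 is the off-by-one that makes a
 * 64-byte region get read as 65 bytes by printf. */
size_t join_bytes_needed(const char *const *ids, size_t n) {
        size_t total = 0;
        for (size_t i = 0; i < n; i++)
                total += strlen(ids[i]) + (i ? 2 : 0);
        return total + 1;
}

/* Join ids with ", " into a NUL-terminated heap string (caller frees).
 * The terminator is rewritten after every append, so the buffer is safe
 * to pass to a "%s" format at any point. Returns NULL on allocation failure. */
char *join_unit_ids(const char *const *ids, size_t n) {
        char *buf = NULL;
        size_t cap = 0, len = 0;

        if (grow(&buf, &cap, 1) < 0)
                return NULL;
        buf[0] = '\0';

        for (size_t i = 0; i < n; i++) {
                size_t sep = i ? 2 : 0, l = strlen(ids[i]);
                if (grow(&buf, &cap, len + sep + l + 1) < 0) {  /* +1 reserves the NUL */
                        free(buf);
                        return NULL;
                }
                if (sep) {
                        memcpy(buf + len, ", ", 2);
                        len += 2;
                }
                memcpy(buf + len, ids[i], l);
                len += l;
                buf[len] = '\0';
        }
        return buf;
}

/* Defensive check before handing a buffer of known size to "%s":
 * 1 if a NUL lies within the first `cap` bytes, else 0. */
int terminated_within(const char *s, size_t cap) {
        return memchr(s, '\0', cap) != NULL;
}

int main(void) {
        /* Constructed sample: three 20-byte ids plus two ", " separators
         * give exactly 64 bytes of content, the region size in the report. */
        const char *const ids[] = {
                "aaaaaaaaaaaaaa.mount",
                "bbbbbbbbbbbbbb.mount",
                "cccccccccccccc.mount",
        };
        char *joined = join_unit_ids(ids, 3);
        if (!joined)
                return 1;
        printf("content %zu bytes, buffer must hold %zu\n",
               strlen(joined), join_bytes_needed(ids, 3));
        /* "%.*s" bounds the read by an explicit length instead of a terminator. */
        printf("%.*s\n", (int) strlen(joined), joined);
        free(joined);
        return 0;
}
```

The memchr check is the one to reach for when a buffer and its capacity come from different places (a transaction's job list on one side, the logging call on the other): it turns an ASan-only finding into an ordinary error path.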

Metadata

Labels: bug (Programming errors, that need preferential fixing), pid1
