#4 CVE-2021-33910 systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash
Closed: Fixed 2 years ago by anitazha. Opened 2 years ago by ngompa.

From RhBug:1970887

A flaw was found in systemd. Attacker-controlled alloca() in function unit_name_path_escape() leads to a crash in systemd and ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo and each mountpoint is passed to mount_setup_unit(), which calls unit_name_path_escape() underneath to duplicate the string through alloca(). A local attacker who is able to mount a filesystem on a very long path can crash systemd and the whole system.

Reference fixes:


Metadata Update from @ngompa:
- Custom field Red Hat Bugzilla adjusted to https://bugzilla.redhat.com/1970887
- Custom field Upstream issue adjusted to https://github.com/systemd/systemd/pull/20256

2 years ago

This is also in systemd-stable 248.5. I'll work on pulling that in today.

Metadata Update from @ngompa:
- Issue assigned to anitazha (was: dcavalca)

2 years ago

Metadata Update from @anitazha:
- Custom field Red Hat Bugzilla reset (from https://bugzilla.redhat.com/1970887)
- Custom field Upstream issue reset (from https://github.com/systemd/systemd/pull/20256)
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

tagged systemd-248.5-1.2 for release

Metadata Update from @ngompa:
- Custom field Red Hat Bugzilla adjusted to https://bugzilla.redhat.com/1970887
- Custom field Upstream issue adjusted to https://github.com/systemd/systemd/pull/20256

2 years ago

Metadata Update from @ngompa:
- Issue tagged with: c8s

2 years ago
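
The allocation pattern described in the report, shown next to a bounded heap-based form. This is an added example, not systemd's code and not part of the original ticket. The function names, the 4096-byte `MAX_MOUNT_PATH` bound, the simplified '/'-to-'-' escaping and the sample mountinfo line are assumptions made for illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MOUNT_PATH 4096 /* assumed bound for this example */

/* Locate the mount point (5th field) of one mountinfo-format line. */
int mount_point_field(const char *line, const char **start, size_t *len) {
    const char *p = line;
    for (int i = 0; i < 4; i++) {               /* skip fields 1-4 */
        if (!(p = strchr(p, ' '))) return -EINVAL;
        p++;
    }
    *start = p;
    *len = strcspn(p, " \n");                   /* length is set by the mount table */
    return *len > 0 ? 0 : -EINVAL;
}

/* Simplified stand-in for unit-name path escaping: '/' becomes '-'. */
static void dash_escape(char *s) {
    for (; *s; s++) if (*s == '/') *s = '-';
}

/* Risky pattern: the stack copy is as large as the input, with no upper bound. */
int escape_stack(const char *s, size_t len, char *out, size_t out_sz) {
    char *tmp = alloca(len + 1);                /* a huge len exhausts the stack */
    memcpy(tmp, s, len); tmp[len] = '\0';
    dash_escape(tmp);
    return snprintf(out, out_sz, "%s", tmp) < (int)out_sz ? 0 : -ENAMETOOLONG;
}

/* Hardened pattern: reject oversized input, copy on the heap, report errors. */
int escape_heap(const char *s, size_t len, char **ret) {
    if (len >= MAX_MOUNT_PATH) return -ENAMETOOLONG;
    char *tmp = malloc(len + 1);
    if (!tmp) return -ENOMEM;
    memcpy(tmp, s, len); tmp[len] = '\0';
    dash_escape(tmp);
    *ret = tmp;                                 /* caller frees */
    return 0;
}

int main(void) { /* constructed sample line in mountinfo format */
    const char *mp, *line = "36 35 98:0 / /mnt/data rw - ext4 /dev/sda1 rw\n";
    size_t n; char *esc = NULL;
    if (!mount_point_field(line, &mp, &n) && !escape_heap(mp, n, &esc)) puts(esc);
    free(esc);
    return 0;
}
```

With the heap form, an overlong mount point becomes an error return the caller can log and skip, instead of a stack overrun in the process that parses the mount table.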
