Coordinated Disclosure Timeline
- 2021-03-12: Emailed report, PoC, and suggested fix to systemd-security@redhat.com
- 2021-03-12: Reply from Zbigniew Jędrzejewski-Szmek: Low impact, because: “systemd-ask-password normally runs privileged and only accepts input from privileged clients. So this forms a self-DoS.”
- 2021-03-12: Our suggested fix is merged: https://github.com/systemd/systemd/pull/18985
Summary
There is an infinite loop in systemd-ask-password, due to an integer overflow in an error handling code path. The bug can be triggered by entering an invalid unicode character followed by backspace.
Product
systemd
Tested Version
systemd v247.3-1 (tested on Arch Linux)
Details
Issue 1: Infinite loop in systemd-ask-password (GHSL-2021-052)
The function ask_password_tty (src/shared/ask-password-api.c, lines 391-678) has an integer overflow bug at line 586:
    for (;;) {
            size_t z;
            z = utf8_encoded_valid_unichar(passphrase + q, SIZE_MAX); <=== integer overflow
            if (z == 0) {
                    q = SIZE_MAX; /* Invalid UTF8! */
                    break;
            }
            if (q + z >= p) /* This one brings us over the edge */
                    break;
            q += z; <=== subtracts 22 from q, causing infinite loop
    }
The integer overflow happens when utf8_encoded_valid_unichar returns an error code. The error code is a negative number: -22. When it is assigned to z (type size_t) it wraps around to a very large unsigned value, so q + z also wraps. If the value of q is 22 or larger, q + z wraps to q - 22, which is smaller than p, so the check does not break out of the loop and q += z moves q backwards by 22. The loop then walks forward to the invalid character again, and this repeats forever.
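To make the arithmetic concrete, here is an added example that is not systemd's code and not the merged fix: a small stand-in for utf8_encoded_valid_unichar, the vulnerable walk with an iteration bound so the runaway can be observed instead of hanging the process, and a corrected walk that checks the signed return before converting it. The names valid_unichar_len, last_char_start_vulnerable, last_char_start_fixed and vulnerable_hangs are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for systemd's utf8_encoded_valid_unichar(), written for this example:
 * byte length of the UTF-8 sequence at p, or -EINVAL if it is malformed. */
static int valid_unichar_len(const char *p) {
    unsigned char c = (unsigned char) p[0];
    if (c < 0x80) return 1;
    int n = (c & 0xE0) == 0xC0 ? 2 : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
    for (int i = 1; i < n; i++)
        if (((unsigned char) p[i] & 0xC0) != 0x80) n = 0;
    return n ? n : -EINVAL;                 /* n == 0: bad lead or continuation byte */
}

/* Vulnerable shape of the backspace loop: the signed error code lands in a size_t.
 * Returns the start of the last character before p, or SIZE_MAX for "invalid UTF-8,
 * drop one byte"; *looped is set if the walk runs more than max_iter steps. */
static size_t last_char_start_vulnerable(const char *pw, size_t p,
                                         unsigned max_iter, int *looped) {
    size_t q = 0;
    *looped = 0;
    for (unsigned steps = 0; ; steps++) {
        if (steps >= max_iter) { *looped = 1; return q; }
        size_t z = valid_unichar_len(pw + q);   /* -22 becomes SIZE_MAX - 21 */
        if (z == 0) { q = SIZE_MAX; break; }
        if (q + z >= p) break;                  /* for q >= 22 this wraps to q - 22 < p */
        q += z;                                 /* so q jumps back by 22 and the walk repeats */
    }
    return q;
}

/* Corrected shape: keep the signed return and reject it before converting. */
static size_t last_char_start_fixed(const char *pw, size_t p) {
    size_t q = 0;
    for (;;) {
        int z = valid_unichar_len(pw + q);
        if (z <= 0) return SIZE_MAX;            /* invalid UTF-8: caller drops one byte */
        if (q + (size_t) z >= p) break;
        q += (size_t) z;
    }
    return q;
}

/* Returns 1 if the vulnerable walk does not terminate within 200 steps. */
static int vulnerable_hangs(const char *pw, size_t p) {
    int looped;
    last_char_start_vulnerable(pw, p, 200, &looped);
    return looped;
}
```

With a constructed input of 22 ASCII bytes followed by a lone continuation byte (0x80) the vulnerable walk never terminates, while 21 ASCII bytes before the bad byte terminate normally, matching the threshold described above.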
To reproduce the bug, you need to run systemd-ask-password and enter an invalid unicode character, followed by a backspace character. The reproduction steps below use a simple C program to generate the sequence of characters and ssh to feed them into the tty.
First build the C program:
    gcc print_passphrase.c -o print_passphrase
Now use ssh to feed the malicious passphrase into systemd-ask-password via a tty:
    ./print_passphrase | ssh -tt localhost systemd-ask-password
Now run top. If the proof of concept is successful then it will show that systemd-ask-password is consuming 100% of a CPU core. Note: the reproduction steps work best if you have ssh-agent or another key manager running so that ssh doesn’t need to ask you for your password.
Impact
This issue may lead to local denial of service.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-052 in any communication regarding this issue.