skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 25, 2021

GHSL-2021-052: Potential local Denial of Service in systemd

Kevin Backhouse

Coordinated Disclosure Timeline


There is an infinite loop in systemd-ask-password, due to an integer overflow in an error handling code path. The bug can be triggered by entering an invalid unicode character followed by backspace.



Tested Version

systemd v247.3-1 (tested on Arch Linux)


Issue 1: Infinite loop in systemd-ask-password (GHSL-2021-052)

The function ask_password_tty (src/shared/ask-password-api.c, lines 391-678) has an integer overflow bug at line 586:

for (;;) {
  size_t z;

  z = utf8_encoded_valid_unichar(passphrase + q, SIZE_MAX);  <=== integer overflow
  if (z == 0) {
    q = SIZE_MAX; /* Invalid UTF8! */

  if (q + z >= p) /* This one brings us over the edge */

  q += z;  <=== subtracts 22 from q, causing infinite loop

The integer overflow happens when utf8_encoded_valid_unichar returns an error code. The error code is a negative number: -22. This overflows when it is assigned to z (type size_t). This can cause an infinite loop if the value of q is 22 or larger.

To reproduce the bug, you need to run systemd-ask-password and enter an invalid unicode character, followed by a backspace character. The reproduction steps below use a simple C program to generate the sequence of characters and ssh to feed them into the tty.

First build the C program:

gcc print_passphrase.c -o print_passphrase

Now use ssh to feed the malicious passphrase into systemd-ask-password via a tty:

./print_passphrase | ssh -tt localhost systemd-ask-password

Now run top. If the proof of concept is successful then it will show that systemd-ask-password is consuming 100% of a CPU core. Note: the reproduction steps work best if you have ssh-agent or another key manager running so that ssh doesn’t need to ask you for your password.


This issue may lead to local denial of service.


This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).


You can contact the GHSL team at, please include a reference to GHSL-2021-052 in any communication regarding this issue.