Long stdin from terminal can result in code execution

Bug #1381005 reported by Angelo Marletta
Affects                  Importance   Assigned to
linux (Ubuntu)           High         Joseph Salisbury
linux (Ubuntu Trusty)    High         Joseph Salisbury
linux (Ubuntu Utopic)    High         Joseph Salisbury
linux (Ubuntu Vivid)     High         Joseph Salisbury

Bug Description

Under certain conditions, the input entered from a terminal with a foreground process waiting for stdin can be interpreted and executed by the shell.

Steps to reproduce:
1) Open a terminal
2) Run a simple program that waits for stdin (like cat, tee, head, tail, ...) or even the bash-builtin command read. No need to specify arguments
3) Type or paste exactly 4096 ASCII characters into the terminal (see sample attachment)
4) Press Enter

What should happen:
The program in the foreground reads 4097 characters (the last one is a newline).

What actually happens:
Instead of reading the input, the current program exits (read() only reads one character before EOF) and the shell executes the same input starting from the second character.

I believe that the issue can be reproduced with:
- any terminal (tested on xterm, gnome-terminal, tty)
- any shell (tested on bash, zsh)
- any program that reads stdin from terminal (not attached to a pipe)

Debugging the shell with gdb suggests that the bug is in the implementation of read(), hence in libc6 or below it (the kernel).
Specifically, the bug is caused by read() reading only one character (the newline) when a text of 4096 characters is entered on the terminal's stdin. It looks like read() is then closing the stdin descriptor.
If the input is 4097 characters long, read() will read two characters and the shell will interpret from the 3rd character, and so on.

Verified on:
Ubuntu 14.04.1 LTS

Kernel:
3.13.0-24-generic x86_64
3.13.0-32-generic x86_64
3.13.0-36-generic x86_64

libc6:
2.19-0ubuntu6
2.19-0ubuntu6.1
2.19-0ubuntu6.3

I'm happy to provide more information if it helps.
Angelo
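A self-contained regression probe for the behaviour the report describes, added here; it is neither the reporter's test nor part of the n_tty fix discussed later in the thread. It opens a pseudo-terminal pair, feeds the slave a 4096-character line the way a paste into a terminal would, and classifies what the first canonical-mode read() returns. It assumes Linux with devpts mounted, and it only asserts that a kernel carrying the fix does not hand back the lone newline, not how many bytes such a kernel returns.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

enum probe_status { PROBE_UNAVAILABLE, PROBE_NO_DATA, PROBE_BUG, PROBE_LINE_OK };
struct probe_result { enum probe_status status; ssize_t first_read; };
/* Open a master/slave pty pair with raw Linux ioctls (no libutil); assumes devpts is mounted. */
static int open_pty_pair(int *master, int *slave)
{
    int unlock = 0; unsigned int ptn; char path[32];
    if ((*master = open("/dev/ptmx", O_RDWR | O_NOCTTY)) < 0) return -1;
    if (ioctl(*master, TIOCSPTLCK, &unlock) < 0 || ioctl(*master, TIOCGPTN, &ptn) < 0 ||
        snprintf(path, sizeof path, "/dev/pts/%u", ptn) < 0 ||
        (*slave = open(path, O_RDWR | O_NOCTTY)) < 0) { close(*master); return -1; }
    return 0;
}
/* Push `len` bytes of 'a' plus '\n' into the slave's input (what pasting into the terminal does)
 * and report what the first canonical-mode read() on the slave returns. On an affected kernel a
 * 4096-byte line comes back as a lone '\n': the terminator wrapped around the 4096-byte n_tty read
 * buffer and overwrote byte 1, leaving bytes 2..4096 for the next reader, i.e. the shell. */
struct probe_result probe_canonical_line(size_t len)
{
    struct probe_result r = { PROBE_UNAVAILABLE, -1 };
    static char line[8192], out[8192];
    struct termios t; int master, slave;
    if (len + 1 > sizeof line || open_pty_pair(&master, &slave) < 0) return r;
    struct pollfd pfd = { slave, POLLIN, 0 };
    /* Canonical input as a foreground cat/read sees it; echo off so the master needs no draining. */
    if (tcgetattr(slave, &t) == 0) {
        t.c_lflag = (t.c_lflag | ICANON) & ~(ECHO | ECHONL);
        tcsetattr(slave, TCSANOW, &t);
    }
    memset(line, 'a', len); line[len] = '\n';
    r.status = PROBE_NO_DATA;   /* stays so if no complete line surfaces within 2 s */
    if (write(master, line, len + 1) == (ssize_t)(len + 1) && poll(&pfd, 1, 2000) > 0 &&
        (r.first_read = read(slave, out, sizeof out)) > 0)
        r.status = (r.first_read == 1 && out[0] == '\n') ? PROBE_BUG : PROBE_LINE_OK;
    close(slave); close(master);
    return r;
}
int main(void)
{
    struct probe_result r = probe_canonical_line(4096);   /* the report's 4096-character input */
    printf("first read() returned %zd byte(s), status %d (%d = affected)\n", r.first_read, r.status, PROBE_BUG);
    return r.status == PROBE_BUG;
}
```

Run it as an unprivileged user on the kernel under test; a non-zero exit means the 4096-byte line was split exactly as the report describes.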

Revision history for this message
Angelo Marletta (angelo-marletta) wrote :
information type: Private Security → Public Security
information type: Public Security → Private Security
description: updated
affects: eglibc (Ubuntu) → ubuntu
description: updated
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Angelo Marletta (angelo-marletta) wrote :

Yes, this is definitely related. Also I can repro bypassing libc (calling the read syscall directly) so the bug must be in kernel land.

affects: ubuntu → linux (Ubuntu)
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds. Please test the latest v3.18 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.18-rc4-vivid/

Changed in linux (Ubuntu):
importance: Undecided → High
status: Confirmed → Incomplete
tags: added: kernel-da-key trusty
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I can still reproduce this with 3.19 in vivid.

Changed in linux (Ubuntu):
status: Expired → Confirmed
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I was able to reproduce this in Trusty. However, this seems to be fixed in mainline as early as v4.0-rc1. I'll figure out which commit fixes this and then have it SRU'd and request it in upstream stable, if it wasn't already.

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I believe this is the commit we need:

commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e
Author: Peter Hurley <email address hidden>
Date: Fri Jan 16 15:05:39 2015 -0500

    n_tty: Fix read buffer overwrite when no newline

It does not cherry pick cleanly, but I'll backport it and build a test kernel. I'll post a link to it shortly.

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I backported commit fb5ef9e7 and built a Vivid test kernel with it. This kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1381005/

I tested the kernel on one of my machines and it seemed to fix this bug.

Can other folks that can reproduce this bug test the kernel and post back if it solves the bug?

Thanks in advance!

tags: added: utopic vivid
Changed in linux (Ubuntu Trusty):
status: New → In Progress
Changed in linux (Ubuntu Utopic):
status: New → In Progress
Changed in linux (Ubuntu Vivid):
status: Confirmed → In Progress
Changed in linux (Ubuntu Utopic):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Utopic):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Joseph Salisbury (jsalisbury)
Revision history for this message
V字龍(Vdragon) (vdragon) wrote :

Joseph, I've tried the kernel on a truty system; it looks good for me, the cat command doesn't terminate prematurely.

Revision history for this message
V字龍(Vdragon) (vdragon) wrote :

s/truty/trusty/g

Changed in linux (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in linux (Ubuntu Trusty):
status: Confirmed → In Progress
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I've sent my backport of commit fb5ef9e7 for upstream to be included in the stable kernels. I'll also send an SRU request for Trusty, Utopic and Vivid.

Andy Whitcroft (apw)
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done within 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-done-trusty
removed: verification-needed-trusty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-54.91

---------------
linux (3.13.0-54.91) trusty; urgency=medium

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1458618

  [ Upstream Kernel Changes ]

  * [3.13-stable only] Revert "gianfar: Carefully free skbs in functions
    called by netpoll."
    - LP: #1454746

linux (3.13.0-54.90) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1458618

  [ Andy Whitcroft ]

  * [Config] push off linux-lts-{utopic, vivid}-tools-common
    - LP: #1405807

  [ Brad Figg ]

  * hyper-v -- add hid and fb drivers to linux-virtual
    - LP: #1444179

  [ Upstream Kernel Changes ]

  * DT doc: net: cpsw mac-address is optional
    - LP: #1452628
  * net: cpsw: Add missing return value
    - LP: #1452628
  * net: cpsw: header, Add missing include
    - LP: #1452628
  * net: cpsw: Add am33xx MACID readout
    - LP: #1452628
  * am33xx: define syscon control module device node
    - LP: #1452628
  * arm: dts: am33xx, Add syscon phandle to cpsw node
    - LP: #1452628
  * net: cpsw: do not register cpts twice
    - LP: #1452620
  * x86: kvm: Revert "remove sched notifier for cross-cpu migrations"
    - LP: #1450584
  * x86: vdso: fix pvclock races with task migration
    - LP: #1450584
  * n_tty: Fix read buffer overwrite when no newline
    - LP: #1381005, #1454746
  * KVM: x86: Fix lost interrupt on irr_pending race
    - LP: #1454746
  * writeback: add missing INITIAL_JIFFIES init in
    global_update_bandwidth()
    - LP: #1454746
  * nbd: fix possible memory leak
    - LP: #1454746
  * mfd: kempld-core: Fix callback return value check
    - LP: #1454746
  * KVM: nVMX: mask unrestricted_guest if disabled on L0
    - LP: #1454746
  * spi: trigger trace event for message-done before mesg->complete
    - LP: #1454746
  * powerpc/pseries: Little endian fixes for post mobility device tree
    update
    - LP: #1454746
  * net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5}
    - LP: #1454746
  * perf: Fix irq_work 'tail' recursion
    - LP: #1454746
  * arm64: Use the reserved TTBR0 if context switching to the init_mm
    - LP: #1454746
  * selinux: fix sel_write_enforce broken return value
    - LP: #1454746
  * mm: fix anon_vma->degree underflow in anon_vma endless growing
    prevention
    - LP: #1454746
  * mm/memory hotplug: postpone the reset of obsolete pgdat
    - LP: #1454746
  * hfsplus: fix B-tree corruption after insertion at position 0
    - LP: #1454746
  * ARC: SA_SIGINFO ucontext regs off-by-one
    - LP: #1454746
  * writeback: fix possible underflow in write bandwidth calculation
    - LP: #1454746
  * iio: fix drivers that check buffer->scan_mask
    - LP: #1454746
  * iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo
    - LP: #1454746
  * iio: core: Fix double free.
    - LP: #1454746
  * USB: ftdi_sio: Added custom PID for Synapse Wireless product
    - LP: #1454746
  * iwlwifi: dvm: run INIT firmware again upon .start()
    - LP: #1454746
  * USB: keyspan_pda: add new device id
    - LP: #1454746
  * cifs: smb2_clone_range() - exit on unhandled error
    - LP: #1454746
  * cifs: fix use-after-free bug in find_wri...


Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Rolf Leggewie (r0lf) wrote :

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".

Changed in linux (Ubuntu Utopic):
status: In Progress → Won't Fix
Revision history for this message
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, i.e. vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Vivid):
status: In Progress → Won't Fix
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Brad Figg (brad-figg)
tags: added: cscc
This report contains Public Security information. Everyone can see this security related information.