Bug 39357 - Зависает avahi-daemon CVE-2021-3468
Summary: Зависает avahi-daemon CVE-2021-3468
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: avahi-daemon (show other bugs)
Version: unstable
Hardware: x86_64 Linux
: P4 major
Assignee: Sergey Bolshakov
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks: 47848
  Show dependency tree
 
Reported: 2020-12-01 22:17 MSK by Vitaly Lipatov
Modified: 2023-10-05 14:32 MSK (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vitaly Lipatov 2020-12-01 22:17:33 MSK 
avahi-daemon-0.8-alt1.x86_64

Обнаружил зависший (ел 100% CPU десятки часов) avahi-daemon, где-то в районе:

0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429
429	    for (t = s->timeouts; t; t = t->timeouts_next) {
(gdb) bt
#0  0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429
#1  0x00007fdb5bbfd94a in avahi_simple_poll_prepare (s=s@entry=0x1d9ab80, timeout=-1) at simple-watch.c:481
#2  0x00007fdb5bbfdd39 in avahi_simple_poll_iterate (s=0x1d9ab80, timeout=<optimized out>) at simple-watch.c:599
Comment 1 Vitaly Lipatov 2021-04-26 22:08:45 MSK 
Так и крутится:

0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
431	        if (t->dead || !t->enabled)
(gdb) bt
#0  0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
#1  0x00007fb7db7f1c1e in avahi_simple_poll_dispatch (s=0x1919b30) at simple-watch.c:558
#2  0x0000000000407999 in ?? ()
#3  0x00007fb7db55708b in __libc_start_main (main=0x407130, argc=2, argv=0x7ffe42dbb988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe42dbb978) at ../csu/libc-start.c:308
#4  0x000000000040810a in ?? ()
Comment 2 Vitaly Lipatov 2021-04-26 22:14:32 MSK 
Да, это
https://github.com/lathiat/avahi/pull/330
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938

Сразу воспроизводится на Сизифе и p9:
$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
Comment 3 Repository Robot 2021-04-28 15:00:18 MSK 
avahi-0.8-alt2 -> sisyphus:

 Wed Apr 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2
 - avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468)
Comment 4 Vitaly Lipatov 2021-06-03 02:23:45 MSK 
Что-то всё равно зависает на p9:

(gdb) bt
#0  0x00007f0fc54f521f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
#1  0x00007f0fc54f594a in avahi_simple_poll_prepare (s=s@entry=0x10c9b30, timeout=-1) at simple-watch.c:481
#2  0x00007f0fc54f5d39 in avahi_simple_poll_iterate (s=0x10c9b30, timeout=<optimized out>) at simple-watch.c:599
#3  0x0000000000407999 in ?? ()

* Ср апр 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2
- avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468)

Но таким способом уже не воспроизводится:
> Сразу воспроизводится на Сизифе и p9:
> $ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat -
> /run/avahi-daemon/socket