39357 2020-12-01 22:17:33 +0300 Зависает avahi-daemon CVE-2021-3468 2023-10-05 14:32:50 +0300 1 1 4 Development Sisyphus avahi-daemon unstable x86_64 Linux CLOSED FIXED http://bugs.debian.org/984938 P4 major --- 47848 1 lav sbolshakov aen cas sbolshakov qa-sisyphus oldest_to_newest 194561 0 lav 2020-12-01 22:17:33 +0300 avahi-daemon-0.8-alt1.x86_64 Обнаружил зависший (ел 100% CPU десятки часов) avahi-daemon, где-то в районе: 0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429 429 for (t = s->timeouts; t; t = t->timeouts_next) { (gdb) bt #0 0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429 #1 0x00007fdb5bbfd94a in avahi_simple_poll_prepare (s=s@entry=0x1d9ab80, timeout=-1) at simple-watch.c:481 #2 0x00007fdb5bbfdd39 in avahi_simple_poll_iterate (s=0x1d9ab80, timeout=<optimized out>) at simple-watch.c:599 198157 1 lav 2021-04-26 22:08:45 +0300 Так и крутится: 0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431 431 if (t->dead || !t->enabled) (gdb) bt #0 0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431 #1 0x00007fb7db7f1c1e in avahi_simple_poll_dispatch (s=0x1919b30) at simple-watch.c:558 #2 0x0000000000407999 in ?? () #3 0x00007fb7db55708b in __libc_start_main (main=0x407130, argc=2, argv=0x7ffe42dbb988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe42dbb978) at ../csu/libc-start.c:308 #4 0x000000000040810a in ?? () 198158 2 lav 2021-04-26 22:14:32 +0300 Да, это https://github.com/lathiat/avahi/pull/330 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 Сразу воспроизводится на Сизифе и p9: $ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket 198257 3 repository-robot 2021-04-28 15:00:18 +0300 avahi-0.8-alt2 -> sisyphus: Wed Apr 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2 - avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468) 198875 4 lav 2021-06-03 02:23:45 +0300 Что-то всё равно зависает на p9: (gdb) bt #0 0x00007f0fc54f521f in find_next_timeout (s=<optimized out>) at simple-watch.c:431 #1 0x00007f0fc54f594a in avahi_simple_poll_prepare (s=s@entry=0x10c9b30, timeout=-1) at simple-watch.c:481 #2 0x00007f0fc54f5d39 in avahi_simple_poll_iterate (s=0x10c9b30, timeout=<optimized out>) at simple-watch.c:599 #3 0x0000000000407999 in ?? () * Ср апр 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2 - avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468) Но таким способом уже не воспроизводится: > Сразу воспроизводится на Сизифе и p9: > $ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - > /run/avahi-daemon/socket