Bug 688698 (CVE-2011-1159)
Summary: | CVE-2011-1159 acpid: blocked writes can lead to acpid daemon hang | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aglotov, maurizio.antillon, ted |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | acpid 2.0.9 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:57:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 701340 | ||
Bug Blocks: |
Description
Vincent Danen
2011-03-17 18:33:12 UTC
I've filed a bug for this because it has a CVE assigned, but I don't understand the problem. If the problem is that acpid hangs if there are no unprivileged processes listening (as described) to the socket to keep the queue empty, then acpid would hang a lot. Using lsof, I don't see anything but acpid opening /var/run/acpid.socket: # lsof -U|grep acpi acpid 1489 root 3u unix 0xffff880137479a00 0t0 10297 socket acpid 1489 root 8u unix 0xffff880137479d40 0t0 10300 /var/run/acpid.socket acpid 1489 root 9u unix 0xffff8800bd6f5a00 0t0 138801 /var/run/acpid.socket There is an exploit attached to the original report to demonstrate it, but by the sounds of things it requires 6-10hrs to trigger (on a laptop). I'll give this a try with my Fedora 14-based laptop, but am I missing something here? If the problem is as described, shouldn't acpid be hanging all the time, or is there something unprivileged that periodically polls the file? Ran the reproducer on my laptop, and it indeed stops counting when it hits 209 messages in the queue. But acpid remains at 0% CPU usage. I'm not sure what messages these are because acpi_listen isn't printing anything. It's possible that acpid has "hung" and isn't writing anything to the socket until the backlog is cleared, but there is no extra CPU or memory usage as a result. If I stop and restart acpid, while this reproducer is running, the count jumps way up and it's receiving way more than 209 messages (currently at 2,000,000 and counting). But acpid is still at 0% CPU and 0% memory. I honestly don't see what the problem here is. Perhaps Jiri or someone else has some idea? I'm also not sure what the reproducer is supposed to do other than tell you how many messages are in the queue. Interestingly, nothing appears to me when running acpi_listen unprivileged until I also use it as root. Once I do that, then the unprivileged acpi_listen starts to print acpi events. When I quit the privileged acpi_listen, I still see new events on the unprivileged one. The counter shown by the reproducer also doesn't reset (after unplugging and re-plugging in the power adapter, with a restarted acpid, I have been sitting at 36 messages in the queue, despite acpi_listen also listening (unprivileged). Unless someone knows something, or can spot something, that I can't see, I would say this is a non-issue. I'll keep this running for a bit to see if anything interesting happens later on perhaps. I was able to reproduce a similar situation by writing a test program to simulate acpid, then connecting to it with the exploit. So I believe the issue is valid. Regardless, the suggested fix is harmless and makes sense. I've made the fix in acpid 2.0.9 which can be found here: http://tedfelix.com/linux/acpid-netlink.html Thanks for that information, Ted. We'll set this aside for something more urgent and fix it in the future (I don't believe this is severe enough to warrant an update on its own). The feedback is appreciated. Created acpid tracking bugs for this issue Affects: fedora-all [bug 701340] |