Bug 1685286 - systemd: memory leak on invalid D-Bus message
Summary: systemd: memory leak on invalid D-Bus message
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 29
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-04 21:36 UTC by Felix Riemann
Modified: 2019-04-01 00:01 UTC (History)
6 users (show)

Fixed In Version: systemd-241-4.gitcbf14c9.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-01 00:01:24 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd pull 12025 0 None None None 2019-03-18 13:06:41 UTC

Description Felix Riemann 2019-03-04 21:36:04 UTC 
Description of problem:
Taking a closer look at the recent CVE-2019-6454 I was sending D-Bus messages with large path strings to PID 1.

While the patched package doesn't seem to crash anymore it seems to leak the memory associated with the messages.

Version-Release number of selected component (if applicable):

systemd-239-12.git8bca462.fc29

How reproducible:
Always

Steps to Reproduce:
1. Check PID1's memory usage:
 grep -i Rss /proc/1/status
 VmRSS:	    7960 kB
 RssAnon:	    4296 kB
 RssFile:	    3664 kB
 RssShmem:	       0 kB
2. Send invalid messages to PID1:
 for i in `seq 1 10`; do gdbus call -y -d org.freedesktop.systemd1 -m org.freedesktop.systemd1.Manager.StartUnit -o "/$(for x in `seq 0 28000`; do echo -n $x; done)"; done

Note that this takes some time as gdbus waits for a reply. This makes each message at least ~128KiB large due to the path string.

3.Check PID1's memory usage:
 grep -i Rss /proc/1/status
 VmRSS:	   10600 kB
 RssAnon:	    6936 kB
 RssFile:	    3664 kB
 RssShmem:	       0 kB


Actual results:
PID 1 drops the invalid D-Bus message, but doesn't seem to release all associated ressources.

Expected results:
PID 1 drops the invalid D-Bus message and releases all associated ressources.

Additional info:
PID1 nicely logs that it drops the messages if log level is set to 'debug':
systemd[1]: Received invalid message from connection bus-api-system, dropping.
Comment 1 Felix Riemann 2019-03-04 21:52:34 UTC 
Improved (re-)producer:

for i in `seq 1 30`; do gdbus call -y -d org.freedesktop.systemd1 -m org.freedesktop.systemd1.Manager.StartUnit -o "/$(for x in `seq 0 28000`; do echo -n $x; done)" & done

This adds several megabytes to the equation at once:

#  grep -i Rss /proc/1/status
VmRSS:	   67272 kB
RssAnon:	   63424 kB
RssFile:	    3848 kB
RssShmem:	       0 kB

#  grep -i Rss /proc/1/status
VmRSS:	   74664 kB
RssAnon:	   70816 kB
RssFile:	    3848 kB
RssShmem:	       0 kB
Comment 2 Fedora Update System 2019-03-29 16:45:11 UTC 
grub2-2.02-75.fc30 systemd-241-4.gitcbf14c9.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
Comment 3 Fedora Update System 2019-03-29 20:32:38 UTC 
grub2-2.02-75.fc30, systemd-241-4.gitcbf14c9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
Comment 4 Felix Riemann 2019-03-31 20:17:39 UTC 
Gave a +1 on Bodhi as the leak seems to gone with the systemd-241-4.gitcbf14c9.fc30. :)
Comment 5 Fedora Update System 2019-04-01 00:01:24 UTC 
grub2-2.02-75.fc30, systemd-241-4.gitcbf14c9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.