A flaw was found in systemd-journald: a stack buffer overflow when passing several MB of arguments to a program calling the syslog function. This can lead to a denial of service attack or arbitrary code execution in some cases.
This boils down to a large alloca(), making it possible to jump the stack pointer into the heap and corrupt the heap region (a "Stack Clash" attack). Since the alloca()ed region is completely written, this will eventually lead to a crash.
The reporters describe achieving code execution by combining the attack with a thread race inside journald; with careful timing they are able to attack the stack of a neighbouring thread, which will return to the attacker's pointer before the crash occurs.
Some restriction is placed on this attack by get_process_cmdline() substituting ' ' for all non-printable characters; this makes code execution more difficult to achieve.
This vulnerability was introduced in systemd v203.
Name: Qualys Research Labs
Function dispatch_message_real() in journal/journald-server.c constructs a record to write to the journal by converting each field to a string with the format "<field-name>=<field-value>". Such strings are constructed by using the strjoina() function defined in basic/string-util.h, which allocates the resulting string on the stack with alloca(). If an attacker is able to make the stack clash with another memory region by providing a large attacker-controlled string, it is possible to overwrite the other region's data, causing crashes or possibly gaining code execution.
In this particular case, a process may have a big cmdline (as read from /proc/<pid>/cmdline) that could clash the stack and crash systemd-journald or gain code execution from within systemd-journald's context.
If systemd is compiled with the -fstack-clash-protection flag, as in Fedora 28/29, the flaw is not exploitable because stack clashing is prevented.
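As an added illustration (not systemd's own code and not the fix shipped for this issue), the C program below shows the defensive pattern the description above implies: a field record of the form "<field-name>=<field-value>" is built in a stack scratch buffer only when the total size is under a fixed bound, and on the heap otherwise, so an attacker-controlled length can never move the stack pointer by megabytes. It also mirrors the non-printable-to-space substitution described for get_process_cmdline(). The bound STACK_JOIN_MAX, the function names, and the 3 MiB sample value are assumptions constructed for this example.

```c
/* Added example: bounded stack allocation for a journald-style field record.
 * Names, the STACK_JOIN_MAX bound and the sample input are hypothetical;
 * this is not systemd's strjoina() nor its fix. */
#include <alloca.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound: anything larger than this must not be alloca()ed. */
#define STACK_JOIN_MAX 4096

/* Returns 1 if "name=value\0" is too large for the stack scratch buffer.
 * Each length is checked on its own first so the sum cannot wrap size_t. */
int join_needs_heap(size_t name_len, size_t value_len) {
    if (name_len > STACK_JOIN_MAX || value_len > STACK_JOIN_MAX)
        return 1;
    return (name_len + 1 + value_len + 1) > STACK_JOIN_MAX;
}

/* Mirrors the effect described for get_process_cmdline(): every
 * non-printable byte becomes ' '. Works in place, returns bytes replaced. */
size_t sanitize_printable(char *s, size_t len) {
    size_t replaced = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isprint((unsigned char)s[i])) {
            s[i] = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Builds "name=value". The scratch buffer plays the role of the joined
 * string; it lives on the stack only in the bounded small case. The
 * result is always returned as a heap copy the caller must free(). */
char *join_field(const char *name, const char *value) {
    size_t nl = strlen(name), vl = strlen(value);
    size_t total = nl + 1 + vl + 1;
    bool on_heap = join_needs_heap(nl, vl);
    char *scratch;
    if (on_heap)
        scratch = malloc(total);          /* attacker-sized: heap, never stack */
    else
        scratch = alloca(total);          /* at most STACK_JOIN_MAX bytes */
    if (!scratch)
        return NULL;

    memcpy(scratch, name, nl);
    scratch[nl] = '=';
    memcpy(scratch + nl + 1, value, vl);
    scratch[total - 1] = '\0';

    char *out = malloc(total);
    if (out)
        memcpy(out, scratch, total);
    if (on_heap)
        free(scratch);
    return out;
}

int main(void) {
    /* Constructed sample: a 3 MiB value, standing in for a multi-MB cmdline. */
    size_t big = 3u * 1024 * 1024;
    char *value = malloc(big + 1);
    if (!value)
        return 1;
    memset(value, 'A', big);
    value[big] = '\0';

    char *rec = join_field("_CMDLINE", value);
    printf("heap path used: %d, record length: %zu\n",
           join_needs_heap(strlen("_CMDLINE"), big), rec ? strlen(rec) : 0);
    free(rec);
    free(value);
    return 0;
}
```

The size check comes before any allocation decision, which is the property the original code lacked. Building with GCC's -fstack-clash-protection flag, as the comment above notes for Fedora, adds a second layer: the compiler probes each page of a large stack allocation so the guard page is hit instead of skipped.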
Small fix to comment 0 (stack buffer overflow vs stack overflow)
> A flaw was found in systemd-journald. A stack buffer overflow when passing several MB of arguments to a program calling syslog function.
A stack overflow flaw was found in systemd-journald when passing several MB of arguments to a program calling the syslog() function.
This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Important because it allows a local attacker to crash systemd-journald or escalate his privileges. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1664972]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049