Bug 1793979 (CVE-2019-20386) - CVE-2019-20386 systemd: memory leak in button_open() in login/logind-button.c when udev events are received
Summary: CVE-2019-20386 systemd: memory leak in button_open() in login/logind-button.c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20386
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1793980 1798503 1798504
Blocks: 1793981
Reported: 2020-01-22 12:31 UTC by Marian Rehak
Modified: 2021-02-16 20:43 UTC (History)
CC: 14 users

Fixed In Version: systemd 243
Doc Type: If docs needed, set a value
Doc Text:
A memory leak was discovered in the systemd-login when a power-switch event is received. A physical attacker may trigger one of these events and leak bytes due to a missing free.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:59:34 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4007 0 None None None 2020-09-29 20:32:23 UTC
Red Hat Product Errata RHSA-2020:4553 0 None None None 2020-11-04 01:55:48 UTC

Description Marian Rehak 2020-01-22 12:31:14 UTC
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.

Upstream Fix:

https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad

Comment 1 Marian Rehak 2020-01-22 12:31:35 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-30 [bug 1793980]

Comment 2 Sam Fowler 2020-01-23 06:59:35 UTC
Statement:

The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd will be consumed from Red Hat Enterprise Linux 8 channels.

Comment 3 Riccardo Schirone 2020-02-04 13:19:16 UTC
In systemd v239 (-> means "is called from"):

logind-button.c:button_open()
-> logind-core.c:manager_process_button_device()
   -> logind.c:manager_enumerate_buttons(): this function is called when logind is started, at the very beginning, to enumerate all the buttons available in the system;
   -> logind.c:manager_dispatch_button_udev(): this function is called every time there is an event received by udev with the tag "power-switch" and subsystem "input";
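
The call chain above means button_open() is re-entered for the same Button every time a matching udev event arrives. The following C model, added here as an illustration and not taken from systemd or from the upstream fix commit, shows the defect class the report describes: a re-open routine that allocates a per-device resource on each call without releasing the one allocated by the previous call, next to the corrected shape that releases the old allocation first. Every name in it (Button, EventSource, button_open_leaky, button_open_fixed, live_sources_after_events, the "power-switch" tag) is constructed for the example; the live-allocation counter stands in for what a leak checker such as valgrind would report.

```c
/* Illustrative model of a "re-open without releasing" leak. Not systemd's
 * code: the types and functions below are constructed to mirror the shape
 * of the bug in this report, where button_open() runs again on every
 * matching udev event and the pre-fix version never frees what the
 * previous call allocated. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the event source registered for a button's fd. */
typedef struct EventSource {
        int fd;
        char tag[32];
} EventSource;

typedef struct Button {
        int fd;                       /* simulated device fd, -1 when closed */
        EventSource *io_event_source; /* last registered event source */
} Button;

/* Number of event sources currently allocated. A leak shows up as this
 * counter growing by one on every re-open. */
static int live_event_sources = 0;
static int next_fd = 10;

static EventSource *event_source_new(int fd) {
        EventSource *s = calloc(1, sizeof *s);
        if (!s)
                return NULL;
        s->fd = fd;
        strncpy(s->tag, "power-switch", sizeof s->tag - 1);
        live_event_sources++;
        return s;
}

/* Frees the source (if any) and returns NULL so callers can reassign. */
static EventSource *event_source_unref(EventSource *s) {
        if (s) {
                live_event_sources--;
                free(s);
        }
        return NULL;
}

static int safe_close(int fd) {
        (void) fd; /* nothing real to close in this model */
        return -1;
}

/* Leaky shape: the fd is closed and reopened, but the event source that
 * referenced the old fd is overwritten, so it is never freed. Each call
 * after the first leaks one EventSource. */
int button_open_leaky(Button *b) {
        b->fd = safe_close(b->fd);
        b->fd = next_fd++;
        b->io_event_source = event_source_new(b->fd); /* old pointer lost here */
        return b->io_event_source ? 0 : -1;
}

/* Fixed shape: release the previous event source before registering a new
 * one, so repeated udev events hold at most one allocation per Button. */
int button_open_fixed(Button *b) {
        b->io_event_source = event_source_unref(b->io_event_source);
        b->fd = safe_close(b->fd);
        b->fd = next_fd++;
        b->io_event_source = event_source_new(b->fd);
        return b->io_event_source ? 0 : -1;
}

/* Drive one Button through n simulated power-switch udev events (the role
 * manager_dispatch_button_udev() plays in the report's call chain) and
 * return how many event sources are still allocated afterwards. */
int live_sources_after_events(int n, bool fixed) {
        Button b = { .fd = -1, .io_event_source = NULL };
        live_event_sources = 0;

        for (int i = 0; i < n; i++)
                if (fixed)
                        button_open_fixed(&b);
                else
                        button_open_leaky(&b);

        int live = live_event_sources;
        event_source_unref(b.io_event_source); /* release what is still reachable */
        return live;
}

int main(void) {
        printf("leaky after 5 events: %d live sources\n", live_sources_after_events(5, false));
        printf("fixed after 5 events: %d live sources\n", live_sources_after_events(5, true));
        return 0;
}
```

The model reproduces the report's assessment as well: each event leaks one small allocation, so the counter grows linearly with the number of physical button events rather than jumping, which is why the impact is a slow resource drain rather than a crash.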

Comment 4 Zbigniew Jędrzejewski-Szmek 2020-02-04 17:59:16 UTC
Since this is only called when hardware is physically added or when udevadm trigger is called by root, it doesn't seem to be a big issue. Lowering severity appropriately.

Comment 5 Riccardo Schirone 2020-02-05 13:26:22 UTC
I have lowered the Impact of this flaw to Low and adjusted the CVSSv3.1 score to 2.4/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Attack Vector is Physical (AV:P) because the only way to reach the button_open() function, after logind initialization, is through the manager_dispatch_button_udev() function which is called when a user physically does something that triggers a udev event (e.g. pressing the poweroff button, opening the lid, etc.).
Availability set to Low (A:L) because even when this happens, this just leaks some bytes but it would be hard to make logind crash. Moreover, an attacker that has physical access to a machine and wants to cause a Denial of Service, could just as well turn off the machine.

Comment 7 errata-xmlrpc 2020-09-29 20:32:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4007 https://access.redhat.com/errata/RHSA-2020:4007

Comment 8 Product Security DevOps Team 2020-09-29 21:59:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20386

Comment 9 errata-xmlrpc 2020-11-04 01:55:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4553 https://access.redhat.com/errata/RHSA-2020:4553

