systemd contains a heap use-after-free vulnerability due to the way asynchronous polkit queries are performed. The userdata that needs to be passed to the polkit callback is cached in the AsyncPolkitQuery structure; however, by the time the callback is actually invoked, the object the userdata points to may already have been freed and reused for other purposes. Local unprivileged attackers may abuse this flaw to crash systemd services or potentially execute code and elevate their privileges.
The bug is a consequence of how bus_verify_polkit_async() works. Some DBus interfaces keep a cache of objects for a short period and clear it as soon as the bus returns to the idle state. If a DBus method uses an asynchronous function such as bus_verify_polkit_async(), the method may have to wait until the polkit action is resolved, and when that happens the method handler is invoked a second time with the userdata pointer captured during the first invocation. If the polkit request takes long enough for the bus to go idle in between, the cache clearing frees the stored objects before the handler runs the second time, so the second invocation operates on freed (and possibly reused) memory: the use-after-free.
At least the systemd-machined service exposes a DBus API that is vulnerable to this flaw: Image objects are stored temporarily in such a cache, and DBus methods like org.freedesktop.machine1.Image.Clone perform asynchronous polkit queries that can trigger the use-after-free. Any unprivileged local user can mount the attack, since the org.freedesktop.machine1.Image interface is accessible to everyone.
Opening up machined's commands to unprivileged users via polkit was done in upstream commit https://github.com/systemd/systemd/commit/70244d1d25eb80b57e160ea004d0e6bf793d4caf . This commit was first included in systemd v220.
Vulnerable DBus methods have:
1) a "find" function for the associated object (e.g. image_object_find) that configures a temporary cache and sets up a "defer_event" which frees the elements in the cache
2) a call to bus_verify_polkit_async() in the handler of the method (e.g. bus_image_method_clone)
3) SD_BUS_VTABLE_UNPRIVILEGED as one of the specified flags
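The sequence in points 1) to 3), as a constructed C model added here for illustration; this is not systemd's code. The names Image, image_object_find(), image_cache_clear() and AsyncPolkitQuery echo the advisory but are hypothetical, and a fixed slot array stands in for the heap so that a freed object can be recognised by a poison value instead of triggering real undefined behaviour. vulnerable_flow() caches the object pointer as userdata and hands it back to the handler after the defer_event has emptied the cache; with attacker_reuses_slot set, a second allocation recycles the slot first, so the handler acts on a different object than the one the polkit decision was about. fixed_flow() keeps only the object path and resolves it again when the reply arrives, modelled on the idea of re-resolving callback and userdata at reply time instead of caching them (an assumption about the fix, which this page does not describe).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: slot-array "heap" so a freed object is detectable. */
#define NSLOTS      4
#define MAGIC_LIVE  0x494d4147u   /* "IMAG" */
#define MAGIC_FREED 0xdeadbeefu   /* poison written by image_free() */

typedef struct Image {
        unsigned magic;
        char name[64];
} Image;

static Image slots[NSLOTS];
static bool  slot_used[NSLOTS];

/* Per-dispatch cache: filled by the vtable "find" function, emptied by a
 * defer_event once the bus is idle again (points 1 and 2 above). */
static Image *cache[NSLOTS];
static int    cache_n;

static void reset_heap(void) {
        memset(slots, 0, sizeof slots);
        memset(slot_used, 0, sizeof slot_used);
        cache_n = 0;
}

static Image *image_new(const char *name) {
        for (int i = 0; i < NSLOTS; i++) {
                if (slot_used[i])
                        continue;
                slot_used[i] = true;
                slots[i].magic = MAGIC_LIVE;
                snprintf(slots[i].name, sizeof slots[i].name, "%s", name);
                return &slots[i];
        }
        return NULL;
}

static void image_free(Image *img) {
        img->magic = MAGIC_FREED;        /* stale pointers now recognisable */
        slot_used[img - slots] = false;  /* slot may be handed out again */
}

/* Hypothetical stand-in for image_object_find(): resolve the path, park the
 * object in the cache, hand the handler a borrowed pointer. */
static Image *image_object_find(const char *path) {
        Image *img = image_new(path);
        if (img && cache_n < NSLOTS)
                cache[cache_n++] = img;
        return img;
}

/* The defer_event handler: frees whatever the last dispatch cached. */
static void image_cache_clear(void) {
        for (int i = 0; i < cache_n; i++)
                image_free(cache[i]);
        cache_n = 0;
}

typedef struct AsyncPolkitQuery {
        void *userdata;        /* vulnerable: borrowed pointer into the cache */
        char  object_path[64]; /* fixed: enough to re-resolve after the reply */
} AsyncPolkitQuery;

typedef enum { CLONE_OK, CLONE_USE_AFTER_FREE, CLONE_WRONG_OBJECT,
               CLONE_NOT_FOUND } CloneOutcome;

/* What the Clone handler's second invocation does with the object it is given. */
static CloneOutcome clone_act(const Image *img, const char *expected_path) {
        if (img->magic != MAGIC_LIVE)
                return CLONE_USE_AFTER_FREE;
        if (strcmp(img->name, expected_path) != 0)
                return CLONE_WRONG_OBJECT;  /* slot recycled for another object */
        return CLONE_OK;
}

/* Vulnerable: userdata cached, bus goes idle, reply re-enters with stale pointer. */
static CloneOutcome vulnerable_flow(bool attacker_reuses_slot) {
        AsyncPolkitQuery q = {0};
        reset_heap();
        Image *img = image_object_find("/org/freedesktop/machine1/image/fedora");
        q.userdata = img;  /* what bus_verify_polkit_async() would remember */
        snprintf(q.object_path, sizeof q.object_path, "%s", img->name);
        image_cache_clear();  /* defer_event fires while polkit still decides */
        if (attacker_reuses_slot)
                image_object_find("/org/freedesktop/machine1/image/evil");
        return clone_act(q.userdata, q.object_path);  /* polkit reply arrives */
}

/* Fixed: nothing from the first dispatch is trusted; the object is resolved
 * again when the reply arrives, so a live object from the new cache is used. */
static CloneOutcome fixed_flow(bool attacker_reuses_slot) {
        AsyncPolkitQuery q = {0};
        reset_heap();
        Image *img = image_object_find("/org/freedesktop/machine1/image/fedora");
        snprintf(q.object_path, sizeof q.object_path, "%s", img->name);
        image_cache_clear();
        if (attacker_reuses_slot)
                image_object_find("/org/freedesktop/machine1/image/evil");
        Image *fresh = image_object_find(q.object_path);  /* re-resolved on reply */
        return fresh ? clone_act(fresh, q.object_path) : CLONE_NOT_FOUND;
}

int main(void) {
        printf("vulnerable, slot free:   %d\n", vulnerable_flow(false));
        printf("vulnerable, slot reused: %d\n", vulnerable_flow(true));
        printf("fixed, slot reused:      %d\n", fixed_flow(true));
        return 0;
}
```

The two vulnerable outcomes are the crash case (poisoned, i.e. freed, memory) and the more dangerous one where another allocation has landed in the same slot and the authorized operation is applied to an object the caller never passed the polkit check for. Note that the fixed variant also changes what is stored across the asynchronous wait: a path to look up again rather than a pointer whose lifetime is tied to a cache the handler does not own.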
Name: Tavis Ormandy (Google Project Zero)
This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as there is no service that performs asynchronous polkit requests in a vulnerable way.
The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd will be consumed from Red Hat Enterprise Linux 8 channels.
Red Hat Enterprise Linux 7 ships systemd v219, which does not include any service that calls bus_verify_polkit_async() while holding a temporary cache that is freed during a "defer_event". The function bus_verify_polkit_async() itself still contains the vulnerable code, but the flaw is not reachable.
In particular, the following commits prevent the flaw:
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1798414]