Описание
An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 237-3ubuntu10.13 |
| cosmic | released | 239-7ubuntu10.8 |
| devel | released | 240-6ubuntu1 |
| esm-infra-legacy/trusty | not-affected | |
| esm-infra/bionic | released | 237-3ubuntu10.13 |
| esm-infra/xenial | released | 229-4ubuntu21.16 |
| precise/esm | DNE | |
| trusty | not-affected | |
| trusty/esm | not-affected | |
| upstream | needs-triage |
Показывать по
EPSS
4.9 Medium
CVSS2
5.5 Medium
CVSS3
Связанные уязвимости
An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
An issue was discovered in sd-bus in systemd 239. bus_process_object() ...
EPSS
4.9 Medium
CVSS2
5.5 Medium
CVSS3