Ubuntu
whoopsie package

DoS vulnerability: cause resource exhaustion

Bug #1881982 reported by Seong-Joong Kim
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
whoopsie (Ubuntu)
Fix Released
Medium
Marc Deslauriers
Xenial
Fix Released
Medium
Marc Deslauriers
Bionic
Fix Released
Medium
Marc Deslauriers
Eoan
Won't Fix
Medium
Marc Deslauriers
Focal
Fix Released
Medium
Marc Deslauriers
Groovy
Fix Released
Medium
Marc Deslauriers

Bug Description

Hi,

I have found a security issue on whoopsie 0.2.69 and earlier.

# Vulnerability description
The parse_report() function in whoopsie.c allows attackers to cause a denial of service (memory leak) via a crafted file.
Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary process.
This results in the process being terminated by the OOM killer.

# Details
We have found a memory leak vulnerability during the parsing the crash file, when a collision occurs on GHashTable through g_hash_table_insert().
According to [1], if the key already exists in the GHashTable, its current value is replaced with the new value.
If 'key_destory_func' and 'value_destroy_func' are supplied when creating the table, the old value and the passed key are freed using that function.
Unfortunately, whoopsie does not handle the old value and the passed key when collision happens.
If a crash file contains same repetitive key-value pairs, it leads to memory leak as much as the amount of repetition and results in denial-of-service.

[1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert

# PoC (*Please check the below PoC: whoopsie_killer.py)
1) Generates a certain malformed crash file that contains same repetitive key-value pairs.
2) Trigger the whoopsie to read the generated crash file.
3) After then, the whoopsie process has been killed.

# Mitigation (*Please check the below patch: g_hash_table_memory_leak.patch)
We should use g_hash_table_new_full() with ‘key_destroy_func’ and ‘value_destroy_func’ functions instead of g_hash_table_new().
Otherwise, before g_hash_table_insert(), we should check the collision via g_hash_table_lookup_extended() and obtain pointer to the old value and remove it.

Sincerely,

See original description
Tags: patch

Related branches

lp:whoopsie

CVE References

Revision history for this message
Seong-Joong Kim (sungjungk) wrote :

Modification:
Correct the above issue.
Replace g_hash_table_new() with g_hash_table_new_full() and add 'key_destroy_func' and 'value_destroy_func' function.

Seong-Joong Kim (sungjungk)
description: updated
Seong-Joong Kim (sungjungk)
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "g_hash_table_memory_leak.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Mathew Hodson (mhodson)
Changed in whoopsie (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Seong-Joong Kim (sungjungk) wrote :

This vulnerability may cause a memory exhaustion vulnerability in the function parse_report() in whoopsie.c, which allows attackers to cause a denial of service.

Seong-Joong Kim (sungjungk)
summary: - Memory leak in parse_report()
+ memory exhaustion in parse_report()
Seong-Joong Kim (sungjungk)
description: updated
Revision history for this message
Seong-Joong Kim (sungjungk) wrote : Re: memory exhaustion in parse_report()

Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary process.
This results in the process being terminated by the OOM killer.
Please check the following PoC: whoopsie_killer.py

Seong-Joong Kim (sungjungk)
description: updated
summary: - memory exhaustion in parse_report()
+ DoS vulnerability: cause resource exhaustion
Leonidas S. Barbosa (leosilvab)
Changed in whoopsie (Ubuntu):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

https://github.com/sungjungk/whoopsie_killer

Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Xenial):
status: New → Confirmed
Changed in whoopsie (Ubuntu Bionic):
status: New → Confirmed
Changed in whoopsie (Ubuntu Eoan):
status: New → Confirmed
Changed in whoopsie (Ubuntu Focal):
status: New → Confirmed
Changed in whoopsie (Ubuntu Xenial):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Bionic):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Eoan):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Focal):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Eoan):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-11937 for this issue. Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.69ubuntu0.1

---------------
whoopsie (0.2.69ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Focal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.5

---------------
whoopsie (0.2.52.5ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.62ubuntu0.5

---------------
whoopsie (0.2.62ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.71

---------------
whoopsie (0.2.71) groovy; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Brian Murray <email address hidden> Wed, 05 Aug 2020 15:00:45 -0700

Changed in whoopsie (Ubuntu Groovy):
status: Confirmed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release

Changed in whoopsie (Ubuntu Eoan):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.