| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.
However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.
In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.
An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).
Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.
Closes: dbus#305
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2b7948ef907669e844b52c4fa2268d6e3162a70c)
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 6ee66ff7bcc91803111d950512f02651e664f74f)
|
|
|
|
| |
(cherry picked from commit b96ef23e406baa08648339a53b0161fc80de7ce4)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
| |
This version is for the dbus-1.10 branch, and doesn't rely on dbus!153
or dbus!120.
Reproduces: dbus#294
Reproduces: CVE-2020-12049
Reproduces: GHSL-2020-057
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MSG_CTRUNC indicates that we have received fewer fds that we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
[Backport to dbus-1.10: Change signedness of iterator due to
commit ab8cb96e "_dbus_read_socket_with_unix_fds: make n_fds unsigned"
not having been applied to this branch.]
Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each connection that is an active monitor holds a pointer to its own
link in this list, via BusConnectionData.link_in_monitors. We can't
validly free the list while these pointers exist: that would be a
use-after-free, when each connection gets disconnected and tries to
remove itself from the list.
Instead, let each connection remove itself from the list, then assert
that the list has become empty.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of yelp-build use this instead of a jQuery syntax
highlighter.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106171
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Also add it to .gitignore as suggested]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 49ad5b110fd5f5f4e41405d98007a11d8eb741f7)
|
|
|
|
|
|
|
|
| |
Otherwise, distcheck fails when mallard-ducktype is available.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9391d769ae335872e5b770f6741855fde45b8186)
(cherry picked from commit 08e48ca660ad83cf573679d636cb6a23fa5e5454)
|
|
|
|
|
|
|
|
|
| |
Newer versions of yelp-build don't install jquery.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106171
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit bab857fb6f75ffe0ac3771de4b8272ad97623a2c)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
| |
We don't actually complete successful authentication, because that
would require us to generate a cookie and compute the correct SHA1,
which is difficult to do in a deterministic authentication script.
However, we do assert that dbus#269 (CVE-2019-12749) has been fixed.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.
Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.
This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:
* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart
Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
|
|
|
|
|
|
|
| |
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
(cherry picked from commit ddbc44adb2709f6dc248364f02b8b4207ea5a1af)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log.
Detected by AddressSanitizer.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/234
Reviewed-by: pwithnall
|
| |
|
|
|
|
|
|
|
| |
This should avoid them overwriting each other.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit e3fb085886d26aa84a0ce1bfe441244206c87e6f)
|
|
|
|
|
|
|
|
|
|
| |
freedesktop.org Gitlab doesn't currently have enough test runners
available to run all of this every time. For higher-risk changes
(for example those that change the build system) we can run the
complete set through the web UI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a2f416c2896062755c285f2d1fe4a2dc03455aa1)
|
|
|
|
|
|
|
| |
We test the combinations that we don't test on Travis-CI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a6d926b805a1a38567a70490b3e8d7d6c932d1f5)
|
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d0728fd06e5a2302e7596e3df56b68b0a0834fd7)
|
|
|
|
|
|
|
|
|
|
|
|
| |
This uses the same shell scripts as Travis-CI, with slightly different
settings. We use Docker containers for all our Gitlab-CI runs, so take
the opportunity to use Debian 9 'stretch' as our baseline, and
relegate Ubuntu 14.04 'trusty' to to a secondary build.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 60933c09e9e891f74f0102fabe22d29a1a7ae5c5)
|
|
|
|
|
|
|
|
|
|
| |
Travis-CI workers have cmake preinstalled, but Gitlab-CI Docker images
typically don't.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 907832e00849ca454322052981dbb122ea537506)
|
|
|
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 408b222a9fc61327cd7be385b6705f30f0c38802)
|
|
|
|
|
|
|
| |
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit d22e7901b555a0bfb5e06fb2463d839a276c7482)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the debug build, enable features that are off by default. In the
reduced build, explicitly disable features, some of which are
on by default. In the legacy build, check that we can compile the
default feature-set without inotify, dnotify, systemd, etc.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Rebase onto 1.13.x branch, fix minor conflicts]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
(cherry picked from commit 3c031ef5aa1f7f53c6344781cb38b78abe44dc96)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As noted in GLib commit c879f50f, gcc's interpretation of the malloc
attribute has become more strict over time, which could result in
miscompilation. The new definition is that in addition to assuming
that the returned memory block is newly-allocated, gcc now assumes
that it does not contain any valid pointers. This is OK for
uninitialized or zero-initialized memory returned by dbus_malloc()
or dbus_malloc0(), but not valid for dbus_realloc(), which might be
used for a dynamically-sized array of (structures containing)
valid pointers.
See https://gitlab.gnome.org/GNOME/glib/issues/1465
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107741
|
|
|
|
| |
As usual, the next release from this branch will be 1.10.28.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running the "embedded tests" through valgrind revealed that before this
commit, we would have been willing to read up to 3 bytes off the end of
a message if the message is truncated part way through a boolean. Any
practical allocator will round up allocations to the next 32-bit (or
larger) boundary, so in practice this will not leave the memory buffer
(and in particular did not crash during unit testing), but it could read
uninitialized contents.
On little-endian CPUs, an attacker might be able to use this to learn
whether up to 3 bytes of uninitialized memory in the dbus-daemon
were all-zero (their crafted message would be relayed) or not (their
connection would be disconnected for sending an invalid message). On
big-endian CPUs, an attacker might be able to use this to learn whether
up to 3 bytes were all-zeroes (relayed to a cooperating peer), 0-2
bytes of all-zeroes followed by 0x01 (relayed to a cooperating peer),
or something else (disconnected). This is not believed to be exploitable
to leak interesting information.
Fixes: 62e46533 "hardcode dbus_bool_t to 32 bits"
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107332
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit e93a775e68daeda5c95984452aee6327e31c17dd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using strncpy (buffer, str, strlen (str)) is a "code smell" that
might indicate a serious bug (it effectively turns strncpy into
strcpy), and gcc 8 now warns about it. In fact we avoided the bug
here, but it wasn't at all obvious.
We already checked that path_len is less than or equal to
_DBUS_MAX_SUN_PATH_LENGTH, which is 99, chosen to be strictly less
than the POSIX minimum sizeof(sun_path) >= 100, so we couldn't
actually be overflowing the available buffer.
The new static assertion in this commit matches a comment above the
definition of _DBUS_MAX_SUN_PATH_LENGTH: we define
_DBUS_MAX_SUN_PATH_LENGTH to 99, because POSIX says struct
sockaddr_un's sun_path member is at least 100 bytes (including space
for a \0 terminator). dbus will now fail to compile on
platforms that are non-POSIX-compliant in this way, except for Windows.
We zeroed the struct sockaddr_un before writing into it, so stopping
one byte short of the end of sun_path ensures that we get \0
termination.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107350
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit f429631365ba59a1749438af2184cab138a31772)
|
|
|
|
|
|
|
|
|
| |
The foreach(list, (DBusForeachFunction) free, NULL) idiom seems too
entrenched to remove it from stable branches.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107349
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
| |
Reviewed-by: David King <dking@redhat.com>
[smcv: Fix typo in cmake macro name]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
(cherry picked from commit 49ca421997d91d3e01626b2c92a826e6a5db0b2f)
|
|
|
|
|
|
|
|
|
|
| |
This gives us feature parity with the Autotools build system for this
particular area, and in particular means a system dbus-daemon built
with cmake can expand its fd limit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
(cherry picked from commit a146724f2f7610bc0a968d03a3f20481c03a6a37)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Startup ordering was changed in #92832 to ensure that SELinux audit
messages could be sent. As a side effect, the raising of file descriptor
limits was moved to after the dropping of root privileges, resulting in
the limit change always failing.
Move the raise_file_descriptor_limit() call to ensure that it is called
before dropping root privileges.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1529044
[smcv: Call raise_file_descriptor_limit() even if !context->user]
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 6e42964f5f850f4108fd8f7f3cd385ab4d60f9f6)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ed38caa71dd70e3a0b510bc91b81ae272a2d8efb)
|
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c6e79f9113d320679d3c29f83b306cb6e5d81bee)
|