| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This ensures that our rlimit is actually high enough to avoid the
denial of service described in CVE-2014-3636 part A.
CVE-2014-7824 has been allocated for this incomplete fix.
Restore the original rlimit for activated services, to avoid
them getting undesired higher limits.
(Thanks to Alban Crequy for various adjustments which have been
included in this commit.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Conflicts:
dbus/dbus-sysdeps-util-unix.c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This addresses CVE-2014-3635.
If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero,
then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int)
because the SPACE includes padding to a size_t boundary, whereas the LEN
does not. We have to allocate the SPACE. Previously, we told the kernel
that the buffer size we wanted was the SPACE, not the LEN, which meant
it was free to fill the padding with additional fds: on a 64-bit
platform with 32-bit int, that's one extra fd, if *n_fds happens
to be odd.
This meant that a malicious sender could send exactly 1 fd too many,
which would make us fail an assertion if enabled, or overrun a buffer
by 1 fd otherwise.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
(cherry picked from commit ee11ec12566afda5dee8a3a834274421a20661de)
|
|
|
|
|
|
|
|
|
|
| |
This means we can use _DBUS_STATIC_ASSERT at non-global scope without
tripping -Wunused-local-typedefs.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83767
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
(cherry picked from commit 0e3d08d45cb9a9ceb2c077875eeb38306dad37b8)
(cherry picked from commit f70c0e98c5cc6eaae4727d14c389e2504e79e694)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is one of four commits needed to address CVE-2014-3637.
The bus uses _dbus_connection_set_pending_fds_function and
_dbus_connection_get_pending_fds_count to be notified when there are pending
file descriptors. A timeout per connection is armed and disarmed when the file
descriptor list is used and emptied.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit e0c9d31be3b9eea9ee2a3a255bc2cf9aad713642)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to be notified whenever a file descriptor is added or
removed from a DBusConnection's DBusMessageLoader.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 8021fd84267ee1394d96f4a119adb57de3971a62)
Conflicts:
dbus/dbus-message.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to know whether there are pending file descriptors in a
DBusConnection's DBusMessageLoader.
https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[fix compilation on platforms that do not HAVE_UNIX_FD_PASSING -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 995734750cea65012537748ee56488c707d2f027)
Conflicts:
dbus/dbus-message.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is one of four commits needed to address CVE-2014-3637.
When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.
This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit bbf11cd5f92064c7c8af61ad4d9ff41f3a039abc)
Conflicts:
cmake/bus/dbus-daemon.xml
|
|
|
|
|
|
|
|
|
|
| |
This addresses the parts of CVE-2014-3639 not already addressed by
reducing the default authentication timeout.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 8ad179a8dad789fc6a5402780044bc0ec3d41115)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This partially addresses CVE-2014-3639.
This will change the default on the system bus where the limit
<limit name="auth_timeout">...</limit>
is not specified.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.
This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Conflicts:
cmake/bus/dbus-daemon.xml
|
|
|
|
|
|
|
|
| |
This addresses CVE-2014-3638.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 5bc7f9519ebc6117ba300c704794b36b87c2194b)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
applications. A malicious client could use this to force a victim system
service to be disconnected from the system bus; the victim would likely
respond by exiting. This is a denial of service (fd.o #80163,
CVE-2014-3532).
This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
the connection.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
Reviewed-by: Thiago Macieira <thiago@kde.org>
[altered commit message to explain DoS significance -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were two bugs here: we would previously overwrite the unused
fds with the already-used fds instead of the other way round, and
we would copy n bytes where we should have copied n ints.
Additionally, sending crafted messages in a chosen sequence to a victim
system service could cause an invalid file descriptor to be present
when dbus-daemon tries to forward one of those crafted messages to the
victim, causing sendmsg() to fail with EBADF, which resulted in
disconnecting the victim service, which would likely respond to that
by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How it should work:
When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.
However, it does not work as expected:
1. The error message is delivered to the service instead of being delivered to
the sender. As an example, the error message could be something like:
An SELinux policy prevents this sender from sending this
message to this recipient, [...] member="MaliciousMethod"
If the sender and the service are malicious confederates and agree on a
protocol to insert information in the member name, the sender can leak
information to the service, even though the LSM attempted to block the
communication between the sender and the service.
2. The error message is delivered as a reply to the RequestName call from
service. It means the activated service will believe it cannot request the
name and might exit. The sender could activate the service frequently and
systemd will give up activating it. Thus the denial of service.
The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
(and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
is pre-allocated to be delivered to the client as part of the transaction.
The error is not propagated to the caller so RequestName will not fail
(except on OOM).
[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Radoslaw Pajak <r.pajak@samsung.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71526
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In code that looks like n[i] = v(&i), where v increments i, C leaves it
undefined whether the old or new value of i is used to locate n[i].
As it happens, gcc used the pre-increment value of i, but MSVC
used the post-increment value.
Fix this by inserting a sequence point to disambiguate the intended order.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69924
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[wrote commit message, fixed whitespace -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |
|
| |
|
|
|
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=70799
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Reviewed-by: Ryan Lortie <desrt@desrt.ca>
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69409
|
|
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69327
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
| |
It was reported that accept4() will return -1 with errrno is EINVAL on
arm platform, so check EINVAL for accept4() and retry accept().
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69026
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
|
|
| |
If SOCK_CLOEXEC is defined (usually because accept4 is implemented),
check for EPROTOTYPE (the POSIX errno for invalid socket types) in
addition to EINVAL as errno indicating whether socket and socketpair
do not support SOCK_CLOEXEC (and other SOCK_* flags).
[adapted by Chengwei Yang to give _dbus_connect_exec() the same treatment]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69073
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
| |
As the same as _dbus_open_socket() and _dbus_full_duplex_pipe(),
socketpair() may fail with EINVAL if call with SOCK_CLOEXEC.
Check for the failure and retry without SOCK_CLOEXEC, in addition, only
call _dbus_fd_set_close_on_exec() if the socketpair failure happened.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69073
[trivial coding style fixes -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
|
| |
The function dbus_connection_set_route_peer_messages() take a bool
argument, however, in the implementation, it always hard-code to TRUE
rather than take its bool argument.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69165
[amended commit message -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
| |
Fix a file descriptor not being closed when an error codepath is taken.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69182
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
[more specific commit message -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If waitpid() failed with EINTR, we'd go back for another go, but
because ret is nonzero, we'd skip the waitpid() and just keep looping.
Also avoid an unnecessary "goto" in favour of a proper loop, to make it
more clearly correct.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68945
Reviewed-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=66493
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 0928169cf80bf767f7246ecaa52cc01e198bb15a)
|
|
|
|
|
|
|
|
| |
This makes the regression tests OK to run in parallel.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68852
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
(cherry picked from commit 9d80d46a794e0770494aa517d1b94e7e6ea9e21d)
|
| |
|
|
|
|
|
|
|
|
|
| |
This test was failing on s390; though it could fail
on other platforms too. Basically we need to be sure
we're passing at least word-aligned buffers to the
demarshalling code. malloc() will do that for us.
https://bugs.freedesktop.org/show_bug.cgi?id=67279
|
| |
|
| |
|
|
|
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=53499
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a byte in DBusString *unescaped isn't a ascii byte, which will be
cast to char (signed char on most of platform), so that's the issue
unsigned char cast to signed char. e.g. "\303\266" is a valid unicode
character, if everything goes right, it will be escaped to "%c3%b6".
However, in fact, it escaped to "%<garbage-byte>3%<garbage-byte>6".
_dbus_string_append_byte_as_hex() take an int parameter, so negative
byte is valid, but cause get a negative index in array. So garbage value
will get. e.g. '\303' --> hexdigits[((signed byte)(-61)) >> 4] is
hexdigits[-4].
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=53499
Sgne-off-by: Chengwei Yang <chengwei.yang@intel.com>
[fixed whitespace -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|