David King
parent
0aedf7ba4a
commit
3fe121c9b6
|
|
@ -0,0 +1,73 @@
|
|||
From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 30 Sep 2022 13:46:31 +0100
|
||||
Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
|
||||
|
||||
When a D-Bus message includes attached file descriptors, the body of the
|
||||
message contains unsigned 32-bit indexes pointing into an out-of-band
|
||||
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
|
||||
these indexes as "handles" for the associated fds (not to be confused
|
||||
with a Windows HANDLE, which is a kernel object).
|
||||
|
||||
The assertion message removed by this commit is arguably correct up to
|
||||
a point: fd-passing is only reasonable on a local machine, and no known
|
||||
operating system allows processes of differing endianness even on a
|
||||
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
|
||||
to specify a byte-order that differs from the byte-order of the recipient.
|
||||
|
||||
However, this doesn't account for the fact that a malicious sender
|
||||
doesn't have to restrict itself to only doing things that make sense.
|
||||
On a system with untrusted local users, a message sender could crash
|
||||
the system dbus-daemon (a denial of service) by sending a message in
|
||||
the opposite endianness that contains handles to file descriptors.
|
||||
|
||||
Before this commit, if assertions are enabled, attempting to byteswap
|
||||
a fd index would cleanly crash the message recipient with an assertion
|
||||
failure. If assertions are disabled, attempting to byteswap a fd index
|
||||
would silently do nothing without advancing the pointer p, causing the
|
||||
message's type and the pointer into its contents to go out of sync, which
|
||||
can result in a subsequent crash (the crash demonstrated by fuzzing was
|
||||
a use-after-free, but other failure modes might be possible).
|
||||
|
||||
In principle we could resolve this by rejecting wrong-endianness messages
|
||||
from a local sender, but it's actually simpler and less code to treat
|
||||
wrong-endianness messages as valid and byteswap them.
|
||||
|
||||
Thanks: Evgeny Vereshchagin
|
||||
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
|
||||
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
|
||||
Resolves: CVE-2022-42012
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
|
||||
(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
|
||||
---
|
||||
dbus/dbus-marshal-byteswap.c | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
|
||||
index 27695aafb..7104e9c63 100644
|
||||
--- a/dbus/dbus-marshal-byteswap.c
|
||||
+++ b/dbus/dbus-marshal-byteswap.c
|
||||
@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader,
|
||||
case DBUS_TYPE_BOOLEAN:
|
||||
case DBUS_TYPE_INT32:
|
||||
case DBUS_TYPE_UINT32:
|
||||
+ case DBUS_TYPE_UNIX_FD:
|
||||
{
|
||||
p = _DBUS_ALIGN_ADDRESS (p, 4);
|
||||
*((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
|
||||
@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader,
|
||||
}
|
||||
break;
|
||||
|
||||
- case DBUS_TYPE_UNIX_FD:
|
||||
- /* fds can only be passed on a local machine, so byte order must always match */
|
||||
- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
|
||||
- break;
|
||||
-
|
||||
default:
|
||||
_dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
|
||||
break;
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
|
@ -47,6 +47,8 @@ Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
|
|||
Patch1: dbus-1.12.20-CVE-2022-42010.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2133641
|
||||
Patch2: dbus-1.12.20-CVE-2022-42011.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2133635
|
||||
Patch3: dbus-1.12.20-CVE-2022-42012.patch
|
||||
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: libtool
|
||||
|
|
@ -455,6 +457,7 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|||
* Tue Oct 18 2022 David King <amigadave@amigadave.com> - 1:1.12.20-7
|
||||
- Fix CVE-2022-42010 (#2133647)
|
||||
- Fix CVE-2022-42011 (#2133641)
|
||||
- Fix CVE-2022-42012 (#2133635)
|
||||
|
||||
* Wed Aug 17 2022 David King <amigadave@amigadave.com> - 1:1.12.20-6
|
||||
- Override upstream sysusers.d confguration (#2118226)
|
||||
|
|
|
|||
Loading…
Reference in New Issue