gdbusconnection: Prevent sending a serial of zero on overflow
Backport a patch that prevents sending an invalid D-Bus message with a serial of zero when the message serial counter overflows. Instead of wrapping to 0, the serial now wraps to 1, avoiding the issue.
Upstream fix: b94b44407a.patch
Resolves: RHEL-114086
This commit was backported by Jotnar, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Jotnar
parent 354bed5efc
commit 83c6c9dcd0
70
RHEL-114086.patch
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
From f3eecc88f4f45b128c963d695a61b230d2665db5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Philip Withnall <pwithnall@gnome.org>
|
||||||
|
Date: Mon, 3 Feb 2025 18:27:21 +0000
|
||||||
|
Subject: [PATCH] gdbusconnection: Prevent sending a serial of zero on overflow
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
It finally happened: someone managed to keep a process alive long
|
||||||
|
enough, and using a single `GDBusConnection`, to overflow the
|
||||||
|
`last_serial` counter in the connection and send an invalid message with
|
||||||
|
serial of zero (which is disallowed by the D-Bus specification).
|
||||||
|
|
||||||
|
Avoid that happening in future by skipping serials of zero on overflow,
|
||||||
|
and wrapping straight back around to 1.
|
||||||
|
|
||||||
|
This looks a little more confusing than it is, because `last_serial` is
|
||||||
|
pre-incremented on use, so to skip zero, we explicitly set it to zero.
|
||||||
|
This is exactly what happens when the `GDBusConnection` is initialised
|
||||||
|
anyway.
|
||||||
|
|
||||||
|
I can’t think of a way to add a unit test for this — there is no way to
|
||||||
|
affect the value of `last_serial` except by sending messages (each one
|
||||||
|
increments it), and in order to get it to overflow by sending messages
|
||||||
|
at 1kHz, the test would have to run for 49 days.
|
||||||
|
|
||||||
|
Instead, I tested this manually by temporarily modifying
|
||||||
|
`GDBusConnection` to initialise `last_serial` to `G_MAXUINT32 - 3`, then
|
||||||
|
checked that the unit tests all still passed, and that the overflow code
|
||||||
|
was being executed.
|
||||||
|
|
||||||
|
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
|
||||||
|
|
||||||
|
Fixes: #3592
|
||||||
|
---
|
||||||
|
gio/gdbusconnection.c | 17 +++++++++++++++--
|
||||||
|
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
|
||||||
|
index b4cdc7e..45d7861 100644
|
||||||
|
--- a/gio/gdbusconnection.c
|
||||||
|
+++ b/gio/gdbusconnection.c
|
||||||
|
@@ -1790,9 +1790,22 @@ g_dbus_connection_send_message_unlocked (GDBusConnection *connection,
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
if (flags & G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL)
|
||||||
|
- serial_to_use = g_dbus_message_get_serial (message);
|
||||||
|
+ {
|
||||||
|
+ serial_to_use = g_dbus_message_get_serial (message);
|
||||||
|
+ }
|
||||||
|
else
|
||||||
|
- serial_to_use = ++connection->last_serial; /* TODO: handle overflow */
|
||||||
|
+ {
|
||||||
|
+ /* The serial_to_use must not be zero, as per
|
||||||
|
+ * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages. */
|
||||||
|
+ if (connection->last_serial == G_MAXUINT32)
|
||||||
|
+ connection->last_serial = 1;
|
||||||
|
+ else
|
||||||
|
+ connection->last_serial++;
|
||||||
|
+
|
||||||
|
+ serial_to_use = connection->last_serial;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ g_assert (serial_to_use != 0);
|
||||||
|
|
||||||
|
switch (blob[0])
|
||||||
|
{
|
||||||
|
--
|
||||||
|
2.47.3
|
||||||
|
|
||||||
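Review bot: The `g_assert (serial_to_use != 0);` added after the if/else also covers the `G_DBUS_SEND_MESSAGE_FLAGS_PRESERVE_SERIAL` branch, where the serial comes from `g_dbus_message_get_serial (message)` and is therefore caller-supplied, so a message with serial 0 sent with that flag aborts the process instead of being rejected. Consider moving the assertion inside the `else` block, where it documents the wrap logic, and handling a zero preserved serial with an error return (the context shows a `goto out;` path just above). Separately, the patch description says `last_serial` is pre-incremented and explicitly set to zero in order to skip zero, while the hunk assigns `connection->last_serial = 1` and uses the value directly; the description should match the code.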
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: glib2
|
Name: glib2
|
||||||
Version: 2.56.4
|
Version: 2.56.4
|
||||||
Release: 166%{?dist}
|
Release: 167%{?dist}
|
||||||
Summary: A library of handy utility functions
|
Summary: A library of handy utility functions
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -147,6 +147,9 @@ Patch29: CVE-2024-34397.patch
|
|||||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356
|
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4356
|
||||||
Patch30: gdatetime-test.patch
|
Patch30: gdatetime-test.patch
|
||||||
|
|
||||||
|
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4470
|
||||||
|
Patch31: RHEL-114086.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
GLib is the low-level core library that forms the basis for projects
|
GLib is the low-level core library that forms the basis for projects
|
||||||
such as GTK+ and GNOME. It provides data structure handling for C,
|
such as GTK+ and GNOME. It provides data structure handling for C,
|
||||||
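Review bot: The comment above `Patch31: RHEL-114086.patch` cites only merge request 4470, while the commit message names the upstream fix as b94b44407a and the patch file's `From` line carries f3eecc88f4f45b128c963d695a61b230d2665db5. Adding the upstream commit id to the spec comment would let a later maintainer confirm which change was backported without opening the merge request.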
@ -344,6 +347,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
|
|||||||
%{_datadir}/installed-tests
|
%{_datadir}/installed-tests
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 17 2025 RHEL Packaging Agent <jotnar@redhat.com> - 2.56.4-167
|
||||||
|
- gdbusconnection: Prevent sending a serial of zero on overflow
|
||||||
|
- Resolves: RHEL-114086
|
||||||
|
|
||||||
* Fri Jul 11 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.4-166
|
* Fri Jul 11 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.4-166
|
||||||
- Add patches for CVE-2024-34397, CVE-2024-52533, CVE-2025-4373
|
- Add patches for CVE-2024-34397, CVE-2024-52533, CVE-2025-4373
|
||||||
- Update GDateTime test for new tzdata
|
- Update GDateTime test for new tzdata
|
||||||
|
|||||||