Add more test cases modify for solving CVE-2020-12049

2020-06-22 11:12:15 +08:00 · 2020-06-22 11:12:15 +08:00 · c30287f43f
commit c30287f43f
parent 8c0bb51290
3 changed files with 119 additions and 1 deletions
--- a/Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
+++ b/Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
@ -0,0 +1,49 @@
 From b96ef23e406baa08648339a53b0161fc80de7ce4 Mon Sep 17 00:00:00 2001
 From: Andy Fiddaman <omnios@citrus-it.co.uk>
 Date: Fri, 12 Jun 2020 12:32:20 +0000
 Subject: [PATCH] Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC
 ---
 dbus/dbus-sysdeps-unix.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
 diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
 index b176dae1..0288dbc9 100644
 --- a/dbus/dbus-sysdeps-unix.c
 +++ b/dbus/dbus-sysdeps-unix.c
@@ -441,13 +441,32 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
             size_t i;
             int *payload = (int *) CMSG_DATA (cm);
             size_t payload_len_bytes = (cm->cmsg_len - CMSG_LEN (0));
 -            size_t payload_len_fds = payload_len_bytes / sizeof (int);
 +            size_t payload_len_fds;
             size_t fds_to_use;
             /* Every unsigned int fits in a size_t without truncation, so
              * casting (size_t) *n_fds is OK */
             _DBUS_STATIC_ASSERT (sizeof (size_t) >= sizeof (unsigned int));
 +            if ((m.msg_flags & MSG_CTRUNC) && CMSG_NXTHDR(&m, cm) == NULL &&
 +              (char *) payload + payload_len_bytes >
 +              (char *) m.msg_control + m.msg_controllen)
 +              {
 +                /* This is the last cmsg in a truncated message and using
 +                 * cmsg_len would apparently overrun the allocated buffer.
 +                 * Some operating systems (illumos and Solaris are known) do
 +                 * not adjust cmsg_len in the last cmsg when truncation occurs.
 +                 * Adjust the payload length here. The calculation for
 +                 * payload_len_fds below will discard any trailing bytes that
 +                 * belong to an incomplete file descriptor - the kernel will
 +                 * have already closed that (at least for illumos and Solaris)
 +                 */
 +                 payload_len_bytes = m.msg_controllen -
 +                   ((char *) payload - (char *) m.msg_control);
 +              }
 +
 +            payload_len_fds = payload_len_bytes / sizeof (int);
 +
             if (_DBUS_LIKELY (payload_len_fds <= (size_t) *n_fds))
               {
                 /* The fds in the payload will fit in our buffer */
 -- 
--- a/dbus.spec
+++ b/dbus.spec
@ -1,7 +1,7 @@
 Name:     dbus
 Epoch:    1
 Version:  1.12.16
-Release:  14
+Release:  15
 Summary:  System Message Bus
 License:  AFLv2.1 or GPLv2+
 URL:      http://www.freedesktop.org/Software/dbus/
@ -10,6 +10,8 @@ Source1:  00-start-message-bus.sh
 # fix CVE-2020-12049
 Patch0000:  sysdeps-unix-On-MSG_CTRUNC-close-the-fds-we-did-rece.patch
 Patch0001:  fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
 Patch0002:  Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
 Patch0010:  bugfix-let-systemd-restart-dbus-when-the-it-enters-failed.patch
@ -218,6 +220,9 @@ make check
 %exclude %{_pkgdocdir}/README
 %changelog
 * Mon Jun 22 2020 shenyangyang <shenyangyang4@huawei.com> - 1:1.12.16-15
 - Add more test cases modify for solving CVE-2020-12049
 * Sat Jun 20 2020 shenyangyang <shenyangyang4@huawei.com> - 1:1.12.16-14
 - Fix CVE-2020-12049
--- a/fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
+++ b/fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
@ -0,0 +1,64 @@
 From 8bc1381819e5a845331650bfa28dacf6d2ac1748 Mon Sep 17 00:00:00 2001
 From: Simon McVittie <smcv@collabora.com>
 Date: Thu, 16 Apr 2020 14:41:48 +0100
 Subject: [PATCH] fdpass test: Assert that we don't leak file descriptors
 This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
 or dbus!120.
 Reproduces: dbus#294
 Reproduces: CVE-2020-12049
 Reproduces: GHSL-2020-057
 Signed-off-by: Simon McVittie <smcv@collabora.com>
 ---
 test/fdpass.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 diff --git a/test/fdpass.c b/test/fdpass.c
 index 4a3edc4e..8bad675f 100644
 --- a/test/fdpass.c
 +++ b/test/fdpass.c
@@ -50,6 +50,14 @@
 #include "test-utils-glib.h"
 +#ifdef DBUS_ENABLE_EMBEDDED_TESTS
 +#include <dbus/dbus-message-internal.h>
 +#else
 +typedef struct _DBusInitialFDs DBusInitialFDs;
 +#define _dbus_check_fdleaks_enter() NULL
 +#define _dbus_check_fdleaks_leave(fds) do {} while (0)
 +#endif
 +
 /* Arbitrary; included here to avoid relying on the default */
 #define MAX_MESSAGE_UNIX_FDS 20
 /* This test won't work on Linux unless this is true. */
@@ -92,6 +100,7 @@ typedef struct {
     GQueue messages;
     int fd_before;
 +    DBusInitialFDs *initial_fds;
 } Fixture;
 static void oom (const gchar *doing) G_GNUC_NORETURN;
@@ -176,6 +185,8 @@ test_connect (Fixture *f,
   if (f->skip)
     return;
 +  f->initial_fds = _dbus_check_fdleaks_enter ();
 +
   g_assert (f->left_server_conn == NULL);
   g_assert (f->right_server_conn == NULL);
@@ -871,6 +882,9 @@ teardown (Fixture *f,
   if (f->fd_before >= 0 && close (f->fd_before) < 0)
     g_error ("%s", g_strerror (errno));
 #endif
 +
 +  if (f->initial_fds != NULL)
 +    _dbus_check_fdleaks_leave (f->initial_fds);
 }
 int
 --