packages/dbus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!52 fix CVE-2022-42010,CVE-2022-42011,CVE-2022-42012

Browse Source 
From: @hongjinghao 
Reviewed-by: @licunlong 
Signed-off-by: @licunlong
This commit is contained in:
openeuler-ci-bot 2022-10-14 06:13:14 +00:00 committed by Gitee
commit d693bb2796
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 247 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
backport-CVE-2022-42010.patch Normal file
View File

@ -0,0 +1,114 @@
From 9d07424e9011e3bbe535e83043d335f3093d2916 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Tue, 13 Sep 2022 15:10:22 +0100
Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
correctly
In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.
In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index 4d492f3f..ae68414d 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
int element_count;
DBusList *element_count_stack;
+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
+ char last_bracket;
result = DBUS_VALID;
element_count_stack = NULL;
@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
while (p != end)
{
+ _dbus_assert (struct_depth + dict_entry_depth >= 0);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
+
switch (*p)
{
case DBUS_TYPE_BYTE:
@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
break;
case DBUS_STRUCT_END_CHAR:
@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
+ {
+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+
_dbus_list_pop_last (&element_count_stack);
struct_depth -= 1;
+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
break;
case DBUS_DICT_ENTRY_BEGIN_CHAR:
@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
break;
case DBUS_DICT_ENTRY_END_CHAR:
@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
goto out;
}
-
+
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
+ {
+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+
dict_entry_depth -= 1;
+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
element_count =
_DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
--
2.33.0

55
backport-CVE-2022-42011.patch Normal file
View File

@ -0,0 +1,55 @@
From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 12 Sep 2022 13:14:18 +0100
Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
fixed-length items
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
dbus/dbus-marshal-validate.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index ae68414d..7d0d6cf7 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
*/
if (dbus_type_is_fixed (array_elem_type))
{
+ /* Note that fixed-size types all have sizes equal to
+ * their alignments, so this is really the item size. */
+ alignment = _dbus_type_get_alignment (array_elem_type);
+ _dbus_assert (alignment == 1 || alignment == 2 ||
+ alignment == 4 || alignment == 8);
+
+ /* Because the alignment is a power of 2, this is
+ * equivalent to: (claimed_len % alignment) != 0,
+ * but avoids slower integer division */
+ if ((claimed_len & (alignment - 1)) != 0)
+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
+
/* bools need to be handled differently, because they can
* have an invalid value
*/
if (array_elem_type == DBUS_TYPE_BOOLEAN)
{
dbus_uint32_t v;
- alignment = _dbus_type_get_alignment (array_elem_type);
while (p < array_end)
{
--
2.33.0

71
backport-CVE-2022-42012.patch Normal file
View File

@ -0,0 +1,71 @@
From 236f16e444e88a984cf12b09225e0f8efa6c5b44 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 30 Sep 2022 13:46:31 +0100
Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
When a D-Bus message includes attached file descriptors, the body of the
message contains unsigned 32-bit indexes pointing into an out-of-band
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
these indexes as "handles" for the associated fds (not to be confused
with a Windows HANDLE, which is a kernel object).
The assertion message removed by this commit is arguably correct up to
a point: fd-passing is only reasonable on a local machine, and no known
operating system allows processes of differing endianness even on a
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
to specify a byte-order that differs from the byte-order of the recipient.
However, this doesn't account for the fact that a malicious sender
doesn't have to restrict itself to only doing things that make sense.
On a system with untrusted local users, a message sender could crash
the system dbus-daemon (a denial of service) by sending a message in
the opposite endianness that contains handles to file descriptors.
Before this commit, if assertions are enabled, attempting to byteswap
a fd index would cleanly crash the message recipient with an assertion
failure. If assertions are disabled, attempting to byteswap a fd index
would silently do nothing without advancing the pointer p, causing the
message's type and the pointer into its contents to go out of sync, which
can result in a subsequent crash (the crash demonstrated by fuzzing was
a use-after-free, but other failure modes might be possible).
In principle we could resolve this by rejecting wrong-endianness messages
from a local sender, but it's actually simpler and less code to treat
wrong-endianness messages as valid and byteswap them.
Thanks: Evgeny Vereshchagin
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Resolves: CVE-2022-42012
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
dbus/dbus-marshal-byteswap.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
index e9de6f02..9dd1246f 100644
--- a/dbus/dbus-marshal-byteswap.c
+++ b/dbus/dbus-marshal-byteswap.c
@@ -62,6 +62,7 @@ byteswap_body_helper (DBusTypeReader *reader,
case DBUS_TYPE_BOOLEAN:
case DBUS_TYPE_INT32:
case DBUS_TYPE_UINT32:
+ case DBUS_TYPE_UNIX_FD:
{
p = _DBUS_ALIGN_ADDRESS (p, 4);
*((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
@@ -192,11 +193,6 @@ byteswap_body_helper (DBusTypeReader *reader,
}
break;
- case DBUS_TYPE_UNIX_FD:
- /* fds can only be passed on a local machine, so byte order must always match */
- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
- break;
-
default:
_dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
break;
--
2.33.0

8
dbus.spec
View File

@ -1,7 +1,7 @@
Name: dbus Name: dbus
Epoch: 1 Epoch: 1
Version: 1.14.0 Version: 1.14.0
Release: 1 Release: 2
Summary: System Message Bus Summary: System Message Bus
License: AFLv3.0 or GPLv2+ License: AFLv3.0 or GPLv2+
URL: http://www.freedesktop.org/Software/dbus/ URL: http://www.freedesktop.org/Software/dbus/
@ -12,6 +12,9 @@ Patch0001: bugfix-let-systemd-restart-dbus-when-the-it-enters-failed.patch
Patch0002: print-load-average-when-activate-service-timeout.patch Patch0002: print-load-average-when-activate-service-timeout.patch
Patch6000: backport-tools-Use-Python3-for-GetAllMatchRules.patch Patch6000: backport-tools-Use-Python3-for-GetAllMatchRules.patch
Patch6001: backport-CVE-2022-42012.patch
Patch6002: backport-CVE-2022-42011.patch
Patch6003: backport-CVE-2022-42010.patch
BuildRequires: systemd-devel expat-devel libselinux-devel audit-libs-devel doxygen xmlto cmake BuildRequires: systemd-devel expat-devel libselinux-devel audit-libs-devel doxygen xmlto cmake
BuildRequires: autoconf-archive libtool libX11-devel libcap-ng-devel libxslt BuildRequires: autoconf-archive libtool libX11-devel libcap-ng-devel libxslt
@ -223,6 +226,9 @@ fi
%exclude %{_pkgdocdir}/README %exclude %{_pkgdocdir}/README
%changelog %changelog
* Fri Oct 14 2022 hongjinghao <hongjinghao@huawei.com> -1:1.14.0-2
- fix CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
* Tue Jun 21 2022 fushanqing <fushanqing@kylinos.cn> - 1:1.14.0-1 * Tue Jun 21 2022 fushanqing <fushanqing@kylinos.cn> - 1:1.14.0-1
- Update to 1.14.0 - Update to 1.14.0