packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
systemd/backport-sd-bus-fix-buffer-overflow.patch

127 lines
4.5 KiB
Diff
Raw Blame History

From 1a4f4051c3f41b7750dbc904bb4768413bc8bd58 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 27 May 2022 04:23:10 +0900
Subject: [PATCH] sd-bus: fix buffer overflow
Fixes #23486.
(cherry picked from commit 89b6a3f13e5f3b8a375dc82cb2a1c2c204a5067e)
(cherry picked from commit a5c4e29b2ca83b0956ea4635e1db7b02ae007d55)
(cherry picked from commit a5b0338e896338774226a3bd8a56f63555c7b9ce)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/1a4f4051c3f41b7750dbc904bb4768413bc8bd58
---
src/libsystemd/sd-bus/bus-message.c | 30 ++++++++++++++----
test/fuzz/fuzz-bus-message/issue-23486-case-1 | Bin 0 -> 32 bytes
test/fuzz/fuzz-bus-message/issue-23486-case-2 | Bin 0 -> 16 bytes
test/fuzz/fuzz-bus-message/issue-23486-case-3 | Bin 0 -> 16 bytes
4 files changed, 23 insertions(+), 7 deletions(-)
create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-1
create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-2
create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-3
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 20f7396c74..d74a351e29 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -428,7 +428,7 @@ int bus_message_from_header(
_cleanup_free_ sd_bus_message *m = NULL;
struct bus_header *h;
- size_t a, label_sz;
+ size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */
assert(bus);
assert(header || header_accessible <= 0);
@@ -506,7 +506,10 @@ int bus_message_from_header(
m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size);
m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size);
- if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size)
+ assert(message_size >= sizeof(struct bus_header));
+ if (m->fields_size > message_size - sizeof(struct bus_header) ||
+ ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) ||
+ m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size))
return -EBADMSG;
}
@@ -3062,15 +3065,21 @@ void bus_body_part_unmap(struct bus_body_part *part) {
return;
}
-static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
+static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
size_t k, start, end;
assert(rindex);
assert(align > 0);
- start = ALIGN_TO((size_t) *rindex, align);
- end = start + nbytes;
+ start = ALIGN_TO(*rindex, align);
+ if (start > sz)
+ return -EBADMSG;
+
+ /* Avoid overflow below */
+ if (nbytes > SIZE_MAX - start)
+ return -EBADMSG;
+ end = start + nbytes;
if (end > sz)
return -EBADMSG;
@@ -3273,10 +3282,17 @@ static int message_peek_body(
assert(rindex);
assert(align > 0);
- start = ALIGN_TO((size_t) *rindex, align);
+ start = ALIGN_TO(*rindex, align);
+ if (start > m->user_body_size)
+ return -EBADMSG;
+
padding = start - *rindex;
- end = start + nbytes;
+ /* Avoid overflow below */
+ if (nbytes > SIZE_MAX - start)
+ return -EBADMSG;
+
+ end = start + nbytes;
if (end > m->user_body_size)
return -EBADMSG;
diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-1 b/test/fuzz/fuzz-bus-message/issue-23486-case-1
new file mode 100644
index 0000000000000000000000000000000000000000..fe8338b42ba6af6c080aa92aa619e05a6e6e1cc8
GIT binary patch
literal 32
gcmd1dVrFCj0xbpQd;uUW!<wI;RGG=}=RX7h0Ak|{p8x;=
literal 0
HcmV?d00001
diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-2 b/test/fuzz/fuzz-bus-message/issue-23486-case-2
new file mode 100644
index 0000000000000000000000000000000000000000..179124461333198e95e94ac045c3e333bb2063c6
GIT binary patch
literal 16
Rcmc~{{?Ewp9|{;47ywYf31|QS
literal 0
HcmV?d00001
diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-3 b/test/fuzz/fuzz-bus-message/issue-23486-case-3
new file mode 100644
index 0000000000000000000000000000000000000000..cff8b38037a67c92b0bf5295fbf7dd53378f2d76
GIT binary patch
literal 16
Wcmc~{y3fb}1Sc6&82<hL{~rJ)#s+u*
literal 0
HcmV?d00001
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink