new file mode 100644
@@ -0,0 +1,61 @@
+From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+
+Upstream-Status: Backport from
+[https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414d..7d0d6cf7 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
+ */
+ if (dbus_type_is_fixed (array_elem_type))
+ {
++ /* Note that fixed-size types all have sizes equal to
++ * their alignments, so this is really the item size. */
++ alignment = _dbus_type_get_alignment (array_elem_type);
++ _dbus_assert (alignment == 1 || alignment == 2 ||
++ alignment == 4 || alignment == 8);
++
++ /* Because the alignment is a power of 2, this is
++ * equivalent to: (claimed_len % alignment) != 0,
++ * but avoids slower integer division */
++ if ((claimed_len & (alignment - 1)) != 0)
++ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+ /* bools need to be handled differently, because they can
+ * have an invalid value
+ */
+ if (array_elem_type == DBUS_TYPE_BOOLEAN)
+ {
+ dbus_uint32_t v;
+- alignment = _dbus_type_get_alignment (array_elem_type);
+
+ while (p < array_end)
+ {
+--
+2.34.1
+
@@ -14,6 +14,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
file://tmpdir.patch \
file://dbus-1.init \
file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
+ file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
"
SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
Backport a patch from upstream[1] to fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length inconsistent with element type [1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> --- ...idate-Validate-length-of-arrays-of-f.patch | 61 +++++++++++++++++++ meta/recipes-core/dbus/dbus_1.14.0.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch