diff mbox series

[kirkstone,02/35] dbus: fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length inconsistent with element type

Message ID 5d96a3c244388623d87a2999dafaa25d0bd216b6.1668952942.git.steve@sakoman.com
State New
Series [kirkstone,01/35] dbus: fix CVE-2022-42010 Check brackets in signature nest correctly

Commit Message

Steve Sakoman Nov. 20, 2022, 2:14 p.m. UTC
From: Xiangyu Chen <xiangyu.chen@eng.windriver.com>

Backport a patch from upstream [1] to fix CVE-2022-42011: dbus-daemon can be crashed by messages with array length inconsistent with element type.
[1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984

Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...idate-Validate-length-of-arrays-of-f.patch | 61 +++++++++++++++++++
 meta/recipes-core/dbus/dbus_1.14.0.bb         |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch

Patch

diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
new file mode 100644
index 0000000000..f953326f78
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
@@ -0,0 +1,61 @@ 
+From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+
+Upstream-Status: Backport from
+[https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414d..7d0d6cf7 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
+                  */ 
+                 if (dbus_type_is_fixed (array_elem_type))
+                   {
++                    /* Note that fixed-size types all have sizes equal to
++                     * their alignments, so this is really the item size. */
++                    alignment = _dbus_type_get_alignment (array_elem_type);
++                    _dbus_assert (alignment == 1 || alignment == 2 ||
++                                  alignment == 4 || alignment == 8);
++
++                    /* Because the alignment is a power of 2, this is
++                     * equivalent to: (claimed_len % alignment) != 0,
++                     * but avoids slower integer division */
++                    if ((claimed_len & (alignment - 1)) != 0)
++                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+                     /* bools need to be handled differently, because they can
+                      * have an invalid value
+                      */
+                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
+                       {
+                         dbus_uint32_t v;
+-                        alignment = _dbus_type_get_alignment (array_elem_type);
+ 
+                         while (p < array_end)
+                           {
+-- 
+2.34.1
+
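Review bot: The header of the new patch file (the block around `Upstream-Status:` and the two `Resolves:` lines) has no `CVE: CVE-2022-42011` tag, which is what OE-Core's cve-check scans patch files for when deciding that a CVE is patched; `Resolves: CVE-2022-42011` is upstream's wording and is not recognised, and the file name `0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch` does not carry the CVE id either, so please add `CVE: CVE-2022-42011` next to `Upstream-Status`. On the same lines, OE convention keeps the status on one line, `Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]`, rather than splitting "Backport from" and the bracketed URL across two lines. The code change itself looks consistent: `alignment` is now computed before the `DBUS_TYPE_BOOLEAN` branch and the old assignment inside that branch is dropped, and the `claimed_len & (alignment - 1)` test is valid only because the preceding `_dbus_assert` restricts `alignment` to 1, 2, 4 or 8.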
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.0.bb
index 4577da782c..e1efa9e058 100644
--- a/meta/recipes-core/dbus/dbus_1.14.0.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.0.bb
@@ -14,6 +14,7 @@  SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
            file://tmpdir.patch \
            file://dbus-1.init \
            file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
+           file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
 "
 
 SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
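Review bot: The SRC_URI addition is placed correctly after the CVE-2022-42010 patch from 01/35, but since neither the recipe nor the new file name mentions CVE-2022-42011, it is worth confirming with `bitbake dbus -c cve_check` that the CVE is reported as patched once the patch header carries the tag cve-check looks for; otherwise the recipe will keep showing the CVE as unpatched even though the fix is applied.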