authorSimon McVittie <smcv@collabora.com>2022-09-12 13:14:18 +0100
committerUnsung Lee <unsung.lee@samsung.com>2023-02-17 15:33:28 +0900
commit15b41b7b4c8f6c940ed25dc56f920b988c8065b6 (patch)
treef2b8b636c6ab8397ae77492569b2874f534970b3
parent1962bd7b478b21ae054b836f41e944f2a45f6621 (diff)
dbus-marshal-validate: Validate length of arrays of fixed-length items
This fast-path previously did not check that the array was made up of an integer number of items. This could lead to assertion failures and out-of-bounds accesses during subsequent message processing (which assumes that the message has already been validated), particularly after the addition of _dbus_header_remove_unknown_fields(), which makes it more likely that dbus-daemon will apply non-trivial edits to messages. Thanks: Evgeny Vereshchagin Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 Resolves: CVE-2022-42011 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69) (cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984) Signed-off-by: Unsung Lee <unsung.lee@samsung.com> Change-Id: Idfe8cead0721c414f1e6946a5dc0544bad63d42e
-rw-r--r--dbus/dbus-marshal-validate.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index ae68414d..7d0d6cf7 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
*/
if (dbus_type_is_fixed (array_elem_type))
{
+ /* Note that fixed-size types all have sizes equal to
+ * their alignments, so this is really the item size. */
+ alignment = _dbus_type_get_alignment (array_elem_type);
+ _dbus_assert (alignment == 1 || alignment == 2 ||
+ alignment == 4 || alignment == 8);
+
+ /* Because the alignment is a power of 2, this is
+ * equivalent to: (claimed_len % alignment) != 0,
+ * but avoids slower integer division */
+ if ((claimed_len & (alignment - 1)) != 0)
+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
+
/* bools need to be handled differently, because they can
* have an invalid value
*/
if (array_elem_type == DBUS_TYPE_BOOLEAN)
{
dbus_uint32_t v;
- alignment = _dbus_type_get_alignment (array_elem_type);
while (p < array_end)
{