summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2023-10-05bus: Assign a serial number for messages from the driveraccepted/tizen/unified/dev/20240620.010635accepted/tizen/unified/20231011.153130hongjinghao3-1/+27
Normally, it's enough to rely on a message being given a serial number by the DBusConnection just before it is actually sent. However, in the rare case where the policy blocks the driver from sending a message (due to a deny rule or the outgoing message quota being full), we need to get a valid serial number sooner, so that we can copy it into the DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error message sent to monitors. Otherwise, the dbus-daemon will crash with an assertion failure if at least one Monitoring client is attached, because zero is not a valid serial number to copy. This fixes a denial-of-service vulnerability: if a privileged user is monitoring the well-known system bus using a Monitoring client like dbus-monitor or `busctl monitor`, then an unprivileged user can cause denial-of-service by triggering this crash. A mitigation for this vulnerability is to avoid attaching Monitoring clients to the system bus when they are not needed. If there are no Monitoring clients, then the vulnerable code is not reached. Co-authored-by: Simon McVittie <smcv@collabora.com> Resolves: dbus/dbus#457 (cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534) [ cherry picked to tizen branch, fixes CVE-2023-34969 ] Change-Id: Iee520329acc1d4a93d3a873a5fded056cb293d5b Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
2023-02-17dbus-marshal-byteswap: Byte-swap Unix fd indexes if neededtizen_8.0_m2_releaseaccepted/tizen/unified/20230222.161457accepted/tizen/8.0/unified/20231005.094746accepted/tizen_8.0_unifiedSimon McVittie1-5/+1
When a D-Bus message includes attached file descriptors, the body of the message contains unsigned 32-bit indexes pointing into an out-of-band array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to these indexes as "handles" for the associated fds (not to be confused with a Windows HANDLE, which is a kernel object). The assertion message removed by this commit is arguably correct up to a point: fd-passing is only reasonable on a local machine, and no known operating system allows processes of differing endianness even on a multi-endian ARM or PowerPC CPU, so it makes little sense for the sender to specify a byte-order that differs from the byte-order of the recipient. However, this doesn't account for the fact that a malicious sender doesn't have to restrict itself to only doing things that make sense. On a system with untrusted local users, a message sender could crash the system dbus-daemon (a denial of service) by sending a message in the opposite endianness that contains handles to file descriptors. Before this commit, if assertions are enabled, attempting to byteswap a fd index would cleanly crash the message recipient with an assertion failure. If assertions are disabled, attempting to byteswap a fd index would silently do nothing without advancing the pointer p, causing the message's type and the pointer into its contents to go out of sync, which can result in a subsequent crash (the crash demonstrated by fuzzing was a use-after-free, but other failure modes might be possible). In principle we could resolve this by rejecting wrong-endianness messages from a local sender, but it's actually simpler and less code to treat wrong-endianness messages as valid and byteswap them. Thanks: Evgeny Vereshchagin Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 Resolves: CVE-2022-42012 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44) (cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946) Signed-off-by: Unsung Lee <unsung.lee@samsung.com> Change-Id: Ib67fd7a9ba07cadbd1d223c6596a399c2ae94553
2023-02-17dbus-marshal-validate: Validate length of arrays of fixed-length itemsSimon McVittie1-1/+12
This fast-path previously did not check that the array was made up of an integer number of items. This could lead to assertion failures and out-of-bounds accesses during subsequent message processing (which assumes that the message has already been validated), particularly after the addition of _dbus_header_remove_unknown_fields(), which makes it more likely that dbus-daemon will apply non-trivial edits to messages. Thanks: Evgeny Vereshchagin Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 Resolves: CVE-2022-42011 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69) (cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984) Signed-off-by: Unsung Lee <unsung.lee@samsung.com> Change-Id: Idfe8cead0721c414f1e6946a5dc0544bad63d42e
2023-02-17dbus-marshal-validate: Check brackets in signature nest correctlySimon McVittie1-1/+37
In debug builds with assertions enabled, a signature with incorrectly nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result in an assertion failure. In production builds without assertions enabled, a signature with incorrectly nested `()` and `{}` could potentially result in a crash or incorrect message parsing, although we do not have a concrete example of either of these failure modes. Thanks: Evgeny Vereshchagin Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 Resolves: CVE-2022-42010 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916) (cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d) Change-Id: I0b3f37401dd6e0a0e8a9004e5a85e166b68db810 Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
2022-07-21dbus: fix 64-bit compiler warningstizen_7.0_m2_releasesubmit/tizen/20220721.133433accepted/tizen/unified/20220722.031020accepted/tizen/7.0/unified/hotfix/20221116.110704accepted/tizen/7.0/unified/20221110.061519tizen_7.0_hotfixaccepted/tizen_7.0_unified_hotfixGaurav Gupta2-6/+6
Fix 64-bit compiler warnings. Change-Id: I799a07c197a95d80a4fb33998ca113533ac4a54e Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
2022-04-29bus/policy: separate prefix rules in default contextsubmit/tizen/20220525.001052submit/tizen/20220502.052537accepted/tizen/unified/20220526.144439Adrian Szyndela1-57/+95
To handle prefix rules stored with all other rules in the default context we need to match each prefix of each name against policy rules. That's because names are looked up in the hash tables, so we can miss a prefix rule for a prefix of the name. However, if prefix rules are separated from non-prefix rules, we can simply check them all once for each name, and also check hash tables once for each name. This is what this commit changes. It separates prefix rules from non-prefix rules, and handles them in sequence. This gives a little boost, especially if there are no prefix rules. Change-Id: Ifade906d35af96a973920ce9c2f6065f5b9b549e
2022-03-29bus/policy: fix obvious mistake send->receiveAdrian Szyndela1-1/+1
Fortunately, the bit fields are at the exact same position, in the union, so it worked so far... Change-Id: Iaad9589dfc0f4f7e6a0f4ef4767a600f4cf2f54a
2021-12-08GVariant: reuse existing init functionAdrian Szyndela1-2/+2
Reuse existing reader initialization function instead of inventing new code for the same purpose. Change-Id: If9cee9c565134c774c1f0efc0aaef661fde28f6c
2021-11-05GVariant: fix dbus_message_copy()submit/tizen/20211115.094939submit/tizen/20211110.015122accepted/tizen/unified/20211116.130508Adrian Szyndela3-8/+160
dbus_message_copy() did not take into account differences between locked and unlocked GVariant messages. This commit adds support for converting from locked to unlocked GVariant message when a copy is made. Additionally: - it fixes initialization of the read iterator for unlocked messages; - locking or warning on such initialization is no longer needed. Change-Id: I4d316e1b1ae4e9af194ddc329833147c8c6a8055
2021-10-15Minor fix for the license of tests packagesubmit/tizen_base/20211104.091630submit/tizen/20211104.092607submit/tizen/20211103.072537accepted/tizen/unified/20211108.181413Hyotaek Shim1-3/+2
Change-Id: I35bc2c2df48fbfdf35a9c275825d7faaf5255547 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2021-10-15Clarify license declarationHyotaek Shim3-1074/+246
Tizen uses D-Bus under the Academic Free License version 2.1 by default. For the avoidance of doubt, except that if any license choice other than GPL or LGPL is available it will apply instead, Tizen elects to use only the GPL version 2 for any process, program, modules, etc., where the license of it is GPL version 2 or later version. Change-Id: I2096cf4fa1947be8b18414b51af27b1ac9fc02b0 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2021-10-01kdbus: add memfd_create() syscall number for aarch64submit/tizen/20211001.142833Adrian Szyndela1-2/+6
Citing Lukasz Stelmach <l.stelmach@samsung.com>: > The number of the memfd_syscall() on arm64 is the same as on arm only > for 32-bit processes. 64-bit process must use the number defined in the > asm-generic/unistd.h kernel header. Additionally, made other numbers same as in glib. Change-Id: Ibb038d5d0de13f8a7b88051364564c541ca0fa9a
2021-09-16Remove dbus.conf when installing extension-kdbustizen_6.5.m2_releasesubmit/tizen_6.5/20211028.163301submit/tizen/20210916.015938submit/tizen/20210916.013904accepted/tizen/unified/20210916.023815accepted/tizen/6.5/unified/20211028.225808Youngjae Cho1-0/+1
Prevent system reboot by resourced vip due to absence of dbus-deamon when dbus-libs-extension-kdbus package had been installed. Change-Id: I5264b9e87f04f5a1e55abe401a62c6afccef78e4 Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
2021-09-13dbus: add vip configurationsubmit/tizen/20210913.042525accepted/tizen/unified/20210914.084929Youngjae Cho2-0/+31
Change-Id: I02c9d76cce2f1587add8ad6a48551cf67b3dbe73 Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
2021-05-17dbus-daemon: send signals on connection overflowsubmit/tizen/20210524.120505accepted/tizen/unified/20210531.130419Adrian Szyndela3-2/+50
Change-Id: I4f0e78fe9ad8c63da7256f2dadae2029eb534004
2021-05-14bus: add ConnectionOverflow signal APIAdrian Szyndela3-0/+69
Change-Id: Iea17de732637ea990944cb63d1ef7a1a4bc4b1b8
2021-05-14dbus: prepare API for checking transport overflowAdrian Szyndela6-2/+24
Add API for checking transport overflow and implementation of transport overflow indicator for socket transport. Other transports always show "no overflow" for now. Change-Id: I5169403c4548bdaeb9b08e909a45f9299e146e5d
2020-12-23Fix build errors for --disable-cynarasubmit/tizen/20201223.062745accepted/tizen/unified/20201224.151524Hyotaek Shim1-1/+1
Change-Id: I20b221b16212f4b0cdb83eca52c0a37048ce7ed7 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2020-11-17Revert "Add Requires=local-fs.target and After=local-fs.target to dbus.service"submit/tizen/20201117.100830accepted/tizen/unified/20201118.123917Hyotaek Shim1-2/+1
This reverts commit a346f90f4a8d8f07a17f67ac2a240f78e26bf433. Change-Id: I819f1bc03da7a137feda66938502cc7f357275dd
2020-11-04Merge "Merge '1.12.20' into tizen" into tizenHyotaek Shim15-65/+272
2020-10-08Add Requires=local-fs.target and After=local-fs.target to dbus.servicesubmit/tizen/20201104.052319accepted/tizen/unified/20201105.124409INSUN PYO1-1/+2
Those dependencies prevent dbus.service from running in emergency mode, because local-fs.target always fails in emergency mode. Change-Id: Id5c13ce5eca21ae5cdcbacfa842a365eb7fc766b
2020-09-28Merge '1.12.20' into tizenAdrian Szyndela15-65/+272
Change-Id: I69124bb712d62976218715a4d88db6196397a0fb
2020-09-28Bump to 1.12.20upgrade-to-1.12.20Adrian Szyndela1-1/+1
Change-Id: Ic0987a6ccdd46539d62483481361e7efdcf03444
2020-09-25Merge 'dbus-1.12.20' into tizenAdrian Szyndela14-64/+271
dbus-1.12.20 Change-Id: I8b3a9e851dca1d42a5785fa94c97f5e9074cac35
2020-09-25BUS_RESULT: fix missed changes of TRUE/FALSE to BUS_RESULTtizen_6.0.m2_releasesubmit/tizen_6.0_hotfix/20201103.115101submit/tizen_6.0_hotfix/20201102.192901submit/tizen_6.0/20201029.205501submit/tizen/20200925.142828accepted/tizen/unified/20200928.072833accepted/tizen/6.0/unified/hotfix/20201103.000322tizen_6.0_hotfixaccepted/tizen_6.0_unified_hotfixAdrian Szyndela3-8/+8
The Tizen's branch code that added Cynara integration had changed return types in some functions from dbus_bool_t to BusResult. The code from upstream master branch uses dbus_bool_t. While merging recent changes from the upstream, there were some parts that were merged without changing TRUE/FALSE to BUS_RESULT_* or with checking conditions as bool values instead of checking the enum. The above, and the fact that TRUE==1, FALSE==0, BUS_RESULT_TRUE==0, BUS_RESULT_FALSE==1 has led to aborting on asserts, when enabled. This could also lead to issues with activation. This commit fixes the TRUE/FALSE handling where needed. Change-Id: I6cbf1aa0b43699464c9214b50fd8bb23a84709e8
2020-09-25policy: take proper eavesdropping value in verbose modeAdrian Szyndela1-1/+1
Change-Id: I5a5893d56c1d4fd98d3dc807319c73c9791dff6a
2020-09-21bus/connection: don't check cmdline in session dbus-daemonsubmit/tizen/20200921.022732accepted/tizen/unified/20200922.090815Adrian Szyndela1-2/+20
Session dbus-daemon may have no rights to look into cmdline in /proc. In such cases logs are cluttered with access denied. This commit disables checking cmdline for session dbus-daemon. (Before) May 21 08:13:06 localhost dbus-daemon[676]: [session uid=5001 pid=676] Rejected send message, 1 matched rules; type="method_call", send er=":1.33" (uid=5001 pid=1090 comm="/usr/apps/org.tizen.multi-assistant-service/bin/or" label="User::Pkg::org.tizen.multi-assistant-ser vice") interface="org.freedesktop.DBus" member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus " privilege="(n/a)" (bus) rule(<deny send_type="method_call" />) (After) May 21 08:21:55 localhost dbus-daemon[678]: [session uid=5001 pid=678] Rejected send message, 1 matched rules; type="method_call", send er=":1.33" (uid=5001 pid=1110 comm="<not-read>" label="User::Pkg::org.tizen.multi-assistant-service") interface="org.freedesktop.DBus" member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" privilege="(n/a)" (bus) rule(<deny sen d_type="method_call" />) Change-Id: I15c3b9b2a5675546b6adb3b1521e790088bd8f85 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2020-09-17bus: initialize can_send_resultsubmit/tizen/20200918.070747Adrian Szyndela1-1/+1
can_send_result may be uninitialized for cases with no send_policy. Change-Id: I0f490c3c6920df525f5583b421162f7f33b8cb68
2020-09-17check: remove 'return sth' from void functionAdrian Szyndela1-1/+1
Change-Id: I362319c7de7ac38f68595202efe8fb2b3c5a3389
2020-09-15cynara integration: check policy right away for both send and receiveAdrian Szyndela7-113/+96
Check policy at moments, when sender is still present, so the policy can be checked for both sender and receiver. This way only potential waiting for cynara check is left with no need to access any connection data. Change-Id: I6544740c6e31dee286261fe3cddb3f692c669c4d
2020-09-15cynara integration: create deferred message only when it's not already createdAdrian Szyndela1-8/+18
This will allow altering existing deferred messages, enabling concurrent asynchronous cynara checks for SEND and RECEIVE. Change-Id: I1f31c173e4229661bca9f14ecaa158ee67342db4
2020-09-15cynara integration: initialize deferred_messagesAdrian Szyndela4-8/+8
Initialize deferred messages in order to be able to alter them on concurrent Cynara calls. This way we'll be able to run both asynchronous requests for SEND and RECEIVE, if needed. Change-Id: I060969ad5645c6a1d72f1c91edb46ecc3217ef79
2020-09-15policy: bugfix -> get const data instead non-constAdrian Szyndela1-1/+1
Get const data instead of non-const data for constant strings. It triggered asserts when they are enabled, although the underlying production code is the same. Change-Id: Ic7102b6601ca168e6bf5f6902988a06c6ab76f03
2020-08-27Added a check to avoid integer underflow.submit/tizen/20200903.044811submit/tizen/20200827.104709accepted/tizen/unified/20200907.023444DEEPAK SINGH1-0/+3
Change-Id: I68962e09d1c2c8ef367a4766c23e7b15cf1e6dc1 Signed-off-by: Deepak Singh <deepak.sn@samsung.com>
2020-08-25bus/connection: Add assert to BUS_CONNECTION_DATAINSUN PYO1-0/+21
Change-Id: Ie56e99fc5c8038863b69b350128f2d6eef1acc6a
2020-08-05spec: change system bus socket location: /var/run/dbus/system_bus_socket → ↵submit/tizen/20200812.075733accepted/tizen/unified/20200819.122321INSUN PYO1-54/+58
/run/dbus/system_bus_socket Journal Log - Jan 01 09:11:45 localhost systemd[1]: /usr/lib/systemd/system/dbus.socket:8: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly Change-Id: Idf5d68e791efc70ef324a0ba50807a5512815ac7 Ref: https://gitlab.freedesktop.org/dbus/dbus/-/issues/180
2020-08-05Revert "tizen: notify service readyness after successful config file parsing"submit/tizen/20200805.062948accepted/tizen/unified/20200806.062507INSUN PYO2-8/+0
This reverts commit bbacc6024e474f4e7dd1387618209cab9524a95c. - security-manager's nss plugin removed the dependency with security-manager service. - So, deadlock is removed. Change-Id: I047da2ae670f59a6dcac9f58877c49f77bb25c7f
2020-08-05Remove unused license file, COPYINGsubmit/tizen/20200805.013704accepted/tizen/unified/20200805.122533Hyotaek Shim3-11/+1
Change-Id: Ie3e28ff56652ee454ad1f7362a93fec0973af0f6 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2020-08-04packaging: Cleanup license definitionsKarol Lewandowski1-7/+8
State clearly that libdbus and dbus-daemon are distributed under AFL-2.1 license in Tizen (including kdbus support). The tools that are in "dbus" package are under various licensed so all are listed. Change-Id: Ibfc3731e1e4bc0f59d9eae198ecc453fb9bea180
2020-07-06Remove unnecessary build dependency to libziosubmit/tizen/20200706.012823submit/tizen/20200706.011908accepted/tizen/unified/20200707.140952Hyotaek Shim1-1/+0
Change-Id: I7c9f8584c81602c773c342360dc12621c3e6b760 Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
2020-07-02v1.12.20dbus-1.12.20Simon McVittie2-3/+3
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-07-02Update NEWSSimon McVittie1-1/+20
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-07-02userdb: Reference-count DBusUserInfo, DBusGroupInfoSimon McVittie4-27/+86
Previously, the hash table indexed by uid (or gid) took ownership of the single reference to the heap-allocated struct, and the hash table indexed by username (or group name) had a borrowed pointer to the same struct that exists in the other hash table. However, this can break down if you have two or more distinct usernames that share a numeric identifier. This is generally a bad idea, because the user-space model in such situations does not match the kernel-space reality, and in particular there is no effective kernel-level security boundary between such users, but it is sometimes done anyway. In this case, when the second username is looked up in the userdb, it overwrites (replaces) the entry in the hash table that is indexed by uid, freeing the DBusUserInfo. This results in both the key and the value in the hash table that is indexed by username becoming dangling pointers (use-after-free), leading to undefined behaviour, which is certainly not what we want to see when doing access control. An equivalent situation can occur with groups, in the rare case where a numeric group ID has two names (although I have not heard of this being done in practice). Solve this by reference-counting the data structure. There are up to three references in practice: one held temporarily while the lookup function is populating and storing it, one held by the hash table that is indexed by uid, and one held by the hash table that is indexed by name. Closes: dbus#305 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 2b7948ef907669e844b52c4fa2268d6e3162a70c)
2020-07-02userdb: Make lookups return a const pointerSimon McVittie3-9/+13
This makes it more obvious that the returned pointer points to a struct owned by the userdb, which must not be freed or have its contents modified, and is only valid to dereference until the next modification to the userdb's underlying hash tables (which in practice means until the lock is released, because after that we have no guarantees about what might be going on in another thread). Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 6ee66ff7bcc91803111d950512f02651e664f74f)
2020-07-02Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNCAndy Fiddaman1-1/+20
(cherry picked from commit b96ef23e406baa08648339a53b0161fc80de7ce4)
2020-06-04bus/policy: activation: check target namesubmit/tizen/20200605.005713submit/tizen/20200604.233300submit/tizen/20200604.095417accepted/tizen/unified/20200605.020519Adrian Szyndela1-5/+10
Check target name taken from message instead of org.freedesktop.DBus in case of no peer available. This is the case when activation is happening. Change-Id: I181edbb28a1b26ed79552bb6df8b00892d2ceac8
2020-06-02Start 1.12.20 developmentSimon McVittie2-1/+6
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-06-02Prepare 1.12.18Simon McVittie2-4/+17
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-06-02fdpass test: Assert that we don't leak file descriptorsSimon McVittie1-0/+14
This version is for the dbus-1.12 branch, and doesn't rely on dbus!153 or dbus!120. Reproduces: dbus#294 Reproduces: CVE-2020-12049 Reproduces: GHSL-2020-057 Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-06-02sysdeps-unix: On MSG_CTRUNC, close the fds we did receiveSimon McVittie1-12/+20
MSG_CTRUNC indicates that we have received fewer fds that we should have done because the buffer was too small, but we were treating it as though it indicated that we received *no* fds. If we received any, we still have to make sure we close them, otherwise they will be leaked. On the system bus, if an attacker can induce us to leak fds in this way, that's a local denial of service via resource exhaustion. Reported-by: Kevin Backhouse, GitHub Security Lab Fixes: dbus#294 Fixes: CVE-2020-12049 Fixes: GHSL-2020-057