Age | Commit message | Author | Files | Lines |
|
Normally, it's enough to rely on a message being given a serial number
by the DBusConnection just before it is actually sent. However, in the
rare case where the policy blocks the driver from sending a message
(due to a deny rule or the outgoing message quota being full), we need
to get a valid serial number sooner, so that we can copy it into the
DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
message sent to monitors. Otherwise, the dbus-daemon will crash with
an assertion failure if at least one Monitoring client is attached,
because zero is not a valid serial number to copy.
This fixes a denial-of-service vulnerability: if a privileged user is
monitoring the well-known system bus using a Monitoring client like
dbus-monitor or `busctl monitor`, then an unprivileged user can cause
denial-of-service by triggering this crash. A mitigation for this
vulnerability is to avoid attaching Monitoring clients to the system
bus when they are not needed. If there are no Monitoring clients, then
the vulnerable code is not reached.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus/dbus#457
(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
[ cherry picked to tizen branch, fixes CVE-2023-34969 ]
Change-Id: Iee520329acc1d4a93d3a873a5fded056cb293d5b
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
|
|
When a D-Bus message includes attached file descriptors, the body of the
message contains unsigned 32-bit indexes pointing into an out-of-band
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
these indexes as "handles" for the associated fds (not to be confused
with a Windows HANDLE, which is a kernel object).
The assertion message removed by this commit is arguably correct up to
a point: fd-passing is only reasonable on a local machine, and no known
operating system allows processes of differing endianness even on a
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
to specify a byte-order that differs from the byte-order of the recipient.
However, this doesn't account for the fact that a malicious sender
doesn't have to restrict itself to only doing things that make sense.
On a system with untrusted local users, a message sender could crash
the system dbus-daemon (a denial of service) by sending a message in
the opposite endianness that contains handles to file descriptors.
Before this commit, if assertions are enabled, attempting to byteswap
a fd index would cleanly crash the message recipient with an assertion
failure. If assertions are disabled, attempting to byteswap a fd index
would silently do nothing without advancing the pointer p, causing the
message's type and the pointer into its contents to go out of sync, which
can result in a subsequent crash (the crash demonstrated by fuzzing was
a use-after-free, but other failure modes might be possible).
In principle we could resolve this by rejecting wrong-endianness messages
from a local sender, but it's actually simpler and less code to treat
wrong-endianness messages as valid and byteswap them.
Thanks: Evgeny Vereshchagin
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Resolves: CVE-2022-42012
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
Change-Id: Ib67fd7a9ba07cadbd1d223c6596a399c2ae94553
|
|
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
Change-Id: Idfe8cead0721c414f1e6946a5dc0544bad63d42e
|
|
In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.
In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
Change-Id: I0b3f37401dd6e0a0e8a9004e5a85e166b68db810
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
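An added illustration, not code from dbus or from this commit: a minimal nesting check that rejects signatures such as `a{i(u}` and `(a{ii)}` by tracking open containers on a stack. The name `nesting_ok` and the limit `MAX_DEPTH` are assumptions for this sketch, and it checks only container pairing, not the rest of the D-Bus signature rules.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH 64  /* assumed limit for this sketch, not a dbus constant */

/* Returns 1 if every '(' is closed by ')' and every '{' by '}' in
 * properly nested order, 0 otherwise. Other type codes are ignored:
 * this checks container pairing only, not full signature validity. */
int nesting_ok(const char *sig)
{
    char stack[MAX_DEPTH];
    size_t depth = 0;

    for (const char *p = sig; *p != '\0'; p++) {
        switch (*p) {
        case '(':
        case '{':
            if (depth == MAX_DEPTH)
                return 0;               /* too deep: reject instead of overflowing */
            stack[depth++] = *p;
            break;
        case ')':
            if (depth == 0 || stack[--depth] != '(')
                return 0;               /* closes the wrong container */
            break;
        case '}':
            if (depth == 0 || stack[--depth] != '{')
                return 0;
            break;
        default:
            break;
        }
    }
    return depth == 0;                  /* unclosed containers are invalid */
}

int main(void)
{
    /* Constructed samples; the two mis-nested ones are quoted in the commit message. */
    const char *samples[] = { "a{i(u)}", "(a{ii})", "a{i(u}", "(a{ii)}", "((i)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i], nesting_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```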
|
|
Fix 64-bit compiler warnings.
Change-Id: I799a07c197a95d80a4fb33998ca113533ac4a54e
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
|
|
To handle prefix rules stored with all other rules in the default context
we need to match each prefix of each name against policy rules.
That's because names are looked up in the hash tables, so we can
miss a prefix rule for a prefix of the name.
However, if prefix rules are separated from non-prefix rules, we
can simply check them all once for each name, and also check hash tables once
for each name.
This is what this commit changes. It separates prefix rules
from non-prefix rules, and handles them in sequence.
This gives a little boost, especially if there are no prefix rules.
Change-Id: Ifade906d35af96a973920ce9c2f6065f5b9b549e
|
|
Fortunately, the bit fields are at the exact same position,
in the union, so it worked so far...
Change-Id: Iaad9589dfc0f4f7e6a0f4ef4767a600f4cf2f54a
|
|
Reuse existing reader initialization function instead
of inventing new code for the same purpose.
Change-Id: If9cee9c565134c774c1f0efc0aaef661fde28f6c
|
|
dbus_message_copy() did not take into account differences
between locked and unlocked GVariant messages.
This commit adds support for converting from locked to unlocked
GVariant message when a copy is made.
Additionally:
- it fixes initialization of the read iterator for unlocked messages;
- locking or warning on such initialization is no longer needed.
Change-Id: I4d316e1b1ae4e9af194ddc329833147c8c6a8055
|
|
Change-Id: I35bc2c2df48fbfdf35a9c275825d7faaf5255547
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
Tizen uses D-Bus under the Academic Free License version 2.1 by default.
For the avoidance of doubt, except that if any license choice other than
GPL or LGPL is available it will apply instead, Tizen elects to use only
the GPL version 2 for any process, program, modules, etc.,
where the license of it is GPL version 2 or later version.
Change-Id: I2096cf4fa1947be8b18414b51af27b1ac9fc02b0
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
Citing Lukasz Stelmach <l.stelmach@samsung.com>:
> The number of the memfd_syscall() on arm64 is the same as on arm only
> for 32-bit processes. 64-bit process must use the number defined in the
> asm-generic/unistd.h kernel header.
Additionally, made other numbers same as in glib.
Change-Id: Ibb038d5d0de13f8a7b88051364564c541ca0fa9a
|
|
Prevent system reboot by resourced vip due to absence of dbus-daemon
when dbus-libs-extension-kdbus package had been installed.
Change-Id: I5264b9e87f04f5a1e55abe401a62c6afccef78e4
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
|
|
Change-Id: I02c9d76cce2f1587add8ad6a48551cf67b3dbe73
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
|
|
Change-Id: I4f0e78fe9ad8c63da7256f2dadae2029eb534004
|
|
Change-Id: Iea17de732637ea990944cb63d1ef7a1a4bc4b1b8
|
|
Add API for checking transport overflow and implementation
of transport overflow indicator for socket transport.
Other transports always show "no overflow" for now.
Change-Id: I5169403c4548bdaeb9b08e909a45f9299e146e5d
|
|
Change-Id: I20b221b16212f4b0cdb83eca52c0a37048ce7ed7
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
This reverts commit a346f90f4a8d8f07a17f67ac2a240f78e26bf433.
Change-Id: I819f1bc03da7a137feda66938502cc7f357275dd
|
|
|
|
Those dependencies prevent dbus.service from running in emergency mode,
because local-fs.target always fails in emergency mode.
Change-Id: Id5c13ce5eca21ae5cdcbacfa842a365eb7fc766b
|
|
Change-Id: I69124bb712d62976218715a4d88db6196397a0fb
|
|
Change-Id: Ic0987a6ccdd46539d62483481361e7efdcf03444
|
|
dbus-1.12.20
Change-Id: I8b3a9e851dca1d42a5785fa94c97f5e9074cac35
|
|
The Tizen branch code that added Cynara integration had changed
return types in some functions from dbus_bool_t to BusResult. The code
from upstream master branch uses dbus_bool_t. While merging recent
changes from the upstream, there were some parts that were merged
without changing TRUE/FALSE to BUS_RESULT_* or with checking conditions
as bool values instead of checking the enum.
The above, and the fact that TRUE==1, FALSE==0, BUS_RESULT_TRUE==0,
BUS_RESULT_FALSE==1 has led to aborting on asserts, when enabled.
This could also lead to issues with activation.
This commit fixes the TRUE/FALSE handling where needed.
Change-Id: I6cbf1aa0b43699464c9214b50fd8bb23a84709e8
|
|
Change-Id: I5a5893d56c1d4fd98d3dc807319c73c9791dff6a
|
|
Session dbus-daemon may have no rights to look into cmdline in /proc.
In such cases logs are cluttered with access denied.
This commit disables checking cmdline for session dbus-daemon.
(Before)
May 21 08:13:06 localhost dbus-daemon[676]: [session uid=5001 pid=676] Rejected send message, 1 matched rules; type="method_call", sender=":1.33" (uid=5001 pid=1090 comm="/usr/apps/org.tizen.multi-assistant-service/bin/or" label="User::Pkg::org.tizen.multi-assistant-service") interface="org.freedesktop.DBus" member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" privilege="(n/a)" (bus) rule(<deny send_type="method_call" />)
(After)
May 21 08:21:55 localhost dbus-daemon[678]: [session uid=5001 pid=678] Rejected send message, 1 matched rules; type="method_call", sender=":1.33" (uid=5001 pid=1110 comm="<not-read>" label="User::Pkg::org.tizen.multi-assistant-service") interface="org.freedesktop.DBus" member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" privilege="(n/a)" (bus) rule(<deny send_type="method_call" />)
Change-Id: I15c3b9b2a5675546b6adb3b1521e790088bd8f85
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
can_send_result may be uninitialized for cases with no send_policy.
Change-Id: I0f490c3c6920df525f5583b421162f7f33b8cb68
|
|
Change-Id: I362319c7de7ac38f68595202efe8fb2b3c5a3389
|
|
Check policy at moments when the sender is still present, so the policy
can be checked for both sender and receiver.
This way only potential waiting for cynara check is left with no need
to access any connection data.
Change-Id: I6544740c6e31dee286261fe3cddb3f692c669c4d
|
|
This will allow altering existing deferred messages, enabling
concurrent asynchronous cynara checks for SEND and RECEIVE.
Change-Id: I1f31c173e4229661bca9f14ecaa158ee67342db4
|
|
Initialize deferred messages in order to be able to alter them
on concurrent Cynara calls. This way we'll be able to run
both asynchronous requests for SEND and RECEIVE, if needed.
Change-Id: I060969ad5645c6a1d72f1c91edb46ecc3217ef79
|
|
Get const data instead of non-const data for constant strings.
It triggered asserts when they are enabled, although the underlying
production code is the same.
Change-Id: Ic7102b6601ca168e6bf5f6902988a06c6ab76f03
|
|
Change-Id: I68962e09d1c2c8ef367a4766c23e7b15cf1e6dc1
Signed-off-by: Deepak Singh <deepak.sn@samsung.com>
|
|
Change-Id: Ie56e99fc5c8038863b69b350128f2d6eef1acc6a
|
|
/run/dbus/system_bus_socket
Journal Log
- Jan 01 09:11:45 localhost systemd[1]: /usr/lib/systemd/system/dbus.socket:8: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly
Change-Id: Idf5d68e791efc70ef324a0ba50807a5512815ac7
Ref: https://gitlab.freedesktop.org/dbus/dbus/-/issues/180
|
|
This reverts commit bbacc6024e474f4e7dd1387618209cab9524a95c.
- security-manager's nss plugin removed the dependency with security-manager service.
- So, deadlock is removed.
Change-Id: I047da2ae670f59a6dcac9f58877c49f77bb25c7f
|
|
Change-Id: Ie3e28ff56652ee454ad1f7362a93fec0973af0f6
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
State clearly that libdbus and dbus-daemon are distributed under AFL-2.1
license in Tizen (including kdbus support).
The tools that are in the "dbus" package are under various licenses, so all
are listed.
Change-Id: Ibfc3731e1e4bc0f59d9eae198ecc453fb9bea180
|
|
Change-Id: I7c9f8584c81602c773c342360dc12621c3e6b760
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.
However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.
In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.
An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).
Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.
Closes: dbus#305
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2b7948ef907669e844b52c4fa2268d6e3162a70c)
|
|
This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 6ee66ff7bcc91803111d950512f02651e664f74f)
|
|
(cherry picked from commit b96ef23e406baa08648339a53b0161fc80de7ce4)
|
|
Check target name taken from message instead of org.freedesktop.DBus in case
of no peer available. This is the case when activation is happening.
Change-Id: I181edbb28a1b26ed79552bb6df8b00892d2ceac8
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
or dbus!120.
Reproduces: dbus#294
Reproduces: CVE-2020-12049
Reproduces: GHSL-2020-057
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
MSG_CTRUNC indicates that we have received fewer fds than we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
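An added illustration, not the dbus patch itself: a receiver that closes every fd delivered in an SCM_RIGHTS control message even when MSG_CTRUNC is set, exercised by a constructed sender on a socketpair. `recv_and_close_fds` and `demo` are hypothetical names, and the behaviour shown (some fds delivered alongside MSG_CTRUNC) is assumed to be that of Linux.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Receive one message with a control buffer sized for a single fd. Closes every
 * fd that arrived, even when MSG_CTRUNC is set; returns how many (-1 on error). */
int recv_and_close_fds(int sock, int *truncated)
{
    char data[16];
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    int closed = 0;
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    *truncated = (msg.msg_flags & MSG_CTRUNC) != 0;
    /* Truncated does not mean empty: walk the control data regardless. */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < n; i++, closed++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof fd, sizeof fd);
            close(fd);
        }
    }
    return closed;
}

/* Constructed self-test: pass nfds (1..8) references to one socket to ourselves. */
int demo(int nfds, int *truncated)
{
    int sv[2], fds[8];
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof fds)]; } ctl = { 0 };
    struct iovec iov = { .iov_base = "x", .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf };
    if (nfds < 1 || nfds > 8 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    msg.msg_controllen = CMSG_SPACE(sizeof(int) * nfds);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int) * nfds);
    for (int i = 0; i < nfds; i++) fds[i] = sv[0];
    memcpy(CMSG_DATA(c), fds, sizeof(int) * nfds);
    int closed = sendmsg(sv[0], &msg, 0) < 0 ? -1 : recv_and_close_fds(sv[1], truncated);
    close(sv[0]); close(sv[1]);
    return closed;
}
```

Calling `demo(4, &t)` sends more fds than the receiver's control buffer holds, so `t` is set and the return value is the number of fds that were still delivered and closed.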
|