| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
- spec: drop deprecated option --with-init-scripts
- spec: package new, installed files
- spec: acknowledge removing of dbus.socket from dbus.target.wants
- spec: add autoconf-archive build dependency
- acknowledge renaming HACKING to CONTRIBUTING.md
- spec: bump version to 1.12.16
|
|
dbus 1.12.16
|
|
This reverts commit 8d7fa32af68f2ba1f5da3494ce6d50e8e7c2c034.
Change-Id: Iaf3890e804b87b7c6751237e0ef93b3ad5db9ceb
|
|
This reverts commit 873bad7e9515fbafb8682fa6cdadfee629762e0d.
Change-Id: I642e8ca08d551320b56d97e682c969689640700f
|
|
Debugging is difficult due to lack of error information:
When the broadcast signal is blocked by dbus policy,
unlike other types of dbus messages,
dbus-daemon does not print any error logs,
it just passes an error message to the bus monitor.
Change-Id: I9c6c55530d64451403664ea1eee4b703360691eb
|
|
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.
Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.
This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:
* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart
Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.
Change-Id: I04d70bf97d78d25551e9adc217a4dd7652d428b6
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
|
|
This reverts commit 662187a7597aaf9c9ad2a635944951e6174a36da.
We've optimized systemd-user without unified system/session.
So, we revert the patch for unified system/session.
Change-Id: I70ee37ebeda65e549c5f544d37d511cb6d54b757
|
|
Reconstruct rule with xml format.
Change-Id: I760f5c89f519672743a10fa15b66ac14b7e819a1
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
print out connection log
Change-Id: Ib0fc3be8b07577da687a024f5c39178dad387644
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
The bloom filters computing had been implemented in the past, basing
on systemd. However, the reimplementation introduced two bugs:
- no clearing of 'p' variable;
- clearing of hash_index variable in a wrong place.
This fixes the bugs.
The same applies to glib.
Change-Id: Ie7c602c6bc881e38c62f41d482ab3785b03c5503
|
|
This reverts commit c7fbfc743059b3e9988a359106ad459511b5ea78.
Change-Id: I86742a428f372ff6988a13df12694c550e2a53c2
|
|
fix Undefined Behavior Sanitizer error.
Change-Id: If3b68e68d4de753d0e66c0eeb07f626431057cbf
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
Change-Id: I4e67ff2258b11bab764f51cfe7e2ae01f2a11d49
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
|
|
The function defines and initializes local DBusError.
It is not used in kdbus_decode_msg() and function relies on assert for error.
So, remove the DBusError variable in kdbus_decode_msg().
Change-Id: Ic726f2a161f06766b081f1a98e83ff4f3834f75b
Signed-off-by: Himanshu Maithani <himanshu.m@samsung.com>
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
|
|
Pass NULL as error argument to avoid setting error string in dbus_validate_bus_name(), thus avoid possible memory leak.
We expect the name to be valid bus name (utf8) as it is fetched from the connection.
It will also optimize stack usage as "local_error" variable & dbus_error_init() function are called in for loop.
Other fix could be to check free "error" if it is set.
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
Reviewed-by: Himanshu Maithani <himanshu.m@samsung.com>
Change-Id: I773211edd76b6591369bbaae5464971894481a28
|
|
free message/name from the error in kdbus_write_msg_internal
Change-Id: I7f03abc0fc3f7c81e3725b3325f9e15209906e35
Signed-off-by: Himanshu Maithani <himanshu.m@samsung.com>
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
We don't actually complete successful authentication, because that
would require us to generate a cookie and compute the correct SHA1,
which is difficult to do in a deterministic authentication script.
However, we do assert that dbus#269 (CVE-2019-12749) has been fixed.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.
Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.
This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:
* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart
Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
Change default own policy from allow to deny.
Change-Id: Ifde07a31ea3e6b8c97a6b7aee093ff9bf67c301c
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
Linux systems have traditionally set the soft limit to 1024 and the hard
limit to 4096. Recent versions of systemd keep the soft fd limit at
1024 to avoid breaking programs that still use select(), but raise the
hard limit to 512*1024, while in recent Debian versions a complicated
interaction between components gives a soft limit of 1024 and a hard
limit of 1024*1024. If we can, we might as well elevate our soft limit
to match the hard limit, minimizing the chance that we will run out of
file descriptor slots.
Unlike the previous code to raise the hard and soft limits to at least
65536, we do this even if we don't have privileges: privileges are
unnecessary to raise the soft limit up to the hard limit.
If we *do* have privileges, we also continue to raise the hard and soft
limits to at least 65536 if they weren't already that high, making
it harder to carry out a denial of service attack on the system bus on
systems that use the traditional limit (CVE-2014-7824).
As was previously the case on the system bus, we'll drop the limits back
to our initial limits before we execute a subprocess for traditional
(non-systemd) activation, if enabled.
systemd activation doesn't involve us starting subprocesses at all,
so in both cases activated services will still inherit the same limits
they did previously.
This change also fixes a bug when the hard limit is very large but
the soft limit is not, for example seen as a regression when upgrading
to systemd >= 240 (Debian #928877). In such environments, dbus-daemon
would previously have changed its fd limit to 64K soft/64K hard. Because
this hard limit is less than its original hard limit, it was unable to
restore its original hard limit as intended when carrying out traditional
activation, leaving activated subprocesses with unintended limits (while
logging a warning).
Reviewed-by: Lennart Poettering <lennart@poettering.net>
[smcv: Correct a comment based on Lennart's review, reword commit message]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7eacbfece70f16bb54d0f3ac51f87ae398759ef5)
[smcv: Mention that this also fixes Debian #928877]
|
|
The CMake config file installed by DBus will run in the context of other
projects. Consequently, changing the value of the PKG_CONFIG_DIR,
PKG_CONFIG_PATH or PKG_CONFIG_LIBDIR environment variables will affect
any further calls to pkg-config made by such projects, which can cause
problems.
A common case of this happening are pkg-config files installed in
usr/share/pkgconfig for .pc files that are architecture-independent, as
for example systemd does.
Avoid clobbering the environment variables by saving and restoring their
values. Note that for some of the variables, setting them to an empty
string is different from not setting them at all.
Signed-off-by: Clemens Lang <clemens.lang@bmw-carit.de>
(cherry picked from commit 3525cc045d4c683dfc6048f5be795cc372c323a3)
Closes: dbus#267
|
|
Change-Id: Iac35795aaa9a0640c83b59ddb6fb5dc18435746f
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
The unified user session is about moving user session units, managed by
systemd --user, to main systemd, where it's managed as part of newly
created user@.target.
user@.target will contain same units as previously available in user/,
with same UID and environment setup. systemd instance is used for unit
to be able to specify UID (inherited from user@.target).
The rationale behind this work is following:
* VD requirement to remove user session support
* boot time optimization requirements, due to:
+ 'systemd --user' taking 1s its own startup that could be used for
unit startup
+ ability to better rearrange units if these managed by one systemd
instance
Unit installed by this commit will not be used till user login mechanism
will be changed in systemd package (via changing pam_systemd to start
user@.target, rather than user@.service).
Change-Id: I524768f116ca91d812ae0884adbb300e52817975
|
|
Change-Id: I1f1b72c237451aa04da92195c696a0387cad9e18
|
|
VD only uses /tmp/dbus_launch
- VD target: use /tmp/dbus_launch generated by systemd in kdbus
- VD emulator: use /tmp/dbus_launch generated by dbus-daemon that uses VD plugin drop-in
Change-Id: If2120a016015ee76c589416dab7cc6c96ee21b05
|
|
dbus-daemon connect to security-manager.service to get getgrouplist.
(gdb) bt
0 security_manager_groups_get_for_user (uid=0, groups=groups@entry=0xfffef754, groups_count=groups_count@entry=0xfffef758) at /usr/src/debug/security-manager-1.5.3/src/client/client-security-manager.cpp:1391
1 0xf71faa14 in _nss_securitymanager_initgroups_dyn (user=0x443f70 "root", group_gid=<optimized out>, start=0xfffef7cc, size=0xfffef800, groupsp=0xfffef804, limit=-1, errnop=0xf77ea11c)
at /usr/src/debug/security-manager-1.5.3/src/nss/nss_securitymanager.cpp:109
2 0xf759f204 in internal_getgrouplist (user=0x1 <error: Cannot access memory at address 0x1>, user@entry=0x443f70 "root", group=124, group@entry=0, size=0xfffef800, size@entry=0xfffef7f8, groupsp=0xfffef804, groupsp@entry=0xfffef7fc,
limit=limit@entry=-1) at initgroups.c:112
3 0xf759f45c in getgrouplist (user=user@entry=0x443f70 "root", group=0, groups=groups@entry=0x443f90, ngroups=ngroups@entry=0xfffef834) at initgroups.c:170
4 0xf778d940 in fill_user_info (info=info@entry=0x442ce0, uid=uid@entry=0, username=username@entry=0x0, error=0x1c, error@entry=0xfffef8b0) at dbus-sysdeps-unix.c:2410
5 0xf778db24 in _dbus_user_info_fill_uid (info=info@entry=0x442ce0, uid=uid@entry=0, error=error@entry=0xfffef8b0) at dbus-sysdeps-unix.c:2534
6 0xf7790b24 in _dbus_user_database_lookup (db=db@entry=0x4424c0, uid=<optimized out>, username=username@entry=0x0, error=error@entry=0xfffef8b0) at dbus-userdb.c:176
7 0xf7790d64 in _dbus_user_database_get_uid (db=db@entry=0x4424c0, uid=<optimized out>, info=0xfffef8ac, info@entry=0xfffef8a4, error=error@entry=0xfffef8b0) at dbus-userdb.c:662
8 0xf7790dc8 in init_system_db () at dbus-userdb.c:247
9 0xf7790f4c in init_system_db () at dbus-userdb.c:238
10 _dbus_user_database_get_system () at dbus-userdb.c:340
11 0x00421e58 in _dbus_get_user_id_and_primary_group (username=0xfffef928, uid_p=0x442584, gid_p=0x0) at dbus-userdb-util.c:210
12 0x0040f344 in start_busconfig_child (error=0xfffef9b8, attribute_values=0x0, attribute_names=0x4404f8, element_name=0x4399e0 "\250\230\003", parser=0x440d08) at config-parser.c:1048
13 bus_config_parser_start_element (parser=0x440d08, element_name=element_name@entry=0x442478 "policy", attribute_names=attribute_names@entry=0x4404f8, attribute_values=attribute_values@entry=0x442568, error=0xfffefc08) at config-parser.c:1919
14 0x0041ecc8 in expat_StartElementHandler (userData=0xfffefb18, name=0x442478 "policy", atts=0x440710) at config-loader-expat.c:107
15 0xf76c84a0 in doContent (parser=parser@entry=0x440518, startTagLevel=startTagLevel@entry=0, enc=enc@entry=0xf76e8a50 <utf8_encoding>,
s=s@entry=0x4414d0 "<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/usr/share/dbus-1/accessibility-services</servicedir>\n <auth>EXTERNAL</auth>\n\n <listen>unix:tmpdir=/tmp</listen>\n\n <policy user=\"owner\">\n <"...,
end=end@entry=0x441957 "", nextPtr=nextPtr@entry=0x440530, haveMore=haveMore@entry=0 '\000') at xmlparse.c:2890
16 0xf76c8ca0 in contentProcessor (parser=parser@entry=0x440518,
start=start@entry=0x4414d0 "<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/usr/share/dbus-1/accessibility-services</servicedir>\n <auth>EXTERNAL</auth>\n\n <listen>unix:tmpdir=/tmp</listen>\n\n <policy user=\"owner\">\n <"..., end=end@entry=0x441957 "", endPtr=endPtr@entry=0x440530) at xmlparse.c:2552
17 0xf76c9d9e in doProlog (parser=parser@entry=0x440518, enc=0xf76e8a50 <utf8_encoding>,
s=0x4414d0 "<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/usr/share/dbus-1/accessibility-services</servicedir>\n <auth>EXTERNAL</auth>\n\n <listen>unix:tmpdir=/tmp</listen>\n\n <policy user=\"owner\">\n <"...,
s@entry=0x441440 "<!DOCTYPE busconfig PUBLIC \"-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN\" \"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd\">\n<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/"...,
end=0x441957 "", tok=<optimized out>, next=<optimized out>,
next@entry=0x441449 " busconfig PUBLIC \"-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN\" \"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd\">\n<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/usr/share"...,
nextPtr=nextPtr@entry=0x440530, haveMore=haveMore@entry=0 '\000') at xmlparse.c:4579
18 0xf76ca2da in prologProcessor (parser=0x440518,
s=0x441440 "<!DOCTYPE busconfig PUBLIC \"-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN\" \"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd\">\n<busconfig>\n\n <type>accessibility</type>\n\n<servicedir>/"...,
end=<optimized out>, nextPtr=0x440530) at xmlparse.c:4293
19 0xf76cb678 in XML_ParseBuffer (parser=0x440518, len=<optimized out>, isFinal=1) at xmlparse.c:1988
20 0x0041eebc in bus_config_load (file=file@entry=0xfffefc18, is_toplevel=is_toplevel@entry=1, parent=parent@entry=0x0, error=0xfffefc08, error@entry=0x406824 <main+960>) at config-loader-expat.c:245
21 0x0040a890 in bus_context_new (config_file=0xfffefc18, flags=(BUS_CONTEXT_FLAG_FORK_NEVER | BUS_CONTEXT_FLAG_WRITE_PID_FILE), print_addr_pipe=0xfffefc00, print_pid_pipe=0xfffefc04, address=0x0, error=0xfffefc08) at bus.c:797
22 0x00406824 in main (argc=<optimized out>, argv=<optimized out>) at main.c:634
Change-Id: Ic1ee03c3e760506e72032247da36b2567d903ba3
|
|
build: Don't assume we can set permissions on a directory
See merge request dbus/dbus!112
|
|
MSYS2 has enough of a Unixish environment to run Autotools, but
apparently not enough of a Unixish environment to have functional
permissions.
Closes: dbus#216
(cherry picked from commit 14f46d14a0526f137f81a3fff5d32f26733323cd)
|
|
Backport -Wlogical-op fixes to 1.12.x
See merge request dbus/dbus!109
|
|
Adapt to API change in AX_CODE_COVERAGE version 28
See merge request dbus/dbus!108
|
|
EAGAIN and EWOULDBLOCK are documented to possibly be numerically equal,
for instance in errno(3), and a simple logical OR check will trigger the
-Wlogical-op warning of GCC. The GCC developers consider the warning to
work as-designed in this case:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602
Avoid such a warning by explicitly checking if the values are identical.
Fixes: https://gitlab.freedesktop.org/dbus/dbus/issues/225
Signed-off-by: David King <dking@redhat.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a65319134209d39f5eb6e5425ec6a35fad05bcd7)
|
|
Switch the order of the argument checks to avoid the
-Wduplicated-branches warning.
Signed-off-by: David King <dking@redhat.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c0bf0d185d72e20e70da9a98e13f69e19f2a87d5)
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 99580298f305e1e2426f0c016d797a1ff9ea0b79)
|
|
Group names in desktop files may contain all ASCII characters, except
control characters and '[' and ']'. Rather than accepting all values,
thanks to a logical operator confusion found by GCC warning
-Wlogical-op, instead explicitly reject the invalid values.
Signed-off-by: David King <dking@redhat.com>
Fixes: https://gitlab.freedesktop.org/dbus/dbus/issues/208
(cherry picked from commit 3ef9e789c1b99f420078f4debabd4f5c4fa0a748)
|
|
AX_CODE_COVERAGE recently changed the way it embedded its Makefile rules
in the output file: instead of using @CODE_COVERAGE_RULES@, users
are now meant to include aminclude_static.am.
The new AX_CODE_COVERAGE is only in the latest autoconf-archive release,
version 2019.01.06, which is inconveniently new, so bundle everything
we need for the moment.
This requires us to stop using the deprecated CODE_COVERAGE_LDFLAGS
(which we still used to support older versions of autoconf-archive)
and replace them with CODE_COVERAGE_LIBS.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2938c2125ebcd001e470aeac1ffac45b6b1ebe89)
Closes: dbus#265
|
|
This uses new functionality of libdbuspolicy: using client's pool and fd.
This way libdbuspolicy doesn't have to create its own connection,
and what is more important it doesn't have to create its own 1MB pool.
This is at the cost of using client's pool for receiving responses
to ioctl(KDBUS_CMD_GET_CONN_INFO), which are small.
Change-Id: I183a91196fead179a9fba22fa6418680305d3558
|
|
Trying to call an unnammed method on org.freedesktop.DBus is considered
a programming error.
This detects such errors.
Change-Id: Ic341df0eef0e7ef5ab8234aacc2c256c295327c3
|
|
This changes the moment of checking if user is allowed to connect to
the bus. Now, it reflects standard process a bit more.
The standard process is:
- open fd (e.g. socket);
- check authentication, if needed and possible;
- connect to the bus (say hello).
In kdbus, we have only:
- open kdbus fd;
- connect to the bus (ioctl KDBUS_CMD_HELLO).
Calling libdbuspolicy for authentication fits between the two.
Additionally, and most importantly, this is required to share
the connection between libdbus and libdbuspolicy in the future.
Change-Id: Id6fe1dbc1cdc6ec774316e13fe5d60d862949476
|
|
Change-Id: If4b04d0f287e199e809cdf183ce4ce779c0f4dd4
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
Change-Id: I0743a3d67e3d6d58acc605ded013eedb6b0af9c5
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().
One might reasonably worry that this change can break callers that use
this (incorrect) pattern:
if (!dbus_message_iter_open_container (outer, ..., inner))
{
dbus_message_iter_abandon_container (outer, inner);
goto fail;
}
/* now we know inner is open, and we must close it later */
However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.
This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.
Change-Id: I2ccd4b516c7714f64c4543dd8d2e5c99633733a5
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
|
|
Found by source code inspection while trying to debug an unrelated
leak.
Change-Id: I0726c57bb4b0ccdadee2263b14f9fe3fe4ebc99a
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
|
|
_dbus_header_set_field_basic()
The const void* 'value' pointer that is passed the address of a
uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
casts it to a DBusBasicValue, a union type that has an alignment of
eight on 64-bit platforms and is therefore more-aligned than the
uint32.
The read of a value of a more-aligned type through a pointer to a less
-aligned type is undefined behaviour.
Fix by storing the uint32 in a DBusBasicValue and passing that instead.
Found by UBSan:
dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
0x7fdb8dac3a04: note: pointer points here
4a 87 b5 71 01 00 00 00 40 7d 01 00 00 61 00 00 10 3b ac 8d db 7f 00 00 2c 2a 3e 94 db 7f 00 00
^
#0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
#1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
#2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
#3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
#4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
#5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
Change-Id: I0149da4ebbead9b4b38c8c62af1ea892e24ec95e
Signed-off-by: Marc Mutz <marc@kdab.net>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
|
