Diffstat (limited to 'recipes-core')
-rw-r--r-- | recipes-core/dbus/dbus_1.8.2.bbappend | 5 | ||||
-rw-r--r-- | recipes-core/dbus/files/CVE-2014-3532.patch | 112 |
2 files changed, 117 insertions, 0 deletions
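--- /dev/null
+++ b/recipes-core/dbus/dbus_1.8.2.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "\
+file://CVE-2014-3532.patch \
+"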
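--- /dev/null
+++ b/recipes-core/dbus/files/CVE-2014-3532.patch
@@ -0,0 +1,112 @@
+Date: Tue, 24 Jun 2014 17:57:14 +0100
+Subject: Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
+
+Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
+sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
+when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
+applications. A malicious client could use this to force a victim system
+service to be disconnected from the system bus; the victim would likely
+respond by exiting. This is a denial of service (fd.o #80163,
+CVE-2014-3532).
+
+This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
+the connection.
+
+Upstream-Status: Backport
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
+Reviewed-by: Thiago Macieira <thiago@kde.org>
+[altered commit message to explain DoS significance -smcv]
+Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
+index de3a18c..f4ba0fa 100644
+--- a/dbus/dbus-sysdeps.c
++++ b/dbus/dbus-sysdeps.c
+@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void)
+}
+
+/**
++ * See if errno is ETOOMANYREFS
++ * @returns #TRUE if errno == ETOOMANYREFS
++ */
++dbus_bool_t
++_dbus_get_is_errno_etoomanyrefs (void)
++{
++#ifdef ETOOMANYREFS
++ return errno == ETOOMANYREFS;
++#else
++ return FALSE;
++#endif
++}
++
++/**
+* Get error message from errno
+* @returns _dbus_strerror(errno)
+*/
+diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
+index e586946..21033eb 100644
+--- a/dbus/dbus-sysdeps.h
++++ b/dbus/dbus-sysdeps.h
+@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void);
+dbus_bool_t _dbus_get_is_errno_enomem (void);
+dbus_bool_t _dbus_get_is_errno_eintr (void);
+dbus_bool_t _dbus_get_is_errno_epipe (void);
++dbus_bool_t _dbus_get_is_errno_etoomanyrefs (void);
+const char* _dbus_strerror_from_errno (void);
+
+void _dbus_disable_sigpipe (void);
+diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
+index 774f459..199d3b5 100644
+--- a/dbus/dbus-transport-socket.c
++++ b/dbus/dbus-transport-socket.c
+@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport)
+{
+/* EINTR already handled for us */
+
+- /* For some discussion of why we also ignore EPIPE here, see
++ /* If the other end closed the socket with close() or shutdown(), we
++ * receive EPIPE here but we must not close the socket yet: there
++ * might still be some data to read. See:
+* http://lists.freedesktop.org/archives/dbus/2008-March/009526.html
+*/
+
+if (_dbus_get_is_errno_eagain_or_ewouldblock () || _dbus_get_is_errno_epipe ())
+goto out;
++
++ /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg()
++ * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd
++ * mechanism (SCM_RIGHTS) is used recursively with a recursion level
++ * of maximum 4. The kernel does not have an API to check whether
++ * the passed fds can be forwarded and it can change asynchronously.
++ * See:
++ * https://bugs.freedesktop.org/show_bug.cgi?id=80163
++ */
++
++ else if (_dbus_get_is_errno_etoomanyrefs ())
++ {
++ /* We only send fds in the first byte of the message.
++ * ETOOMANYREFS cannot happen after.
++ */
++ _dbus_assert (socket_transport->message_bytes_written == 0);
++
++ _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n",
++ total_bytes_to_write);
++
++ socket_transport->message_bytes_written = 0;
++ _dbus_string_set_length (&socket_transport->encoded_outgoing, 0);
++ _dbus_string_compact (&socket_transport->encoded_outgoing, 2048);
++
++ /* The message was not actually sent but it needs to be removed
++ * from the outgoing queue
++ */
++ _dbus_connection_message_sent_unlocked (transport->connection,
++ message);
++ }
+else
+{
+_dbus_verbose ("Error writing to remote app: %s\n",
+--
+cgit v0.10.2
+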
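Review bot: The ETOOMANYREFS branch added to do_writing() in dbus-transport-socket.c discards the queued message with only a `_dbus_verbose` trace, which is typically active only in verbose-mode builds, so neither the sender nor an operator learns that a message carrying fds was dropped. A method call dropped this way would presumably leave its caller waiting for the reply timeout. I would at least document that at the discard site, e.g. `/* NOTE: neither sender nor recipient is told about the drop; a caller awaiting a reply only sees a timeout */`, and consider a warning-level log so repeated drops from one peer are visible. Separately, `_dbus_assert (socket_transport->message_bytes_written == 0)` is the only guard on the "fds go with the first byte" invariant, and in assert-enabled builds a violation would abort the process, so the comment above it should say where that invariant is established. do_writing()'s body starts and ends outside the hunk.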