diff options
author | Xiangyu Chen <xiangyu.chen@eng.windriver.com> | 2022-11-14 09:53:20 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-24 15:30:00 +0000 |
commit | bf03da983a41cd0769f0d5263839216bd03aa393 (patch) | |
tree | 89ad07955e63dfc8d0fe808eb3c620139f1abbd4 /meta/recipes-core | |
parent | 6282ef6c7c0748a5ea40bc528d1c0cf2d7eecc3a (diff) | |
download | poky-bf03da983a41cd0769f0d5263839216bd03aa393.tar.gz |
dbus: fix CVE-2022-42010 Check brackets in signature nest correctly
(From OE-Core rev: 901e2d7e785cfbeee6dd01146dd5185d023e70d5)
Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch | 119 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus_1.14.0.bb | 1 |
2 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch new file mode 100644 index 0000000000..f2e14fb8d5 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon McVittie <smcv@collabora.com> | ||
3 | Date: Tue, 13 Sep 2022 15:10:22 +0100 | ||
4 | Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest | ||
5 | correctly | ||
6 | |||
7 | In debug builds with assertions enabled, a signature with incorrectly | ||
8 | nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result | ||
9 | in an assertion failure. | ||
10 | |||
11 | In production builds without assertions enabled, a signature with | ||
12 | incorrectly nested `()` and `{}` could potentially result in a crash | ||
13 | or incorrect message parsing, although we do not have a concrete example | ||
14 | of either of these failure modes. | ||
15 | |||
16 | Thanks: Evgeny Vereshchagin | ||
17 | Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 | ||
18 | Resolves: CVE-2022-42010 | ||
19 | |||
20 | Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d] | ||
21 | |||
22 | Signed-off-by: Simon McVittie <smcv@collabora.com> | ||
23 | (cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916) | ||
24 | Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> | ||
25 | --- | ||
26 | dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- | ||
27 | 1 file changed, 37 insertions(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c | ||
30 | index 4d492f3f..ae68414d 100644 | ||
31 | --- a/dbus/dbus-marshal-validate.c | ||
32 | +++ b/dbus/dbus-marshal-validate.c | ||
33 | @@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
34 | |||
35 | int element_count; | ||
36 | DBusList *element_count_stack; | ||
37 | + char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; | ||
38 | + char last_bracket; | ||
39 | |||
40 | result = DBUS_VALID; | ||
41 | element_count_stack = NULL; | ||
42 | @@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
43 | |||
44 | while (p != end) | ||
45 | { | ||
46 | + _dbus_assert (struct_depth + dict_entry_depth >= 0); | ||
47 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
48 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); | ||
49 | + | ||
50 | switch (*p) | ||
51 | { | ||
52 | case DBUS_TYPE_BYTE: | ||
53 | @@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
54 | goto out; | ||
55 | } | ||
56 | |||
57 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
58 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
59 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
60 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; | ||
61 | break; | ||
62 | |||
63 | case DBUS_STRUCT_END_CHAR: | ||
64 | @@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
65 | goto out; | ||
66 | } | ||
67 | |||
68 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
69 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
70 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
71 | + | ||
72 | + if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) | ||
73 | + { | ||
74 | + result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; | ||
75 | + goto out; | ||
76 | + } | ||
77 | + | ||
78 | _dbus_list_pop_last (&element_count_stack); | ||
79 | |||
80 | struct_depth -= 1; | ||
81 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
82 | break; | ||
83 | |||
84 | case DBUS_DICT_ENTRY_BEGIN_CHAR: | ||
85 | @@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
86 | goto out; | ||
87 | } | ||
88 | |||
89 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
90 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
91 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
92 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; | ||
93 | break; | ||
94 | |||
95 | case DBUS_DICT_ENTRY_END_CHAR: | ||
96 | @@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
97 | result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
98 | goto out; | ||
99 | } | ||
100 | - | ||
101 | + | ||
102 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
103 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
104 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
105 | + | ||
106 | + if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) | ||
107 | + { | ||
108 | + result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
109 | + goto out; | ||
110 | + } | ||
111 | + | ||
112 | dict_entry_depth -= 1; | ||
113 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
114 | |||
115 | element_count = | ||
116 | _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); | ||
117 | -- | ||
118 | 2.34.1 | ||
119 | |||
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.0.bb index 7598c45f8e..4577da782c 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.0.bb | |||
@@ -13,6 +13,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ | |||
13 | file://run-ptest \ | 13 | file://run-ptest \ |
14 | file://tmpdir.patch \ | 14 | file://tmpdir.patch \ |
15 | file://dbus-1.init \ | 15 | file://dbus-1.init \ |
16 | file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \ | ||
16 | " | 17 | " |
17 | 18 | ||
18 | SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" | 19 | SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" |