diff options
| author | Xiangyu Chen <xiangyu.chen@eng.windriver.com> | 2022-11-14 09:53:20 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-24 15:30:00 +0000 |
| commit | bf03da983a41cd0769f0d5263839216bd03aa393 (patch) | |
| tree | 89ad07955e63dfc8d0fe808eb3c620139f1abbd4 /meta/recipes-core | |
| parent | 6282ef6c7c0748a5ea40bc528d1c0cf2d7eecc3a (diff) | |
| download | poky-bf03da983a41cd0769f0d5263839216bd03aa393.tar.gz | |
dbus: fix CVE-2022-42010 Check brackets in signature nest correctly
(From OE-Core rev: 901e2d7e785cfbeee6dd01146dd5185d023e70d5)
Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
| -rw-r--r-- | meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch | 119 | ||||
| -rw-r--r-- | meta/recipes-core/dbus/dbus_1.14.0.bb | 1 |
2 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch new file mode 100644 index 0000000000..f2e14fb8d5 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch | |||
| @@ -0,0 +1,119 @@ | |||
| 1 | From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Simon McVittie <smcv@collabora.com> | ||
| 3 | Date: Tue, 13 Sep 2022 15:10:22 +0100 | ||
| 4 | Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest | ||
| 5 | correctly | ||
| 6 | |||
| 7 | In debug builds with assertions enabled, a signature with incorrectly | ||
| 8 | nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result | ||
| 9 | in an assertion failure. | ||
| 10 | |||
| 11 | In production builds without assertions enabled, a signature with | ||
| 12 | incorrectly nested `()` and `{}` could potentially result in a crash | ||
| 13 | or incorrect message parsing, although we do not have a concrete example | ||
| 14 | of either of these failure modes. | ||
| 15 | |||
| 16 | Thanks: Evgeny Vereshchagin | ||
| 17 | Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 | ||
| 18 | Resolves: CVE-2022-42010 | ||
| 19 | |||
| 20 | Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d] | ||
| 21 | |||
| 22 | Signed-off-by: Simon McVittie <smcv@collabora.com> | ||
| 23 | (cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916) | ||
| 24 | Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> | ||
| 25 | --- | ||
| 26 | dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- | ||
| 27 | 1 file changed, 37 insertions(+), 1 deletion(-) | ||
| 28 | |||
| 29 | diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c | ||
| 30 | index 4d492f3f..ae68414d 100644 | ||
| 31 | --- a/dbus/dbus-marshal-validate.c | ||
| 32 | +++ b/dbus/dbus-marshal-validate.c | ||
| 33 | @@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 34 | |||
| 35 | int element_count; | ||
| 36 | DBusList *element_count_stack; | ||
| 37 | + char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; | ||
| 38 | + char last_bracket; | ||
| 39 | |||
| 40 | result = DBUS_VALID; | ||
| 41 | element_count_stack = NULL; | ||
| 42 | @@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 43 | |||
| 44 | while (p != end) | ||
| 45 | { | ||
| 46 | + _dbus_assert (struct_depth + dict_entry_depth >= 0); | ||
| 47 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
| 48 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); | ||
| 49 | + | ||
| 50 | switch (*p) | ||
| 51 | { | ||
| 52 | case DBUS_TYPE_BYTE: | ||
| 53 | @@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 54 | goto out; | ||
| 55 | } | ||
| 56 | |||
| 57 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
| 58 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
| 59 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
| 60 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; | ||
| 61 | break; | ||
| 62 | |||
| 63 | case DBUS_STRUCT_END_CHAR: | ||
| 64 | @@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 65 | goto out; | ||
| 66 | } | ||
| 67 | |||
| 68 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
| 69 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
| 70 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
| 71 | + | ||
| 72 | + if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) | ||
| 73 | + { | ||
| 74 | + result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; | ||
| 75 | + goto out; | ||
| 76 | + } | ||
| 77 | + | ||
| 78 | _dbus_list_pop_last (&element_count_stack); | ||
| 79 | |||
| 80 | struct_depth -= 1; | ||
| 81 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
| 82 | break; | ||
| 83 | |||
| 84 | case DBUS_DICT_ENTRY_BEGIN_CHAR: | ||
| 85 | @@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 86 | goto out; | ||
| 87 | } | ||
| 88 | |||
| 89 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
| 90 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
| 91 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
| 92 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; | ||
| 93 | break; | ||
| 94 | |||
| 95 | case DBUS_DICT_ENTRY_END_CHAR: | ||
| 96 | @@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
| 97 | result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
| 98 | goto out; | ||
| 99 | } | ||
| 100 | - | ||
| 101 | + | ||
| 102 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
| 103 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
| 104 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
| 105 | + | ||
| 106 | + if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) | ||
| 107 | + { | ||
| 108 | + result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
| 109 | + goto out; | ||
| 110 | + } | ||
| 111 | + | ||
| 112 | dict_entry_depth -= 1; | ||
| 113 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
| 114 | |||
| 115 | element_count = | ||
| 116 | _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); | ||
| 117 | -- | ||
| 118 | 2.34.1 | ||
| 119 | |||
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.0.bb index 7598c45f8e..4577da782c 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.0.bb | |||
| @@ -13,6 +13,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ | |||
| 13 | file://run-ptest \ | 13 | file://run-ptest \ |
| 14 | file://tmpdir.patch \ | 14 | file://tmpdir.patch \ |
| 15 | file://dbus-1.init \ | 15 | file://dbus-1.init \ |
| 16 | file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \ | ||
| 16 | " | 17 | " |
| 17 | 18 | ||
| 18 | SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" | 19 | SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" |