Diffstat (limited to 'meta/recipes-core/dbus/dbus/CVE-2020-12049.patch')
-rw-r--r-- | meta/recipes-core/dbus/dbus/CVE-2020-12049.patch | 78 |
1 files changed, 78 insertions, 0 deletions
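--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
@@ -0,0 +1,78 @@
+From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
+CVE: CVE-2020-12049
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b5fc2466..b176dae1 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+struct cmsghdr *cm;
+dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+{
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+if (!found)
+*n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+/* put length back (doesn't actually realloc) */
+_dbus_string_set_length (buffer, start + bytes_read);
+
+--
+2.25.1
+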
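Review bot: The relocated `if (m.msg_flags & MSG_CTRUNC)` block in the second hunk of dbus-sysdeps-unix.c is only correct in its current statement order, and nothing in the code records that. `errno = ENOSPC;` has to stay after the `close (fds[i])` loop because close() may overwrite errno, and `*n_fds = 0;` has to stay after the loop that uses it as its bound. A comment such as `/* set errno last: close() above may overwrite it */` before the errno assignment would guard against a later reorder. The loop also assumes the SCM_RIGHTS handling, whose body lies outside both hunks, has left exactly the received descriptors in `fds[0 .. *n_fds)`, which should be confirmed against the full function. The diffstat on this page is limited to the patch file, so it cannot be checked from here whether the dbus recipe's SRC_URI lists CVE-2020-12049.patch and the fix is actually applied at build time.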