dbus: CVE-2014-3532

Fixes denial of service in file descriptor passing feature References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 https://bugs.freedesktop.org/show_bug.cgi?id=80163 http://openwall.com/lists/oss-security/2014/07/02/4 Upstream commit: http://cgit.freedesktop.org/dbus/dbus/commit/?id= 9ca90648fc870c24d852ce6d7ce9387a9fc9a94a Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-04 14:37:17 +0100
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-04 14:37:17 +0100
commit: 8d7d20f1ae6c10ef37723572b535c5c22814461e (patch)
tree: beec32ca8334caaf5e0f3fe6f88f1cedd3873ba0 /recipes-core/dbus
parent: 7c31d929af764a61ffdfc99ec9c2fc23e24dad2b (diff)
download: meta-el-common-8d7d20f1ae6c10ef37723572b535c5c22814461e.tar.gz
2 files changed, 117 insertions, 0 deletions
diff --git a/recipes-core/dbus/dbus_1.8.2.bbappend b/recipes-core/dbus/dbus_1.8.2.bbappend
new file mode 100644
index 0000000..3a6cb06
--- /dev/null
+++ b/recipes-core/dbus/dbus_1.8.2.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "\
+            file://CVE-2014-3532.patch \
+            "
diff --git a/recipes-core/dbus/files/CVE-2014-3532.patch b/recipes-core/dbus/files/CVE-2014-3532.patch
new file mode 100644
index 0000000..95f110c
--- /dev/null
+++ b/recipes-core/dbus/files/CVE-2014-3532.patch
@@ -0,0 +1,112 @@
+Date: Tue, 24 Jun 2014 17:57:14 +0100
+Subject: Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
+Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
+sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
+when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
+applications. A malicious client could use this to force a victim system
+service to be disconnected from the system bus; the victim would likely
+respond by exiting. This is a denial of service (fd.o #80163,
+CVE-2014-3532).
+This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
+the connection.
+Upstream-Status: Backport
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
+Reviewed-by: Thiago Macieira <thiago@kde.org>
+[altered commit message to explain DoS significance -smcv]
+Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
+index de3a18c..f4ba0fa 100644
+--- a/dbus/dbus-sysdeps.c
+++ b/dbus/dbus-sysdeps.c
+@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void)
+ }
+ 
+ /**
+ * See if errno is ETOOMANYREFS
+ * @returns #TRUE if errno == ETOOMANYREFS
+ */
+dbus_bool_t
+_dbus_get_is_errno_etoomanyrefs (void)
+{
+#ifdef ETOOMANYREFS
+  return errno == ETOOMANYREFS;
+#else
+  return FALSE;
+#endif
+}
+
+/**
+  * Get error message from errno
+  * @returns _dbus_strerror(errno)
+  */
+diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
+index e586946..21033eb 100644
+--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
+@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void);
+ dbus_bool_t _dbus_get_is_errno_enomem                (void);
+ dbus_bool_t _dbus_get_is_errno_eintr                 (void);
+ dbus_bool_t _dbus_get_is_errno_epipe                 (void);
+dbus_bool_t _dbus_get_is_errno_etoomanyrefs           (void);
+ const char* _dbus_strerror_from_errno                (void);
+ 
+ void _dbus_disable_sigpipe (void);
+diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
+index 774f459..199d3b5 100644
+--- a/dbus/dbus-transport-socket.c
+++ b/dbus/dbus-transport-socket.c
+@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport)
+         {
+           /* EINTR already handled for us */
+           
+-          /* For some discussion of why we also ignore EPIPE here, see
+          /* If the other end closed the socket with close() or shutdown(), we
+           * receive EPIPE here but we must not close the socket yet: there
+           * might still be some data to read. See:
+            * http://lists.freedesktop.org/archives/dbus/2008-March/009526.html
+            */
+           
+           if (_dbus_get_is_errno_eagain_or_ewouldblock () || _dbus_get_is_errno_epipe ())
+             goto out;
+
+          /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg()
+           * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd
+           * mechanism (SCM_RIGHTS) is used recursively with a recursion level
+           * of maximum 4. The kernel does not have an API to check whether
+           * the passed fds can be forwarded and it can change asynchronously.
+           * See:
+           * https://bugs.freedesktop.org/show_bug.cgi?id=80163
+           */
+
+          else if (_dbus_get_is_errno_etoomanyrefs ())
+            {
+              /* We only send fds in the first byte of the message.
+               * ETOOMANYREFS cannot happen after.
+               */
+              _dbus_assert (socket_transport->message_bytes_written == 0);
+
+              _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n",
+                             total_bytes_to_write);
+
+              socket_transport->message_bytes_written = 0;
+              _dbus_string_set_length (&socket_transport->encoded_outgoing, 0);
+              _dbus_string_compact (&socket_transport->encoded_outgoing, 2048);
+
+              /* The message was not actually sent but it needs to be removed
+               * from the outgoing queue
+               */
+              _dbus_connection_message_sent_unlocked (transport->connection,
+                                                      message);
+            }
+           else
+             {
+               _dbus_verbose ("Error writing to remote app: %s\n",
+-- 
+cgit v0.10.2
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-04 14:37:17 +0100
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-04 14:37:17 +0100
commit	8d7d20f1ae6c10ef37723572b535c5c22814461e (patch)
tree	beec32ca8334caaf5e0f3fe6f88f1cedd3873ba0 /recipes-core/dbus
parent	7c31d929af764a61ffdfc99ec9c2fc23e24dad2b (diff)
download	meta-el-common-8d7d20f1ae6c10ef37723572b535c5c22814461e.tar.gz

diff --git a/recipes-core/dbus/dbus_1.8.2.bbappend b/recipes-core/dbus/dbus_1.8.2.bbappend new file mode 100644 index 0000000..3a6cb06 --- /dev/null +++ b/recipes-core/dbus/dbus_1.8.2.bbappend
@@ -0,0 +1,5 @@
	1	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	2
	3	SRC_URI += "\
	4	file://CVE-2014-3532.patch \
	5	"


diff --git a/recipes-core/dbus/files/CVE-2014-3532.patch b/recipes-core/dbus/files/CVE-2014-3532.patch new file mode 100644 index 0000000..95f110c --- /dev/null +++ b/recipes-core/dbus/files/CVE-2014-3532.patch
@@ -0,0 +1,112 @@
	1	Date: Tue, 24 Jun 2014 17:57:14 +0100
	2	Subject: Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
	3
	4	Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
	5	sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
	6	when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
	7	applications. A malicious client could use this to force a victim system
	8	service to be disconnected from the system bus; the victim would likely
	9	respond by exiting. This is a denial of service (fd.o #80163,
	10	CVE-2014-3532).
	11
	12	This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
	13	the connection.
	14
	15	Upstream-Status: Backport
	16
	17	Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
	18	Reviewed-by: Thiago Macieira <thiago@kde.org>
	19	[altered commit message to explain DoS significance -smcv]
	20	Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
	21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	22
	23	diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
	24	index de3a18c..f4ba0fa 100644
	25	--- a/dbus/dbus-sysdeps.c
	26	+++ b/dbus/dbus-sysdeps.c
	27	@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void)
	28	}
	29
	30	/**
	31	+ * See if errno is ETOOMANYREFS
	32	+ * @returns #TRUE if errno == ETOOMANYREFS
	33	+ */
	34	+dbus_bool_t
	35	+_dbus_get_is_errno_etoomanyrefs (void)
	36	+{
	37	+#ifdef ETOOMANYREFS
	38	+ return errno == ETOOMANYREFS;
	39	+#else
	40	+ return FALSE;
	41	+#endif
	42	+}
	43	+
	44	+/**
	45	* Get error message from errno
	46	* @returns _dbus_strerror(errno)
	47	*/
	48	diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
	49	index e586946..21033eb 100644
	50	--- a/dbus/dbus-sysdeps.h
	51	+++ b/dbus/dbus-sysdeps.h
	52	@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void);
	53	dbus_bool_t _dbus_get_is_errno_enomem (void);
	54	dbus_bool_t _dbus_get_is_errno_eintr (void);
	55	dbus_bool_t _dbus_get_is_errno_epipe (void);
	56	+dbus_bool_t _dbus_get_is_errno_etoomanyrefs (void);
	57	const char* _dbus_strerror_from_errno (void);
	58
	59	void _dbus_disable_sigpipe (void);
	60	diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
	61	index 774f459..199d3b5 100644
	62	--- a/dbus/dbus-transport-socket.c
	63	+++ b/dbus/dbus-transport-socket.c
	64	@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport)
	65	{
	66	/* EINTR already handled for us */
	67
	68	- /* For some discussion of why we also ignore EPIPE here, see
	69	+ /* If the other end closed the socket with close() or shutdown(), we
	70	+ * receive EPIPE here but we must not close the socket yet: there
	71	+ * might still be some data to read. See:
	72	* http://lists.freedesktop.org/archives/dbus/2008-March/009526.html
	73	*/
	74
	75	if (_dbus_get_is_errno_eagain_or_ewouldblock () \|\| _dbus_get_is_errno_epipe ())
	76	goto out;
	77	+
	78	+ /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg()
	79	+ * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd
	80	+ * mechanism (SCM_RIGHTS) is used recursively with a recursion level
	81	+ * of maximum 4. The kernel does not have an API to check whether
	82	+ * the passed fds can be forwarded and it can change asynchronously.
	83	+ * See:
	84	+ * https://bugs.freedesktop.org/show_bug.cgi?id=80163
	85	+ */
	86	+
	87	+ else if (_dbus_get_is_errno_etoomanyrefs ())
	88	+ {
	89	+ /* We only send fds in the first byte of the message.
	90	+ * ETOOMANYREFS cannot happen after.
	91	+ */
	92	+ _dbus_assert (socket_transport->message_bytes_written == 0);
	93	+
	94	+ _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n",
	95	+ total_bytes_to_write);
	96	+
	97	+ socket_transport->message_bytes_written = 0;
	98	+ _dbus_string_set_length (&socket_transport->encoded_outgoing, 0);
	99	+ _dbus_string_compact (&socket_transport->encoded_outgoing, 2048);
	100	+
	101	+ /* The message was not actually sent but it needs to be removed
	102	+ * from the outgoing queue
	103	+ */
	104	+ _dbus_connection_message_sent_unlocked (transport->connection,
	105	+ message);
	106	+ }
	107	else
	108	{
	109	_dbus_verbose ("Error writing to remote app: %s\n",
	110	--
	111	cgit v0.10.2
	112