dbus: fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed

Backport a patch from upstream [1] to fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed [1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946 (From OE-Core rev: ad5c72d7f4c5ac2ad84eff8235d87f6c097af386) Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Xiangyu Chen <xiangyu.chen@eng.windriver.com> 2022-11-14 15:05:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-24 15:30:00 +0000
commit: 24f6bf271ba71ce54dc01af7628abdb36687936e (patch)
tree: 2747a1b5c76bbefa40d03e34bf56ad53897c27ca
parent: 5f78d205a1871258d10d531193bd3ea10f483251 (diff)
download: poky-24f6bf271ba71ce54dc01af7628abdb36687936e.tar.gz
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
new file mode 100644
index 0000000000..47f4f1e0d3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
@@ -0,0 +1,76 @@
+From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Fri, 30 Sep 2022 13:46:31 +0100
+Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
+When a D-Bus message includes attached file descriptors, the body of the
+message contains unsigned 32-bit indexes pointing into an out-of-band
+array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
+these indexes as "handles" for the associated fds (not to be confused
+with a Windows HANDLE, which is a kernel object).
+The assertion message removed by this commit is arguably correct up to
+a point: fd-passing is only reasonable on a local machine, and no known
+operating system allows processes of differing endianness even on a
+multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
+to specify a byte-order that differs from the byte-order of the recipient.
+However, this doesn't account for the fact that a malicious sender
+doesn't have to restrict itself to only doing things that make sense.
+On a system with untrusted local users, a message sender could crash
+the system dbus-daemon (a denial of service) by sending a message in
+the opposite endianness that contains handles to file descriptors.
+Before this commit, if assertions are enabled, attempting to byteswap
+a fd index would cleanly crash the message recipient with an assertion
+failure. If assertions are disabled, attempting to byteswap a fd index
+would silently do nothing without advancing the pointer p, causing the
+message's type and the pointer into its contents to go out of sync, which
+can result in a subsequent crash (the crash demonstrated by fuzzing was
+a use-after-free, but other failure modes might be possible).
+In principle we could resolve this by rejecting wrong-endianness messages
+from a local sender, but it's actually simpler and less code to treat
+wrong-endianness messages as valid and byteswap them.
+Thanks: Evgeny Vereshchagin
+Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
+Resolves: CVE-2022-42012
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
+Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
+---
+ dbus/dbus-marshal-byteswap.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
+index 27695aaf..7104e9c6 100644
+--- a/dbus/dbus-marshal-byteswap.c
+++ b/dbus/dbus-marshal-byteswap.c
+@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader       *reader,
+         case DBUS_TYPE_BOOLEAN:
+         case DBUS_TYPE_INT32:
+         case DBUS_TYPE_UINT32:
+        case DBUS_TYPE_UNIX_FD:
+           {
+             p = _DBUS_ALIGN_ADDRESS (p, 4);
+             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
+@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader       *reader,
+           }
+           break;
+ 
+-        case DBUS_TYPE_UNIX_FD:
+-          /* fds can only be passed on a local machine, so byte order must always match */
+-          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
+-          break;
+-
+         default:
+           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
+           break;
+-- 
+2.34.1
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.0.bb
index e1efa9e058..484629e987 100644
--- a/meta/recipes-core/dbus/dbus_1.14.0.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
           file://dbus-1.init \
           file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
           file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
+           file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \
 "
 SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
author	Xiangyu Chen <xiangyu.chen@eng.windriver.com>	2022-11-14 15:05:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-24 15:30:00 +0000
commit	24f6bf271ba71ce54dc01af7628abdb36687936e (patch)
tree	2747a1b5c76bbefa40d03e34bf56ad53897c27ca
parent	5f78d205a1871258d10d531193bd3ea10f483251 (diff)
download	poky-24f6bf271ba71ce54dc01af7628abdb36687936e.tar.gz

diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch new file mode 100644 index 0000000000..47f4f1e0d3 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
@@ -0,0 +1,76 @@
		1	From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001
		2	From: Simon McVittie <smcv@collabora.com>
		3	Date: Fri, 30 Sep 2022 13:46:31 +0100
		4	Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
		5
		6	When a D-Bus message includes attached file descriptors, the body of the
		7	message contains unsigned 32-bit indexes pointing into an out-of-band
		8	array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
		9	these indexes as "handles" for the associated fds (not to be confused
		10	with a Windows HANDLE, which is a kernel object).
		11
		12	The assertion message removed by this commit is arguably correct up to
		13	a point: fd-passing is only reasonable on a local machine, and no known
		14	operating system allows processes of differing endianness even on a
		15	multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
		16	to specify a byte-order that differs from the byte-order of the recipient.
		17
		18	However, this doesn't account for the fact that a malicious sender
		19	doesn't have to restrict itself to only doing things that make sense.
		20	On a system with untrusted local users, a message sender could crash
		21	the system dbus-daemon (a denial of service) by sending a message in
		22	the opposite endianness that contains handles to file descriptors.
		23
		24	Before this commit, if assertions are enabled, attempting to byteswap
		25	a fd index would cleanly crash the message recipient with an assertion
		26	failure. If assertions are disabled, attempting to byteswap a fd index
		27	would silently do nothing without advancing the pointer p, causing the
		28	message's type and the pointer into its contents to go out of sync, which
		29	can result in a subsequent crash (the crash demonstrated by fuzzing was
		30	a use-after-free, but other failure modes might be possible).
		31
		32	In principle we could resolve this by rejecting wrong-endianness messages
		33	from a local sender, but it's actually simpler and less code to treat
		34	wrong-endianness messages as valid and byteswap them.
		35
		36	Thanks: Evgeny Vereshchagin
		37	Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
		38	Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
		39	Resolves: CVE-2022-42012
		40
		41	Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
		42
		43	Signed-off-by: Simon McVittie <smcv@collabora.com>
		44	(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
		45	Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
		46	---
		47	dbus/dbus-marshal-byteswap.c \| 6 +-----
		48	1 file changed, 1 insertion(+), 5 deletions(-)
		49
		50	diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
		51	index 27695aaf..7104e9c6 100644
		52	--- a/dbus/dbus-marshal-byteswap.c
		53	+++ b/dbus/dbus-marshal-byteswap.c
		54	@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader,
		55	case DBUS_TYPE_BOOLEAN:
		56	case DBUS_TYPE_INT32:
		57	case DBUS_TYPE_UINT32:
		58	+ case DBUS_TYPE_UNIX_FD:
		59	{
		60	p = _DBUS_ALIGN_ADDRESS (p, 4);
		61	((dbus_uint32_t)p) = DBUS_UINT32_SWAP_LE_BE (((dbus_uint32_t)p));
		62	@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader,
		63	}
		64	break;
		65
		66	- case DBUS_TYPE_UNIX_FD:
		67	- /* fds can only be passed on a local machine, so byte order must always match */
		68	- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
		69	- break;
		70	-
		71	default:
		72	_dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
		73	break;
		74	--
		75	2.34.1
		76


diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.0.bb index e1efa9e058..484629e987 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
15	file://dbus-1.init \	15	file://dbus-1.init \
16	file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \	16	file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
17	file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \	17	file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
		18	file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \
18	"	19	"
19		20
20	SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"	21	SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"