richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
ff6046
From 709214f554355158b2c3e70c7f3424997e002cee Mon Sep 17 00:00:00 2001
ff6046
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
ff6046
Date: Thu, 23 Aug 2018 14:48:40 +0200
ff6046
Subject: [PATCH] bus-message: avoid wrap-around when using length read from
ff6046
 message
ff6046
ff6046
We would read (-1), and then add 1 to it, call message_peek_body(..., 0, ...),
ff6046
and when trying to make use of the data.
ff6046
ff6046
The fuzzer test case is just for one site, but they all look similar.
ff6046
ff6046
v2: fix two UINT8_MAX/UINT32_MAX mismatches founds by LGTM
ff6046
(cherry picked from commit 902000c19830f5e5a96e8948d691b42e91ecb1e7)
ff6046
ff6046
Resolves: #1696224
ff6046
---
ff6046
 src/libsystemd/sd-bus/bus-message.c           |  24 ++++++++++++++++++
ff6046
 ...h-603dfd98252375ac7dbced53c2ec312671939a36 | Bin 0 -> 40 bytes
ff6046
 2 files changed, 24 insertions(+)
ff6046
 create mode 100644 test/fuzz/fuzz-bus-message/crash-603dfd98252375ac7dbced53c2ec312671939a36
ff6046
ff6046
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
ff6046
index 613722a1a0..53cbd675b7 100644
ff6046
--- a/src/libsystemd/sd-bus/bus-message.c
ff6046
+++ b/src/libsystemd/sd-bus/bus-message.c
ff6046
@@ -3414,6 +3414,10 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
ff6046
                                 return r;
ff6046
 
ff6046
                         l = BUS_MESSAGE_BSWAP32(m, *(uint32_t*) q);
ff6046
+                        if (l == UINT32_MAX)
ff6046
+                                /* avoid overflow right below */
ff6046
+                                return -EBADMSG;
ff6046
+
ff6046
                         r = message_peek_body(m, &rindex, 1, l+1, &q);
ff6046
                         if (r < 0)
ff6046
                                 return r;
ff6046
@@ -3436,6 +3440,10 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
ff6046
                                 return r;
ff6046
 
ff6046
                         l = *(uint8_t*) q;
ff6046
+                        if (l == UINT8_MAX)
ff6046
+                                /* avoid overflow right below */
ff6046
+                                return -EBADMSG;
ff6046
+
ff6046
                         r = message_peek_body(m, &rindex, 1, l+1, &q);
ff6046
                         if (r < 0)
ff6046
                                 return r;
ff6046
@@ -3701,6 +3709,10 @@ static int bus_message_enter_variant(
ff6046
                         return r;
ff6046
 
ff6046
                 l = *(uint8_t*) q;
ff6046
+                if (l == UINT8_MAX)
ff6046
+                        /* avoid overflow right below */
ff6046
+                        return -EBADMSG;
ff6046
+
ff6046
                 r = message_peek_body(m, &rindex, 1, l+1, &q);
ff6046
                 if (r < 0)
ff6046
                         return r;
ff6046
@@ -4269,6 +4281,10 @@ _public_ int sd_bus_message_peek_type(sd_bus_message *m, char *type, const char
ff6046
                                         return r;
ff6046
 
ff6046
                                 l = *(uint8_t*) q;
ff6046
+                                if (l == UINT8_MAX)
ff6046
+                                        /* avoid overflow right below */
ff6046
+                                        return -EBADMSG;
ff6046
+
ff6046
                                 r = message_peek_body(m, &rindex, 1, l+1, &q);
ff6046
                                 if (r < 0)
ff6046
                                         return r;
ff6046
@@ -4849,6 +4865,10 @@ static int message_peek_field_string(
ff6046
                 if (r < 0)
ff6046
                         return r;
ff6046
 
ff6046
+                if (l == UINT32_MAX)
ff6046
+                        /* avoid overflow right below */
ff6046
+                        return -EBADMSG;
ff6046
+
ff6046
                 r = message_peek_fields(m, ri, 1, l+1, &q);
ff6046
                 if (r < 0)
ff6046
                         return r;
ff6046
@@ -4900,6 +4920,10 @@ static int message_peek_field_signature(
ff6046
                         return r;
ff6046
 
ff6046
                 l = *(uint8_t*) q;
ff6046
+                if (l == UINT8_MAX)
ff6046
+                        /* avoid overflow right below */
ff6046
+                        return -EBADMSG;
ff6046
+
ff6046
                 r = message_peek_fields(m, ri, 1, l+1, &q);
ff6046
                 if (r < 0)
ff6046
                         return r;
ff6046
diff --git a/test/fuzz/fuzz-bus-message/crash-603dfd98252375ac7dbced53c2ec312671939a36 b/test/fuzz/fuzz-bus-message/crash-603dfd98252375ac7dbced53c2ec312671939a36
ff6046
new file mode 100644
ff6046
index 0000000000000000000000000000000000000000..b3fee9e07af4f925697a549bbc8ffc03a277fac0
ff6046
GIT binary patch
ff6046
literal 40
ff6046
mcmc~{Vqjzdg7laF|BC@>cE)0c{}2$`*K@IKT2AZ~5ElR}@e}O;
ff6046
ff6046
literal 0
ff6046
HcmV?d00001
ff6046