|
 |
4a88b0 |
From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
|
|
|
4a88b0 |
From: Simon McVittie <smcv@collabora.com>
|
|
|
4a88b0 |
Date: Mon, 12 Sep 2022 13:14:18 +0100
|
|
|
4a88b0 |
Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
|
|
|
4a88b0 |
fixed-length items
|
|
|
4a88b0 |
|
|
|
4a88b0 |
This fast-path previously did not check that the array was made up
|
|
|
4a88b0 |
of an integer number of items. This could lead to assertion failures
|
|
|
4a88b0 |
and out-of-bounds accesses during subsequent message processing (which
|
|
|
4a88b0 |
assumes that the message has already been validated), particularly after
|
|
|
4a88b0 |
the addition of _dbus_header_remove_unknown_fields(), which makes it
|
|
|
4a88b0 |
more likely that dbus-daemon will apply non-trivial edits to messages.
|
|
|
4a88b0 |
|
|
|
4a88b0 |
Thanks: Evgeny Vereshchagin
|
|
|
4a88b0 |
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
|
|
|
4a88b0 |
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
|
|
|
4a88b0 |
Resolves: CVE-2022-42011
|
|
|
4a88b0 |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
4a88b0 |
(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
|
|
|
4a88b0 |
(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
|
|
|
4a88b0 |
---
|
|
|
4a88b0 |
dbus/dbus-marshal-validate.c | 13 ++++++++++++-
|
|
|
4a88b0 |
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
4a88b0 |
|
|
|
4a88b0 |
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
|
|
|
4a88b0 |
index ae68414dd..7d0d6cf72 100644
|
|
|
4a88b0 |
--- a/dbus/dbus-marshal-validate.c
|
|
|
4a88b0 |
+++ b/dbus/dbus-marshal-validate.c
|
|
|
4a88b0 |
@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
|
|
|
4a88b0 |
*/
|
|
|
4a88b0 |
if (dbus_type_is_fixed (array_elem_type))
|
|
|
4a88b0 |
{
|
|
|
4a88b0 |
+ /* Note that fixed-size types all have sizes equal to
|
|
|
4a88b0 |
+ * their alignments, so this is really the item size. */
|
|
|
4a88b0 |
+ alignment = _dbus_type_get_alignment (array_elem_type);
|
|
|
4a88b0 |
+ _dbus_assert (alignment == 1 || alignment == 2 ||
|
|
|
4a88b0 |
+ alignment == 4 || alignment == 8);
|
|
|
4a88b0 |
+
|
|
|
4a88b0 |
+ /* Because the alignment is a power of 2, this is
|
|
|
4a88b0 |
+ * equivalent to: (claimed_len % alignment) != 0,
|
|
|
4a88b0 |
+ * but avoids slower integer division */
|
|
|
4a88b0 |
+ if ((claimed_len & (alignment - 1)) != 0)
|
|
|
4a88b0 |
+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
|
|
|
4a88b0 |
+
|
|
|
4a88b0 |
/* bools need to be handled differently, because they can
|
|
|
4a88b0 |
* have an invalid value
|
|
|
4a88b0 |
*/
|
|
|
4a88b0 |
if (array_elem_type == DBUS_TYPE_BOOLEAN)
|
|
|
4a88b0 |
{
|
|
|
4a88b0 |
dbus_uint32_t v;
|
|
|
4a88b0 |
- alignment = _dbus_type_get_alignment (array_elem_type);
|
|
|
4a88b0 |
|
|
|
4a88b0 |
while (p < array_end)
|
|
|
4a88b0 |
{
|
|
|
4a88b0 |
--
|
|
|
4a88b0 |
GitLab
|
|
|
4a88b0 |
|