Blame SOURCES/dbus-1.6.12-avoid-corrupting-multiple-fds.patch

From 07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 11 Jun 2014 12:24:20 +0100
Subject: If loader contains two messages with fds, don't corrupt the second
There were two bugs here: we would previously overwrite the unused
fds with the already-used fds instead of the other way round, and
we would copy n bytes where we should have copied n ints.
Additionally, sending crafted messages in a chosen sequence to a victim
system service could cause an invalid file descriptor to be present
when dbus-daemon tries to forward one of those crafted messages to the
victim, causing sendmsg() to fail with EBADF, which resulted in
disconnecting the victim service, which would likely respond to that
by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
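The two memmove bugs the commit message describes are easiest to see on a concrete fd queue. The following is an added example, not code from dbus or from this patch: it uses a hypothetical stand-in for the loader's fd queue and for a message's fd array (the real DBusMessageLoader and DBusMessage have more fields), and constructed fd numbers rather than real descriptors. It replays the scenario from the commit message, one recvmsg() batch carrying the fds for two messages, under the pre-patch memmove, under a direction-corrected memmove that still counts bytes, and under the post-patch memmove, so the effect of each bug can be checked separately.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum shift_variant {
    SHIFT_BUGGY,        /* pre-patch: shifts the wrong way and counts bytes */
    SHIFT_WRONG_COUNT,  /* right direction, but still counts bytes */
    SHIFT_FIXED         /* post-patch: right direction, counts ints */
};

/* Hypothetical stand-in for the loader's queue of fds that arrived via
 * SCM_RIGHTS but have not yet been attached to a message. */
typedef struct {
    int unix_fds[8];
    size_t n_unix_fds;
} FdQueue;

/* Hypothetical stand-in for the fd array attached to one message. */
typedef struct {
    int unix_fds[8];
    size_t n_unix_fds;
} Message;

/* Give the first n queued fds to msg, drop them from the queue, and shift
 * the remaining fds to the front using the memmove selected by variant. */
static void take_fds(FdQueue *loader, Message *msg, size_t n,
                     enum shift_variant variant)
{
    assert(n <= loader->n_unix_fds);   /* bound check: must precede the subtraction */
    memcpy(msg->unix_fds, loader->unix_fds, n * sizeof(int));
    msg->n_unix_fds = n;
    loader->n_unix_fds -= n;           /* now the count of fds still queued */

    switch (variant) {
    case SHIFT_BUGGY:
        /* Copies the already-used fds over the unused ones, and only
         * n_unix_fds bytes of them: the queue is never shifted. */
        memmove(loader->unix_fds + n, loader->unix_fds, loader->n_unix_fds);
        break;
    case SHIFT_WRONG_COUNT:
        /* Right direction, but moves n_unix_fds bytes instead of ints, so
         * only part of the first remaining fd is moved. */
        memmove(loader->unix_fds, loader->unix_fds + n, loader->n_unix_fds);
        break;
    case SHIFT_FIXED:
        memmove(loader->unix_fds, loader->unix_fds + n,
                loader->n_unix_fds * sizeof(loader->unix_fds[0]));
        break;
    }
}

/* Constructed scenario: one batch of 5 fds, 3 belonging to the first
 * message and 2 to the second. Returns fd number i of the second message,
 * which should be 20 or 21 if the queue was shifted correctly. */
static int second_message_fd(enum shift_variant variant, size_t i)
{
    FdQueue loader = { { 10, 11, 12, 20, 21 }, 5 };
    Message first, second;

    take_fds(&loader, &first, 3, variant);
    take_fds(&loader, &second, 2, variant);
    return second.unix_fds[i];
}

int main(void)
{
    printf("pre-patch:   second message gets fds %d, %d (expected 20, 21)\n",
           second_message_fd(SHIFT_BUGGY, 0), second_message_fd(SHIFT_BUGGY, 1));
    printf("bytes-only:  second message gets fds %d, %d (expected 20, 21)\n",
           second_message_fd(SHIFT_WRONG_COUNT, 0), second_message_fd(SHIFT_WRONG_COUNT, 1));
    printf("post-patch:  second message gets fds %d, %d (expected 20, 21)\n",
           second_message_fd(SHIFT_FIXED, 0), second_message_fd(SHIFT_FIXED, 1));
    return 0;
}
```

With the pre-patch memmove the second message receives fds 10 and 11, the ones the first message already owns, which is the stale-descriptor situation that leads to EBADF from sendmsg() once the first message's fds have been closed. The bytes-only variant shows why fixing the direction alone is not enough: its second fd is still 11, and what its first fd ends up as depends on byte order. Only the post-patch form yields 20 and 21.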
diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
index c6953d0..78df755 100644
--- a/dbus/dbus-message.c
+++ b/dbus/dbus-message.c
@@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader,
 
       message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;
       loader->n_unix_fds -= n_unix_fds;
-      memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);
+      memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));
     }
   else
     message->unix_fds = NULL;
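Review bot: the corrected memmove depends on `loader->n_unix_fds -= n_unix_fds;` two lines above it leaving a non-negative remainder, and nothing in this hunk shows the bound check that guarantees n_unix_fds <= loader->n_unix_fds before that subtraction; if it is not enforced earlier in load_message(), an oversized n_unix_fds wraps the count and the memmove reads past the end of loader->unix_fds. Please confirm that check exists above the hunk, or add an `_dbus_assert (n_unix_fds <= loader->n_unix_fds);` immediately before the subtraction so the invariant is visible next to the code that relies on it. Since the commit message describes the exact sequence that was corrupted (two fd-carrying messages arriving in one loader buffer), a regression test that feeds the loader such a buffer and verifies the second message's fds would be worth adding alongside this fix. Using `sizeof (loader->unix_fds[0])` rather than a bare `sizeof (int)` is the right choice here, as it stays correct if the element type of unix_fds ever changes.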
-- 