|
 |
ff6046 |
From 871bb5457c5951870d447f53c976a1a1f2dac85d Mon Sep 17 00:00:00 2001
|
|
|
ff6046 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
ff6046 |
Date: Fri, 3 Aug 2018 14:46:57 +0200
|
|
|
ff6046 |
Subject: [PATCH] bus-message: fix calculation of offsets table for arrays
|
|
|
ff6046 |
|
|
|
ff6046 |
This is similar to the grandparent commit 'fix calculation of offsets table',
|
|
|
ff6046 |
except that now the change is for array elements. Same story as before: we need
|
|
|
ff6046 |
to make sure that the offsets increase enough taking alignment into account.
|
|
|
ff6046 |
|
|
|
ff6046 |
While at it, rename 'p' to 'previous' to match similar code in other places.
|
|
|
ff6046 |
|
|
|
ff6046 |
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
|
|
|
ff6046 |
|
|
|
ff6046 |
Resolves: #1696224
|
|
|
ff6046 |
---
|
|
|
ff6046 |
src/libsystemd/sd-bus/bus-message.c | 17 ++++++++++++-----
|
|
|
ff6046 |
...sh-d8f3941c74219b4c03532c9b244d5ea539c61af5 | Bin 0 -> 41 bytes
|
|
|
ff6046 |
2 files changed, 12 insertions(+), 5 deletions(-)
|
|
|
ff6046 |
create mode 100644 test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
|
|
|
ff6046 |
|
|
|
ff6046 |
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
|
|
|
ff6046 |
index c8f7937102..ac823aaf58 100644
|
|
|
ff6046 |
--- a/src/libsystemd/sd-bus/bus-message.c
|
|
|
ff6046 |
+++ b/src/libsystemd/sd-bus/bus-message.c
|
|
|
ff6046 |
@@ -3532,7 +3532,7 @@ static int bus_message_enter_array(
|
|
|
ff6046 |
|
|
|
ff6046 |
size_t rindex;
|
|
|
ff6046 |
void *q;
|
|
|
ff6046 |
- int r, alignment;
|
|
|
ff6046 |
+ int r;
|
|
|
ff6046 |
|
|
|
ff6046 |
assert(m);
|
|
|
ff6046 |
assert(c);
|
|
|
ff6046 |
@@ -3558,6 +3558,7 @@ static int bus_message_enter_array(
|
|
|
ff6046 |
|
|
|
ff6046 |
if (!BUS_MESSAGE_IS_GVARIANT(m)) {
|
|
|
ff6046 |
/* dbus1 */
|
|
|
ff6046 |
+ int alignment;
|
|
|
ff6046 |
|
|
|
ff6046 |
r = message_peek_body(m, &rindex, 4, 4, &q);
|
|
|
ff6046 |
if (r < 0)
|
|
|
ff6046 |
@@ -3591,7 +3592,8 @@ static int bus_message_enter_array(
|
|
|
ff6046 |
*n_offsets = 0;
|
|
|
ff6046 |
|
|
|
ff6046 |
} else {
|
|
|
ff6046 |
- size_t where, p = 0, framing, sz;
|
|
|
ff6046 |
+ size_t where, previous = 0, framing, sz;
|
|
|
ff6046 |
+ int alignment;
|
|
|
ff6046 |
unsigned i;
|
|
|
ff6046 |
|
|
|
ff6046 |
/* gvariant: variable length array */
|
|
|
ff6046 |
@@ -3619,17 +3621,22 @@ static int bus_message_enter_array(
|
|
|
ff6046 |
if (!*offsets)
|
|
|
ff6046 |
return -ENOMEM;
|
|
|
ff6046 |
|
|
|
ff6046 |
+ alignment = bus_gvariant_get_alignment(c->signature);
|
|
|
ff6046 |
+ assert(alignment > 0);
|
|
|
ff6046 |
+
|
|
|
ff6046 |
for (i = 0; i < *n_offsets; i++) {
|
|
|
ff6046 |
- size_t x;
|
|
|
ff6046 |
+ size_t x, start;
|
|
|
ff6046 |
+
|
|
|
ff6046 |
+ start = ALIGN_TO(previous, alignment);
|
|
|
ff6046 |
|
|
|
ff6046 |
x = bus_gvariant_read_word_le((uint8_t*) q + i * sz, sz);
|
|
|
ff6046 |
if (x > c->item_size - sz)
|
|
|
ff6046 |
return -EBADMSG;
|
|
|
ff6046 |
- if (x < p)
|
|
|
ff6046 |
+ if (x < start)
|
|
|
ff6046 |
return -EBADMSG;
|
|
|
ff6046 |
|
|
|
ff6046 |
(*offsets)[i] = rindex + x;
|
|
|
ff6046 |
- p = x;
|
|
|
ff6046 |
+ previous = x;
|
|
|
ff6046 |
}
|
|
|
ff6046 |
|
|
|
ff6046 |
*item_size = (*offsets)[0] - rindex;
|
|
|
ff6046 |
diff --git a/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
|
|
|
ff6046 |
new file mode 100644
|
|
|
ff6046 |
index 0000000000000000000000000000000000000000..26262e1149825a114a89bf9cee5aeca0be463984
|
|
|
ff6046 |
GIT binary patch
|
|
|
ff6046 |
literal 41
|
|
|
ff6046 |
rcmd1#|DTC5gMmSS0SHWtIT#p03
|
|
|
ff6046 |
|
|
|
ff6046 |
literal 0
|
|
|
ff6046 |
HcmV?d00001
|
|
|
ff6046 |
|