| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This appears to have been a copy/paste mistake. If only blanks (defined as
spaces or tabs) were removed, then it cannot be right to check for white
space (defined as spaces, tabs, carriage return or linefeed) afterwards.
If libdbus was compiled with assertions enabled, then this is a
denial-of-service issue for dbus-daemon or other users of DBusServer:
an unauthenticated user with access to the server's socket can send
whitespace that triggers this assertion failure. We recommend that
production versions of dbus, for example in OS distributions, should be
compiled with checks but without assertions.
[smcv: expanded commit message]
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/421
|
|
|
|
|
|
| |
[smcv: Fix a memory leak]
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/421
|
|\
| |
| |
| |
| | |
[1.14.x] Backport more fixes from 1.15.x
See merge request dbus/dbus!393
|
| |
| |
| |
| | |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
After 6e48c317 the test-apparmor-activation test fails as it can no
longer access the dbus socket in /tmp. This commit updates the apparmor
profile used within the test
(cherry picked from commit 9950464761f0c44e08fb93155ca6e7f4b1d8a31f)
|
| |
| |
| |
| |
| |
| | |
Bugzilla is dead for long time now.
(cherry picked from commit dc59aa5df2c0c9a8fce5f5f0c33b69f21258c1ac)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The canonical way to find these macro is to run autogen.sh or autoreconf
while pkg-config (or pkgconf) is installed, which will copy an up-to-date
version of the macros from /usr/share/aclocal. The `make dist` archive
will include a bundled copy of those macros, but the git repository
doesn't need them.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In log_callback() the same va_list is reused for a call to vsnprintf and
vsyslog. A va_list can't be reused in this manner, such use is undefined
behavior that changes depending on glibc version.
In current glibc versions a segfault can be observed from the callsite at
bus/selinux.c:412. When trying to log a non-auditable event, the segfault
happens in strlen inside vsyslog.
Moving the call to vsnprintf closer to audit_log_user_avc_message (which is
followed by a 'goto out') avoids the reuse and segfault.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
(cherry picked from commit 52b73d511b27de1fde3dd075af5d90393a1cd97d)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On Gitlab-CI we're always running the overall script as root (and
therefore we'll only enter the code path to re-run as non-root),
but when using these scripts for manual testing they might be run as
non-root to begin with.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 25e1512c17be88b3dfdfd576969dcc5503495b68)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Travis CI needed this, but Gitlab-CI always runs our tests in a Docker
container of our choice, so there's never any need to enter another
(and it's not allowed anyway).
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit dfa7eede446de6c2711cb6b2e5a91667880d2c22)
|
| |
| |
| |
| |
| |
| |
| |
| | |
This cleans up checkouts that were subjected to `chown -R` prior to this.
Resolves: dbus/dbus#447
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ce6af6721f8e9837dad31adcf324042d3c013947)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
These CI scripts were originally used on Travis-CI, which starts all
builds as an ordinary user that has the ability to become root via `sudo`.
On Gitlab-CI, we don't need that: we start as uid 0, and can do the
whole CI run like that. This also means we get somewhat better test
coverage, because some of our unit tests benefit from being run as uid 0.
The only test coverage we lose by being uid 0 is that
test_pending_fd_timeout() in test/dbus-daemon.c is skipped, because
uid 0 bypasses the limit that's under test there.
(cherry picked from commit 88dd9d5cc79e4ac37de6b7bf2c9ef8f61f657362)
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
WG14 N2350 made very clear that it is an UB having type definitions
within "offsetof" [1]. This patch changes the implementation of macro
_DBUS_ALIGNOF to builtin "_Alignof" to avoid undefined behavior.
clang 16+ has started to diagnose this [2]
Fixes build when using -std >= gnu11 and using clang16+
[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm
[2] https://reviews.llvm.org/D133574
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c3e2c873ffa8e89b5f83dccc4e4e35dfcea633cb)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|\
| |
| |
| |
| | |
[1.14.x] Backport: Fix data race with members of struct DBusCounter
See merge request dbus/dbus!384
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit fixes a data race condition discovered by the
gcc thread sanitizer by also locking the associated mutex
when reading the corresponding counter.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/426
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
(cherry picked from commit 1741df3b977001aee6bee7c7458ed786c60c8eb7)
|
|/
|
|
|
|
|
|
| |
The mentioned test is build on unix like platforms when embedded tests
are enabled.
(cherry picked from commit 20febb522b3dd0b932244e48f50d2fcbb98c3b4f)
[backport to 1.14.x: adjust included header]
|
|\
| |
| |
| |
| | |
[1.14.x] Backport fixes from master
See merge request dbus/dbus!362
|
| |
| |
| |
| | |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: bc86794f23fa53
Fixes:
```
==302818==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd6ac253c0 at pc 0x000000534d0b bp 0x7ffd6ac24e10 sp 0x7ffd6ac24e08
READ of size 8 at 0x7ffd6ac253c0 thread T0
#0 0x534d0a in locate_attributes /home/vagrant/dbus/build/../bus/config-parser.c:658:16
#1 0x52ea3f in start_busconfig_child /home/vagrant/dbus/build/../bus/config-parser.c:1080:12
#2 0x52cca4 in bus_config_parser_start_element /home/vagrant/dbus/build/../bus/config-parser.c:2039:14
#3 0x52b82b in expat_StartElementHandler /home/vagrant/dbus/build/../bus/config-loader-expat.c:107:8
#4 0x7f2179f2d2bd (/lib64/libexpat.so.1+0xd2bd) (BuildId: 0165eed77c910f6ef2227d21afa9c5c5ed5849c2)
#5 0x7f2179f2aed3 (/lib64/libexpat.so.1+0xaed3) (BuildId: 0165eed77c910f6ef2227d21afa9c5c5ed5849c2)
#6 0x7f2179f2c9ec (/lib64/libexpat.so.1+0xc9ec) (BuildId: 0165eed77c910f6ef2227d21afa9c5c5ed5849c2)
#7 0x7f2179f30a8e in XML_ParseBuffer (/lib64/libexpat.so.1+0x10a8e) (BuildId: 0165eed77c910f6ef2227d21afa9c5c5ed5849c2)
#8 0x52b040 in bus_config_load /home/vagrant/dbus/build/../bus/config-loader-expat.c:259:9
#9 0x523c8a in bus_context_new /home/vagrant/dbus/build/../bus/bus.c:828:12
#10 0x521056 in main /home/vagrant/dbus/build/../bus/main.c:716:13
#11 0x7f2179a2954f in __libc_start_call_main (/lib64/libc.so.6+0x2954f) (BuildId: 9c5863396a11aab52ae8918ae01a362cefa855fe)
#12 0x7f2179a29608 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x29608) (BuildId: 9c5863396a11aab52ae8918ae01a362cefa855fe)
#13 0x42a914 in _start (/home/vagrant/dbus/build/bus/dbus-daemon+0x42a914) (BuildId: df5369f85137975aff9bd398ae859706cc3c52ff)
Address 0x7ffd6ac253c0 is located in stack of thread T0 at offset 0 in frame
#0 0x52cfaf in start_busconfig_child /home/vagrant/dbus/build/../bus/config-parser.c:733
```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
(cherry picked from commit ae03bcdb1116a953d4d33661cf878e68cdfbb9fd)
|
| |
| |
| |
| |
| |
| | |
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/420
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 3c0e63c10a63dc856e4c698c9e363f0ad7a223a9)
|
| | |
|
| | |
|
|/ |
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
| |
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit bef693f442d854505e7013fd31efe41747d7493c)
[backport to 1.14.x: discard Meson build system updates]
|
|
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7a2c13d21be702c7b5b7288fb82a60adc5bd7378)
[backport to 1.14.x: discard Meson build system updates]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a D-Bus message includes attached file descriptors, the body of the
message contains unsigned 32-bit indexes pointing into an out-of-band
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
these indexes as "handles" for the associated fds (not to be confused
with a Windows HANDLE, which is a kernel object).
The assertion message removed by this commit is arguably correct up to
a point: fd-passing is only reasonable on a local machine, and no known
operating system allows processes of differing endianness even on a
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
to specify a byte-order that differs from the byte-order of the recipient.
However, this doesn't account for the fact that a malicious sender
doesn't have to restrict itself to only doing things that make sense.
On a system with untrusted local users, a message sender could crash
the system dbus-daemon (a denial of service) by sending a message in
the opposite endianness that contains handles to file descriptors.
Before this commit, if assertions are enabled, attempting to byteswap
a fd index would cleanly crash the message recipient with an assertion
failure. If assertions are disabled, attempting to byteswap a fd index
would silently do nothing without advancing the pointer p, causing the
message's type and the pointer into its contents to go out of sync, which
can result in a subsequent crash (the crash demonstrated by fuzzing was
a use-after-free, but other failure modes might be possible).
In principle we could resolve this by rejecting wrong-endianness messages
from a local sender, but it's actually simpler and less code to treat
wrong-endianness messages as valid and byteswap them.
Thanks: Evgeny Vereshchagin
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Resolves: CVE-2022-42012
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
|
|
|
|
|
|
|
|
|
|
|
| |
Unlike the message-internals test, these do not rely on extra debug
instrumentation in libdbus, and so can be used for "as-installed"
testing. (However, they do require GLib.)
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 3ef342410a1cefe3d0bfaf46279c6517f4b44a26)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These environment variables are used by GLib's g_test_build_filename()
and related convenience functions, which make it easier for unit tests
to find data files in a way that works for both build-time tests and
"as-installed" tests. During "as-installed" testing, both variables
will normally be unset, and GLib uses the directory containing the
executable. In most cases that results in the right thing happening, and
this will also be true for dbus, since we install the test executables
in ${libexecdir}/installed-tests, helper executables in the same place,
and test data in ${libexecdir}/installed-tests/data.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 37e01259435a28b11a087867ea199cd09f0a5cff)
[backport to 1.14.x: discard Meson build system updates]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In debug builds with "embedded tests" enabled, these will automatically
be used as input for the message-internals test.
Some of the messages themselves are output from a fuzzer, others are
simplifications to include only one reason for lack of validity per
message.
I've included an annotated hex-dump for each message here, but the dbus
test suite doesn't currently know how to convert hex to binary, so I've
also committed the corresponding binary. See the comment at the top of
each hex-dump for how to create the binary version (which requires the
xxd tool shipped with vim).
It would be nice for the dbus test suite to be able to convert the
annotated hex-dump to binary, either at build-time with a Python script
or at runtime by loading the text file and decoding the hex, but I don't
want to block on that for dbus/dbus#413 and dbus/dbus#418.
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d633016f7340f83142f19f4bcac08c57e1f2fd2f)
[backport to 1.14.x: discard Meson build system updates]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
|
|
|
|
|
|
| |
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 67800ac5febc9f15d6c4f113c758797472842ff3)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.
In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On Linux, there are two classes of AF_UNIX socket, which D-Bus refers
to as unix:path=... (portable to non-Linux systems) and unix:abstract=...
(not portable).
Back in 2003 when dbus gained support for abstract Unix sockets on Linux,
everyone thought they were better in every way than path-based Unix
sockets: if a DBusServer crashes or is terminated abnormally, there's
no detritus left in the filesystem. What's not to like? As a result,
since commit a70b042f (2003-06-04), when a DBusServer listens on a
unix:tmpdir=... address on Linux, the default is for the result to be
a unix:abstract=... address, with unix:path=... addresses only used on
non-Linux platforms.
However, the world has changed in the last 19 years, and namespace-based
Linux containers (which didn't exist in 2003) are now very popular. This
makes abstract sockets problematic.
Abstract sockets are tied to the network namespace, which is
all-or-nothing: if a container is to access the Internet without using
some sort of proxy or intermediary (like slirp4netns) then it needs to
share the network namespace with the host system, and that implies
sharing all abstract sockets with the host system. If the well-known
session bus is listening on an abstract socket, then it's a sandbox
escape route for any sandboxed or containerized app running under the
same uid. Conversely, if a container is *not* sharing the network
namespace with the host system, then it cannot access a session bus that
is listening on an abstract socket without using some sort of proxy
(like xdg-dbus-proxy), even if it isn't intended to impose a security
boundary and giving it direct access to the session bus would have been
more desirable.
Path-based sockets do not have this problem because they exist in the
filesystem (part of the "everything is a file" Unix philosophy),
allowing mount namespaces and bind-mounts to be used to share or
unshare them selectively.
On systems with `systemd --user` where dbus has been configured with
`--enable-user-session`, in general the session bus will already be
using a path-based socket for the "user bus", disregarding the listening
address specified in /usr/share/dbus-1/session.conf. The default in many
recent Linux distributions is either to use dbus-daemon in this way, or
to use dbus-broker, a reimplementation of the message bus service which
has similar "user bus" behaviour.
However, the <listen> address in session.conf is used when dbus-launch(1)
or dbus-run-session(1) is used to start a session bus, either manually,
via autolaunching, or via system integration glue in operating systems
that are not using `systemd --user`. This will occur particularly often
in operating systems that boot using a non-systemd init system.
Making unix:tmpdir=/tmp equivalent to unix:dir=/tmp ensures that the
well-known session bus listens on a path-based socket, allowing container
and sandboxing frameworks to mediate access to it in the same way they
would for the user bus. The D-Bus Specification already allows (but does
not require) this behaviour, because it is the only thing that was
implementable on non-Linux systems such as *BSD.
This change has the potential to cause regressions. If a container
framework enters a chroot or unshares the mount namespace but does not
unshare the network namespace, and is relying on the ability for a
process inside a container to access the session bus outside the
container via its abstract socket, then that assumption will be broken
by this change. Some use cases of schroot(1) are likely to suffer from
this. However, container frameworks with that assumption would already
have found that it does not hold when using the user bus, and it is
necessary to break that assumption if we want it to be possible to apply
application-level sandboxing in a secure way.
Another potential regression from this change is that if a dbus-daemon
is terminated abnormally, it will leave a socket in /tmp. Distributors
of operating systems where heavy use of dbus-launch(1) is expected might
wish to run dbus-cleanup-sockets(1) periodically.
This partially reverts commit a70b042f.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/416
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit f01382ae310c7d63790c07ed280f575d91ea57b8)
[backport to 1.14.x: adjust to absence of d98c98d1 in this branch]
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
| |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
| |
Result of: make -C $builddir update-authors
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
|
|
|
|
| |
We're not going to replace deprecated functions here, similar to commit
88e0ccb2 in the dbus-1.10 branch.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 93efaf78732176602e42cb8c8b25e19c3d538f1a)
|
|\
| |
| |
| |
| | |
Backport various fixes from 1.15.x branch
See merge request dbus/dbus!341
|
| |
| |
| |
| | |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit 97bdefd4e2598e6ea72337acb4230928594bda81 move the
include(FindPkgConfig) call into a Linux-specific codepath, so pkg-config
was not being detected on FreeBSD. This mean that the check for
PKG_CONFIG_FOUND to determine whether to install .pc files later on
would always fail and .pc files were not installed on FreeBSD.
(cherry picked from commit 82f5c966442a455edf0bae4fbc17e35abdf7db5e)
Backported-from: dbus!280
|
| |
| |
| |
| |
| |
| |
| | |
This was not being checked, so the codepaths using the define were
never included.
(cherry picked from commit dafb5ddc09767e22d1a8848e05b756b03226dd3f)
|