path: root/dbus
Commit message | Author | Age | Files | Lines
* Support /proc in _dbus_file_get_content (Luca Boccassi, 2023-05-15, 1 file, -4/+46)
  procfs has special semantics: most files are 0 size, only one read can be done on a file, and they are not larger than 4MB. Enhance _dbus_file_get_content() so that we can read files from /proc with it.

  Signed-off-by: Luca Boccassi <bluca@debian.org>
* dbus-spawn-win: use `_DBUS_FUNCTION_NAME` instead of `__FUNCTION__` (Barnabás Pőcze, 2023-05-15, 1 file, -4/+4)
  dbus-internals.h already defines a macro which expands to the name of the current function based on C standard version, etc. So use that instead of hard-coding `__FUNCTION__`.

  Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
* dbus-sysdeps-win: do not log function name twice (Barnabás Pőcze, 2023-05-15, 1 file, -2/+2)
  `_dbus_verbose()` already logs the function name, do not log it again in the message.

  Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
* dbus-internals: use `_DBUS_FUNCTION_NAME` in `_dbus_verbose()` (Barnabás Pőcze, 2023-05-15, 1 file, -1/+1)
  dbus-internals.h already defines a macro which expands to the name of the current function based on C standard version, etc. So use that instead of hard-coding `__FUNCTION__`.

  Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
* dbus_message_iter_get_signature: Fix two memory leaks on OOM (Barnabás Pőcze, 2023-05-12, 1 file, -4/+8)
  Previously, `retstr` would not be freed when `_dbus_string_append_len()` or `_dbus_string_steal_data()` failed. Fix those by:

    * jumping to `_dbus_string_free()` when `_dbus_string_append_len()` fails
    * ignoring the return value of `_dbus_string_free()`.

  The latter works because in case of failure, `ret` will be set to NULL by `_dbus_string_steal_data()`.

  Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
* _dbus_string_skip_blank(): Let the final assert follow the previous search (Ralf Habacker, 2023-02-08, 1 file, -1/+1)
  This appears to have been a copy/paste mistake. If only blanks (defined as spaces or tabs) were removed, then it cannot be right to check for white space (defined as spaces, tabs, carriage return or linefeed) afterwards.

  If libdbus was compiled with assertions enabled, then this is a denial-of-service issue for dbus-daemon or other users of DBusServer: an unauthenticated user with access to the server's socket can send whitespace that triggers this assertion failure. We recommend that production versions of dbus, for example in OS distributions, should be compiled with checks but without assertions.

  [smcv: expanded commit message]

  Thanks: Evgeny Vereshchagin
  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/421
* Define _DBUS_ALIGNOF using _Alignof when using C11 or newer (Khem Raj, 2023-01-14, 1 file, -0/+4)
  WG14 N2350 made very clear that it is UB to have type definitions within "offsetof" [1]. This patch changes the implementation of macro _DBUS_ALIGNOF to builtin "_Alignof" to avoid undefined behavior. clang 16+ has started to diagnose this [2].

  Fixes build when using -std >= gnu11 and using clang16+.

  [1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm
  [2] https://reviews.llvm.org/D133574

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Fix data race in multithreaded application (Ralf Habacker, 2023-01-05, 1 file, -2/+10)
  This commit fixes a data race condition discovered by the gcc thread sanitizer by also locking the associated mutex when reading the corresponding counter.

  Fixes #426
* Add multithreaded unit test for DBusCounter to available build systems (Ralf Habacker, 2023-01-05, 1 file, -1/+7)
  The mentioned test is built on Unix-like platforms when embedded tests are enabled.
* meson: Declare dependency (Daniel Wagner, 2023-01-04, 1 file, -0/+6)
  Allow other Meson projects to consume libdbus as subproject. For this we need to instantiate a dependency object.

  Signed-off-by: Daniel Wagner <dwagner@suse.de>
* dbus/dbus-macros-internal.h: Add blank line after the copyright state (Ralf Habacker, 2023-01-04, 1 file, -0/+1)
  Thus it is identical with the other places.
* Add SPDX license marker for the AFL-2.1 OR GPL-2.0-or-later license (Ralf Habacker, 2023-01-04, 135 files, -0/+270)
  The full license texts are not added because they were already added in a previous commit.

  Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>

  see #394
* _dbus_loop_iterate: `timeout` can be defined as int (Xin Shi, 2023-01-04, 1 file, -1/+1)
  All places where `timeout` is used can be represented as int. This MR is a response to issue #430.

  Signed-off-by: Xin Shi <shixin21@huawei.com>
* socket_handle_watch: break when `found` is TRUE in server (Aiknow, 2023-01-03, 1 file, -1/+4)
  Skip useless loop when `found` is TRUE. This MR is a response to issue #431.

  Signed-off-by: Aiknow <shixin21@huawei.com>
* cleanup: Use gitlab URI for bug reporting (Marco Trevisan (Treviño), 2022-11-30, 1 file, -1/+1)
  Bugzilla has been dead for a long time now.
* internals: Statically assert some things we assume about pointers (Simon McVittie, 2022-11-29, 1 file, -0/+29)
  Like many relatively-low-level codebases, dbus has historically assumed that data pointers are interchangeable with function pointers (which is implied by POSIX and also true on Windows, but not guaranteed by ISO C).

  Before dbus!335 was merged, we also assumed that size_t is the same size as a pointer (which is frequently assumed, but not guaranteed by ISO C, and notably not true on CHERI). dbus!335 is believed to have removed all uses of that assumption.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-basic: Use _DBUS_ALIGNOF to compare alignments (Simon McVittie, 2022-11-29, 1 file, -13/+4)
  This means we get the alignment comparisons even on non-gcc compilers.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus/dbus-backtrace-win.c: New file with backtrace generator for Windows (Ralf Habacker, 2022-11-29, 5 files, -204/+216)
  This file was added to simplify the license documentation, because the code moved from dbus-sysdeps-win.c is subject to a different license.

  Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
  [smcv: keep license grant; add to Meson build system]
  Co-authored-by: Simon McVittie <smcv@collabora.com>
* dbus-arch-deps: Mark as AFL-2.0 OR GPL-2.0-or-later (Simon McVittie, 2022-11-29, 1 file, -0/+1)
  This was probably meant to be relicensed from AFL-2.0 to AFL-2.1 at the same time as the rest of the codebase, but it wasn't. For now, just convert its documented license status into machine-readable form.

  The history of this file seems to be completely Red Hat and Collabora, so we should be able to relicense it to (AFL-2.1 OR GPL-2.0-or-later) or even to MIT, but let's start by making the stated license more obvious.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-hash: Add (AFL-2.1 OR GPL-2.0-or-later) AND TCL SPDX license identifier (Simon McVittie, 2022-11-29, 1 file, -0/+1)
  The TCL-derived code is under its own license, so the overall license of the file is (AFL-2.1 OR GPL-2.0-or-later) AND TCL.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus/dbus-sha.c: add LicenseRef-pycrypto-orig SPDX license marker (Ralf Habacker, 2022-11-29, 1 file, -0/+1)
  This permissive license does not appear to be a match for anything on the SPDX license list, so we need to use the LicenseRef- prefix for a custom license.

  Co-authored-by: Simon McVittie <smcv@collabora.com>
* dbus/versioninfo.rc.in: add LicenseRef-GAP SPDX license marker (Ralf Habacker, 2022-11-29, 1 file, -0/+1)
  This permissive license does not appear to be a match for anything on the SPDX license list, so we need to use the LicenseRef- prefix for a custom license.

  It's referred to as GAP (presumably short for "GNU all-permissive") in https://sources.debian.org/src/libassuan/2.5.5-1/debian/copyright/ so use the same abbreviation here.

  Co-authored-by: Simon McVittie <smcv@collabora.com>
* dbus/dbus-macros-internal, test/test-platform-mutex.c: Use upper case for SPDX license operator (Ralf Habacker, 2022-10-11, 1 file, -1/+1)
  https://spdx.github.io/spdx-spec/SPDX-license-expressions/ says that using upper-case operators is canonical.
* dbus-message: Report OOM as OOM, not InvalidArgs (Simon McVittie, 2022-10-11, 1 file, -0/+3)
  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/420
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-connection: Add builtin_filters_enabled flag (Kai A. Hiller, 2022-10-11, 2 files, -4/+46)
* dbus-marshal-basic: Fix an incorrect comment (Simon McVittie, 2022-10-07, 1 file, -2/+2)
  We have 16-bit types with 2-byte alignment, but this comment claimed we only have 1-, 4- or 8-byte alignment. The actual implementation is fine, and correctly reports 2-byte alignment for the 16-bit types.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-basic: Assert that we are in-bounds after skipping items (Simon McVittie, 2022-10-07, 1 file, -0/+8)
  We recommend disabling assertions in production builds of dbus, so it is "cheap" to add them even in relatively fast-path locations.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-basic: Clarify what is going on when we skip an item (Simon McVittie, 2022-10-07, 1 file, -0/+10)
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-validate: Add more comments indicating what is going on (Simon McVittie, 2022-10-07, 1 file, -0/+7)
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-recursive: Correct an incorrect comment (Simon McVittie, 2022-10-07, 1 file, -4/+1)
  array_reader_check_finished() no longer returns a type, only a boolean, so this comment isn't accurate any more.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-validate: Add an extra assertion (Simon McVittie, 2022-10-07, 1 file, -0/+3)
  We already checked that claimed_len <= (end - p), therefore we can assume that claimed_len + p <= end. Make this a bit more obvious.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed (Simon McVittie, 2022-10-05, 1 file, -5/+1)
  When a D-Bus message includes attached file descriptors, the body of the message contains unsigned 32-bit indexes pointing into an out-of-band array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to these indexes as "handles" for the associated fds (not to be confused with a Windows HANDLE, which is a kernel object).

  The assertion message removed by this commit is arguably correct up to a point: fd-passing is only reasonable on a local machine, and no known operating system allows processes of differing endianness even on a multi-endian ARM or PowerPC CPU, so it makes little sense for the sender to specify a byte-order that differs from the byte-order of the recipient.

  However, this doesn't account for the fact that a malicious sender doesn't have to restrict itself to only doing things that make sense. On a system with untrusted local users, a message sender could crash the system dbus-daemon (a denial of service) by sending a message in the opposite endianness that contains handles to file descriptors.

  Before this commit, if assertions are enabled, attempting to byteswap a fd index would cleanly crash the message recipient with an assertion failure. If assertions are disabled, attempting to byteswap a fd index would silently do nothing without advancing the pointer p, causing the message's type and the pointer into its contents to go out of sync, which can result in a subsequent crash (the crash demonstrated by fuzzing was a use-after-free, but other failure modes might be possible).

  In principle we could resolve this by rejecting wrong-endianness messages from a local sender, but it's actually simpler and less code to treat wrong-endianness messages as valid and byteswap them.

  Thanks: Evgeny Vereshchagin
  Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
  Resolves: CVE-2022-42012
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-validate: Validate length of arrays of fixed-length items (Simon McVittie, 2022-10-05, 1 file, -1/+12)
  This fast-path previously did not check that the array was made up of an integer number of items. This could lead to assertion failures and out-of-bounds accesses during subsequent message processing (which assumes that the message has already been validated), particularly after the addition of _dbus_header_remove_unknown_fields(), which makes it more likely that dbus-daemon will apply non-trivial edits to messages.

  Thanks: Evgeny Vereshchagin
  Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
  Resolves: CVE-2022-42011
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-marshal-validate: Check brackets in signature nest correctly (Simon McVittie, 2022-10-05, 1 file, -1/+37)
  In debug builds with assertions enabled, a signature with incorrectly nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result in an assertion failure.

  In production builds without assertions enabled, a signature with incorrectly nested `()` and `{}` could potentially result in a crash or incorrect message parsing, although we do not have a concrete example of either of these failure modes.

  Thanks: Evgeny Vereshchagin
  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
  Resolves: CVE-2022-42010
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-server-socket: Make unix:tmpdir equivalent to unix:dir (Simon McVittie, 2022-09-30, 2 files, -20/+6)
  On Linux, there are two classes of AF_UNIX socket, which D-Bus refers to as unix:path=... (portable to non-Linux systems) and unix:abstract=... (not portable).

  Back in 2003 when dbus gained support for abstract Unix sockets on Linux, everyone thought they were better in every way than path-based Unix sockets: if a DBusServer crashes or is terminated abnormally, there's no detritus left in the filesystem. What's not to like?

  As a result, since commit a70b042f (2003-06-04), when a DBusServer listens on a unix:tmpdir=... address on Linux, the default is for the result to be a unix:abstract=... address, with unix:path=... addresses only used on non-Linux platforms.

  However, the world has changed in the last 19 years, and namespace-based Linux containers (which didn't exist in 2003) are now very popular. This makes abstract sockets problematic.

  Abstract sockets are tied to the network namespace, which is all-or-nothing: if a container is to access the Internet without using some sort of proxy or intermediary (like slirp4netns) then it needs to share the network namespace with the host system, and that implies sharing all abstract sockets with the host system. If the well-known session bus is listening on an abstract socket, then it's a sandbox escape route for any sandboxed or containerized app running under the same uid.

  Conversely, if a container is *not* sharing the network namespace with the host system, then it cannot access a session bus that is listening on an abstract socket without using some sort of proxy (like xdg-dbus-proxy), even if it isn't intended to impose a security boundary and giving it direct access to the session bus would have been more desirable.

  Path-based sockets do not have this problem because they exist in the filesystem (part of the "everything is a file" Unix philosophy), allowing mount namespaces and bind-mounts to be used to share or unshare them selectively.

  On systems with `systemd --user` where dbus has been configured with `--enable-user-session`, in general the session bus will already be using a path-based socket for the "user bus", disregarding the listening address specified in /usr/share/dbus-1/session.conf. The default in many recent Linux distributions is either to use dbus-daemon in this way, or to use dbus-broker, a reimplementation of the message bus service which has similar "user bus" behaviour.

  However, the <listen> address in session.conf is used when dbus-launch(1) or dbus-run-session(1) is used to start a session bus, either manually, via autolaunching, or via system integration glue in operating systems that are not using `systemd --user`. This will occur particularly often in operating systems that boot using a non-systemd init system.

  Making unix:tmpdir=/tmp equivalent to unix:dir=/tmp ensures that the well-known session bus listens on a path-based socket, allowing container and sandboxing frameworks to mediate access to it in the same way they would for the user bus. The D-Bus Specification already allows (but does not require) this behaviour, because it is the only thing that was implementable on non-Linux systems such as *BSD.

  This change has the potential to cause regressions. If a container framework enters a chroot or unshares the mount namespace but does not unshare the network namespace, and is relying on the ability for a process inside a container to access the session bus outside the container via its abstract socket, then that assumption will be broken by this change. Some use cases of schroot(1) are likely to suffer from this.

  However, container frameworks with that assumption would already have found that it does not hold when using the user bus, and it is necessary to break that assumption if we want it to be possible to apply application-level sandboxing in a secure way.

  Another potential regression from this change is that if a dbus-daemon is terminated abnormally, it will leave a socket in /tmp. Distributors of operating systems where heavy use of dbus-launch(1) is expected might wish to run dbus-cleanup-sockets(1) periodically.

  This partially reverts commit a70b042f.

  Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/416
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* DBusMessageIter: ensure contiguous layout with 128-bit pointers (Alex Richardson, 2022-09-21, 2 files, -1/+21)
  I am building DBus targeting the Arm Morello board and the "no padding" layout assertion fails here since pointers require 16-byte alignment, and therefore we have to add two additional ints to the DBusMessageIter struct.

  As this is a new architecture, where DBus previously failed to compile, we do not have any layout backwards compatibility requirements, so we can simplify the DBusMessageIter structure to allocate space for 16 pointers (which should give us a lot of space for any further changes).
* dbus-message.c: skip 1.10 layout compatibility test on new architectures (Alex Richardson, 2022-09-21, 2 files, -0/+14)
  These static assertions fail on CHERI-enabled architectures such as Arm Morello, where pointers are 128 bits. Architectures with 128-bit pointers were not supported in DBus 1.10, so we can skip the checks for DBus 1.10 structure layout compatibility for architectures with pointer size > 64 bit.
* dbus-marshal-recursive.h: reduce padding in DBusType{Reader,Writer} (Alex Richardson, 2022-09-21, 1 file, -5/+6)
  When building for Arm Morello (where pointers are 16 bytes), I hit the static assertion that sizeof (DBusMessageRealIter) <= sizeof (DBusMessageIter) inside _dbus_message_iter_init_common() otherwise. This can be fixed by moving the pointers to the beginning of the struct to remove padding.
* dbus-mempool.c: ensure that all alignments are aligned to max_align_t (Alex Richardson, 2022-09-21, 2 files, -6/+41)
  This is required e.g. for CHERI-enabled targets such as Arm Morello where aligning to sizeof(long) is not sufficient to load/store pointers (which need 16 byte alignment instead of 8 bytes). As we can't depend on C11 yet, this commit adds a max_align_t emulation to dbus-internals.h.
* dbus-mempool.c: use size_t for variables holding object sizes (Alex Richardson, 2022-09-21, 1 file, -13/+13)
* dbus-internals: use size_t in _DBUS_ALIGN_VALUE() (Alex Richardson, 2022-09-21, 1 file, -1/+2)
  When targeting CHERI-enabled architectures such as Arm Morello, performing a bitwise and with uintptr_t values can result in an ambiguous operation compiler warning. Fix this warning by telling the compiler which operand is (potentially) a pointer and which one is an integer by changing the boundary type to size_t. This change has no functional effect on other architectures but is required to build with -Werror for Morello.

  Example warning message:
  ```
  warning: binary expression on capability types 'unsigned __intcap' and 'unsigned __intcap'; it is not clear which should be used as the source of provenance; currently provenance is inherited from the left-hand side [-Wcheri-provenance]
      _dbus_assert (_DBUS_ALIGN_VALUE (insert_at, 8) == (unsigned) insert_at);
  ```
* mempool: Require C99 flexible arrays (Simon McVittie, 2022-09-15, 1 file, -23/+2)
  dbus 1.15.x officially requires C99, so we can do this unconditionally on the 1.15.x branch.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dbus-mempool: Use flexible or zero-length arrays if possible (Simon McVittie, 2022-09-15, 1 file, -1/+15)
  If the elements field has a fixed nonzero size, accessing elements beyond that size is technically undefined behaviour, which is caught by some options of the undefined behaviour sanitizer. Try to use a C99 flexible array, or failing that, a zero-length array (which is a popular non-standard syntax to achieve the same thing).

  dbus 1.15.x has C99 as a requirement, but this commit avoids assuming C99 in order to make this change backportable to 1.14.x if it becomes necessary to do so (for example to be able to run tests or fuzzers against 1.14.x, or if compilers' defaults become more strict).

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* _dbus_message_iter_append_check: Fix ifdef check (Johannes Kauffmann, 2022-08-18, 1 file, -2/+2)
  With internal DBus checks disabled, but with assertions enabled, the function would be ifdef'ed out. This is problematic, since the function is called from within an assertion statement in _dbus_variant_write().

  Fixes #412.

  Co-authored-by: Simon McVittie <smcv@collabora.com>
* dbus-sysdeps-util-unix.c: Avoid including sys/syslimits.h (Alex Richardson, 2022-08-10, 1 file, -4/+1)
  This header is a GCC-specific header that on my system just contains `#include_next <limits.h>`. FreeBSD also provides this header but it contains a `#warning` that it should not be used. Replace the one use with `#include <limits.h>` and drop the configure checks.
* dbus-sysdeps-unix.c: Fix unused function warning on FreeBSD (Alex Richardson, 2022-08-10, 1 file, -15/+20)
  The function close_ignore_error() is only used in some cases. To avoid duplicating the #ifdef condition, this patch moves the check just before the definition of _dbus_close_all().
* meson: Only require C++ compiler when building for Windows (Simon McVittie, 2022-07-26, 1 file, -0/+3)
  dbus is generally a C-only project, but the Windows side has a tiny amount of C++ to initialize global locks (because Windows doesn't have a direct equivalent of PTHREAD_MUTEX_INITIALIZER).

  We don't need a C++ compiler when building for a non-Windows OS, so there's no need to find it or check which options it supports.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Use project relative paths in CMake files (Jordan Williams, 2022-07-25, 1 file, -1/+1)
  This makes it possible for projects to incorporate D-Bus as a CMake sub-project in a larger CMake project. Before this PR, doing so would result in many errors. This is because CMAKE_SOURCE_DIR and CMAKE_BINARY_DIR would point to directories above the D-Bus project. Using paths relative to the project directory, PROJECT_SOURCE_DIR and PROJECT_BINARY_DIR, corrects for this.
* build: Assume stdint.h is provided (Simon McVittie, 2022-07-19, 3 files, -6/+0)
  We now require a (mostly-)C99 compiler, meaning we can rely on having Standard C stdint.h.

  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Remove emulation of va_copy() in non-C99 compilers (Simon McVittie, 2022-07-19, 4 files, -13/+11)
  dbus now requires a (mostly-)C99 compiler, which guarantees the presence of Standard C va_copy().

  Signed-off-by: Simon McVittie <smcv@collabora.com>