c12b32ba46
CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message from unprivileged user Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Cc: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
54 lines
2.0 KiB
Diff
54 lines
2.0 KiB
Diff
From febef5e18558c114f4fb7c94f6c8ed3520c50cdf Mon Sep 17 00:00:00 2001
|
|
From: Riccardo Schirone <rschiron@redhat.com>
|
|
Date: Mon, 4 Feb 2019 14:29:09 +0100
|
|
Subject: [PATCH] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX
|
|
limit.
|
|
|
|
Even though the dbus specification does not enforce any length limit on the
|
|
path of a dbus message, having to analyze too long strings in PID1 may be
|
|
time-consuming and it may have security impacts.
|
|
|
|
In any case, the limit is set so high that real-life applications should not
|
|
have a problem with it.
|
|
|
|
(cherry picked from commit 61397a60d98e368a5720b37e83f3169e3eb511c4)
|
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
---
|
|
Upstream status: commit 61397a60d98
|
|
|
|
src/libsystemd/sd-bus/bus-internal.c | 2 +-
|
|
src/libsystemd/sd-bus/bus-internal.h | 4 ++++
|
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
|
|
index 40acae213381..598b7f110c73 100644
|
|
--- a/src/libsystemd/sd-bus/bus-internal.c
|
|
+++ b/src/libsystemd/sd-bus/bus-internal.c
|
|
@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
|
|
if (slash)
|
|
return false;
|
|
|
|
- return true;
|
|
+ return (q - p) <= BUS_PATH_SIZE_MAX;
|
|
}
|
|
|
|
char* object_path_startswith(const char *a, const char *b) {
|
|
diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
|
|
index f208b294d8f1..a8d61bf72a4e 100644
|
|
--- a/src/libsystemd/sd-bus/bus-internal.h
|
|
+++ b/src/libsystemd/sd-bus/bus-internal.h
|
|
@@ -332,6 +332,10 @@ struct sd_bus {
|
|
|
|
#define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
|
|
#define BUS_AUTH_SIZE_MAX (64*1024)
|
|
+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
|
|
+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
|
|
+ * to not clash unnecessarily with real-life applications. */
|
|
+#define BUS_PATH_SIZE_MAX (64*1024)
|
|
|
|
#define BUS_CONTAINER_DEPTH 128
|
|
|
|
--
|
|
2.20.1
|
|
|