orion / rpms / dbus

Forked from rpms/dbus a year ago

SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch

From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 16 Apr 2020 14:45:11 +0100
Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
MSG_CTRUNC indicates that we have received fewer fds than we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
---
 dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index b5fc24663..b176dae1a 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       struct cmsghdr *cm;
       dbus_bool_t found = FALSE;
 
-      if (m.msg_flags & MSG_CTRUNC)
-        {
-          /* Hmm, apparently the control data was truncated. The bad
-             thing is that we might have completely lost a couple of fds
-             without chance to recover them. Hence let's treat this as a
-             serious error. */
-
-          errno = ENOSPC;
-          _dbus_string_set_length (buffer, start);
-          return -1;
-        }
-
       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
           {
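Review bot: Dropping this early return is what makes the fix possible, since the fds that arrived before truncation are only discovered by the SCM_RIGHTS loop that follows, but it also means MSG_CTRUNC is now handled only after that loop; it is worth confirming that no other early-return path between here and the relocated check can leave already-received fds unclosed.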
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       if (!found)
         *n_fds = 0;
 
+      if (m.msg_flags & MSG_CTRUNC)
+        {
+          unsigned int i;
+
+          /* Hmm, apparently the control data was truncated. The bad
+             thing is that we might have completely lost a couple of fds
+             without chance to recover them. Hence let's treat this as a
+             serious error. */
+
+          /* We still need to close whatever fds we *did* receive,
+           * otherwise they'll never get closed. (CVE-2020-12049) */
+          for (i = 0; i < *n_fds; i++)
+            close (fds[i]);
+
+          *n_fds = 0;
+          errno = ENOSPC;
+          _dbus_string_set_length (buffer, start);
+          return -1;
+        }
+
       /* put length back (doesn't actually realloc) */
       _dbus_string_set_length (buffer, start + bytes_read);
 
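Review bot: The order here matters and deserves a comment: `errno = ENOSPC;` is assigned only after the `close (fds[i])` loop, which is correct because close() can overwrite errno, but nothing stops a later refactor from hoisting the assignment above the loop and returning -1 with a misleading errno. The loop bound is safe as written, since the `if (!found) *n_fds = 0;` just above guarantees *n_fds counts only fds actually stored in fds[], and resetting `*n_fds = 0;` after closing stops the caller from touching the now-closed descriptors.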
-- 
GitLab