Blame SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch

72865e
From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
72865e
From: Simon McVittie <smcv@collabora.com>
72865e
Date: Thu, 16 Apr 2020 14:45:11 +0100
72865e
Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
72865e
72865e
MSG_CTRUNC indicates that we have received fewer fds that we should
72865e
have done because the buffer was too small, but we were treating it
72865e
as though it indicated that we received *no* fds. If we received any,
72865e
we still have to make sure we close them, otherwise they will be leaked.
72865e
72865e
On the system bus, if an attacker can induce us to leak fds in this
72865e
way, that's a local denial of service via resource exhaustion.
72865e
72865e
Reported-by: Kevin Backhouse, GitHub Security Lab
72865e
Fixes: dbus#294
72865e
Fixes: CVE-2020-12049
72865e
Fixes: GHSL-2020-057
72865e
---
72865e
 dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
72865e
 1 file changed, 20 insertions(+), 12 deletions(-)
72865e
72865e
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
72865e
index b5fc24663..b176dae1a 100644
72865e
--- a/dbus/dbus-sysdeps-unix.c
72865e
+++ b/dbus/dbus-sysdeps-unix.c
72865e
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
72865e
       struct cmsghdr *cm;
72865e
       dbus_bool_t found = FALSE;
72865e
 
72865e
-      if (m.msg_flags & MSG_CTRUNC)
72865e
-        {
72865e
-          /* Hmm, apparently the control data was truncated. The bad
72865e
-             thing is that we might have completely lost a couple of fds
72865e
-             without chance to recover them. Hence let's treat this as a
72865e
-             serious error. */
72865e
-
72865e
-          errno = ENOSPC;
72865e
-          _dbus_string_set_length (buffer, start);
72865e
-          return -1;
72865e
-        }
72865e
-
72865e
       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
72865e
         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
72865e
           {
72865e
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
72865e
       if (!found)
72865e
         *n_fds = 0;
72865e
 
72865e
+      if (m.msg_flags & MSG_CTRUNC)
72865e
+        {
72865e
+          unsigned int i;
72865e
+
72865e
+          /* Hmm, apparently the control data was truncated. The bad
72865e
+             thing is that we might have completely lost a couple of fds
72865e
+             without chance to recover them. Hence let's treat this as a
72865e
+             serious error. */
72865e
+
72865e
+          /* We still need to close whatever fds we *did* receive,
72865e
+           * otherwise they'll never get closed. (CVE-2020-12049) */
72865e
+          for (i = 0; i < *n_fds; i++)
72865e
+            close (fds[i]);
72865e
+
72865e
+          *n_fds = 0;
72865e
+          errno = ENOSPC;
72865e
+          _dbus_string_set_length (buffer, start);
72865e
+          return -1;
72865e
+        }
72865e
+
72865e
       /* put length back (doesn't actually realloc) */
72865e
       _dbus_string_set_length (buffer, start + bytes_read);
72865e
 
72865e
-- 
72865e
GitLab
72865e