From e00ded769dcdddea0169dd813c5878c915a63f6a Mon Sep 17 00:00:00 2001

From: Alexander Larsson <alexl@redhat.com>

Date: Sun, 28 Jan 2018 20:51:54 +0100

Subject: [PATCH] Fix vulnerability in dbus proxy

During the authentication all client data is directly forwarded

to the dbus daemon as is, until we detect the BEGIN command after

which we start filtering the binary dbus protocol.

Unfortunately the detection of the BEGIN command in the proxy

did not exactly match the detection in the dbus daemon. A BEGIN

followed by a space or tab was considered ok in the daemon but

not by the proxy. This could be exploited to send arbitrary

dbus messages to the host, which can be used to break out of

the sandbox.

This was noticed by Gabriel Campana of The Google Security Team.

This fix makes the detection of the authentication phase end

match the dbus code. In addition we duplicate the authentication

line validation from dbus, which includes ensuring all data is

ASCII, and limiting the size of a line to 16k. In fact, we add

some extra stringent checks, disallowing ASCII control chars and

requiring that auth lines start with a capital letter.

---

 dbus-proxy/flatpak-proxy.c | 127 ++++++++++++++++++++++++++-----------

 1 file changed, 89 insertions(+), 38 deletions(-)

diff --git a/dbus-proxy/flatpak-proxy.c b/dbus-proxy/flatpak-proxy.c

index aee73993..ec90cba7 100644

--- a/dbus-proxy/flatpak-proxy.c

+++ b/dbus-proxy/flatpak-proxy.c

@@ -173,10 +173,11 @@ typedef struct FlatpakProxyClient FlatpakProxyClient;

 FlatpakPolicy flatpak_proxy_get_policy (FlatpakProxy *proxy,

                                         const char   *name);

-/* We start looking ignoring the first cr-lf

-   since there is no previous line initially */

-#define AUTH_END_INIT_OFFSET 2

-#define AUTH_END_STRING "\r\nBEGIN\r\n"

+#define FIND_AUTH_END_CONTINUE -1

+#define FIND_AUTH_END_ABORT -2

+

+#define AUTH_LINE_SENTINEL "\r\n"

+#define AUTH_BEGIN "BEGIN"

 typedef enum {

   EXPECTED_REPLY_NONE,

@@ -251,7 +252,7 @@ struct FlatpakProxyClient

   FlatpakProxy *proxy;

   gboolean      authenticated;

-  int           auth_end_offset;

+  GByteArray   *auth_buffer;

   ProxySide     client_side;

   ProxySide     bus_side;

@@ -363,6 +364,7 @@ flatpak_proxy_client_finalize (GObject *object)

   client->proxy->clients = g_list_remove (client->proxy->clients, client);

   g_clear_object (&client->proxy);

+  g_byte_array_free (client->auth_buffer, TRUE);

   g_hash_table_destroy (client->rewrite_reply);

   g_hash_table_destroy (client->get_owner_reply);

   g_hash_table_destroy (client->unique_id_policy);

@@ -398,7 +400,7 @@ flatpak_proxy_client_init (FlatpakProxyClient *client)

   init_side (client, &client->client_side);

   init_side (client, &client->bus_side);

-  client->auth_end_offset = AUTH_END_INIT_OFFSET;

+  client->auth_buffer = g_byte_array_new ();

   client->rewrite_reply = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, g_object_unref);

   client->get_owner_reply = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, g_free);

   client->unique_id_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);

@@ -2203,51 +2205,92 @@ got_buffer_from_side (ProxySide *side, Buffer *buffer)

     got_buffer_from_bus (client, side, buffer);

 }

+#define _DBUS_ISASCII(c) ((c) != '\0' && (((c) & ~0x7f) == 0))

+

+static gboolean

+auth_line_is_valid (guint8 *line, guint8 *line_end)

+{

+  guint8 *p;

+

+  for (p = line; p < line_end; p++)

+    {

+      if (!_DBUS_ISASCII(*p))

+        return FALSE;

+

+      /* Technically, the dbus spec allows all ASCII characters, but for robustness we also

+         fail if we see any control characters. Such low values will appear in  potential attacks,

+         but will never happen in real sasl (where all binary data is hex encoded). */

+      if (*p < ' ')

+        return FALSE;

+    }

+

+  /* For robustness we require the first char of the line to be an upper case letter.

+     This is not technically required by the dbus spec, but all commands are upper

+     case, and there is no provisioning for whitespace before the command, so in practice

+     this is true, and this means we're not confused by e.g. initial whitespace. */

+  if (line[0] < 'A' || line[0] > 'Z')

+    return FALSE;

+

+  return TRUE;

+}

+

+static gboolean

+auth_line_is_begin (guint8 *line)

+{

+  guint8 next_char;

+

+  if (!g_str_has_prefix ((char *)line, AUTH_BEGIN))

+    return FALSE;

+

+  /* dbus-daemon accepts either nothing, or a whitespace followed by anything as end of auth */

+  next_char = line[strlen (AUTH_BEGIN)];

+  return (next_char == 0 ||

+          next_char == ' ' ||

+          next_char == '\t');

+}

+

 static gssize

 find_auth_end (FlatpakProxyClient *client, Buffer *buffer)

 {

-  guchar *match;

-  int i;

+  goffset offset = 0;

+  gsize original_size = client->auth_buffer->len;

+

+  /* Add the new data to the remaining data from last iteration */

+  g_byte_array_append (client->auth_buffer, buffer->data, buffer->pos);

-  /* First try to match any leftover at the start */

-  if (client->auth_end_offset > 0)

+  while (TRUE)

     {

-      gsize left = strlen (AUTH_END_STRING) - client->auth_end_offset;

-      gsize to_match = MIN (left, buffer->pos);

-      /* Matched at least up to to_match */

-      if (memcmp (buffer->data, &AUTH_END_STRING[client->auth_end_offset], to_match) == 0)

+      guint8 *line_start = client->auth_buffer->data + offset;

+      gsize remaining_data = client->auth_buffer->len - offset;

+      guint8 *line_end;

+

+      line_end = memmem (line_start, remaining_data,

+                         AUTH_LINE_SENTINEL, strlen (AUTH_LINE_SENTINEL));

+      if (line_end) /* Found end of line */

         {

-          client->auth_end_offset += to_match;

+          offset = (line_end + strlen (AUTH_LINE_SENTINEL) - line_start);

-          /* Matched all */

-          if (client->auth_end_offset == strlen (AUTH_END_STRING))

-            return to_match;

+          if (!auth_line_is_valid (line_start, line_end))

+            return FIND_AUTH_END_ABORT;

-          /* Matched to end of buffer */

-          return -1;

-        }

+          *line_end = 0;

+          if (auth_line_is_begin (line_start))

+            return offset - original_size;

-      /* Did not actually match at start */

-      client->auth_end_offset = -1;

-    }

+          /* continue with next line */

+        }

+      else

+        {

+          /* No end-of-line in this buffer */

+          g_byte_array_remove_range (client->auth_buffer, 0, offset);

-  /* Look for whole match inside buffer */

-  match = memmem (buffer, buffer->pos,

-                  AUTH_END_STRING, strlen (AUTH_END_STRING));

-  if (match != NULL)

-    return match - buffer->data + strlen (AUTH_END_STRING);

+          /* Abort if more than 16k before newline, similar to what dbus-daemon does */

+          if (client->auth_buffer->len >= 16*1024)

+            return FIND_AUTH_END_ABORT;

-  /* Record longest prefix match at the end */

-  for (i = MIN (strlen (AUTH_END_STRING) - 1, buffer->pos); i > 0; i--)

-    {

-      if (memcmp (buffer->data + buffer->pos - i, AUTH_END_STRING, i) == 0)

-        {

-          client->auth_end_offset = i;

-          break;

+          return FIND_AUTH_END_CONTINUE;

         }

     }

-

-  return -1;

 }

 static gboolean

@@ -2306,6 +2349,14 @@ side_in_cb (GSocket *socket, GIOCondition condition, gpointer user_data)

                       if (extra_data > 0)

                         side->extra_input_data = g_bytes_new (buffer->data + buffer->size, extra_data);

                     }

+                  else if (auth_end == FIND_AUTH_END_ABORT)

+                    {

+                      buffer_unref (buffer);

+                      if (client->proxy->log_messages)

+                        g_print ("Invalid AUTH line, aborting\n");

+                      side_closed (side);

+                      break;

+                    }

                 }

               got_buffer_from_side (side, buffer);