Projects
Mega:23.03
systemd
_service:tar_scm:backport-sd-bus-fix-buffer-ove...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-sd-bus-fix-buffer-overflow.patch of Package systemd
From 1a4f4051c3f41b7750dbc904bb4768413bc8bd58 Mon Sep 17 00:00:00 2001 From: Yu Watanabe <watanabe.yu+github@gmail.com> Date: Fri, 27 May 2022 04:23:10 +0900 Subject: [PATCH] sd-bus: fix buffer overflow Fixes #23486. (cherry picked from commit 89b6a3f13e5f3b8a375dc82cb2a1c2c204a5067e) (cherry picked from commit a5c4e29b2ca83b0956ea4635e1db7b02ae007d55) (cherry picked from commit a5b0338e896338774226a3bd8a56f63555c7b9ce) Conflict:NA Reference:https://github.com/systemd/systemd-stable/commit/1a4f4051c3f41b7750dbc904bb4768413bc8bd58 --- src/libsystemd/sd-bus/bus-message.c | 30 ++++++++++++++---- test/fuzz/fuzz-bus-message/issue-23486-case-1 | Bin 0 -> 32 bytes test/fuzz/fuzz-bus-message/issue-23486-case-2 | Bin 0 -> 16 bytes test/fuzz/fuzz-bus-message/issue-23486-case-3 | Bin 0 -> 16 bytes 4 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-1 create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-2 create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-3 diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index 20f7396c74..d74a351e29 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -428,7 +428,7 @@ int bus_message_from_header( _cleanup_free_ sd_bus_message *m = NULL; struct bus_header *h; - size_t a, label_sz; + size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */ assert(bus); assert(header || header_accessible <= 0); @@ -506,7 +506,10 @@ int bus_message_from_header( m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size); m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size); - if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size) + assert(message_size >= sizeof(struct bus_header)); + if (m->fields_size > message_size - sizeof(struct bus_header) || + ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) || + m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size)) return -EBADMSG; } @@ -3062,15 +3065,21 @@ void bus_body_part_unmap(struct bus_body_part *part) { return; } -static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { +static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { size_t k, start, end; assert(rindex); assert(align > 0); - start = ALIGN_TO((size_t) *rindex, align); - end = start + nbytes; + start = ALIGN_TO(*rindex, align); + if (start > sz) + return -EBADMSG; + + /* Avoid overflow below */ + if (nbytes > SIZE_MAX - start) + return -EBADMSG; + end = start + nbytes; if (end > sz) return -EBADMSG; @@ -3273,10 +3282,17 @@ static int message_peek_body( assert(rindex); assert(align > 0); - start = ALIGN_TO((size_t) *rindex, align); + start = ALIGN_TO(*rindex, align); + if (start > m->user_body_size) + return -EBADMSG; + padding = start - *rindex; - end = start + nbytes; + /* Avoid overflow below */ + if (nbytes > SIZE_MAX - start) + return -EBADMSG; + + end = start + nbytes; if (end > m->user_body_size) return -EBADMSG; diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-1 b/test/fuzz/fuzz-bus-message/issue-23486-case-1 new file mode 100644 index 0000000000000000000000000000000000000000..fe8338b42ba6af6c080aa92aa619e05a6e6e1cc8 GIT binary patch literal 32 gcmd1dVrFCj0xbpQd;uUW!<wI;RGG=}=RX7h0Ak|{p8x;= literal 0 HcmV?d00001 diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-2 b/test/fuzz/fuzz-bus-message/issue-23486-case-2 new file mode 100644 index 0000000000000000000000000000000000000000..179124461333198e95e94ac045c3e333bb2063c6 GIT binary patch literal 16 Rcmc~{{?Ewp9|{;47ywYf31|QS literal 0 HcmV?d00001 diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-3 b/test/fuzz/fuzz-bus-message/issue-23486-case-3 new file mode 100644 index 0000000000000000000000000000000000000000..cff8b38037a67c92b0bf5295fbf7dd53378f2d76 GIT binary patch literal 16 Wcmc~{y3fb}1Sc6&82<hL{~rJ)#s+u* literal 0 HcmV?d00001 -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2