File _service:tar_scm:backport-sd-bus-fix-buffer-ove... of Package systemd

File _service:tar_scm:backport-sd-bus-fix-buffer-overflow.patch of Package systemd

From 1a4f4051c3f41b7750dbc904bb4768413bc8bd58 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 27 May 2022 04:23:10 +0900
Subject: [PATCH] sd-bus: fix buffer overflow

Fixes #23486.

(cherry picked from commit 89b6a3f13e5f3b8a375dc82cb2a1c2c204a5067e)
(cherry picked from commit a5c4e29b2ca83b0956ea4635e1db7b02ae007d55)
(cherry picked from commit a5b0338e896338774226a3bd8a56f63555c7b9ce)

Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/1a4f4051c3f41b7750dbc904bb4768413bc8bd58
---
 src/libsystemd/sd-bus/bus-message.c           |  30 ++++++++++++++----
 test/fuzz/fuzz-bus-message/issue-23486-case-1 | Bin 0 -> 32 bytes
 test/fuzz/fuzz-bus-message/issue-23486-case-2 | Bin 0 -> 16 bytes
 test/fuzz/fuzz-bus-message/issue-23486-case-3 | Bin 0 -> 16 bytes
 4 files changed, 23 insertions(+), 7 deletions(-)
 create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-1
 create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-2
 create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-3

diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 20f7396c74..d74a351e29 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -428,7 +428,7 @@ int bus_message_from_header(
 
         _cleanup_free_ sd_bus_message *m = NULL;
         struct bus_header *h;
-        size_t a, label_sz;
+        size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */
 
         assert(bus);
         assert(header || header_accessible <= 0);
@@ -506,7 +506,10 @@ int bus_message_from_header(
                 m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size);
                 m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size);
 
-                if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size)
+                assert(message_size >= sizeof(struct bus_header));
+                if (m->fields_size > message_size - sizeof(struct bus_header) ||
+                    ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) ||
+                    m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size))
                         return -EBADMSG;
         }
 
@@ -3062,15 +3065,21 @@ void bus_body_part_unmap(struct bus_body_part *part) {
         return;
 }
 
-static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
+static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
         size_t k, start, end;
 
         assert(rindex);
         assert(align > 0);
 
-        start = ALIGN_TO((size_t) *rindex, align);
-        end = start + nbytes;
+        start = ALIGN_TO(*rindex, align);
+        if (start > sz)
+                return -EBADMSG;
+
+        /* Avoid overflow below */
+        if (nbytes > SIZE_MAX - start)
+                return -EBADMSG;
 
+        end = start + nbytes;
         if (end > sz)
                 return -EBADMSG;
 
@@ -3273,10 +3282,17 @@ static int message_peek_body(
         assert(rindex);
         assert(align > 0);
 
-        start = ALIGN_TO((size_t) *rindex, align);
+        start = ALIGN_TO(*rindex, align);
+        if (start > m->user_body_size)
+                return -EBADMSG;
+
         padding = start - *rindex;
-        end = start + nbytes;
 
+        /* Avoid overflow below */
+        if (nbytes > SIZE_MAX - start)
+                return -EBADMSG;
+
+        end = start + nbytes;
         if (end > m->user_body_size)
                 return -EBADMSG;
 
diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-1 b/test/fuzz/fuzz-bus-message/issue-23486-case-1
new file mode 100644
index 0000000000000000000000000000000000000000..fe8338b42ba6af6c080aa92aa619e05a6e6e1cc8
GIT binary patch
literal 32
gcmd1dVrFCj0xbpQd;uUW!<wI;RGG=}=RX7h0Ak|{p8x;=

literal 0
HcmV?d00001

diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-2 b/test/fuzz/fuzz-bus-message/issue-23486-case-2
new file mode 100644
index 0000000000000000000000000000000000000000..179124461333198e95e94ac045c3e333bb2063c6
GIT binary patch
literal 16
Rcmc~{{?Ewp9|{;47ywYf31|QS

literal 0
HcmV?d00001

diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-3 b/test/fuzz/fuzz-bus-message/issue-23486-case-3
new file mode 100644
index 0000000000000000000000000000000000000000..cff8b38037a67c92b0bf5295fbf7dd53378f2d76
GIT binary patch
literal 16
Wcmc~{y3fb}1Sc6&82<hL{~rJ)#s+u*

literal 0
HcmV?d00001

-- 
2.33.0