Summary: | Lots of nested variants crash the bus | ||
---|---|---|---|
Product: | dbus | Reporter: | Remi Denis-Courmont <courmisch> |
Component: | core | Assignee: | Havoc Pennington <hp> |
Status: | RESOLVED FIXED | QA Contact: | John (J5) Palmieri <johnp> |
Severity: | critical | ||
Priority: | medium | CC: | jlieskov, walters, will |
Version: | 1.4.x | ||
Hardware: | x86 (IA32) | ||
OS: | All | ||
Attachments:
Proof of concept code
Add failing test case
Detect deep nesting during validation
squashed patch
Created attachment 41049
Add failing test case

Created attachment 41050
Detect deep nesting during validation

I haven't tested these patches much (and still don't have working ssh to push them) but hope they are helpful. Someone might want to run the proof of concept exploit with these patches to see if the fix works. There should also be a patch to the spec but I couldn't decide where to put the new text so I just left it as an exercise for the patch applier. ;-)

I'd prefer one patch with the fix and additional unit test; having failing tests without the fix is bad for bisecting. Also this will need to reference a CVE number; I'm getting one assigned now.

yeah, feel free to squash

This issue has been assigned CVE-2010-4352.

Created attachment 41245
squashed patch

Squashed patch, with update to specification.

I can verify the patch fixes this against dbus-1.4 git master.

Empirically, the maximum variant nesting depth on my Fedora 14 system does not exceed 2. I can barely think of a rational situation in which it's larger than 5 or 7, much less 64. While it's sort of lame to add a restriction, there's no reason for us to bend over backwards to support this either, so I think this patch is a reasonable fix.

Will, can we get this patch queued for the Monday release?

(In reply to comment #10)
> Will, can we get this patch queued for the Monday release?

Absolutely. Are there mailing lists—besides the D-Bus list—that I should announce it to?
Created attachment 41018
Proof of concept code

Justification for critical severity: crashes

Sending a "valid" D-Bus message with (really) a lot of nested variants triggers a segmentation fault and termination of the bus. This seems like a security concern in the case of the system bus.

Proof of concept code is attached.
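
The kind of check the thread describes ("detect deep nesting during validation"), sketched as an added example; this is not the attached patch or dbus's own code. The names `validate_variant`, `build_nested` and `MAX_VARIANT_DEPTH` are hypothetical, the cap of 64 is assumed from the figure quoted in the comments, and the encoding is simplified to variants whose contained signature is a single `v` or `y`.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_VARIANT_DEPTH 64  /* assumed cap; 64 is the figure quoted in the thread */

enum vresult { V_OK, V_TRUNCATED, V_BAD_SIGNATURE, V_TOO_DEEP };

/* Validate one marshalled variant in buf[0..len). Simplified model: the
 * contained signature is a single type code, 'v' (another variant) or 'y'
 * (one byte); both have alignment 1, so no padding is handled. The walk is
 * a loop with a counter, so stack use stays constant however deep the
 * input nests, and nesting past the cap is rejected. */
enum vresult validate_variant(const uint8_t *buf, size_t len, unsigned *depth_out)
{
    size_t pos = 0;
    unsigned depth = 0;
    for (;;) {
        if (len - pos < 3)                 /* sig length, type code, NUL */
            return V_TRUNCATED;
        if (buf[pos] != 1 || buf[pos + 2] != 0)
            return V_BAD_SIGNATURE;
        if (++depth > MAX_VARIANT_DEPTH)
            return V_TOO_DEEP;             /* stop before descending further */
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (type == 'v')
            continue;                      /* next variant header follows */
        if (type != 'y')
            return V_BAD_SIGNATURE;
        if (len - pos < 1)
            return V_TRUNCATED;            /* the byte value is missing */
        if (depth_out)
            *depth_out = depth;
        return V_OK;
    }
}

/* Constructed sample input: `depth` variants wrapped around the byte 0x2a.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_nested(uint8_t *out, size_t cap, unsigned depth)
{
    size_t need = (size_t)depth * 3 + 1, pos = 0;
    if (depth == 0 || cap < need)
        return 0;
    for (unsigned i = 0; i < depth; i++) {
        out[pos++] = 1;
        out[pos++] = (i + 1 < depth) ? 'v' : 'y';
        out[pos++] = 0;
    }
    out[pos++] = 0x2a;
    return pos;
}
```

A validator that recurses once per nested variant uses stack in proportion to attacker-controlled depth; the counter above bounds the work before any descent happens.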