Bug 80817 - followup for CVE-2014-3532: messages with abusive recursion are silently dropped
Summary: followup for CVE-2014-3532: messages with abusive recursion are silently dropped
Status: REOPENED
Alias: None
Product: dbus
Classification: Unclassified
Component: core
Version: 1.5
Hardware: All All
Importance: low enhancement
Assignee: D-Bus Maintainers
QA Contact: D-Bus Maintainers
URL:
Whiteboard:
Keywords:
Depends on: 80163
Blocks:
Reported: 2014-07-02 16:12 UTC by Simon McVittie
Modified: 2014-09-25 14:42 UTC

See Also:


Description Simon McVittie 2014-07-02 16:12:43 UTC
+++ This bug was initially created as a clone of Bug #80163 +++

> An original fd can be inserted in the ancillary data of a message.
> While that message is waiting in the socket queue of the other end,
> the fd of the other end can itself be inserted in the ancillary data
> of another message. [Recent Linux] considers that doing that
> recursively more than 4 times is abusive:
> #define MAX_RECURSION_LEVEL 4
...
> dbus-daemon has no way to check whether a
> received fd will trigger a ETOOMANYREFS when forwarding the D-Bus
> message to recipients. Moreover, the ability to forward the file
> descriptor changes asynchronously when other processes append messages
> on the fd's delivery queue.

Since 1.8.6, if sendmsg() fails with ETOOMANYREFS, dbus-daemon silently drops the message on the floor to avoid DoS.

It would be nice if it sent back an error reply, if the message was one that expects a reply (i.e. a method call). Alban started trying to implement that, but ran into considerable practical difficulties, and we agreed that the patch he proposed was too big for a security fix.

If someone wants to implement the rest of the ideal solution, i.e. sending back an error reply, now is the time.

Alternatively, logging the bad message to syslog might be a reasonable thing to do. This is, again, complicated by the fact that the error condition is hit in generic libdbus code, and we would only want dbus-daemon to syslog it.
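A sketch, added here and not dbus code, of the handling this report asks for: treating ETOOMANYREFS from sendmsg() as the loss of a single message rather than a dead recipient, logging it, and flagging method calls that expect a reply so the caller can send an error back. The message struct, the send_fn hook and the stand-in senders are constructed for the example, not libdbus's real types.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-ins for the few message fields the decision needs
 * (not libdbus's real DBusMessage). */
enum msg_type { MSG_METHOD_CALL = 1, MSG_METHOD_RETURN, MSG_ERROR, MSG_SIGNAL };
#define FLAG_NO_REPLY_EXPECTED 0x1
struct bus_message { enum msg_type type; unsigned flags; unsigned serial; const char *sender; };

enum forward_result {
    FORWARD_OK,
    FORWARD_DROPPED_TOO_MANY_REFS, /* ETOOMANYREFS: only this message is lost */
    FORWARD_WOULD_BLOCK,           /* EAGAIN: keep it queued and retry later */
    FORWARD_CONNECTION_FAILED      /* anything else: treat the recipient as gone */
};
/* Hook with sendmsg()'s signature so the policy can run without a real socket. */
typedef ssize_t (*send_fn)(int fd, const struct msghdr *mh, int flags);

/* Only a method call that has not opted out of replies gets an error reply. */
int needs_error_reply(const struct bus_message *m) {
    return m->type == MSG_METHOD_CALL && !(m->flags & FLAG_NO_REPLY_EXPECTED);
}
enum forward_result forward_message(int recipient_fd, const struct bus_message *m,
                                    const struct msghdr *mh, send_fn do_send,
                                    int *want_error_reply) {
    *want_error_reply = 0;
    if (do_send(recipient_fd, mh, 0) >= 0)
        return FORWARD_OK;
    switch (errno) {
    case ETOOMANYREFS:
        /* The kernel refused the SCM_RIGHTS payload (fd-in-fd recursion past its
         * limit). The socket is healthy, so drop only this message and log it. */
        fprintf(stderr, "dropping message %u from %s: %s\n",
                m->serial, m->sender, strerror(ETOOMANYREFS));
        *want_error_reply = needs_error_reply(m);
        return FORWARD_DROPPED_TOO_MANY_REFS;
    case EAGAIN:
        return FORWARD_WOULD_BLOCK;
    default:
        return FORWARD_CONNECTION_FAILED;
    }
}

/* Constructed sendmsg() stand-ins used to drive the policy without a socket. */
ssize_t send_ok(int fd, const struct msghdr *mh, int flags) { (void)fd; (void)mh; (void)flags; return 1; }
ssize_t send_too_many_refs(int fd, const struct msghdr *mh, int flags) { (void)fd; (void)mh; (void)flags; errno = ETOOMANYREFS; return -1; }
```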

