Do not crash with > 128 dirs

2024-02-21 14:42:57 +08:00 · 2024-02-21 14:42:57 +08:00 · ccf9658000
commit ccf9658000
parent dddf1b004f
3 changed files with 137 additions and 1 deletions
--- a/backport-Do-not-crash-when-reloading-configuration.patch
+++ b/backport-Do-not-crash-when-reloading-configuration.patch
@ -0,0 +1,66 @@
+From c3b1e4daa5b0ed5729f0f12bc6a3ba50a391f7f6 Mon Sep 17 00:00:00 2001
+From: hongjinghao <hongjinghao@huawei.com>
+Date: Thu, 4 Jan 2024 15:15:53 +0800
+Subject: [PATCH] Do not crash when reloading configuration with > 128 dirs
+
+When `dbus-daemon` sets more than 128 directories for `XDG_DATA_DIRS`,
+none of the elements in `new_dirs` will be `NULL`, which resulted in
+these loops reading out-of-bounds (undefined behaviour). In practice
+this led to a crash.
+
+To avoid this, make sure to stop iteration at the end of the array.
+
+[smcv: Expanded commit message]
+Resolves: dbus/dbus#481
+---
+ bus/dir-watch-inotify.c | 4 ++--
+ bus/dir-watch-kqueue.c  | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/bus/dir-watch-inotify.c b/bus/dir-watch-inotify.c
+index 77b2d5a92..4f269777f 100644
+--- a/bus/dir-watch-inotify.c
+++ b/bus/dir-watch-inotify.c
+@@ -131,7 +131,7 @@ _set_watched_dirs_internal (BusContext *context,
+   /* Look for directories in both the old and new sets, if
+    * we find one, move its data into the new set.
+    */
+-  for (i = 0; new_dirs[i]; i++)
+  for (i = 0; i < MAX_DIRS_TO_WATCH && new_dirs[i]; i++)
+     {
+       for (j = 0; j < num_wds; j++)
+         {
+@@ -160,7 +160,7 @@ _set_watched_dirs_internal (BusContext *context,
+         }
+     }
+ 
+-  for (i = 0; new_dirs[i]; i++)
+  for (i = 0; i < MAX_DIRS_TO_WATCH && new_dirs[i]; i++)
+     {
+       if (new_wds[i] == -1)
+         {
+diff --git a/bus/dir-watch-kqueue.c b/bus/dir-watch-kqueue.c
+index b419606e3..07b505c99 100644
+--- a/bus/dir-watch-kqueue.c
+++ b/bus/dir-watch-kqueue.c
+@@ -235,7 +235,7 @@ bus_set_watched_dirs (BusContext *context, DBusList **directories)
+   /* Look for directories in both the old and new sets, if
+    * we find one, move its data into the new set.
+    */
+-  for (i = 0; new_dirs[i]; i++)
+  for (i = 0; i < MAX_DIRS_TO_WATCH && new_dirs[i]; i++)
+     {
+       for (j = 0; j < num_fds; j++)
+         {
+@@ -264,7 +264,7 @@ bus_set_watched_dirs (BusContext *context, DBusList **directories)
+         }
+     }
+ 
+-  for (i = 0; new_dirs[i]; i++)
+  for (i = 0; i < MAX_DIRS_TO_WATCH && new_dirs[i]; i++)
+     {
+       if (new_fds[i] == -1)
+         {
+-- 
+GitLab
+
--- a/backport-bus-dir-watch-Do-not-crash-with-128-dirs.patch
+++ b/backport-bus-dir-watch-Do-not-crash-with-128-dirs.patch
@ -0,0 +1,64 @@
+From b551b3e9737958216a1a9d359150a4110a9d0549 Mon Sep 17 00:00:00 2001
+From: Jan Tojnar <jtojnar@gmail.com>
+Date: Wed, 20 Apr 2022 11:07:25 +0200
+Subject: [PATCH] bus/dir-watch: Do not crash with > 128 dirs
+
+Without this running, dbus-daemon with long XDG_DATA_DIRS
+will crash on out-of-bounds write:
+
+	$ XDG_DATA_DIRS=$(seq  -f "/foo/%g" -s ':' 129) dbus-daemon --session
+	*** stack smashing detected ***: terminated
+---
+ bus/dir-watch-inotify.c | 7 ++++++-
+ bus/dir-watch-kqueue.c  | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/bus/dir-watch-inotify.c b/bus/dir-watch-inotify.c
+index b52a24c0f..9beadb0ec 100644
+--- a/bus/dir-watch-inotify.c
+++ b/bus/dir-watch-inotify.c
+@@ -108,12 +108,17 @@ _set_watched_dirs_internal (DBusList **directories)
+ 
+   i = 0;
+   link = _dbus_list_get_first_link (directories);
+-  while (link != NULL)
+  while (link != NULL && i < MAX_DIRS_TO_WATCH)
+     {
+       new_dirs[i++] = (char *)link->data;
+       link = _dbus_list_get_next_link (directories, link);
+     }
+ 
+  if (link != NULL)
+    {
+      _dbus_warn ("Too many directories to watch them all, only watching first %d.", MAX_DIRS_TO_WATCH);
+    }
+
+   /* Look for directories in both the old and new sets, if
+    * we find one, move its data into the new set.
+    */
+diff --git a/bus/dir-watch-kqueue.c b/bus/dir-watch-kqueue.c
+index 183db241c..15519fcb5 100644
+--- a/bus/dir-watch-kqueue.c
+++ b/bus/dir-watch-kqueue.c
+@@ -218,12 +218,17 @@ bus_set_watched_dirs (BusContext *context, DBusList **directories)
+ 
+   i = 0;
+   link = _dbus_list_get_first_link (directories);
+-  while (link != NULL)
+  while (link != NULL && i < MAX_DIRS_TO_WATCH)
+     {
+       new_dirs[i++] = (char *)link->data;
+       link = _dbus_list_get_next_link (directories, link);
+     }
+ 
+  if (link != NULL)
+    {
+      _dbus_warn ("Too many directories to watch them all, only watching first %d.", MAX_DIRS_TO_WATCH);
+    }
+
+   /* Look for directories in both the old and new sets, if
+    * we find one, move its data into the new set.
+    */
+-- 
+GitLab
+
--- a/dbus.spec
+++ b/dbus.spec
@ -1,7 +1,7 @@
 Name:     dbus
 Epoch:    1
 Version:  1.12.20
-Release:  8
+Release:  9
 Summary:  System Message Bus
 License:  AFLv3.0 or GPLv2+
 URL:      http://www.freedesktop.org/Software/dbus/
@ -20,6 +20,8 @@ Patch6005:  backport-Stop-using-selinux_set_mapping-function.patch
 Patch6006:  backport-CVE-2022-42010.patch
 Patch6007:  backport-CVE-2022-42011.patch
 Patch6008:  backport-CVE-2022-42012.patch
+Patch6009:  backport-bus-dir-watch-Do-not-crash-with-128-dirs.patch	
+Patch6010:  backport-Do-not-crash-when-reloading-configuration.patch

 BuildRequires:  systemd-devel expat-devel libselinux-devel audit-libs-devel doxygen xmlto cmake
 BuildRequires:  autoconf-archive libtool libX11-devel libcap-ng-devel libxslt
@ -232,6 +234,10 @@ fi
 %exclude %{_pkgdocdir}/README

 %changelog
+* Wed Feb 21 2024 hongjinghao <hongjinghao@huawei.com> - 1:1.12.20-9
+- add backport-bus-dir-watch-Do-not-crash-with-128-dirs.patch	
+backport-Do-not-crash-when-reloading-configuration.patch
+
 * Mon Oct 17 2022 hongjinghao <hongjinghao@huawei.com> - 1:1.12.20-8
 - fix CVE-2022-42010,CVE-2022-42011,CVE-2022-42012