CVE-2023-34969: dbus-daemon crashes when a monitor is active and a message from the driver cannot be delivered
[Vulnerability description added by @smcv]
If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances.
When done on the well-known system bus, this is a denial-of-service vulnerability.
Mitigation: This can only be done if a monitoring process such as dbus-monitor or busctl monitor is active on the same dbus-daemon instance, which is a privileged operation that can only be done by root or the Unix uid of the message bus. If no monitoring process is active, then the vulnerable code is not reached.
The situation in which the message bus can be crashed is that an unprivileged user sends a message that will result in a reply from the "bus driver" (most commonly a method call on the org.freedesktop.DBus interface or a NameOwnerChanged, NameAcquired or NameLost signal), but the reply cannot be delivered, for example because it is forbidden by a <deny> rule or because the recipient has exceeded the configured limit on its number of queued messages.
Vulnerable versions:
- 1.15.x before 1.15.6
- 1.14.x before 1.14.8
- 1.12.x before 1.12.28
- most end-of-life versions since 1.9.x
Fixed versions:
- all since 1.15.6
- 1.14.x since 1.14.8
- 1.12.x since 1.12.28
Not vulnerable: end-of-life versions 1.8.x or older do not contain the affected code path.
Original report
#0 0x00007f113fa7d3ef in ?? () from /usr/lib64/libc.so.6
#1 0x00007f113fa31006 in raise () from /usr/lib64/libc.so.6
#2 0x00007f113fa1c4f7 in abort () from /usr/lib64/libc.so.6
#3 0x00007f113fd61d62 in _dbus_abort () at dbus-sysdeps.c:93
#4 0x00007f113fd84b50 in _dbus_warn_check_failed (
format=format@entry=0x7f113fd95d28 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n") at dbus-internals.c:281
#5 0x00007f113fd8528a in _dbus_warn_return_if_fail (function=function@entry=0x7f113fd94a80 <__func__.65> "dbus_message_set_reply_serial",
assertion=assertion@entry=0x7f113fd9332a "reply_serial != 0", file=file@entry=0x7f113fd932ea "dbus-message.c", line=line@entry=1168) at dbus-internals.c:936
#6 0x00007f113fd74027 in dbus_message_set_reply_serial (message=message@entry=0x5611d306c690, reply_serial=<optimized out>) at dbus-message.c:1168
#7 0x00007f113fd77c83 in dbus_message_new_error (reply_to=reply_to@entry=0x5611d306b630, error_name=0x5611d00208e0 "org.freedesktop.DBus.Error.LimitsExceeded",
error_message=<optimized out>) at dbus-message.c:1525
#8 0x00005611ccb898ec in bus_transaction_capture_error_reply (error=<optimized out>, error=<optimized out>, in_reply_to=0x5611d306b630,
addressed_recipient=0x5611cdb65960, transaction=0x5611d67f4030) at connection.c:2314
#9 bus_transaction_capture_error_reply (transaction=0x5611d67f4030, addressed_recipient=0x5611cdb65960, error=0x7ffd16177520, in_reply_to=0x5611d306b630)
at connection.c:2296
#10 0x00005611ccb89a49 in bus_transaction_send_from_driver (transaction=0x5611d67f4030, connection=0x5611cdb65960, message=0x5611d306b630) at connection.c:2379
#11 0x00005611ccb8ef0e in bus_driver_handle_get_connection_unix_user (connection=0x5611cdb65960, transaction=0x5611d67f4030, message=<optimized out>, error=0x7ffd161776a0)
at driver.c:1667
#12 0x00005611ccb9061f in bus_driver_handle_message (connection=connection@entry=0x5611cdb65960, transaction=transaction@entry=0x5611d67f4030,
message=message@entry=0x5611d633ee10, error=error@entry=0x7ffd161776a0) at driver.c:2949
#13 0x00005611ccb8c582 in bus_dispatch (message=0x5611d633ee10, connection=0x5611cdb65960) at dispatch.c:392
#14 bus_dispatch_message_filter (connection=0x5611cdb65960, message=0x5611d633ee10, user_data=<optimized out>) at dispatch.c:548
#15 0x00007f113fd6ac1d in dbus_connection_dispatch (connection=0x5611cdb65960) at dbus-connection.c:4704
#16 dbus_connection_dispatch (connection=connection@entry=0x5611cdb65960) at dbus-connection.c:4576
#17 0x00005611ccb98821 in _dbus_loop_dispatch (loop=<optimized out>) at dbus-mainloop.c:532
#18 _dbus_loop_dispatch (loop=0x5611cdb37d30) at dbus-mainloop.c:513
#19 _dbus_loop_iterate (loop=loop@entry=0x5611cdb37d30, block=block@entry=1) at dbus-mainloop.c:862
#20 0x00005611ccb98c05 in _dbus_loop_run (loop=0x5611cdb37d30) at dbus-mainloop.c:888
#21 0x00005611ccb7dbc3 in main (argc=<optimized out>, argv=<optimized out>) at main.c:722