1. 15 Aug, 2017 1 commit
    • sysdeps: increase listen() backlog of AF_UNIX sockets to SOMAXCONN · a8dc1ebd
      Lennart Poettering authored
      Previously, the listen() backlog was set to an arbitrary 30. This means
      that if dbus-daemon is overloaded only 30 more connections may be queued
      by the kernel, before connect() fails with EAGAIN. (Note that EAGAIN !=
      EINPROGRESS -- the latter is what is returned if a connection is queued
      and being processed for asynchronous sockets; EAGAIN in this case is
      really an error, that cannot be recovered from).
      
      Most software simply sets SOMAXCONN as backlog for AF_UNIX sockets, to
      allow queuing of as many connections as the kernel allows. SOMAXCONN is
      128 on Linux, which is not particularly high, but at least higher than
      30.
      
      This patch changes dbus-daemon to do the same.
      
      I noticed this when flooding dbus-daemon with a lot of connections,
      where it pretty quickly ceased to respond, much earlier than it really
      should.
      
      Note that the backlog has nothing to do with the number of concurrent
      connections allowed, it simply controls how many queued, but not
      accept()ed connections there may be on the listening socket.
      
      (cherry picked from commit 12bd6e89)
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95264
      Bug-Debian: https://bugs.debian.org/872144
      Reviewed-by: Simon McVittie <smcv@collabora.com>
      Reviewed-by: Thiago Macieira <thiago@kde.org>
  2. 05 Jul, 2017 3 commits
  3. 27 Jun, 2017 2 commits
  4. 16 Feb, 2017 1 commit
    • Change _dbus_create_directory to fail for existing directories · be51bfe9
      Simon McVittie authored
      If we don't trap EEXIST and its Windows equivalent, we are unable to
      detect the situation where we create an ostensibly unique
      subdirectory in a shared /tmp, but an attacker has already created it.
      This affects dbus-nonce (the nonce-tcp transport) and the activation
      reload test.
      
      Add a new _dbus_ensure_directory() for the one case where we want it to
      succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
      we are creating in our own trusted "official" $HOME. In the new
      transient service support on Bug #99825, ensure_owned_directory()
      would need the same treatment.
      
      We are not treating this as a serious security problem, because the
      nonce-tcp transport is rarely enabled on Unix and there are multiple
      mitigations.
      
      The nonce-tcp transport creates a new unique file with O_EXCL and 0600
      (private to user) permissions, then overwrites the requested filename
      via atomic-overwrite, so the worst that could happen there is that an
      attacker could place a symbolic link matching the name of a directory
      we are going to create, causing a dbus-daemon configured for nonce-tcp
      to traverse the symlink and atomically overwrite a file named "nonce"
      in a directory of the attacker's choice, with new random contents that
      are not known to the attacker. This seems unlikely to be exploitable
      for anything worse than denial of service in practice. In mainline
      Linux since 3.6, this attack is also defeated by the
      fs.protected_symlinks sysctl, which many distributions enable by default.
      
      The activation reload test suffers from a classic symlink attack
      due to time-of-check/time-of-use errors in its implementation, but as
      part of the developer-only "embedded tests" that are only intended
      to be run on a trusted machine, it is not treated as security-sensitive.
      That code path will be fixed in a subsequent commit.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall <withnall@endlessm.com>
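
The strict-create versus lenient-ensure distinction drawn in the commit above, as an added C example that is not dbus code and not part of the commit. `create_directory()`, `ensure_directory()` and `run_case()` are hypothetical stand-ins, the `lstat()` type and owner check in the lenient variant is an extra precaution assumed for this example, and the pre-existing entries are constructed inside a private temporary directory.

```c
#define _XOPEN_SOURCE 700  /* for mkdtemp(), symlink(), lstat() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Strict: any mkdir() failure is an error, EEXIST included, so a name that
   someone else created first (directory or symlink) is never adopted. */
int create_directory(const char *path)
{
    return mkdir(path, 0700) == 0 ? 0 : -errno;
}

/* Lenient: for a trusted parent only. EEXIST is accepted, but (an extra check
   assumed for this example) only for a real directory owned by us. */
int ensure_directory(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0) return 0;
    if (errno != EEXIST) return -errno;
    if (lstat(path, &st) != 0) return -errno;   /* lstat: do not follow symlinks */
    if (!S_ISDIR(st.st_mode)) return -ENOTDIR;
    return st.st_uid == geteuid() ? 0 : -EPERM;
}

/* Constructed scenario: pre-create the target name as a symlink or a directory
   inside a private temp dir, then call one variant. 1 means setup failed. */
int run_case(int lenient, int plant_symlink)
{
    char base[] = "/tmp/dirdemo-XXXXXX", other[64], target[64];
    int r;
    if (mkdtemp(base) == NULL) return 1;
    snprintf(other, sizeof other, "%s/elsewhere", base);
    snprintf(target, sizeof target, "%s/unique-subdir", base);
    if (mkdir(other, 0700) != 0) return 1;
    if ((plant_symlink ? symlink(other, target) : mkdir(target, 0700)) != 0) return 1;
    r = lenient ? ensure_directory(target) : create_directory(target);
    if (plant_symlink) unlink(target); else rmdir(target);
    rmdir(other);
    rmdir(base);
    return r;
}

int main(void)
{
    printf("strict/symlink=%d strict/dir=%d lenient/dir=%d lenient/symlink=%d\n",
           run_case(0, 1), run_case(0, 0), run_case(1, 0), run_case(1, 1));
    return 0;
}
```

The strict variant returns `-EEXIST` for both pre-existing cases because `mkdir()` reports `EEXIST` for a symlink at the final path component as well as for a directory.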
  5. 04 Oct, 2016 1 commit
    • DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic() · 178872ea
      Marc Mutz authored
      The const void* 'value' pointer that is passed the address of a
      uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
      casts it to a DBusBasicValue, a union type that has an alignment of
      eight on 64-bit platforms and is therefore more-aligned than the
      uint32.
      
      The read of a value of a more-aligned type through a pointer to a
      less-aligned type is undefined behaviour.
      
      Fix by storing the uint32 in a DBusBasicValue and passing that instead.
      
      Found by UBSan:
      
        dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
        0x7fdb8dac3a04: note: pointer points here
          4a 87 b5 71 01 00 00 00  40 7d 01 00 00 61 00 00  10 3b ac 8d db 7f 00 00  2c 2a 3e 94 db 7f 00 00
                      ^
          #0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
          #1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
          #2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
          #3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
          #4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
          #5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
      Signed-off-by: Marc Mutz <marc@kdab.net>
      Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
  6. 12 Aug, 2016 2 commits
  7. 30 Jun, 2016 1 commit
  8. 16 May, 2016 1 commit
  9. 13 May, 2016 2 commits
  10. 29 Apr, 2016 1 commit
  11. 02 Mar, 2016 4 commits
  12. 12 Feb, 2016 3 commits
  13. 11 Feb, 2016 3 commits
  14. 08 Feb, 2016 1 commit
  15. 02 Dec, 2015 2 commits
  16. 18 Nov, 2015 1 commit
  17. 17 Nov, 2015 1 commit
  18. 16 Nov, 2015 1 commit
  19. 11 Nov, 2015 1 commit
  20. 04 Nov, 2015 1 commit
  21. 03 Nov, 2015 1 commit
  22. 02 Nov, 2015 3 commits
  23. 27 Oct, 2015 2 commits
  24. 30 Sep, 2015 1 commit