1. 05 Jun, 2014 1 commit
    • Alban Crequy's avatar
      CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service · 72a8759c
      Alban Crequy authored
      How it should work:
      
      When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
      whether the message can be delivered after the service has been activated. The
      service is considered activated when its well-known name is requested with
      org.freedesktop.DBus.RequestName. When the message delivery is denied, the
      service stays activated but should not receive the activating message (the
      message which triggered the activation). dbus-daemon is supposed to drop the
      activating message and reply to the sender with a D-Bus error message.
      
      However, it does not work as expected:
      
      1. The error message is delivered to the service instead of being delivered to
         the sender. As an example, the error message could be something like:
      
           An SELinux policy prevents this sender from sending this
           message to this recipient, [...] member="MaliciousMethod"
      
         If the sender and the service are malicious confederates and agree on a
         protocol to insert information in the member name, the sender can leak
         information to the service, even though the LSM attempted to block the
         communication between the sender and the service.
      
      2. The error message is delivered as a reply to the RequestName call from
         service. It means the activated service will believe it cannot request the
         name and might exit. The sender could activate the service frequently and
         systemd will give up activating it. Thus the denial of service.
      
      The following changes fix the bug:
      - bus_activation_send_pending_auto_activation_messages() only returns an error
        in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
        (and its only caller sets the OOM error).
      - When a client is not allowed to talk to the service, a D-Bus error message
        is pre-allocated to be delivered to the client as part of the transaction.
        The error is not propagated to the caller so RequestName will not fail
        (except on OOM).
      
      [fixed a misleading comment -smcv]
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
      
      Reviewed-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Colin Walters's avatarColin Walters <walters@verbum.org>
      Backported: to dbus-1.2, whitespace conflicts in bus/activation.c
      72a8759c
  2. 04 Oct, 2012 3 commits
  3. 02 Oct, 2012 4 commits
  4. 21 Sep, 2011 1 commit
  5. 10 Jun, 2011 3 commits
  6. 14 Jan, 2011 1 commit
  7. 21 Dec, 2010 5 commits
  8. 09 Jul, 2010 1 commit
  9. 08 Jul, 2010 1 commit
  10. 22 Jun, 2010 1 commit
  11. 11 Jun, 2010 1 commit
    • Johannes Carlsson's avatar
      Corrected thread problem causing some calls to hang for 25s · 882a2e11
      Johannes Carlsson authored
      Since the connection lock is released for a short while in
      _dbus_connection_acquire_io_path there can already be a method return
      received by another thread. The fix is to do an extra check after the
      I/O path has been aquired both.
      
      Approved-by: Thiago Macieira
      882a2e11
  12. 21 May, 2010 1 commit
    • Will Thompson's avatar
      kqueue set_watched_dirs: fix termination condition · 82a77d6a
      Will Thompson authored
      num_fds is the number of elements of dirs currently in use. This bug
      meant that encountering a previously un-watched directory would cause j
      to increment forever, and so dirs[j] would eventually segfault.
      
      (I've checked the corresponding code for inotify, and it's correct. I
      wonder if some of the duplication could be eliminated.)
      
      Thanks to Pablo Martí Gamboa <pmarti@warp.es> for reporting this issue!
      82a77d6a
  13. 23 Apr, 2010 1 commit
  14. 23 Mar, 2010 3 commits
  15. 22 Mar, 2010 3 commits
  16. 21 Mar, 2010 1 commit
  17. 19 Mar, 2010 2 commits
  18. 17 Mar, 2010 3 commits
  19. 16 Mar, 2010 4 commits