From c30287f43fbf2c0a8f87eac56121ba0514770d29 Mon Sep 17 00:00:00 2001
From: Yangyang Shen
Date: Mon, 22 Jun 2020 11:12:15 +0800
Subject: [PATCH] Add more test cases modify for solving CVE-2020-12049
---
 ...vatives-do-not-adjust-cmsg_len-on-MS.patch | 49 ++++++++++++++
 dbus.spec | 7 +-
 ...rt-that-we-don-t-leak-file-descripto.patch | 64 +++++++++++++++++++
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
 create mode 100644 fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
diff --git a/Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch b/Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
new file mode 100644
index 0000000..5d06706
--- /dev/null
+++ b/Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
@@ -0,0 +1,49 @@
+From b96ef23e406baa08648339a53b0161fc80de7ce4 Mon Sep 17 00:00:00 2001
+From: Andy Fiddaman
+Date: Fri, 12 Jun 2020 12:32:20 +0000
+Subject: [PATCH] Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC
+
+---
+ dbus/dbus-sysdeps-unix.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b176dae1..0288dbc9 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -441,13 +441,32 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ size_t i;
+ int *payload = (int *) CMSG_DATA (cm);
+ size_t payload_len_bytes = (cm->cmsg_len - CMSG_LEN (0));
+- size_t payload_len_fds = payload_len_bytes / sizeof (int);
++ size_t payload_len_fds;
+ size_t fds_to_use;
+
+ /* Every unsigned int fits in a size_t without truncation, so
+ * casting (size_t) *n_fds is OK */
+ _DBUS_STATIC_ASSERT (sizeof (size_t) >= sizeof (unsigned int));
+
++ if ((m.msg_flags & MSG_CTRUNC) && CMSG_NXTHDR(&m, cm) == NULL &&
++ (char *) payload + payload_len_bytes >
++ (char *) m.msg_control + m.msg_controllen)
++ {
++ /* This is the last cmsg in a truncated message and using
++ * cmsg_len would apparently overrun the allocated buffer.
++ * Some operating systems (illumos and Solaris are known) do
++ * not adjust cmsg_len in the last cmsg when truncation occurs.
++ * Adjust the payload length here. The calculation for
++ * payload_len_fds below will discard any trailing bytes that
++ * belong to an incomplete file descriptor - the kernel will
++ * have already closed that (at least for illumos and Solaris)
++ */
++ payload_len_bytes = m.msg_controllen -
++ ((char *) payload - (char *) m.msg_control);
++ }
++
++ payload_len_fds = payload_len_bytes / sizeof (int);
++
+ if (_DBUS_LIKELY (payload_len_fds <= (size_t) *n_fds))
+ {
+ /* The fds in the payload will fit in our buffer */
+--
+
diff --git a/dbus.spec b/dbus.spec
index d5ac4a1..2b25357 100644
--- a/dbus.spec
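Review bot: The new guard forms `(char *) payload + payload_len_bytes` before comparing it with the end of `m.msg_control`, but when cmsg_len is stale that sum is precisely the past-the-buffer pointer the guard is meant to catch, so the check is itself pointer arithmetic beyond the control buffer; the same condition on offsets, `(size_t) ((char *) payload - (char *) m.msg_control) + payload_len_bytes > m.msg_controllen`, avoids that and mirrors the arithmetic the corrective assignment already uses. The context line `size_t payload_len_bytes = (cm->cmsg_len - CMSG_LEN (0));` still subtracts in unsigned arithmetic from an unvalidated cmsg_len, so a value below CMSG_LEN(0) would wrap before this guard runs; that is pre-existing rather than introduced here, but it sits on the same untrusted-input path. `_dbus_read_socket_with_unix_fds` starts and ends outside the hunk.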
+++ b/dbus.spec
@@ -1,7 +1,7 @@
 Name: dbus
 Epoch: 1
 Version: 1.12.16
-Release: 14
+Release: 15
 Summary: System Message Bus
 License: AFLv2.1 or GPLv2+
 URL: http://www.freedesktop.org/Software/dbus/
@@ -10,6 +10,8 @@ Source1: 00-start-message-bus.sh
 # fix CVE-2020-12049
 Patch0000: sysdeps-unix-On-MSG_CTRUNC-close-the-fds-we-did-rece.patch
+Patch0001: fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
+Patch0002: Solaris-and-derivatives-do-not-adjust-cmsg_len-on-MS.patch
 Patch0010: bugfix-let-systemd-restart-dbus-when-the-it-enters-failed.patch
@@ -218,6 +220,9 @@ make check
 %exclude %{_pkgdocdir}/README
 %changelog
+* Mon Jun 22 2020 shenyangyang - 1:1.12.16-15
+- Add more test cases modify for solving CVE-2020-12049
+
 * Sat Jun 20 2020 shenyangyang - 1:1.12.16-14
 - Fix CVE-2020-12049
diff --git a/fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch b/fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
new file mode 100644
index 0000000..fbb1266
--- /dev/null
+++ b/fdpass-test-Assert-that-we-don-t-leak-file-descripto.patch
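Review bot: The leak assertion added by Patch0001 compiles to a no-op unless `DBUS_ENABLE_EMBEDDED_TESTS` is defined (its `#else` branch stubs out both helpers), and nothing in the visible spec hunks shows whether the configure step enables embedded tests, so the `make check` named in the third hunk's context may never exercise the CVE-2020-12049 regression test. Worth confirming the configure flags (outside these hunks) and recording the dependency next to the patch, e.g. `# Patch0001 only detects fd leaks when embedded tests are enabled`. Patch0002 appears to edit the same region of dbus-sysdeps-unix.c as Patch0000 (its context lines reference `fds_to_use` in `_dbus_read_socket_with_unix_fds`), so the numeric order of the two is load-bearing; a comment such as `# must apply after Patch0000: same hunk` would protect it from a later renumbering.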
@@ -0,0 +1,64 @@
+From 8bc1381819e5a845331650bfa28dacf6d2ac1748 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Thu, 16 Apr 2020 14:41:48 +0100
+Subject: [PATCH] fdpass test: Assert that we don't leak file descriptors
+
+This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
+or dbus!120.
+
+Reproduces: dbus#294
+Reproduces: CVE-2020-12049
+Reproduces: GHSL-2020-057
+Signed-off-by: Simon McVittie
+---
+ test/fdpass.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/test/fdpass.c b/test/fdpass.c
+index 4a3edc4e..8bad675f 100644
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+
+ #include "test-utils-glib.h"
+
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -92,6 +100,7 @@ typedef struct {
+ GQueue messages;
+
+ int fd_before;
++ DBusInitialFDs *initial_fds;
+ } Fixture;
+
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -176,6 +185,8 @@ test_connect (Fixture *f,
+ if (f->skip)
+ return;
+
++ f->initial_fds = _dbus_check_fdleaks_enter ();
++
+ g_assert (f->left_server_conn == NULL);
+ g_assert (f->right_server_conn == NULL);
+
+@@ -871,6 +882,9 @@ teardown (Fixture *f,
+ if (f->fd_before >= 0 && close (f->fd_before) < 0)
+ g_error ("%s", g_strerror (errno));
+ #endif
++
++ if (f->initial_fds != NULL)
++ _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+
+ int
+--
+
-- Gitee
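Review bot: The `#include` inside the `#ifdef DBUS_ENABLE_EMBEDDED_TESTS` branch has no header name on this page; an angle-bracketed name may simply have been stripped when the page was rendered, but if the stored patch file really lacks it, the embedded-tests build of test/fdpass.c will not compile, so the file should be checked before it is relied on. In the `#else` branch both helpers are stubs, which means this test only detects the CVE-2020-12049 descriptor leak in embedded-tests builds; a comment above `#else` such as `/* Without embedded tests the leak check is compiled out: the test still passes but cannot detect fd leaks */` would make that limitation visible to whoever runs `make check`. The teardown guard `if (f->initial_fds != NULL)` depends on `initial_fds` being zero when `test_connect` returns early on `f->skip` or is never reached; that holds if the Fixture is zero-allocated by the harness (presumably, since `fd_before` is treated the same way), but setup is outside the hunk, so confirm it. Both `test_connect` and `teardown` start and end outside the hunk.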