From f0ae945ecc4631c538b845d807a60c5b72903a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 11 Apr 2019 14:01:38 +0200 Subject: [PATCH 1/3] bus-message: validate signature in gvariant messages We would accept a message with 40k signature and spend a lot of time iterating over the nested arrays. Let's just reject it early, as we do for !gvariant messages. --- src/libsystemd/sd-bus/bus-message.c | 5 ++++- test/fuzz/fuzz-bus-message/oss-fuzz-14016 | Bin 0 -> 49343 bytes 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 test/fuzz/fuzz-bus-message/oss-fuzz-14016 diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index 11c4648f91..a2464e1a46 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -5152,7 +5152,7 @@ int bus_message_parse_fields(sd_bus_message *m) { return -EBADMSG; if (*p == 0) { - char *k; + _cleanup_free_ char *k = NULL; size_t l; /* We found the beginning of the signature @@ -5170,6 +5170,9 @@ int bus_message_parse_fields(sd_bus_message *m) { if (!k) return -ENOMEM; + if (!signature_is_valid(k, true)) + return -EBADMSG; + free_and_replace(m->root_container.signature, k); break; } diff --git a/test/fuzz/fuzz-bus-message/oss-fuzz-14016 b/test/fuzz/fuzz-bus-message/oss-fuzz-14016 new file mode 100644 index 0000000000000000000000000000000000000000..c82d1ba4adfbc829ef148bfc61907c51f1fc9b74 GIT binary patch literal 49343 zcmeHPOO7PR4Q&W8prww{S{h#XJZcQQGN6UMkTyPqbX6U|3^JK~43d!%oz>k{HQ9?u z^6~K#WaMXhM*8l{ET!ef^gI z{MvrL@v4gu-zI-7EI1GdS`^tS!nZ;C)Vi z2wD``DZ;lw`qVJ4Qj}dJ`Ab8>HAuX0HCrbcsWXsjwlBVIwuA2~EPFX)ke#`Bs|tr0 zI6?DRq_WCq0uho(IhqhV$iIcQcDQLKwas)*IO5#pY-(nJOpo~Ftc7MWV8Xk-_4>nQ?wReT%iRiLsHmE z6<+6Z;#{sw(vPueqb}>1yqBWsm8nos;tJMvF^QMfF#tKlkzMleI_eM+l1Mq45IZOx z_Tgh^x{0!&k2XCA}MU8?B#oySn3AX90fulULSQZX%(TFGLxct8B8(6M}zG^#@?RVz&$Ja zf}2JW%fqBKc`rrbDg-D_fUts#7mW!xfuKc^og#c2q)!c-D@EBwlD{-0T!X|5SF?4J zkvapZX1hM>Vs~hm(jb_s0Fm1ewuxy(Q|A*ObsB{T{i-pjDhG+L(_ecAvI`Ja-B!37 z6HEkx7DaZ7@NJMjHEgaFWfw{Q(vWZs5-(iM)=5U{45XUv`a?_X4h>Tp1XC3tavQ=n zF^y>Ie0^iIE@?ORtF&%g$DIf3x+od;w5iY@f#Jv9Hm+Jy0(%6MC1eK3^oTDxE+3ka zY!R&MViGSM=>X&qM|R1>D-~J3ABm7e%F%?_LFuu&&f(r-8A{i*kxHWzA2?{EAZ!Ef zS<&Ze8bvG*lkUWODGFC1Kyd9X%G#48QJiK2Mn8aW$cq)0Iv4g1;uEGV0eO(+pM|KbDp&L{}mB-)6k`A&S&Y6yO- znUY9QQ(`>{T{i-pjDhG+L(_C%ZG+ur2EllJ{zsYiV%u)lw~7gx&m)0==ImD4&^6*MEm3JT!l1Mq45Id;d?As4#?#zcO`LZ9x z*?`;?l89eUQ}o1Zh<7D%R*Tf^$Jc%oTPuf`a^Iz)tfTZO4P~fi5HDOyx{)HqY}bcd z?9S?81IM$k{t)c=vu6f4e)pd5?@UBf@cseCKE4eMQD?R>&7WMO#_$%-Y1N zSfDz}(a9Lv-*;?Weh%Rfuk<^ldOrUf!x6H?i`%&@0uf6RIIUn=MU;7w0- za+cy7+cfel50k5+ztz>)t`ZiC5Fo7R<78t3Odx1cWTyz<2I*77=1Ng^k>oE83D+R; z!qse@WTehOs@cAS8%H)9n@}P&O!0xKj)JgFqK#;p@5D!)hTsXBl1NZfVm%36Hv*iD zf#^>|(};Zj(V9%}0VXo&Q)lvRgWYBZ!FavC0lG#`tG=;KBiHi>Rl-6Q0)!Pt>_uY& zP9SJeWTyz<2I*77=1Ng^k>oE83D+R;!qse@WTehOs@bk@fY==xrZfnqDnR5mgl%FP z(bW0GH-Hp0OfocT33z?L-NIbf#pMQZv+lf0GSJl`@faM)?Uiu-rz2^TmJihGm^gu? zp2_tQ&zJSv3_NCvj-9>pE=j?wMcOu@KSR+suW3ZTKF_R?yL5e?4G+?8{Gb!H&tVfN zpJdt-E8v;F9B)gt*}&?|2}GI6^%0LxEk(b)P46V=m5RRRrjh0R1E5QMC-3&weBQ8> z=l9;1Ec%zuE0*+tr&CYbyRI`Mid}LD4BX+WND5m==bu>W2G<;A!r9{^SyrbGwH=Aq zmv=hS);2j3M-2q~>Xuy777!Rvur)v$&>x`X zw%kicbUS?2A@9Yd9nc;W#thyAPG;b0B+yJ}ue;h9c6YL3ha6>^^cXkQ8V-1 z$xT=t({;z`qiNLYPwtXTbaj;O91NBI!&X}`x|Z!J4dW8T4c3xw9H0;gS`^tS!nZ;C z)T6$sO?HvwFAWLTAo0T0Y@KAJ&OoZ!p7O8nV0$9Q4s3`qfkGf?QDmnG-v;SZ>p>b_ z%T1PsVXfkYYe_d!q?qj~51HSvY}R8#jpivnFxWCk`{HGzge-ZG@gqKxE&NOc#wKZL zyTreP-NInj#pMQZx5SHAN?HDnmI$u7qU2~o?4b7R;PB(#5m1)a792`IoV%P&%?yx< z?vJPXzkapbJ#?Y$8W^%ZaiG!=(jWjW-bA!I*{A>$2wD``DZ;lw`qa>-Qj}dJ`Ab8> zHAuX0HCrbcsWXsjw(IQ}yFx^;0h?5tx6c69J0g{@TN=ieRH8TXxHRf%M@ z2}xY4j&x@WGEM$5;IPm#Kb6EbDQ!g4;;*lV@q3MWsI7u)jsl?&(^vH2xF=4eP|AU4 z2EllpJeSjT5YcCB8iD2AukG?)il$elLPd!ySl7iQURuWhJ4zocKW8Q4qEP_pIo1HH{*kzuhD(6emDf_dfK3F~LG0Xi;RR z2;T{bq#KRcXaqucBV88ixe+hOS+LF z#cU6JBha=UU?PVnWGBc_;;^<~$$P_7OpvxN``CM+fZwcYOa|_;NFL64*Az{!eI6;& zQIAs(7)d-Ad_v(61D>R?m8vN}A&Hel%F%?_LG3$g`{DGR`A{WaDO;oLK<)}j#4o2Q zdg3+21xcK}rpY2T`|-6O1tciNa^Iz)tfTZO4P~fi5HDOyx{)HqY!CdtnmseJ+1P{< znGLJ~IDsfLxz64(+wH8`yX#B^&gB7jTi&=chUErvx9+@4GSSr{-8mR4U;GqpwaMIY zEh{#Xqs*L+lJmY}$%W1B{vfE|UDE zA>kS%UbvdAlZ@0ENHyDcaO22kV-re*hABQU)lm?(Nwg77^PTvp(-1sCQxXYkN~|ZL z>qdZ+F%bP}Xd02vKU$ONJ-|c;edccdtL8!+}~C zXGRoH-MyTNSXn^eI0jn-qyhcizucC4>4Ocitr# z>}rwOaVW6sz0^Ne_C_rqsMRrX0!cTM>m%O6>$e$r%oM$Ma~D3iOZ&@0s%z_>x)%xx zY;j$bn0=-tokI*ftZb2}$lHBM5AxEBIO~VKpZmf{&m2lj{F4eY10uE#53W<-tiaEm5KPu^wmAQ25(s;|sW(G*~ z{Et8#3U7L;r(?2jY}1H;eLHBo;TmtCac7&=cNc@P1%OJt)j<0AdvUOdvRZP6dPlVI o7rZ68H1w4^UA%C0W>k!XsK{n(((kXYZ*RZ-{QCBD`}yhR|MEbWjsO4v literal 0 HcmV?d00001 From cfcc0059bfb8be7d1da80cb6a75d9ba71f4662f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 11 Apr 2019 14:02:59 +0200 Subject: [PATCH 2/3] sd-bus: add define for the maximum signature length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Less magic numbers in the code… --- src/libsystemd/sd-bus/bus-message.c | 2 +- src/libsystemd/sd-bus/bus-signature.c | 2 +- src/systemd/sd-bus.h | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index a2464e1a46..427d42f296 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -284,7 +284,7 @@ static int message_append_field_signature( /* dbus1 doesn't allow signatures over 8bit, let's enforce * this globally, to not risk convertability */ l = strlen(s); - if (l > 255) + if (l > SD_BUS_MAXIMUM_SIGNATURE_LENGTH) return -EINVAL; /* Signature "(yv)" where the variant contains "g" */ diff --git a/src/libsystemd/sd-bus/bus-signature.c b/src/libsystemd/sd-bus/bus-signature.c index 1ecd6e8b7e..b420ba3688 100644 --- a/src/libsystemd/sd-bus/bus-signature.c +++ b/src/libsystemd/sd-bus/bus-signature.c @@ -144,5 +144,5 @@ bool signature_is_valid(const char *s, bool allow_dict_entry) { p += t; } - return p - s <= 255; + return p - s <= SD_BUS_MAXIMUM_SIGNATURE_LENGTH; } diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h index 129cc93328..311602d048 100644 --- a/src/systemd/sd-bus.h +++ b/src/systemd/sd-bus.h @@ -33,6 +33,9 @@ _SD_BEGIN_DECLARATIONS; #define SD_BUS_DEFAULT_USER ((sd_bus *) 2) #define SD_BUS_DEFAULT_SYSTEM ((sd_bus *) 3) +/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-marshaling-signature */ +#define SD_BUS_MAXIMUM_SIGNATURE_LENGTH 255 + /* Types */ typedef struct sd_bus sd_bus; From fb270a26b20e5e3997fb88ffa5e257af194a6cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 11 Apr 2019 14:07:22 +0200 Subject: [PATCH 3/3] sd-bus: add define for the maximum name length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Less magic numbers in the code… --- src/libsystemd/sd-bus/bus-internal.c | 6 +++--- src/systemd/sd-bus.h | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c index 598b7f110c..dff39cb13f 100644 --- a/src/libsystemd/sd-bus/bus-internal.c +++ b/src/libsystemd/sd-bus/bus-internal.c @@ -97,7 +97,7 @@ bool interface_name_is_valid(const char *p) { dot = false; } - if (q - p > 255) + if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH) return false; if (dot) @@ -139,7 +139,7 @@ bool service_name_is_valid(const char *p) { dot = false; } - if (q - p > 255) + if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH) return false; if (dot) @@ -170,7 +170,7 @@ bool member_name_is_valid(const char *p) { return false; } - if (q - p > 255) + if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH) return false; return true; diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h index 311602d048..84ceb62dc7 100644 --- a/src/systemd/sd-bus.h +++ b/src/systemd/sd-bus.h @@ -36,6 +36,9 @@ _SD_BEGIN_DECLARATIONS; /* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-marshaling-signature */ #define SD_BUS_MAXIMUM_SIGNATURE_LENGTH 255 +/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names */ +#define SD_BUS_MAXIMUM_NAME_LENGTH 255 + /* Types */ typedef struct sd_bus sd_bus;