Simon McVittie [Fri, 7 Oct 2016 20:26:36 +0000 (21:26 +0100)]
Ignore ActivationFailure if not using systemd activation
This isn't security-related, just defensive programming: if
dbus-daemon wasn't run with --systemd-activation, then there is no
reason why systemd would legitimately send us this signal, and if it
does we should just ignore it.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:25:08 +0000 (21:25 +0100)]
bus_driver_handle_message: reject ActivationFailure if unprivileged
Specifically, this will allow ActivationFailure messages from our
own uid or from root, but reject them otherwise, even if the bus
configuration for who can own org.freedesktop.systemd1 is entirely
wrong due to something like CVE-2014-8148.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 18:13:01 +0000 (19:13 +0100)]
dbus_activation_systemd_failure: do not use non-literal format string
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Philip Withnall [Sat, 1 Oct 2016 13:59:47 +0000 (15:59 +0200)]
bus: Add sender name to bus activation log messages
This clarifies
Activating via systemd: service name='com.example.Example'
unit='example.service'
to
Activating via systemd: service name='com.example.Example'
unit='example.service' requested by ':1.23' (uid 1000 pid 123
comm "whatever-activat")
Similarly for the non-systemd code paths.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68212 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall [Sat, 1 Oct 2016 19:23:16 +0000 (21:23 +0200)]
doc: Install introspection and busconfig DTDs
Install them to $(datadir)/xml/dbus-1, which seems to be the standard
location for installed DTDs. This means that developers can use them to
validate their introspection XML, and sysadmins can use them to validate
their bus configuration files.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89011 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Marc Mutz [Mon, 3 Oct 2016 20:19:45 +0000 (22:19 +0200)]
DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic()
The const void* 'value' pointer that is passed the address of a
uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
casts it to a DBusBasicValue, a union type that has an alignment of
eight on 64-bit platforms and is therefore more-aligned than the
uint32.
The read of a value of a more-aligned type through a pointer to a less
-aligned type is undefined behaviour.
Fix by storing the uint32 in a DBusBasicValue and passing that instead.
Found by UBSan:
dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
0x7fdb8dac3a04: note: pointer points here
4a 87 b5 71 01 00 00 00 40 7d 01 00 00 61 00 00 10 3b ac 8d db 7f 00 00 2c 2a 3e 94 db 7f 00 00
^
#0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
#1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
#2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
#3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
#4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
#5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
Signed-off-by: Marc Mutz <marc@kdab.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
Philip Withnall [Sat, 1 Oct 2016 11:47:27 +0000 (13:47 +0200)]
spec: Allow <annotation> in <arg> elements in introspection XML
This is widely used in practice (especially by GLib — just look at files
in /usr/share/dbus-1/interfaces/), and there is no reason not to allow
it. Update the specification, introspection DTD and XSL file to allow
and represent it.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86162 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall [Sat, 1 Oct 2016 11:22:30 +0000 (13:22 +0200)]
spec: Recommend against using ‘/’ for object paths
As discussed in http://0pointer.de/blog/projects/versioning-dbus.html
and in https://dbus.freedesktop.org/doc/dbus-api-design.html,
un-versioned object paths make it hard to work out which interface a
signal was emitted from.
Clarify this in the specification to try and avoid people making this
mistake.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=37095 Reviewed-by: Simon McVittie <smcv@debian.org>
Like --fork and --nofork, these override what the configuration says.
Use --syslog-only to force the systemd services to log to the Journal
(via syslog, which means we see the severity metadata) instead of
testing sd_booted() in the configuration implementation.
Simon McVittie [Wed, 20 Jul 2016 08:25:57 +0000 (09:25 +0100)]
_dbus_warn, _dbus_warn_check_failed: unify with _dbus_logv
This means that dbus-daemon will log something like
dbus-daemon[123]: Unable to add reload watch to main loop
to syslog and/or stderr according to its configuration, while other
libdbus users will print something like this to stderr:
dbus[4567]: arguments to dbus_foo() were incorrect, assertion
"connection != NULL" failed at file dbus-foo.c line 123.
This is normally a bug in some application using the D-Bus library.
This slightly changes the meaning of the argument to _dbus_warn()
and _dbus_warn_check_failed. Previously, a trailing newline was
expected, and a missing newline would have resulted in incorrect
output. Now, a newline is supplied automatically by the
library (like g_warning()), and messages that end with a newline will
result in an unnecessary extra newline in output.
This extra newline is harmless, so I'm not going to change all the
callers immediately.
Simon McVittie [Fri, 12 Aug 2016 16:59:45 +0000 (17:59 +0100)]
_dbus_logv: configurably log to syslog and/or stderr
This changes the behaviour of _dbus_logv() if _dbus_init_system_log() was
not called. Previously, _dbus_logv() would always log to syslog;
additionally, it would log to stderr, unless the process is dbus-daemon
and it was started by systemd. Now, it will log to stderr only,
unless _dbus_init_system_log() was called first.
This is the desired behaviour because when we hook up
_dbus_warn_check_failed() to _dbus_logv() in the next commit, we don't
want typical users of libdbus to start logging their check failures to
syslog - we only want the dbus-daemon to do that.
In practice this is not usually a behaviour change, because there was
only one situation in which we called _dbus_logv() without first calling
_dbus_init_system_log(), namely an error while parsing configuration
files. Initialize the system log "just in time" in that situation
to preserve existing behaviour.
Simon McVittie [Tue, 16 Aug 2016 15:12:35 +0000 (16:12 +0100)]
Log to syslog when pending_fd_timeout is exceeded
This is either a denial-of-service attempt, a pathological performance
problem or a dbus-daemon bug. Sysadmins should be told about any of
these.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86442
[smcv: add units to timeout: it is in milliseconds] Signed-off-by: Simon McVittie <smcv@debian.org>
We were not actually doing what was intended (flooding the bus with
10k or 100k messages for the other side) because the bus was limiting
the sender to 128 parallel method calls.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86442 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 11 Feb 2016 20:43:23 +0000 (20:43 +0000)]
Only compile test-bus-launch-helper, etc. if embedded tests are enabled
These source files are specific to the embedded tests and make no sense
otherwise.
Also remove a comment in the CMake build system about fixing the
build of the activation helper on Windows: the activation helper
is Unix-specific and always will be, since it relies on Unix setuid
to function.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=94094
DBus uses custom rules in its Makefiles to implement test-coverage
statistics.
This patch implements test-coverage statistics with the autoconf macro
AX_CODE_COVERAGE. The script automatically tests for tools (e.g., gcov,
lcov), sets build variables and creates Makefile rules.
Run 'configure' with '--enable-code-coverage' to enable support for
test-coverage statistics. Run 'make check-code-coverage' to run the
tests and generate the statistics.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: do not alter compiler.m4; move AM_CXXFLAGS to the one place we
compile C++] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88922
Simon McVittie [Thu, 21 Jul 2016 07:24:38 +0000 (08:24 +0100)]
dbus-daemon, dbus-launch: cope with callers having closed standard fds
In Debian bug <https://bugs.debian.org/829348>, lightdm appears to
have been starting dbus-launch with at least one of the three
standard fds 0, 1, 2 (stdin, stdout, stderr) closed. This resulted
in the dbus-daemon's epoll_create1() returning a fd less than 3.
Later, _dbus_become_daemon() replaces fds 0-2 with /dev/null. As a
result, a subsequent call to _dbus_loop_add_watch() for the reload
pipe resulted in calling epoll_ctl on the non-epoll fd pointing to
/dev/null, which fails with EINVAL, resulting in the dbus-daemon
exiting unsuccessfully.
Unix programs are not normally expected to behave correctly when
launched with the standard fds not already open; but at the same time,
X11 autolaunching means that dbus-launch (and hence the dbus-daemon)
can get started from an arbitrarily precarious situation.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97008 Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Thiago Macieira <thiago@kde.org>
(cherry picked from commit c8f73a2a3a9d9d10587f596a62ebb64e8963197e)
Simon McVittie [Thu, 21 Jul 2016 07:23:12 +0000 (08:23 +0100)]
_dbus_ensure_standard_fds: new function to ensure std* fds are open
This function opens stdin, stdout, stderr pointing to /dev/null
if they aren't already open. Optionally, it can also replace
whatever is available on those fds with /dev/null.
To allow for use in contexts where only async-signal-safe functions
should be used, such as between fork() and a following exec(),
this function does not use conventional libdbus error handling
(which would require malloc). Instead, it sets errno and returns
an explanatory string.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97008 Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Thiago Macieira <thiago@kde.org>
(cherry picked from commit 69123a6bd2adabbaec1f770fc4573fc3ed4ceca6)
Simon McVittie [Thu, 11 Aug 2016 15:08:39 +0000 (16:08 +0100)]
Mark WaitingForOK state as unused
It should probably be used (see #97298) but the fact that it isn't
is breaking compatibility with gcc 6, so apply a quick workaround
while we look into what's wrong here.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
(cherry picked from commit 21d61180819c141e779d6ecf9919e62e768b6fd9)
Simon McVittie [Mon, 11 Jul 2016 09:52:44 +0000 (10:52 +0100)]
update-activation-environment: produce better diagnostics on error
If dbus-daemon or systemd replied to our method call with an error,
we would report it as "invalid arguments" instead of the true error
name and message.
Same root cause as <https://bugs.freedesktop.org/show_bug.cgi?id=96653>.
Simon McVittie [Wed, 20 Jul 2016 09:07:12 +0000 (10:07 +0100)]
sysdeps: move _dbus_system_log() into the shared library
This is in preparation for optionally making _dbus_warn() use it.
dbus-daemon closes its stderr under some circumstances, including
when launched by dbus-launch, which makes failures in that
situation rather hard to debug.
_dbus_system_log() is the same on Unix and Windows, so move it
to dbus-sysdeps.c. _dbus_system_logv() remains platform-specific.
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97009
[smcv: move the #include for syslog.h, too] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Fix misleading indentation to avoid respective compiler warning
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
Protect 'i' in _handle_inotify_watch by DBUS_ENABLE_VERBOSE_MODE
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
Initialize 'klass' in _dbus_type_reader_recurse to NULL
Initializing 'klass' in _dbus_type_reader_recurse avoids a
compile-time warning about the variable being uninitialized.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
Protect 'orig_len' in recover_unused_bytes by DBUS_ENABLE_VERBOSE_MODE
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
dbus-launch: Protect concat2 by DBUS_ENABLE_EMBEDDED_TESTS
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
Simon McVittie [Thu, 11 Aug 2016 15:08:39 +0000 (16:08 +0100)]
Mark WaitingForOK state as unused
It should probably be used (see #97298) but the fact that it isn't
is breaking compatibility with gcc 6, so apply a quick workaround
while we look into what's wrong here.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
Otherwise HAVE_STDINT_H will not be defined or the var will not be
picked up from cache so builds could fail with errors like:
| ../../dbus-1.10.8/dbus/dbus-internals.h:239:8: error: ‘uintptr_t’ undeclared (first use in this function)
projects / thirdparty / dbus.git / log
