On 9/2/21 7:55 PM, Steve Sakoman wrote: > On Thu, Sep 2, 2021 at 8:38 AM Steve Sakoman <[email protected]> wrote: >> On Thu, Sep 2, 2021 at 8:10 AM Armin Kuster <[email protected]> wrote: >>> ping or did I miss a response to this patch? >> No you didn't miss anything! >> >> I mistakenly stashed this patch along with your "lz4: Security Fix for >> CVE-2021-3520" patch in a branch waiting for the lz4 equivalent to hit >> master. >> >> Richard pushed the lz4 patch to master so now both patches are merged >> and in test for dunfell. > We're getting reproducible autobuilder ptest errors with this patch: > > AssertionError: Failed ptests: > {'dbus-test': ['test/test-dbus-daemon', > 'test/test-dbus-daemon-eavesdrop', > 'test/test-monitor']} Hmm. What is odd the dbus-daemon does run on the target.
I can reproduce this locally. will dig into -armin > > https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/2179 > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/2460 > > Steve > >>> -armin >>> >>> On 8/27/21 8:37 PM, Armin Kuster via lists.openembedded.org wrote: >>>> From: Armin Kuster <[email protected]> >>>> >>>> Source: https://gitlab.freedesktop.org/dbu >>>> MR: 108825 >>>> Type: Security Fix >>>> Disposition: Backport from >>>> https://gitlab.freedesktop.org/dbus/dbus/-/commit/e75c67a28fa2bc41a8ab0de433a52355c71a8abf >>>> ChangeID: dea9518b9c13dab66e7d553c622000b9c6e268cc >>>> Description: >>>> >>>> Affects: < 1.12.20 >>>> >>>> Signed-off-by: Armin Kuster <[email protected]> >>>> --- >>>> .../dbus/dbus/CVE-2020-35512.patch | 301 ++++++++++++++++++ >>>> meta/recipes-core/dbus/dbus_1.12.16.bb | 1 + >>>> 2 files changed, 302 insertions(+) >>>> create mode 100644 meta/recipes-core/dbus/dbus/CVE-2020-35512.patch >>>> >>>> diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-35512.patch >>>> b/meta/recipes-core/dbus/dbus/CVE-2020-35512.patch >>>> new file mode 100644 >>>> index 0000000000..27f5d58675 >>>> --- /dev/null >>>> +++ b/meta/recipes-core/dbus/dbus/CVE-2020-35512.patch >>>> @@ -0,0 +1,301 @@ >>>> +From 2b7948ef907669e844b52c4fa2268d6e3162a70c Mon Sep 17 00:00:00 2001 >>>> +From: Simon McVittie <[email protected]> >>>> +Date: Tue, 30 Jun 2020 19:29:06 +0100 >>>> +Subject: [PATCH] userdb: Reference-count DBusUserInfo, DBusGroupInfo >>>> + >>>> +Previously, the hash table indexed by uid (or gid) took ownership of the >>>> +single reference to the heap-allocated struct, and the hash table >>>> +indexed by username (or group name) had a borrowed pointer to the same >>>> +struct that exists in the other hash table. >>>> + >>>> +However, this can break down if you have two or more distinct usernames >>>> +that share a numeric identifier. This is generally a bad idea, because >>>> +the user-space model in such situations does not match the kernel-space >>>> +reality, and in particular there is no effective kernel-level security >>>> +boundary between such users, but it is sometimes done anyway. >>>> + >>>> +In this case, when the second username is looked up in the userdb, it >>>> +overwrites (replaces) the entry in the hash table that is indexed by >>>> +uid, freeing the DBusUserInfo. This results in both the key and the >>>> +value in the hash table that is indexed by username becoming dangling >>>> +pointers (use-after-free), leading to undefined behaviour, which is >>>> +certainly not what we want to see when doing access control. >>>> + >>>> +An equivalent situation can occur with groups, in the rare case where >>>> +a numeric group ID has two names (although I have not heard of this >>>> +being done in practice). >>>> + >>>> +Solve this by reference-counting the data structure. There are up to >>>> +three references in practice: one held temporarily while the lookup >>>> +function is populating and storing it, one held by the hash table that >>>> +is indexed by uid, and one held by the hash table that is indexed by >>>> +name. >>>> + >>>> +Closes: dbus#305 >>>> +Signed-off-by: Simon McVittie <[email protected]> >>>> + >>>> +Upsteam-Status: Backport >>>> +https://gitlab.freedesktop.org/dbus/dbus/-/commit/e75c67a28fa2bc41a8ab0de433a52355c71a8abf >>>> +CVE: CVE-2020-35512 >>>> +Signed-off-by: Armin Kuster <[email protected]> >>>> + >>>> +--- >>>> + dbus/dbus-sysdeps-unix.h | 2 ++ >>>> + dbus/dbus-userdb-util.c | 38 ++++++++++++++++++----- >>>> + dbus/dbus-userdb.c | 67 ++++++++++++++++++++++++++++++---------- >>>> + dbus/dbus-userdb.h | 6 ++-- >>>> + 4 files changed, 86 insertions(+), 27 deletions(-) >>>> + >>>> +Index: dbus-1.12.16/dbus/dbus-sysdeps-unix.h >>>> +=================================================================== >>>> +--- dbus-1.12.16.orig/dbus/dbus-sysdeps-unix.h >>>> ++++ dbus-1.12.16/dbus/dbus-sysdeps-unix.h >>>> +@@ -105,6 +105,7 @@ typedef struct DBusGroupInfo DBusGroupIn >>>> + */ >>>> + struct DBusUserInfo >>>> + { >>>> ++ size_t refcount; /**< Reference count */ >>>> + dbus_uid_t uid; /**< UID */ >>>> + dbus_gid_t primary_gid; /**< GID */ >>>> + dbus_gid_t *group_ids; /**< Groups IDs, *including* above primary >>>> group */ >>>> +@@ -118,6 +119,7 @@ struct DBusUserInfo >>>> + */ >>>> + struct DBusGroupInfo >>>> + { >>>> ++ size_t refcount; /**< Reference count */ >>>> + dbus_gid_t gid; /**< GID */ >>>> + char *groupname; /**< Group name */ >>>> + }; >>>> +Index: dbus-1.12.16/dbus/dbus-userdb-util.c >>>> +=================================================================== >>>> +--- dbus-1.12.16.orig/dbus/dbus-userdb-util.c >>>> ++++ dbus-1.12.16/dbus/dbus-userdb-util.c >>>> +@@ -38,6 +38,15 @@ >>>> + * @{ >>>> + */ >>>> + >>>> ++static DBusGroupInfo * >>>> ++_dbus_group_info_ref (DBusGroupInfo *info) >>>> ++{ >>>> ++ _dbus_assert (info->refcount > 0); >>>> ++ _dbus_assert (info->refcount < SIZE_MAX); >>>> ++ info->refcount++; >>>> ++ return info; >>>> ++} >>>> ++ >>>> + /** >>>> + * Checks to see if the UID sent in is the console user >>>> + * >>>> +@@ -240,9 +249,9 @@ _dbus_get_user_id_and_primary_group (con >>>> + * @param gid the group ID or #DBUS_GID_UNSET >>>> + * @param groupname group name or #NULL >>>> + * @param error error to fill in >>>> +- * @returns the entry in the database >>>> ++ * @returns the entry in the database (borrowed, do not free) >>>> + */ >>>> +-DBusGroupInfo* >>>> ++const DBusGroupInfo* >>>> + _dbus_user_database_lookup_group (DBusUserDatabase *db, >>>> + dbus_gid_t gid, >>>> + const DBusString *groupname, >>>> +@@ -287,13 +296,14 @@ _dbus_user_database_lookup_group (DBusUs >>>> + dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL); >>>> + return NULL; >>>> + } >>>> ++ info->refcount = 1; >>>> + >>>> + if (gid != DBUS_GID_UNSET) >>>> + { >>>> + if (!_dbus_group_info_fill_gid (info, gid, error)) >>>> + { >>>> + _DBUS_ASSERT_ERROR_IS_SET (error); >>>> +- _dbus_group_info_free_allocated (info); >>>> ++ _dbus_group_info_unref (info); >>>> + return NULL; >>>> + } >>>> + } >>>> +@@ -302,7 +312,7 @@ _dbus_user_database_lookup_group (DBusUs >>>> + if (!_dbus_group_info_fill (info, groupname, error)) >>>> + { >>>> + _DBUS_ASSERT_ERROR_IS_SET (error); >>>> +- _dbus_group_info_free_allocated (info); >>>> ++ _dbus_group_info_unref (info); >>>> + return NULL; >>>> + } >>>> + } >>>> +@@ -314,7 +324,7 @@ _dbus_user_database_lookup_group (DBusUs >>>> + if (!_dbus_hash_table_insert_uintptr (db->groups, info->gid, info)) >>>> + { >>>> + dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL); >>>> +- _dbus_group_info_free_allocated (info); >>>> ++ _dbus_group_info_unref (info); >>>> + return NULL; >>>> + } >>>> + >>>> +Index: dbus-1.12.16/dbus/dbus-userdb.c >>>> +=================================================================== >>>> +--- dbus-1.12.16.orig/dbus/dbus-userdb.c >>>> ++++ dbus-1.12.16/dbus/dbus-userdb.c >>>> +@@ -35,34 +35,57 @@ >>>> + * @{ >>>> + */ >>>> + >>>> ++static DBusUserInfo * >>>> ++_dbus_user_info_ref (DBusUserInfo *info) >>>> ++{ >>>> ++ _dbus_assert (info->refcount > 0); >>>> ++ _dbus_assert (info->refcount < SIZE_MAX); >>>> ++ info->refcount++; >>>> ++ return info; >>>> ++} >>>> ++ >>>> + /** >>>> +- * Frees the given #DBusUserInfo's members with _dbus_user_info_free() >>>> ++ * Decrements the reference count. If it reaches 0, >>>> ++ * frees the given #DBusUserInfo's members with _dbus_user_info_free() >>>> + * and also calls dbus_free() on the block itself >>>> + * >>>> + * @param info the info >>>> + */ >>>> + void >>>> +-_dbus_user_info_free_allocated (DBusUserInfo *info) >>>> ++_dbus_user_info_unref (DBusUserInfo *info) >>>> + { >>>> + if (info == NULL) /* hash table will pass NULL */ >>>> + return; >>>> + >>>> ++ _dbus_assert (info->refcount > 0); >>>> ++ _dbus_assert (info->refcount < SIZE_MAX); >>>> ++ >>>> ++ if (--info->refcount > 0) >>>> ++ return; >>>> ++ >>>> + _dbus_user_info_free (info); >>>> + dbus_free (info); >>>> + } >>>> + >>>> + /** >>>> +- * Frees the given #DBusGroupInfo's members with _dbus_group_info_free() >>>> ++ * Decrements the reference count. If it reaches 0, >>>> ++ * frees the given #DBusGroupInfo's members with _dbus_group_info_free() >>>> + * and also calls dbus_free() on the block itself >>>> + * >>>> + * @param info the info >>>> + */ >>>> + void >>>> +-_dbus_group_info_free_allocated (DBusGroupInfo *info) >>>> ++_dbus_group_info_unref (DBusGroupInfo *info) >>>> + { >>>> + if (info == NULL) /* hash table will pass NULL */ >>>> + return; >>>> + >>>> ++ _dbus_assert (info->refcount > 0); >>>> ++ _dbus_assert (info->refcount < SIZE_MAX); >>>> ++ >>>> ++ if (--info->refcount > 0) >>>> ++ return; >>>> ++ >>>> + _dbus_group_info_free (info); >>>> + dbus_free (info); >>>> + } >>>> +@@ -124,7 +147,7 @@ _dbus_is_a_number (const DBusString *str >>>> + * @param error error to fill in >>>> + * @returns the entry in the database >>>> + */ >>>> +-DBusUserInfo* >>>> ++const DBusUserInfo* >>>> + _dbus_user_database_lookup (DBusUserDatabase *db, >>>> + dbus_uid_t uid, >>>> + const DBusString *username, >>>> +@@ -170,13 +193,14 @@ _dbus_user_database_lookup (DBusUserData >>>> + dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL); >>>> + return NULL; >>>> + } >>>> ++ info->refcount = 1; >>>> + >>>> + if (uid != DBUS_UID_UNSET) >>>> + { >>>> + if (!_dbus_user_info_fill_uid (info, uid, error)) >>>> + { >>>> + _DBUS_ASSERT_ERROR_IS_SET (error); >>>> +- _dbus_user_info_free_allocated (info); >>>> ++ _dbus_user_info_unref (info); >>>> + return NULL; >>>> + } >>>> + } >>>> +@@ -185,7 +209,7 @@ _dbus_user_database_lookup (DBusUserData >>>> + if (!_dbus_user_info_fill (info, username, error)) >>>> + { >>>> + _DBUS_ASSERT_ERROR_IS_SET (error); >>>> +- _dbus_user_info_free_allocated (info); >>>> ++ _dbus_user_info_unref (info); >>>> + return NULL; >>>> + } >>>> + } >>>> +@@ -198,7 +222,7 @@ _dbus_user_database_lookup (DBusUserData >>>> + if (!_dbus_hash_table_insert_uintptr (db->users, info->uid, info)) >>>> + { >>>> + dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL); >>>> +- _dbus_user_info_free_allocated (info); >>>> ++ _dbus_user_info_unref(info); >>>> + return NULL; >>>> + } >>>> + >>>> +@@ -568,24 +592,24 @@ _dbus_user_database_new (void) >>>> + db->refcount = 1; >>>> + >>>> + db->users = _dbus_hash_table_new (DBUS_HASH_UINTPTR, >>>> +- NULL, (DBusFreeFunction) >>>> _dbus_user_info_free_allocated); >>>> ++ NULL, (DBusFreeFunction) >>>> _dbus_user_info_unref); >>>> + >>>> + if (db->users == NULL) >>>> + goto failed; >>>> + >>>> + db->groups = _dbus_hash_table_new (DBUS_HASH_UINTPTR, >>>> +- NULL, (DBusFreeFunction) >>>> _dbus_group_info_free_allocated); >>>> ++ NULL, (DBusFreeFunction) >>>> _dbus_group_info_unref); >>>> + >>>> + if (db->groups == NULL) >>>> + goto failed; >>>> + >>>> + db->users_by_name = _dbus_hash_table_new (DBUS_HASH_STRING, >>>> +- NULL, NULL); >>>> ++ NULL, (DBusFreeFunction) >>>> _dbus_user_info_unref); >>>> + if (db->users_by_name == NULL) >>>> + goto failed; >>>> + >>>> + db->groups_by_name = _dbus_hash_table_new (DBUS_HASH_STRING, >>>> +- NULL, NULL); >>>> ++ NULL, (DBusFreeFunction) >>>> _dbus_group_info_unref); >>>> + if (db->groups_by_name == NULL) >>>> + goto failed; >>>> + >>>> +Index: dbus-1.12.16/dbus/dbus-userdb.h >>>> +=================================================================== >>>> +--- dbus-1.12.16.orig/dbus/dbus-userdb.h >>>> ++++ dbus-1.12.16/dbus/dbus-userdb.h >>>> +@@ -76,19 +76,19 @@ dbus_bool_t _dbus_user_database_ge >>>> + DBusError >>>> *error); >>>> + >>>> + DBUS_PRIVATE_EXPORT >>>> +-DBusUserInfo* _dbus_user_database_lookup (DBusUserDatabase *db, >>>> ++const DBusUserInfo* _dbus_user_database_lookup (DBusUserDatabase >>>> *db, >>>> + dbus_uid_t uid, >>>> + const DBusString >>>> *username, >>>> + DBusError >>>> *error); >>>> + DBUS_PRIVATE_EXPORT >>>> +-DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase *db, >>>> ++const DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase >>>> *db, >>>> + dbus_gid_t gid, >>>> + const DBusString >>>> *groupname, >>>> + DBusError >>>> *error); >>>> ++ >>>> ++void _dbus_user_info_unref (DBusUserInfo *info); >>>> + DBUS_PRIVATE_EXPORT >>>> +-void _dbus_user_info_free_allocated (DBusUserInfo *info); >>>> +-DBUS_PRIVATE_EXPORT >>>> +-void _dbus_group_info_free_allocated (DBusGroupInfo *info); >>>> ++void _dbus_group_info_unref (DBusGroupInfo *info); >>>> + #endif /* DBUS_USERDB_INCLUDES_PRIVATE */ >>>> + >>>> + DBUS_PRIVATE_EXPORT >>>> diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb >>>> b/meta/recipes-core/dbus/dbus_1.12.16.bb >>>> index 10d1b34448..13d453eb32 100644 >>>> --- a/meta/recipes-core/dbus/dbus_1.12.16.bb >>>> +++ b/meta/recipes-core/dbus/dbus_1.12.16.bb >>>> @@ -17,6 +17,7 @@ SRC_URI = >>>> "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ >>>> file://dbus-1.init \ >>>> file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ >>>> file://CVE-2020-12049.patch \ >>>> + file://CVE-2020-35512.patch \ >>>> " >>>> >>>> SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890" >>>> >>>> >>>> >>> >>> >>> >> >>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#155685): https://lists.openembedded.org/g/openembedded-core/message/155685 Mute This Topic: https://lists.openembedded.org/mt/85202264/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
