From 3f407671ecf821eb38ea7af5b160bfb93a9f4584 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 11 Nov 2016 16:40:44 +0000 Subject: [PATCH] Make uid 0 immune to pending_fd_timeout limit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a workaround for . If a service sends a file descriptor sufficiently frequently that its queue of messages never goes down to 0 fds pending, then it will eventually be disconnected. logind is one such service. We do not currently have a good solution for this: the proposed patches either don't work, or reintroduce a denial of service security vulnerability (CVE-2014-3637). Neither seems desirable. However, we can avoid the worst symptoms by trusting uid 0 not to be malicious. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1591411 Reviewed-by: Ɓukasz Zemczak Tested-by: Ivan Kozik Tested-by: Finn Herpich Tested-by: autostatic Tested-by: Ben Parafina Signed-off-by: Simon McVittie (cherry picked from commit d5fae1db789d741295ca4746b84915d4bec591fd) [smcv: omit the test/dbus-daemon.c part, which does not apply unless a363822f5f58e5513e30dc2f84a30ae03cd91e07 is also applied]
---
bus/connection.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/bus/connection.c b/bus/connection.c
index a1976768..02d6c220 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -672,10 +672,24 @@ pending_unix_fds_timeout_cb (void *data)
 {
 DBusConnection *connection = data;
 BusConnectionData *d = BUS_CONNECTION_DATA (connection);
+ unsigned long uid;
 int limit;
 
 _dbus_assert (d != NULL);
 limit = bus_context_get_pending_fd_timeout (d->connections->context);
+
+ if (dbus_connection_get_unix_user (connection, &uid) && uid == 0)
+ {
+ bus_context_log (d->connections->context, DBUS_SYSTEM_LOG_WARNING,
+ "Connection \"%s\" (%s) has had Unix fds pending for "
+ "too long (pending_fd_timeout=%dms); tolerating it, "
+ "because it has uid 0",
+ d->name != NULL ? d->name : "(null)",
+ bus_connection_get_loginfo (connection),
+ limit);
+ return TRUE;
+ }
+
 bus_context_log (d->connections->context, DBUS_SYSTEM_LOG_WARNING,
 "Connection \"%s\" (%s) has had Unix fds pending for too long, "
 "closing it (pending_fd_timeout=%d ms)",
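Review bot: The new `uid == 0` branch has no comment recording that it deliberately leaves the CVE-2014-3637 mitigation unenforced for every root-owned peer, not only logind, so a later reader could mistake it for a service-specific special case; a comment above the `if` such as `/* Workaround for fd.o #95263: uid 0 is trusted not to keep fds pending maliciously, so pending_fd_timeout is not enforced for it */` would make the trust decision explicit. The branch also logs at WARNING level and returns TRUE without visibly changing the timeout, so if this callback fires again while fds stay pending (the rest of the function and the timeout setup are outside the hunk), a busy root service would emit one warning per interval; logging once per connection may be preferable. The new message prints `pending_fd_timeout=%dms` while the existing message below prints `%d ms`, which makes the two harder to match with a single log filter.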