On 32 bit systems long will overflow in 2038, causing complete breakage.
This is confirmed by running dbus's test suite on a 32 bit system
with system time set to 2040 (and configured to use 64 bit time_t of course).
Note that both timespec and timeval are specified with time_t for the
seconds component. This should propagate everywhere where that data is
passed and stored, but previously _dbus_get_monotonic_time() and
_dbus_get_monotonic_time() would truncate it to long.
Also add a function for parsing dbus_int64_t from
files, as existing functions can only handle long.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
This makes it easier to verify that _dbus_user_database_unlock_system()
is called on all exit paths. The only early-return is when locking the
userdb failed.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Our implementation always assumed that both code paths set errno, but
according to their API documentation, getpwnam_r and getpwuid_r actually
don't: they *return* a code from the same pseudo-enum as errno. They
also return 0 (but with a NULL struct passwd) if the user is not found,
which these APIs don't count as an error (but we do).
Similarly, in the legacy getpwnam/getpwuid code path, it is unspecified
whether looking up a nonexistent user will set errno or not.
Having retrieved an errno-like error code, we might as well use it in
the human-readable message and not just the machine-readable code,
because the human-readable message is what ends up in the system log.
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we want to get the struct passwd corresponding to uid 42, but we
can't, it's much better to say
User ID "42" unknown
rather than
User "???" unknown
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
The only difference between these was that we only needed to allocate
and free buf in the getpwnam_r case. We expect that all reasonable
Unix platforms will have getpwnam_r (it's in POSIX) so adding a no-op
dbus_free(NULL) to the getpwnam code path seems harmless.
This will be helpful when we make the error handling better, in a
subsequent commit.
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
Previously, if dbus_connection_get_unix_user() succeeded but
_dbus_unix_groups_from_uid() failed, then bus_connection_get_unix_groups()
would incorrectly fail without setting the error indicator, resulting
in "(null)" being logged, which is rather unhelpful.
This also lets us distinguish between ENOMEM and other errors, such as
the uid not existing in the system's user database.
Fixes: 145fb99b (untitled refactoring commit, 2006-12-12)
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
On Unix, dbus has historically used gcc-specific lock-free atomic
intrinsics where available, falling back to a pthreads mutex where
possible. Meanwhile, on Windows, it has historically used
InterlockedIncrement() and similar library functions (in practice
wrappers around lock-free intrinsics on real Windows, but IPC calls into
wineserver on Wine).
ISO C11 provides a new header, stdatomic.h, with standardized support
for atomic operations. Exactly how these are implemented is a compiler
quality-of-implementation decision, but any reasonable compiler
implementation on a modern CPU should be using intrinsics. Let's use
this wherever possible, falling back to our old implementation only if
the C11 implementation is unsupported.
One concrete benefit that we get from this is that when compiling with
mingw-w64 gcc and running via Wine, this makes atomic reference counting
operations into a simple local operation, rather than IPC to wineserver
which can be very slow. This should make our CI tests considerably more
reliable.
In all vaguely modern gcc versions (gcc 5.5 or later) and in contemporary
versions of clang, the default compiler mode is C11 or later with GNU
extensions. We intentionally do not ask for any specific C standard, so
we can use C11 features like this one, as long as we do so conditionally.
The Microsoft Visual C compiler does not currently support this without
special options, so we still use the Interlocked family of functions
when compiling for Windows with MSVC.
Signed-off-by: Simon McVittie <smcv@collabora.com>
I want to use <stdatomic.h> in dbus-sysdeps.h, but if we do that, we
won't be able to include that header into C++ code on all compilers.
Move the declarations for new internal Windows-specific functions
introduced in commit 17a23d08
"dbus_threads_init_default, dbus_threads_init: be safe to call at any time"
into their own header.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The new socket option SO_PEERPIDFD allows to pin the process on the
other side of the socket by file descriptor, which closes a race
condition where a PID can be reused before we can pin it manually.
Available since Linux v6.5.
When storing credentials, pin the process by FD from the PID.
When querying the PID, if the PID FD is available, resolve
it from there first if possible.
Ensure the DBusCredentials object only returns the PID FD if it was
obtained by this call, so that we know for sure we can rely on it
being safe against PID reuse attacks.
Signed-off-by: Luca Boccassi <bluca@debian.org>
It is valid for getsockopt(SO_PEERGROUPS) to return len=0; that
indicates the process has no supplementary groups. Rather than failing,
simply use the returned empty list (and add the primary GID to it).
Without this change, calling GetConnectionCredentials on a bus name
owned by a process with no supplementary groups does not return the
UnixGroupIDs field, even though it is easy to determine that the process
only has one GID (the primary GID).
Since meson 0.54.0, it is possible to override a dependency name,
so do that to make it easy to use dbus as a subproject. After this
change, simply
dependency('dbus-1')
will fall back to the subproject automatically and there is no need
for using `fallback` keyword argument. Of course this assumes that
the dbus source tree is at subprojects/dbus-1 and not subprojects/dbus
but it is easy to achieve that.
If the dbus source tree for some reason needs to be at subprojects/dbus,
dependency('dbus-1', fallback: 'dbus')
may be used, which still has the advantage of not needing to
depend on the variable names in the dbus build definitions.
Linux generally declares syscalls with flags as type int. It's the same
ABI, but a slightly different API, and it seems better for our fallback
definition to match it exactly.
Related to dbus/dbus#453.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Normally, it's enough to rely on a message being given a serial number
by the DBusConnection just before it is actually sent. However, in the
rare case where the policy blocks the driver from sending a message
(due to a deny rule or the outgoing message quota being full), we need
to get a valid serial number sooner, so that we can copy it into the
DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
message sent to monitors. Otherwise, the dbus-daemon will crash with
an assertion failure if at least one Monitoring client is attached,
because zero is not a valid serial number to copy.
This fixes a denial-of-service vulnerability: if a privileged user is
monitoring the well-known system bus using a Monitoring client like
dbus-monitor or `busctl monitor`, then an unprivileged user can cause
denial-of-service by triggering this crash. A mitigation for this
vulnerability is to avoid attaching Monitoring clients to the system
bus when they are not needed. If there are no Monitoring clients, then
the vulnerable code is not reached.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus/dbus#457
procfs has special semantics: most files are 0 size,
only one read can be done on a file, and they are
not larger than 4MB. Enhance _dbus_file_get_content()
so that we can read files from /proc with it.
Signed-off-by: Luca Boccassi <bluca@debian.org>
dbus-internals.h already defines a macro which expands to the name
of the current function based on C standard version, etc. So use
that instead of hard-coding `__FUNCTION__`.
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
dbus-internals.h already defines a macro which expands to the name
of the current function based on C standard version, etc. So use
that instead of hard-coding `__FUNCTION__`.
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
Previously, `retstr` would not be freed when `_dbus_string_append_len()`
or `_dbus_string_steal_data()` failed.
Fix those by:
* jumping to `_dbus_string_free()` when `_dbus_string_append_len()` fails
* ignoring the return value of `_dbus_string_free()`.
The latter works because in case of failure, `ret` will be set
to NULL by `_dbus_string_steal_data()`.
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
This appears to have been a copy/paste mistake. If only blanks (defined as
spaces or tabs) were removed, then it cannot be right to check for white
space (defined as spaces, tabs, carriage return or linefeed) afterwards.
If libdbus was compiled with assertions enabled, then this is a
denial-of-service issue for dbus-daemon or other users of DBusServer:
an unauthenticated user with access to the server's socket can send
whitespace that triggers this assertion failure. We recommend that
production versions of dbus, for example in OS distributions, should be
compiled with checks but without assertions.
[smcv: expanded commit message]
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/421
WG14 N2350 made very clear that it is an UB having type definitions
within "offsetof" [1]. This patch changes the implementation of macro
_DBUS_ALIGNOF to builtin "_Alignof" to avoid undefined behavior.
clang 16+ has started to diagnose this [2]
Fixes build when using -std >= gnu11 and using clang16+
[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm
[2] https://reviews.llvm.org/D133574
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit fixes a data race condition discovered by the
gcc thread sanitizer by also locking the associated mutex
when reading the corresponding counter.
Fixes#426
Allow other Meson project to consume libdbus as subproject. For this
we need to instantiate a dependency object.
Signed-off-by: Daniel Wagner <dwagner@suse.de>
The full license texts are not added because they were already
added in a previous commit.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
see #394
Like many relatively-low-level codebases, dbus has historically assumed
that data pointers are interchangeable with function pointers (which is
implied by POSIX and also true on Windows, but not guaranteed by ISO C).
Before dbus!335 was merged, we also assumed that size_t is the same
size as a pointer (which is frequently assumed, but not guaranteed by
ISO C, and notably not true on CHERI). dbus!335 is believed to have
removed all uses of that assumption.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This file was added to simplify the license documentation, because the
code moved from dbus-sysdeps-win.c is subject to a different license.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
[smcv: keep license grant; add to Meson build system]
Co-authored-by: Simon McVittie <smcv@collabora.com>
This was probably meant to be relicensed from AFL-2.0 to AFL-2.1 at the
same time as the rest of the codebase, but it wasn't. For now, just
convert its documented license status into machine-readable form.
The history of this file seems to be completely Red Hat and Collabora,
so we should be able to relicense it to (AFL-2.1 OR GPL-2.0-or-later)
or even to MIT, but let's start by making the stated license more
obvious.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The TCL-derived code is under its own license, so the overall license
of the file is (AFL-2.1 OR GPL-2.0-or-later) AND TCL.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This permissive license does not appear to be a match for anything
on the SPDX license list, so we need to use the LicenseRef- prefix
for a custom license.
Co-authored-by: Simon McVittie <smcv@collabora.com>
This permissive license does not appear to be a match for anything
on the SPDX license list, so we need to use the LicenseRef- prefix
for a custom license.
It's referred to as GAP (presumably short for "GNU all-permissive") in
https://sources.debian.org/src/libassuan/2.5.5-1/debian/copyright/
so use the same abbreviation here.
Co-authored-by: Simon McVittie <smcv@collabora.com>
We have 16-bit types with 2-byte alignment, but this comment claimed
we only have 1-, 4- or 8-byte alignment. The actual implementation is
fine, and correctly reports 2-byte alignment for the 16-bit types.
Signed-off-by: Simon McVittie <smcv@collabora.com>
We recommend disabling assertions in production builds of dbus, so it
is "cheap" to add them even in relatively fast-path locations.
Signed-off-by: Simon McVittie <smcv@collabora.com>
array_reader_check_finished() no longer returns a type, only a boolean,
so this comment isn't accurate any more.
Signed-off-by: Simon McVittie <smcv@collabora.com>
We already checked that claimed_len <= (end - p), therefore we can
assume that claimed_len + p <= end. Make this a bit more obvious.
Signed-off-by: Simon McVittie <smcv@collabora.com>
When a D-Bus message includes attached file descriptors, the body of the
message contains unsigned 32-bit indexes pointing into an out-of-band
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
these indexes as "handles" for the associated fds (not to be confused
with a Windows HANDLE, which is a kernel object).
The assertion message removed by this commit is arguably correct up to
a point: fd-passing is only reasonable on a local machine, and no known
operating system allows processes of differing endianness even on a
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
to specify a byte-order that differs from the byte-order of the recipient.
However, this doesn't account for the fact that a malicious sender
doesn't have to restrict itself to only doing things that make sense.
On a system with untrusted local users, a message sender could crash
the system dbus-daemon (a denial of service) by sending a message in
the opposite endianness that contains handles to file descriptors.
Before this commit, if assertions are enabled, attempting to byteswap
a fd index would cleanly crash the message recipient with an assertion
failure. If assertions are disabled, attempting to byteswap a fd index
would silently do nothing without advancing the pointer p, causing the
message's type and the pointer into its contents to go out of sync, which
can result in a subsequent crash (the crash demonstrated by fuzzing was
a use-after-free, but other failure modes might be possible).
In principle we could resolve this by rejecting wrong-endianness messages
from a local sender, but it's actually simpler and less code to treat
wrong-endianness messages as valid and byteswap them.
Thanks: Evgeny Vereshchagin
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Resolves: CVE-2022-42012
Signed-off-by: Simon McVittie <smcv@collabora.com>
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.
In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
