I'm assuming here that any version of clang will be new enough to
understand gcc 2.4 features, which seems rather safe.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is not a security vulnerability because it's test code that
should never be compiled in production.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Since early 2015, a DBusSocket has been a struct containing either
an int or a pointer-sized Windows SOCKET. Print them with
"%" DBUS_SOCKET_FORMAT and _dbus_socket_printable().
Bug found by adding more _DBUS_GNUC_PRINTF attributes.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This was not a security vulnerability because
_dbus_validity_to_error_message() doesn't return anything containing
"%", but the compiler can't know that.
Found by adding more _DBUS_GNUC_PRINTF attributes.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
The autoconf macros AX_COMPILER_FLAGS_{CFLAGS|CXXFLAGS|LDFLAGS} test
for compiler and linker support of various flags, and add the flags to
the generated output.
If the command-line option '--enable-compile-warnings' is specified to
'configure', a number of additional warning options is also added to the
output. This is the default.
The AX_COMPILER_FLAGS_* macros add stricter warnings then before. The
patch disables some of them to make dbus build without errors. A later
patch set should fix the warnings and remove the compiler flags.
This patch integrates all tests for compiler flags into the call to
AX_COMPILER_FLAGS_CFLAGS. All tests for compiler flags are now done
in a single place. The old macros have been removed.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: add missing $ to DISABLE_WARNINGS]
[smcv: drop -Wno-discarded-qualifiers]
[smcv: drop non-C++ option -Wpointer-sign in C++ mode]
[smcv: work around an AX_COMPILER_FLAGS_CFLAGS bug]
[smcv: this source tree is called dbus, not DBus]
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
When reviewing this commit, I said
Looks OK, although this is going to become impossible if we start
using the externally-curated list of warnings from
<https://www.gnu.org/software/autoconf-archive/ax_compiler_flags.html>,
which I've been quite tempted to do.
That time has now come. I think it's more valuable to have comprehensive
warnings under our primary build system, Autotools, than to have
some fairly elaborate CMake scripting to pick up the same compiler
warnings in both build systems; the CMake build system is primarily
there to give us the ability to compile with MSVC, which has orthogonal
compiler warning options anyway.
This reverts commit 41427560af.
Signed-off-by: Simon McVittie <smcv@debian.org>
Acked-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Vaguely based on a patch from Thomas Zimmermann, but with a different
solution to RECURSIVE_MARSHAL_WRITE_TRACE, and additionally fixing
a build failure that only occurs when targeting Unix without libsystemd,
and another that occurs when targeting Windows.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Annoyingly, the POSIX way to declare environ (as
"extern char **environ") is a redundant declaration in glibc with
_GNU_SOURCE; work around that.
We also have a workaround for _NSGetEnviron() needing to be used
instead of direct access to environ in at least some circumstances on
Mac OS. Attempt to sync that up between all the files that use environ,
consistently sorting the most special special-cases first (Windows
for files that are compiled there, then Mac, then GNU, with
lowest-common-denominator POSIX last).
The affected files are already OS-specific, so I'm not bothering to
introduce a nicer or higher-level API for this.
Based on the best bits of an earlier patch from me, and an earlier
patch from Thomas Zimmermann.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
We can avoid duplicating the format string between translation units,
without the compiler warning us that it can't check non-literal
format strings for format-string security vulnerabilities based on %p,
by breaking out the "assertion failed" case into a slow-path.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
glibc >= 2.24 marks readdir_r() as deprecated. It is meant to be a
thread-safe version of readdir(), but modern implementations of readdir()
are thread-safe anyway (when called with a distinct DIR * argument),
and readdir_r() has some design issues involving PATH_MAX.
This code path is in Linux-specific code, so we can safely assume a
high-quality implementation of readdir().
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
As a general design principle, strings that we aren't going to modify
should usually be const. When compiling with -Wwrite-strings, quoted
string constants are of type "const char *", causing compiler warnings
when they are assigned to char * variables.
Unfortunately, we need to add casts in a few places:
* _dbus_list_append(), _dbus_test_oom_handling() and similar generic
"user-data" APIs take a void *, not a const void *, so we have
to cast
* For historical reasons the execve() family of functions take a
(char * const *), i.e. a constant pointer to an array of mutable
strings, so again we have to cast
* _dbus_spawn_async_with_babysitter similarly takes a char **,
although we can make it a little more const-correct by making it
take (char * const *) like execve() does
This also incorporates a subsequent patch by Thomas Zimmermann to
put various string constants in static storage, which is a little
more efficient.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This avoids confusion with the meaning of "release" used by
AX_IS_RELEASE. AX_IS_RELEASE is about facts about the source tree,
namely the distinction between releases (tags) and random snapshots.
The build variants in .travis.yml are about facts about the build
being done, namely the distinction between production and
debug/developer builds.
Production builds are sometimes referred to as "release builds",
for example in typical CMake and MSVC build environments, but a
different term seems better here.
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This patch fixes warnings from '-Wsuggest-attribute=noreturn'. We cannot
enable it unconditionally as it would break libtool.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: omit the part involving environ, which was more involved]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: split out from a larger commit]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This path removes the obsolete configure option
'--disable-compiler-optimisations'. Users can control compiler flags
by setting CFLAGS, CXXFLAGS, etc in the build environment.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Several internal functions are not used on Windows. This patch
hides them behind DBUS_WIN.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: add space after cast, that is our coding style]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This patch adds 'void' to function declarations without parameters.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: fix coding style while we're touching these lines anyway]
Reviewed-by: Simon McVittie <smcv@debian.org>
The command-line option '--enable-debug' controls the debugging and
profiling flags of the build. Debugging is disabled by default and only
enabled on developer builds. Profiling is always disabled. Both options
can be overridden from the command line (e.g., for profiling of release
builds).
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: remove trailing whitespace from new lines]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This isn't security-related, just defensive programming: if
dbus-daemon wasn't run with --systemd-activation, then there is no
reason why systemd would legitimately send us this signal, and if it
does we should just ignore it.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Specifically, this will allow ActivationFailure messages from our
own uid or from root, but reject them otherwise, even if the bus
configuration for who can own org.freedesktop.systemd1 is entirely
wrong due to something like CVE-2014-8148.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
If it is set (i.e. if an LSM is in use) this will make it appear in
various places in log output.
With SELinux, for example, this appends something like:
label="system_u:object_r:unlabeled_t:s0"
This commit partially rearranges the code which sets the loginfo string,
so that it consistently puts a space between fields, and not one at the
end.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68212
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This clarifies
Activating via systemd: service name='com.example.Example'
unit='example.service'
to
Activating via systemd: service name='com.example.Example'
unit='example.service' requested by ':1.23' (uid 1000 pid 123
comm "whatever-activat")
Similarly for the non-systemd code paths.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68212
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Install them to $(datadir)/xml/dbus-1, which seems to be the standard
location for installed DTDs. This means that developers can use them to
validate their introspection XML, and sysadmins can use them to validate
their bus configuration files.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89011
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>