This includes fixing a memory leak in _dbus_hash_iter_lookup(), which is
not one of the unit tests; but it is only ever called from the unit
tests, so this is not a user-facing leak.
Coverity IDs: 54730, 54740
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99793
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Creating a directory is atomic, stat'ing it to see whether to remove
it is very much not.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
If we don't trap EEXIST and its Windows equivalent, we are unable to
detect the situation where we create an ostensibly unique
subdirectory in a shared /tmp, but an attacker has already created it.
This affects dbus-nonce (the nonce-tcp transport) and the activation
reload test.
Add a new _dbus_ensure_directory() for the one case where we want it to
succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
we are creating in our own trusted "official" $HOME. In the new
transient service support on Bug #99825, ensure_owned_directory()
would need the same treatment.
We are not treating this as a serious security problem, because the
nonce-tcp transport is rarely enabled on Unix and there are multiple
mitigations.
The nonce-tcp transport creates a new unique file with O_EXCL and 0600
(private to user) permissions, then overwrites the requested filename
via atomic-overwrite, so the worst that could happen there is that an
attacker could place a symbolic link matching the name of a directory
we are going to create, causing a dbus-daemon configured for nonce-tcp
to traverse the symlink and atomically overwrite a file named "nonce"
in a directory of the attacker's choice, with new random contents that
are not known to the attacker. This seems unlikely to be exploitable
for anything worse than denial of service in practice. In mainline
Linux since 3.6, this attack is also defeated by the
fs.protected_symlinks sysctl, which many distributions enable by default.
The activation reload test suffers from a classic symlink attack
due to time-of-check/time-of-use errors in its implementation, but as
part of the developer-only "embedded tests" that are only intended
to be run on a trusted machine, it is not treated as security-sensitive.
That code path will be fixed in a subsequent commit.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Hopefully this has better uptime than snapshot.debian.org, which is
really an archival service rather than a production component.
This particular autoconf-archive version was in Ubuntu 16.10, so it
should stay around for a while.
Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 9935a5b7d1)
Odd that this one was missing but all the other ones were in place.
Coverity ID: 54721
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99724
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This reverts commit 5f0cd1a24c,
which appears to trigger a timeout:
dbus-daemon[26876]: Activating service name='org.freedesktop.DBus.TestSuiteEchoService' requested by ':1.2415' (uid=1000 pid=26876 comm=".../bus/.libs/test-bus ")
dbus-daemon[26876]: Failed to activate service 'org.freedesktop.DBus.TestSuiteEchoService': timed out (service_start_timeout=25000ms)
dbus-daemon[26876]: Did not expect error org.freedesktop.DBus.Error.TimedOut
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Hopefully this has better uptime than snapshot.debian.org, which is
really an archival service rather than a production component.
This particular autoconf-archive version was in Ubuntu 16.10, so it
should stay around for a while.
Signed-off-by: Simon McVittie <smcv@debian.org>
This test is run repeatedly, with simulated out-of-memory conditions
at different points. If one of these was during run_decompose_tests(),
the test was recorded as failing. Before Philip fixed it, this was
masked by the failure not being reported correctly (CID: #54711).
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99758
Reviewed-by: Philip Withnall <withnall@endlessm.com>
cmake provides a macro named GnuInstallDirs to let install locations
be compatible with GNU's install location layout on several plattforms.
Using that layout makes cmake installs be more compatible to what
autotools use and also supports 32 and 64 bit installations out of the box.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99721
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This includes fixing a memory leak in _dbus_hash_iter_lookup(), which is
not one of the unit tests; but it is only ever called from the unit
tests, so this is not a user-facing leak.
Coverity IDs: 54730, 54740
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99793
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is a fairly pointless feature to add, since the current behaviour
was to abort due to a NULL pointer dereference shortly after the OOM
failure. At least now people will get a helpful error message when they
try to use dbus-send on a machine with incurable memory pressure.
Coverity ID: 54710
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99759
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
I am increasingly of the opinion that this is a gigantic waste of time.
But at least Coverity will be happy.
Coverity IDs: 60585, 60586
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99724
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is mostly pointless, but will shut Coverity up.
Coverity ID: 54718
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99724
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This should shut up Coverity from complaining about not checking the
return value of dbus_set_error_from_message(), which is equivalent to
the (type == DBUS_MESSAGE_TYPE_ERROR) check.
Coverity ID: 54697
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99723
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is mostly pointless, but should shut Coverity up.
Coverity ID: 54693
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99722
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
As a hash table becomes unbelievably large and full, the down_shift
tends towards 0. The overflow detection code in rebuild_table() does not
prevent down_shift becoming negative, which then causes undefined
behaviour in RANDOM_INDEX for int-keyed tables.
Note that this can only happen with approaching INT_MAX entries in the
hash table, at which point we’ve almost certainly hit OOM somewhere, so
this is vanishingly unlikely to happen. This is why I can’t add a test
for the bug.
As always, thanks to Coverity.
Coverity ID: 54682
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99641
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This will shut Coverity up. All the paths are checks on the return value
from dbus_message_set_destination().
Coverity IDs: 54822, 54823, 54824, 54825
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99712
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Also take the opportunity to tweak the test-threads-init messages
slightly to make it more TAP-compliant. It is not entirely TAP compliant
because it doesn’t print a test plan before starting its tests.
Coverity IDs: 54701, 54714, 54726
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99694
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Check that at most one argument which sets the payload is provided, so
the allocated payload is not overwritten and leaked.
Coverity ID: 54759
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99693
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
check_parse() can return NULL on OOM, which we might as well handle
gracefully in the tests with an assertion, rather than an explosion. At
least it will shut Coverity up.
Coverity ID: 54724
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99643
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
context is definitely non-NULL at this point, and has been dereferenced
already on all paths leading to it.
Coverity ID: 141062
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99642
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This adds a "sysusers.d" snippet for creating the system user "dbus" at
boot, if it is missing, in order to support stateless systems that boot
up with an empty /etc and need static information for determining which
system users to create.
This is only installed on systemd-based systems.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99162
Using expanded paths make no sense in install commands because they
may be patched by cmake for example by specifying DESTDIR on install.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Previously, executables like dbus-daemon were installed to
the lib subdirectory, but this was unintended. RUNTIME DESTINATION
is the equivalent of Autotools ${bindir}.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
On Windows, dbus can be configured to send DBUS_VERBOSE messages
to the Windows debug port instead of stderr. If we're in that
configuration, we already avoided printing thread information to
stderr before each verbose message; do the same for timestamps.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99749
Previously, all implemented mechanisms were included, even if the
sysadmin had configured them not to be allowed.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99621
With recent code starting dbus-daemon with an unsupported auth mechanism
let dbus-daemon silently ignore this issue. Clients connecting to this
server fails to connect without any descriptive explanation of the
root cause, only the message 'Rejected client connection due to lack
of memory' error is reported in dbus-daemon verbose log, which is disabled
in production environments.
With this patch dbus-daemon checks the supported auth mechanisms on startup
and shuts down with a descriptive error message, which gives admins an
immediate feedback on service startup/restart.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99622
This is almost certainly not going to make a difference, as it’s on the
OOM handling path; but the fewer leaks the better.
Coverity ID: 141058
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99612
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
systemd-logind's OpenSession() API call returns a fd. If there is a
flood of new sessions, it is possible that by the time we finish reading
message 1, message 2 will already be in our incoming buffer and so on.
This results in systemd-logind consistently having one or more fds enqueued
for an extended period, which we interpret as a denial of service
attack, and handle by kicking it off the bus (at least until we worked
around the resulting logind failure by making uid 0 immune to that
particular anti-DoS mechanism, but that workaround doesn't work for
other uids).
To avoid this without the complexity of tracking multiple countdowns
per connection (one for each message with fds), we can avoid reading
any additional messages while we already have a message with a fd
attached pending processing. To avoid stalling, we have to read the rest
of any partial message we might have, but we stop after that.
Assuming we are able to get rid of the pending fds within a reasonable
time, we'll eventually drain the incoming queue to a level of 0 bytes
and 0 fds, at which point the countdown stops.
To make this actually work, we need fd.o #95619 to be fixed first, so
that when we receive more fds and restart the countdown, it restarts
with its correct time remaining.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tested-by: Kai-Heng Feng
The code counting pending fds relied on restart of timeouts when they are
enabled. This patch adds function that ensures that such enabled timeouts
have their timekeeping data reset (and not only when timeout is
registered into event loop processing).
When timeouts weren't reset, they'd fire at rather random and mainly
incorrect moments leading to interruption of connections of dbus-daemon.
Every time we reset the interval, we also need to re-enable the timeout
and mark its end time to be recalculated by the event loop, so combine
the old set_enabled(TRUE) with set_interval() as a new restart() method.
This leaves all the set_enabled() calls having a FALSE parameter, so
remove the parameter and rename the method to disable().
[smcv: fix minor coding style issues]
[smcv: replace set_reenabled()/set_interval() pair with restart()]
[smcv: replace set_enabled(FALSE) with disable()]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95619
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
