mirror of
https://gitlab.freedesktop.org/dbus/dbus.git
Hash buckets are simply entries in an array owned by the hash table, so every time the hash table's array of buckets is reallocated, we must invalidate all pointers to buckets and recalculate them to point into the new array of buckets. This was not always done. Luckily, we appear to have avoided causing any actual memory corruption like this.

The only place where we reallocate the array of buckets is in rebuild_table(), which is only called by add_allocated_entry(), which is only called by add_entry(), which is only called by find_generic_function() when create_if_not_found is true. find_generic_function(), in turn, is only called by the table->find_function() implementations.

The table->find_function() implementations have an optional "out" parameter which returns a pointer to the hash bucket in which the returned entry would be found. It is set in find_generic_function() for existing entries, or in add_allocated_entry() if a new entry is created; after that it is returned through callers unchanged until the caller of table->find_function() is reached.

The only callers that make use of the "out" parameter in practice are _dbus_hash_iter_lookup(), to populate a DBusHashIter, and the _dbus_hash_table_remove_TYPE() family, to pass it to remove_entry(). We can ignore the _dbus_hash_table_remove_TYPE() family for two reasons: they call the find function with create_if_not_found set to FALSE, which never reallocates the hash table, and they do not store the pointer to the bucket in the long term.

So we only need to consider _dbus_hash_iter_lookup(). It is documented to be unsafe to add hash entries while a DBusHashIter is open, and only adding a hash entry can trigger rebuild_table(); so we can assume that if _dbus_hash_iter_lookup() returns a valid bucket, it remains valid forever. The remaining case that must be considered is whether reallocation can occur after setting the "out" parameter for the bucket, but before returning it to _dbus_hash_iter_lookup().

We can see that it can: we call rebuild_table() after recalculating the correct bucket. If we do, and it actually causes a rebuild, then we must recalculate the bucket accordingly.

Looking at the worst-case impact of this bug, if it is going to cause any problem, it would only be when _dbus_hash_iter_lookup() is called with create_if_not_found set true. This makes three uses of the bucket: it stores it in the DBusHashTableIter, it calculates the next bucket by finding the offset of the bucket in table->buckets and advancing by one pointer, and it makes an assertion that should be tautologous, enforcing that the next bucket corresponds to what it should.

When running under the AddressSanitizer, which makes allocations in widely spaced regions of memory, on a 32-bit platform, we could (and indeed do) find that the tautologous assertion fails. The current bucket returned from the "out" parameter is a pointer into the old value of table->buckets. If it's far enough before or after the new table->buckets in the address space, then the offset in next_bucket could overflow a 32-bit integer, resulting in the assertion no longer being true.

The next commit will add extra assertions, which reproduce the bug even without AddressSanitizer.

In production code without assertions, the impact is that the ->bucket and ->next_bucket members of the DBusHashIter can be invalid. They are used in _dbus_hash_iter_next() and _dbus_hash_iter_remove_entry(). However, the only callers of _dbus_hash_iter_lookup() outside test code are in bus/containers.c, and neither calls either of those functions, so we dodge that bullet.

Signed-off-by: Simon McVittie <smcv@collabora.com>
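Added illustration, not libdbus's own code: a minimal chained hash table with the same hazard the commit describes, where the "out" bucket pointer must be recalculated after rebuild_table() reallocates the bucket array. The names find_entry, bucket_index and demo are assumptions made for this example.

```c
#include <stdlib.h>
/* Minimal chained hash table shaped like the one the commit describes: buckets are
 * entries in an array owned by the table. Illustrative names, not libdbus code. */
typedef struct Entry { struct Entry *next; int key; } Entry;
typedef struct { Entry **buckets; int n_buckets; int n_entries; } Table;
static unsigned bucket_index(const Table *t, int key) { return ((unsigned) key * 2654435761u) % (unsigned) t->n_buckets; }
/* Double the bucket array and re-chain every entry; all old bucket pointers dangle after this. */
static int rebuild_table(Table *t) {
  int old_n = t->n_buckets;
  Entry **old = t->buckets, **fresh = calloc((size_t) old_n * 2, sizeof *fresh);
  if (!fresh) return 0;
  t->buckets = fresh; t->n_buckets = old_n * 2;
  for (int i = 0; i < old_n; i++)
    for (Entry *e = old[i], *next; e; e = next) {
      unsigned b = bucket_index(t, e->key);
      next = e->next; e->next = fresh[b]; fresh[b] = e;
    }
  free(old); return 1;
}
/* Look up key, adding it when create_if_not_found is set. *bucket_out is the
 * commit's "out" parameter and must point into the CURRENT bucket array. */
static Entry *find_entry(Table *t, int key, int create_if_not_found, Entry ***bucket_out) {
  Entry **bucket = &t->buckets[bucket_index(t, key)];
  for (Entry *e = *bucket; e; e = e->next)
    if (e->key == key) { if (bucket_out) *bucket_out = bucket; return e; }
  if (!create_if_not_found) return NULL;
  if (t->n_entries + 1 > t->n_buckets * 3) {      /* load factor exceeded: grow */
    if (!rebuild_table(t)) return NULL;
    /* The fix: without this line, bucket (hence *bucket_out) would still point into the freed array. */
    bucket = &t->buckets[bucket_index(t, key)];
  }
  Entry *e = calloc(1, sizeof *e); if (!e) return NULL;
  e->key = key; e->next = *bucket; *bucket = e; t->n_entries++;
  if (bucket_out) *bucket_out = bucket;
  return e;
}
/* Insert n keys into a 2-bucket table (forcing several rebuilds) and check after each
 * insert that the reported bucket holds the new entry. Returns the final bucket count, or -1. */
static int demo(int n) {
  Table t = { calloc(2, sizeof *t.buckets), 2, 0 };
  int ok = t.buckets != NULL;
  for (int k = 0; ok && k < n; k++) {
    Entry **bucket = NULL, *e = find_entry(&t, k, 1, &bucket);
    ok = e && bucket == &t.buckets[bucket_index(&t, k)] && *bucket == e;
  }
  for (int i = 0; t.buckets && i < t.n_buckets; i++)
    for (Entry *e = t.buckets[i], *next; e; e = next) { next = e->next; free(e); }
  free(t.buckets); return ok ? t.n_buckets : -1;
}
```

Running demo() under AddressSanitizer with the recalculation line removed reports the use of the freed bucket array, which is the class of error the commit's assertions were added to catch.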
Sections in this file describe:
- introduction and overview
- low-level vs. high-level API
- version numbers
- options to the configure script
- ABI stability policy
Introduction
===
D-Bus is a simple system for interprocess communication and coordination.
The "and coordination" part is important; D-Bus provides a bus daemon that does things like:
- notify applications when other apps exit
- start services on demand
- support single-instance applications
See http://www.freedesktop.org/software/dbus/ for lots of documentation,
mailing lists, etc.
See also the file CONTRIBUTING.md for notes of interest to developers
working on D-Bus.
If you're considering D-Bus for use in a project, you should be aware
that D-Bus was designed for a couple of specific use cases, a "system
bus" and a "desktop session bus." These are documented in more detail
in the D-Bus specification and FAQ available on the web site.
If your use-case isn't one of these, D-Bus may still be useful, but
only by accident; so you should evaluate carefully whether D-Bus makes
sense for your project.
Security
===
If you find a security vulnerability that is not known to the public,
please report it privately to dbus-security@lists.freedesktop.org
or by reporting a Gitlab issue at
https://gitlab.freedesktop.org/dbus/dbus/issues/new and marking it
as "confidential".
On Unix systems, the system bus (dbus-daemon --system) is designed
to be a security boundary between users with different privileges.
On Unix systems, the session bus (dbus-daemon --session) is designed
to be used by a single user, and only accessible by that user.
We do not currently consider D-Bus on Windows to be security-supported,
and we do not recommend allowing untrusted users to access Windows
D-Bus via TCP.
Note: low-level API vs. high-level binding APIs
===
A core concept of the D-Bus implementation is that "libdbus" is
intended to be a low-level API. Most programmers are intended to use
the bindings to GLib, Qt, Python, Mono, Java, or whatever. These
bindings have varying levels of completeness and are maintained as
separate projects from the main D-Bus package. The main D-Bus package
contains the low-level libdbus, the bus daemon, and a few command-line
tools such as dbus-launch.
If you use the low-level API directly, you're signing up for some
pain. Think of the low-level API as analogous to Xlib or GDI, and the
high-level API as analogous to Qt/GTK+/HTML.
Version numbers
===
D-Bus uses the common "Linux kernel" versioning system, where
even-numbered minor versions are stable and odd-numbered minor
versions are development snapshots.
So for example, development snapshots: 1.1.1, 1.1.2, 1.1.3, 1.3.4
Stable versions: 1.0, 1.0.1, 1.0.2, 1.2.1, 1.2.3
All pre-1.0 versions were development snapshots.
Development snapshots make no ABI stability guarantees for new ABI
introduced since the last stable release. Development snapshots are
likely to have more bugs than stable releases, obviously.
Configuration
===
dbus can be built using either autotools or cmake.
When using autotools the configure step is initiated by running ./configure
with or without additional configuration flags. dbus requires GNU Make
(on BSD systems, this is typically called gmake) or a "make" implementation
with compatible extensions.
When using cmake the configure step is initiated by running the cmake
program with or without additional configuration flags.
Configuration flags
===
When using autotools, run "./configure --help" to see the possible
configuration options and environment variables.
When using cmake, inspect README.cmake to see the possible
configuration options and environment variables.
API/ABI Policy
===
Now that D-Bus has reached version 1.0, the objective is that all
applications dynamically linked to libdbus will continue working
indefinitely with the most recent system and session bus daemons.
- The protocol will never be broken again; any message bus should
work with any client forever. However, extensions are possible
where the protocol is extensible.
- If the library API is modified incompatibly, we will rename it
as in http://ometer.com/parallel.html - in other words,
it will always be possible to compile against and use the older
API, and apps will always get the API they expect.
Interfaces can and probably will be _added_. This means both new
functions and types in libdbus, and new methods exported to
applications by the bus daemon.
The above policy is intended to make D-Bus as API-stable as other
widely-used libraries (such as GTK+, Qt, Xlib, or your favorite
example). If you have questions or concerns they are very welcome on
the D-Bus mailing list.
NOTE ABOUT DEVELOPMENT SNAPSHOTS AND VERSIONING
Odd-numbered minor releases (1.1.x, 1.3.x, 2.1.x, etc. -
major.minor.micro) are devel snapshots for testing, and any new ABI
they introduce relative to the last stable version is subject to
change during the development cycle.
Any ABI found in a stable release, however, is frozen.
ABI will not be added in a stable series if we can help it; i.e. you can
expect the ABI of 1.2.0 and 1.2.5 to be the same, while the ABI of
1.4.x may add more stuff not found in 1.2.x.
NOTE ABOUT STATIC LINKING
We are not yet firmly freezing all runtime dependencies of the libdbus
library. For example, the library may read certain files as part of
its implementation, and these files may move around between versions.
As a result, we don't yet recommend statically linking to
libdbus. Also, reimplementations of the protocol from scratch might
have to work to stay in sync with how libdbus behaves.
To lock things down and declare static linking and reimplementation to
be safe, we'd like to see all the internal dependencies of libdbus
(for example, files read) well-documented in the specification, and
we'd like to have a high degree of confidence that these dependencies
are supportable over the long term and extensible where required.
NOTE ABOUT HIGH-LEVEL BINDINGS
Note that the high-level bindings are _separate projects_ from the
main D-Bus package, and have their own release cycles, levels of
maturity, and ABI stability policies. Please consult the documentation
for your binding.
Bootstrapping D-Bus on new platforms
===
A full build of D-Bus, with all regression tests enabled and run, has some
dependencies which themselves depend on D-Bus, either for compilation or
for some of *their* regression tests: GLib, dbus-glib and dbus-python are
currently affected.
To avoid circular dependencies, when bootstrapping D-Bus for the first time
on a new OS or CPU architecture, you can either cross-compile some of
those components, or choose the build order and options carefully:
* build and install D-Bus without tests
- do not use the --enable-modular-tests=yes configure option
- do not use the --enable-tests=yes configure option
* build and install GLib, again without tests
* use those versions of libdbus and GLib to build and install dbus-glib
* ... and use those to install dbus-python
* rebuild libdbus; this time you can run all of the tests
* rebuild GLib; this time you can run all of the tests