mirror of
https://gitlab.freedesktop.org/dbus/dbus.git
synced 2026-01-19 06:50:27 +01:00
This addresses CVE-2014-3636. Based on a patch by Alban Crequy.

Now that it's the same on all platforms, there's little point in it being set by configure/cmake.

This change fixes two distinct denials of service:

fd.o#82820, part A
------------------

Before this patch, the system bus had the following default configuration:

- max_connections_per_user: 256
- DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176) as defined by configure.ac
- max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024

This means that a single user could create 256 connections and transmit 256*4096 = 1048576 file descriptors.

The file descriptors stay attached to the dbus-daemon process while they are in the message loader, in the outgoing queue or waiting to be dispatched before D-Bus activation.

dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the limit is reached and dbus-daemon needs to receive a message with a file descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC. Dbus-daemon cannot recover from that error because the kernel does not have any API to retrieve a file descriptor which has been discarded with MSG_CTRUNC. Therefore, it closes the connection of the sender. This is not necessarily the connection which generated the most file descriptors so it can lead to denial-of-service attacks.

In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to 16:

max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384

This is less than the usual "ulimit -n" (65536) with a good margin to accommodate the other sources of file descriptors (stdin/stdout/stderr, listening sockets, message loader, etc.).

Distributors on non-Linux may need to configure a smaller limit in system.conf, if their limit on the number of fds is smaller than Linux's.

fd.o#82820, part B
------------------

On Linux, it's not possible to send more than 253 fds in a single sendmsg() call: sendmsg() would return -EINVAL.

#define SCM_MAX_FD 253

SCM_MAX_FD changed value during Linux history:

- it used to be (OPEN_MAX-1)
- commit c09edd6eb (Jul 2007) changed it to 255
- commit bba14de98 (Nov 2010) changed it to 253

Libdbus always sends all of a message's fds, and the beginning of the message itself, in a single sendmsg() call. Combining these two, a malicious sender could split a message across two or more sendmsg() calls to construct a composite message with 254 or more fds. When dbus-daemon attempted to relay that message to its recipient in a single sendmsg() call, it would receive EINVAL, interpret that as a fatal socket error and disconnect the recipient, resulting in denial of service.

This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
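The two conditions the commit message describes can be checked mechanically: part A is a budget (connections per user times fds per connection must fit under the daemon's fd limit), and part B is a per-call cap (a relayed message may not carry more fds than one sendmsg() accepts). The program below is an added example written for this page, not dbus code: the `fd_limits` struct, the function names and the `headroom` reserve are assumptions chosen for illustration; the numbers in `main()` are the old and new defaults quoted above. Rather than trusting the quoted `SCM_MAX_FD`, it also probes the running kernel's real per-call cap over a private socketpair, which is the value a distributor would compare against `max_message_unix_fds` on a non-Linux platform.

```c
/* Added example (not dbus code): fd-budget checks for CVE-2014-3636.
 * Struct, function names and the headroom value are hypothetical.
 * Build: cc -Wall -o fdbudget fdbudget.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Linux's SCM_MAX_FD, 253 since the Nov 2010 commit quoted in the message. */
#define LINUX_SCM_MAX_FD 253

struct fd_limits {
    long max_connections_per_user;
    long max_message_unix_fds;
    long max_incoming_unix_fds;   /* dbus derives this as 4 * max_message_unix_fds */
};

/* Part A: worst-case number of fds one user can leave parked in the daemon. */
long worst_case_fds_per_user(const struct fd_limits *l)
{
    return l->max_connections_per_user * l->max_incoming_unix_fds;
}

/* Part A: that worst case must fit under RLIMIT_NOFILE while leaving
 * `headroom` fds for stdio, listening sockets, the message loader, etc. */
int fd_budget_fits(const struct fd_limits *l, long rlimit_nofile, long headroom)
{
    return worst_case_fds_per_user(l) + headroom <= rlimit_nofile;
}

/* Part B: a message relayed in one sendmsg() must not carry more fds than
 * the kernel accepts per call, or the relay fails with EINVAL. */
int relay_limit_ok(const struct fd_limits *l, long scm_max_fd)
{
    return l->max_message_unix_fds <= scm_max_fd;
}

/* One sendmsg() carrying `n` fds (copies of one end of a private socketpair)
 * in a single SCM_RIGHTS control message. Nothing is ever read back; the
 * call only reports whether the kernel accepts that many fds per call.
 * Returns 0 on success or -errno. */
int send_fds_once(int n)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    size_t space = CMSG_SPACE((size_t)n * sizeof(int));
    char *cbuf = calloc(1, space);
    if (cbuf == NULL) {
        close(sv[0]); close(sv[1]);
        return -ENOMEM;
    }
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = space;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN((size_t)n * sizeof(int));
    int *fds = (int *)CMSG_DATA(cm);
    for (int i = 0; i < n; i++)
        fds[i] = sv[1];          /* any open fd will do for the probe */
    int rc = sendmsg(sv[0], &msg, 0) < 0 ? -errno : 0;
    free(cbuf);
    close(sv[0]);
    close(sv[1]);                /* unread in-flight fds are released here */
    return rc;
}

/* Binary search for the largest fd count a single sendmsg() accepts,
 * between 1 and `hi`. Returns -1 if not even one fd can be passed. */
int probe_max_fds_per_sendmsg(int hi)
{
    if (send_fds_once(1) != 0)
        return -1;
    if (send_fds_once(hi) == 0)
        return hi;
    int lo = 1;                  /* invariant: lo succeeds, hi fails */
    while (hi - lo > 1) {
        int mid = lo + (hi - lo) / 2;
        if (send_fds_once(mid) == 0)
            lo = mid;
        else
            hi = mid;
    }
    return lo;
}

int main(void)
{
    struct rlimit rl;
    long nofile = getrlimit(RLIMIT_NOFILE, &rl) == 0 ? (long)rl.rlim_cur : 65536;
    long headroom = 1024;        /* assumed reserve for the daemon's own fds */
    struct fd_limits before = { 256, 1024, 4096 };  /* old defaults */
    struct fd_limits after  = { 256, 16, 64 };      /* DEFAULT_MESSAGE_UNIX_FDS = 16 */
    int cap = probe_max_fds_per_sendmsg(1024);
    long per_call = cap > 0 ? cap : LINUX_SCM_MAX_FD;
    printf("RLIMIT_NOFILE=%ld, kernel accepts %d fds per sendmsg()\n", nofile, cap);
    printf("before: %ld fds worst case, fits=%d, relay ok=%d\n", worst_case_fds_per_user(&before),
           fd_budget_fits(&before, nofile, headroom), relay_limit_ok(&before, per_call));
    printf("after:  %ld fds worst case, fits=%d, relay ok=%d\n", worst_case_fds_per_user(&after),
           fd_budget_fits(&after, nofile, headroom), relay_limit_ok(&after, per_call));
    return 0;
}
```

On a current Linux kernel the probe reports 253, so the old default of 1024 fails both checks and the new default of 16 passes both; on other platforms the probe, not the `LINUX_SCM_MAX_FD` constant, is the number to keep `max_message_unix_fds` below.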
Sections in this file describe:
- introduction and overview
- low-level vs. high-level API
- version numbers
- options to the configure script
- ABI stability policy
Introduction
===
D-Bus is a simple system for interprocess communication and coordination.
The "and coordination" part is important; D-Bus provides a bus daemon that does things like:
- notify applications when other apps exit
- start services on demand
- support single-instance applications
See http://www.freedesktop.org/software/dbus/ for lots of documentation,
mailing lists, etc.
See also the file HACKING for notes of interest to developers working on D-Bus.
If you're considering D-Bus for use in a project, you should be aware
that D-Bus was designed for a couple of specific use cases, a "system
bus" and a "desktop session bus." These are documented in more detail
in the D-Bus specification and FAQ available on the web site.
If your use-case isn't one of these, D-Bus may still be useful, but
only by accident; so you should evaluate carefully whether D-Bus makes
sense for your project.
Note: low-level API vs. high-level binding APIs
===
A core concept of the D-Bus implementation is that "libdbus" is
intended to be a low-level API. Most programmers are intended to use
the bindings to GLib, Qt, Python, Mono, Java, or whatever. These
bindings have varying levels of completeness and are maintained as
separate projects from the main D-Bus package. The main D-Bus package
contains the low-level libdbus, the bus daemon, and a few command-line
tools such as dbus-launch.
If you use the low-level API directly, you're signing up for some
pain. Think of the low-level API as analogous to Xlib or GDI, and the
high-level API as analogous to Qt/GTK+/HTML.
Version numbers
===
D-Bus uses the common "Linux kernel" versioning system, where
even-numbered minor versions are stable and odd-numbered minor
versions are development snapshots.
So for example, development snapshots: 1.1.1, 1.1.2, 1.1.3, 1.3.4
Stable versions: 1.0, 1.0.1, 1.0.2, 1.2.1, 1.2.3
All pre-1.0 versions were development snapshots.
Development snapshots make no ABI stability guarantees for new ABI
introduced since the last stable release. Development snapshots are
likely to have more bugs than stable releases, obviously.
Configuration
===
dbus can be built using either autotools or cmake.
When using autotools the configure step is initiated by running ./configure
with or without additional configuration flags. dbus requires GNU Make
(on BSD systems, this is typically called gmake) or a "make" implementation
with compatible extensions.
When using cmake the configure step is initiated by running the cmake
program with or without additional configuration flags.
Configuration flags
===
When using autotools, run "./configure --help" to see the possible
configuration options and environment variables.
When using cmake, inspect README.cmake to see the possible
configuration options and environment variables.
API/ABI Policy
===
Now that D-Bus has reached version 1.0, the objective is that all
applications dynamically linked to libdbus will continue working
indefinitely with the most recent system and session bus daemons.
- The protocol will never be broken again; any message bus should
work with any client forever. However, extensions are possible
where the protocol is extensible.
- If the library API is modified incompatibly, we will rename it
as in http://ometer.com/parallel.html - in other words,
it will always be possible to compile against and use the older
API, and apps will always get the API they expect.
Interfaces can and probably will be _added_. This means both new
functions and types in libdbus, and new methods exported to
applications by the bus daemon.
The above policy is intended to make D-Bus as API-stable as other
widely-used libraries (such as GTK+, Qt, Xlib, or your favorite
example). If you have questions or concerns they are very welcome on
the D-Bus mailing list.
NOTE ABOUT DEVELOPMENT SNAPSHOTS AND VERSIONING
Odd-numbered minor releases (1.1.x, 1.3.x, 2.1.x, etc. -
major.minor.micro) are devel snapshots for testing, and any new ABI
they introduce relative to the last stable version is subject to
change during the development cycle.
Any ABI found in a stable release, however, is frozen.
ABI will not be added in a stable series if we can help it; i.e. you can
expect the ABI of 1.2.0 and 1.2.5 to be the same, while the ABI of
1.4.x may add things not found in 1.2.x.
NOTE ABOUT STATIC LINKING
We are not yet firmly freezing all runtime dependencies of the libdbus
library. For example, the library may read certain files as part of
its implementation, and these files may move around between versions.
As a result, we don't yet recommend statically linking to
libdbus. Also, reimplementations of the protocol from scratch might
have to work to stay in sync with how libdbus behaves.
To lock things down and declare static linking and reimplementation to
be safe, we'd like to see all the internal dependencies of libdbus
(for example, files read) well-documented in the specification, and
we'd like to have a high degree of confidence that these dependencies
are supportable over the long term and extensible where required.
NOTE ABOUT HIGH-LEVEL BINDINGS
Note that the high-level bindings are _separate projects_ from the
main D-Bus package, and have their own release cycles, levels of
maturity, and ABI stability policies. Please consult the documentation
for your binding.
Bootstrapping D-Bus on new platforms
===
A full build of D-Bus, with all regression tests enabled and run, has some
dependencies which themselves depend on D-Bus, either for compilation or
for some of *their* regression tests: GLib, dbus-glib and dbus-python are
currently affected.
To avoid circular dependencies, when bootstrapping D-Bus for the first time
on a new OS or CPU architecture, you can either cross-compile some of
those components, or choose the build order and options carefully:
* build and install D-Bus without tests
- do not use the --enable-modular-tests=yes configure option
- do not use the --enable-tests=yes configure option
* build and install GLib, again without tests
* use those versions of libdbus and GLib to build and install dbus-glib
* ... and use those to install dbus-python
* rebuild libdbus; this time you can run all of the tests
* rebuild GLib; this time you can run all of the tests