oss-sec mailing list archives
Re: Clarifications on the D-Bus specification
From: "Rémi Denis-Courmont" <remi () remlab net>
Date: Sat, 11 Dec 2010 20:16:59 +0200
Replying to self...

On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago () kde org> wrote:
>> The other thing is protection against an attack vector -- an exploit by recursion. If the protection is by applying one of the limits, then let's use it.
>
> The specification does not specify any limits on variant recursion, that I can find. So it's not a matter of applying a limit that was not applied this far. It's a first matter of adding a new limit to the protocol - if it is needed anyhow.

So in fact, the bus daemon does crash with a few tens of thousands of nested variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):
http://www.remlab.net/op/dbus-variant-recursion.shtml

I already filed the issue as FreeDesktop bug #32321.

The issue might also affect other non-libdbus-based implementations, but I have not tested any of those. It might also affect programs that parse 'any' message recursively, such as dbus-send, but again I have not tested that.

I should note that I could not convince libdbus to write a deep enough message. At about two hundred nested containers, libdbus made the glibc heap checks abort - probably a separate bug. If run under valgrind, then libdbus 'cleanly' failed to write a message with about 400 nested containers.

--
Rémi Denis-Courmont
http://www.remlab.net/
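
The message above reports that the specification sets no limit on variant recursion and that a recursive parser crashes on deeply nested variants. The following is an added example, not part of the original message and not libdbus code: a loop-based depth check over a chain of marshalled variants that rejects input past a cap. The function name, the cap of 64 and the sample bytes are assumptions, and only variants that directly contain another variant are walked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for this example; the message notes the specification gives none. */
#define MAX_VARIANT_DEPTH 64

enum vchk { VCHK_OK = 0, VCHK_TOO_DEEP = -1, VCHK_MALFORMED = -2 };

/* Constructed sample: variant -> variant -> variant holding the byte 0x2A. */
static const uint8_t SAMPLE[] = { 1, 'v', 0, 1, 'v', 0, 1, 'y', 0, 0x2A };

/*
 * Walk a chain of marshalled variants with a loop instead of recursion, so
 * stack use stays constant however deeply the sender nests. Each variant
 * starts with a signature: length byte, type codes, NUL terminator.
 * On VCHK_OK, *depth is the number of variants seen, innermost included.
 * The innermost payload itself is not validated here.
 */
static enum vchk check_variant_chain(const uint8_t *buf, size_t len,
                                     size_t max_depth, size_t *depth)
{
    size_t pos = 0;
    *depth = 0;
    for (;;) {
        if (len - pos < 2)
            return VCHK_MALFORMED;          /* no room for a signature */
        size_t siglen = buf[pos];
        if (siglen == 0 || len - pos - 1 < siglen + 1 ||
            buf[pos + 1 + siglen] != 0)
            return VCHK_MALFORMED;          /* empty, truncated or unterminated */
        if (++*depth > max_depth)
            return VCHK_TOO_DEEP;           /* refuse before descending further */
        if (siglen != 1 || buf[pos + 1] != 'v')
            return VCHK_OK;                 /* payload is not another variant */
        pos += 3;                           /* skip 0x01 'v' 0x00; alignment is 1 */
    }
}

int main(void)
{
    size_t d;
    enum vchk r = check_variant_chain(SAMPLE, sizeof SAMPLE, MAX_VARIANT_DEPTH, &d);
    printf("cap %d: result %d, depth %zu\n", MAX_VARIANT_DEPTH, (int)r, d);
    r = check_variant_chain(SAMPLE, sizeof SAMPLE, 2, &d);
    printf("cap 2: result %d\n", (int)r);
    return 0;
}
```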