登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 33

Aixxxx/dbus

forked from src-openEuler/dbus 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-CVE-2022-42011.patch 2.47 KB
一键复制 编辑 原始数据 按行查看 历史
hongjinghao 提交于 2022-10-14 11:27 . fix CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455
From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001

From: Simon McVittie <smcv@collabora.com>

Date: Mon, 12 Sep 2022 13:14:18 +0100

Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of

 fixed-length items



This fast-path previously did not check that the array was made up

of an integer number of items. This could lead to assertion failures

and out-of-bounds accesses during subsequent message processing (which

assumes that the message has already been validated), particularly after

the addition of _dbus_header_remove_unknown_fields(), which makes it

more likely that dbus-daemon will apply non-trivial edits to messages.



Thanks: Evgeny Vereshchagin

Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"

Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413

Resolves: CVE-2022-42011

Signed-off-by: Simon McVittie <smcv@collabora.com>

---

 dbus/dbus-marshal-validate.c | 13 ++++++++++++-

 1 file changed, 12 insertions(+), 1 deletion(-)



diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c

index ae68414d..7d0d6cf7 100644

--- a/dbus/dbus-marshal-validate.c

+++ b/dbus/dbus-marshal-validate.c

@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,

                  */ 

                 if (dbus_type_is_fixed (array_elem_type))

                   {

+                    /* Note that fixed-size types all have sizes equal to

+                     * their alignments, so this is really the item size. */

+                    alignment = _dbus_type_get_alignment (array_elem_type);

+                    _dbus_assert (alignment == 1 || alignment == 2 ||

+                                  alignment == 4 || alignment == 8);

+

+                    /* Because the alignment is a power of 2, this is

+                     * equivalent to: (claimed_len % alignment) != 0,

+                     * but avoids slower integer division */

+                    if ((claimed_len & (alignment - 1)) != 0)

+                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;

+

                     /* bools need to be handled differently, because they can

                      * have an invalid value

                      */

                     if (array_elem_type == DBUS_TYPE_BOOLEAN)

                       {

                         dbus_uint32_t v;

-                        alignment = _dbus_type_get_alignment (array_elem_type);

 

                         while (p < array_end)

                           {

-- 

2.33.0
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/aixxxx/dbus.git
git@gitee.com:aixxxx/dbus.git
aixxxx
dbus
dbus
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部