Red Hat Bugzilla – Attachment 936437 Details for Bug 1140525
CVE-2014-3636 dbus: denial of service by queuing or splitting file descriptors
[patch] initial patch from upstream
0002-config-reduce-DEFAULT_MESSAGE_UNIX_FDS-to-16.patch (text/plain), 3.56 KB, created by Murray McAllister on 2014-09-11 08:34:32 UTC
>From c030bec2eba61b80179e0fc50ebb10b1ffd91454 Mon Sep 17 00:00:00 2001 
>From: Alban Crequy <alban.crequy@collabora.co.uk>
>Date: Tue, 19 Aug 2014 15:31:10 +0100
>Subject: [PATCH 02/11] config: reduce DEFAULT_MESSAGE_UNIX_FDS to 16
>
>This change fixes two distinct denials of service:
>
>fd.o#82820, part A
>------------------
>
>Before this patch, the system bus had the following default configuration:
>- max_connections_per_user: 256
>- DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176)
>  as defined by configure.ac
>- max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
>- max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
>- max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024
>
>This means that a single user could create 256 connections and transmit
>256*4096 = 1048576 file descriptors.
>
>The file descriptors stay attached to the dbus-daemon process while they are
>in the message loader, in the outgoing queue or waiting to be dispatched before
>D-Bus activation.
>
>dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the
>limit is reached and dbus-daemon needs to receive a message with a file
>descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC.
>Dbus-daemon cannot recover from that error because the kernel does not have any
>API to retrieve a file descriptor which has been discarded with MSG_CTRUNC.
>Therefore, it closes the connection of the sender. This is not necessarily the
>connection which generated the most file descriptors so it can lead to
>denial-of-service attacks.
>
>In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to
>16:
>
>max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384
>
>This is less than the usual "ulimit -n" (65536) with a good margin to
>accommodate the other sources of file descriptors (stdin/stdout/stderr,
>listening sockets, message loader, etc.)
> >fd.o#82820, part B >------------------ > >On Linux, it's not possible to send more than 253 fds in a single sendmsg() >call: sendmsg() would return -EINVAL. > #define SCM_MAX_FD 253 > >SCM_MAX_FD changed value during Linux history: >- it used to be (OPEN_MAX-1) >- commit c09edd6eb (Jul 2007) changed it to 255 >- commit bba14de98 (Nov 2010) changed it to 253 > >Libdbus always sends all of a message's fds, and the beginning >of the message itself, in a single sendmsg() call. Combining these >two, a malicious sender could split a message across two or more >sendmsg() calls to construct a composite message with 254 or more >fds. When dbus-daemon attempted to relay that message to its >recipient in a single sendmsg() call, it would receive EINVAL, >interpret that as a fatal socket error and disconnect the recipient, >resulting in denial of service. > >This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD. > >https://bugs.freedesktop.org/show_bug.cgi?id=82820 >--- > configure.ac | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > >diff --git a/configure.ac b/configure.ac >index cbaf874..1aaa1cb 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -1238,12 +1238,8 @@ if test x$with_valgrind != xno; then > AC_DEFINE([WITH_VALGRIND], [1], [Define to add Valgrind instrumentation]) > fi > >-# Determine maximum number of Unix fds which may be passed >-AS_CASE([$host_os], >- [*qnx*], >- [DEFAULT_MESSAGE_UNIX_FDS=256], >- [*], >- [DEFAULT_MESSAGE_UNIX_FDS=1024]) >+# Keep the default low to avoid DoS issues, see fd.o #82820 >+DEFAULT_MESSAGE_UNIX_FDS=16 > AC_DEFINE_UNQUOTED([DBUS_DEFAULT_MESSAGE_UNIX_FDS], > [$DEFAULT_MESSAGE_UNIX_FDS], > [Default for dbus_connection_get_max_message_unix_fds()]) >-- >2.1.0 >
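Review bot: the `+DEFAULT_MESSAGE_UNIX_FDS=16` line in configure.ac only lowers the compiled-in default, so the part B guarantee (max_message_unix_fds <= SCM_MAX_FD, 253) is not enforced anywhere in this hunk. The AC_DEFINE_UNQUOTED description still reads "Default for dbus_connection_get_max_message_unix_fds()", and any configuration or caller that raises the limit above 253 brings back the EINVAL disconnect the commit message describes. Consider clamping or rejecting values above 253 at the point where the limit is applied. The replacement comment also drops the reasoning behind 16: the bound depends on max_connections_per_user (256) and the *4 multiplier (256 * 64 = 16384 against the usual "ulimit -n" of 65536), so writing that arithmetic next to the assignment would tell anyone who later raises either value what has to stay true. The commit message counts only incoming fds; if the outgoing queues can be full at the same time, the per-user worst case with max_outgoing_unix_fds also at 64 is 32768, still below 65536 but with a smaller margin than stated.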
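The MSG_CTRUNC loss that part A of the commit message describes, as an added example that is not part of the patch or of dbus. It assumes Linux, and it uses an undersized control buffer as a stand-in for an exhausted fd table, since both make the kernel drop descriptors it cannot deliver; `SENT_FDS`, `ROOM_FDS` and `demo_ctrunc` are names made up here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SENT_FDS 4 /* constructed: descriptors attached by the sender */
#define ROOM_FDS 2 /* constructed: descriptors the receiver has room for */

/* Passes SENT_FDS descriptors over a socketpair into a control buffer sized for
 * ROOM_FDS. Returns how many arrived, sets *truncated on MSG_CTRUNC, -1 on error. */
int demo_ctrunc(int *truncated)
{
    int sv[2], fds[SENT_FDS], got = 0, i;
    char out = 'x', in;
    union { char buf[CMSG_SPACE(sizeof(int) * SENT_FDS)]; struct cmsghdr a; } sc;
    union { char buf[CMSG_SPACE(sizeof(int) * ROOM_FDS)]; struct cmsghdr a; } rc;
    struct iovec siov = { &out, 1 }, riov = { &in, 1 };
    struct msghdr sm, rm;
    struct cmsghdr *c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    for (i = 0; i < SENT_FDS; i++) fds[i] = dup(sv[0]);
    memset(&sm, 0, sizeof sm); memset(&sc, 0, sizeof sc);
    sm.msg_iov = &siov; sm.msg_iovlen = 1;
    sm.msg_control = sc.buf; sm.msg_controllen = sizeof sc.buf;
    c = CMSG_FIRSTHDR(&sm);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fds);
    memcpy(CMSG_DATA(c), fds, sizeof fds);
    if (sendmsg(sv[0], &sm, 0) < 0) return -1;
    for (i = 0; i < SENT_FDS; i++) close(fds[i]); /* in-flight copies stay open */
    memset(&rm, 0, sizeof rm);
    rm.msg_iov = &riov; rm.msg_iovlen = 1;
    rm.msg_control = rc.buf; rm.msg_controllen = sizeof rc.buf;
    if (recvmsg(sv[1], &rm, 0) < 0) return -1;
    *truncated = (rm.msg_flags & MSG_CTRUNC) != 0; /* dropped fds cannot be re-read */
    for (c = CMSG_FIRSTHDR(&rm); c; c = CMSG_NXTHDR(&rm, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        got = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        memcpy(fds, CMSG_DATA(c), got * sizeof(int));
        for (i = 0; i < got; i++) close(fds[i]);
    }
    close(sv[0]); close(sv[1]);
    return got;
}

int main(void)
{
    int truncated = 0, got = demo_ctrunc(&truncated);
    printf("received %d of %d fds, MSG_CTRUNC=%d\n", got, SENT_FDS, truncated);
    return got < 0;
}
```

A receiver that sees the flag has no way to learn which descriptors were lost, which is why the daemon in the commit message can only close the sender's connection.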