Date: Sat, 11 Dec 2010 20:16:59 +0200
From: "Rémi Denis-Courmont" <remi@...lab.net>
To: dbus@...ts.freedesktop.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Clarifications on the D-Bus specification

Replying to self...

On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago@....org> wrote:
> > The other thing is protection against an attack vector -- an exploit
> > by recursion. If the protection is by applying one of the limits,
> > then let's use it.
> 
> The specification does not specify any limits on variant recursion, that I
> can find. So it's not a matter of applying a limit that was not applied
> this far. It's a first matter of adding a new limit to the protocol - if it
> is needed anyhow.

So in fact, the bus daemon does crash with a few tens of thousands of nested 
variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):
http://www.remlab.net/op/dbus-variant-recursion.shtml

I already filed the issue as FreeDesktop bug #32321.

The issue might also affect other non-libdbus-based implementations but I have 
not tested any of those. It might also affect programs that parse 'any' message 
recursively such as dbus-send, but again I have not tested that.


I should note that I could not convince libdbus to write a deep enough 
message. At about two hundred nested containers, libdbus made the glibc heap 
checks abort - probably a separate bug. If run under valgrind then libdbus 
'cleanly' failed to write a message with about 400 nested containers.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
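
The nesting problem discussed in this message, as an added example that is not part of the original post and is not libdbus code: a validator that counts variant nesting with a loop and a counter instead of recursing, and rejects input past a fixed limit. `MAX_VARIANT_DEPTH`, the function names, and the restriction to variants holding either another variant (`v`) or one byte (`y`) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VARIANT_DEPTH 64 /* assumed policy limit, not taken from the post */

enum vcheck { VC_OK = 0, VC_TOO_DEEP = -1, VC_TRUNCATED = -2, VC_UNSUPPORTED = -3 };

/* Walk a marshalled variant whose value is another variant ('v') or a byte ('y').
 * A loop plus a counter replaces one C stack frame per nesting level, so the
 * depth of the input cannot exhaust the stack. Both types have alignment 1. */
enum vcheck check_variant_depth(const uint8_t *buf, size_t len, size_t *depth_out)
{
    size_t pos = 0, depth = 0;
    for (;;) {
        /* variant header: signature length (1), type code, NUL terminator */
        if (len - pos < 3) return VC_TRUNCATED;
        if (buf[pos] != 1 || buf[pos + 2] != 0) return VC_UNSUPPORTED;
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (++depth > MAX_VARIANT_DEPTH) return VC_TOO_DEEP; /* reject, do not descend */
        if (type == 'v') continue;
        if (type != 'y') return VC_UNSUPPORTED;
        if (len - pos < 1) return VC_TRUNCATED;
        if (depth_out) *depth_out = depth;
        return VC_OK;
    }
}

/* Constructed sample input: n nested variants wrapping one byte. */
size_t build_nested(uint8_t *out, size_t cap, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; i < n && cap - pos >= 3; i++) {
        out[pos++] = 1; out[pos++] = (i + 1 < n) ? 'v' : 'y'; out[pos++] = 0;
    }
    if (pos < cap) out[pos++] = 0x2a;
    return pos;
}

int main(void)
{
    uint8_t buf[4096];
    size_t depth = 0, n = build_nested(buf, sizeof buf, 3);
    printf("3 levels: %d (depth %zu)\n", check_variant_depth(buf, n, &depth), depth);
    n = build_nested(buf, sizeof buf, 1000);
    printf("1000 levels: %d\n", check_variant_depth(buf, n, &depth));
    return 0;
}
```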
