1. 12 Jun, 2015 1 commit
  2. 06 Feb, 2015 1 commit
  3. 04 Feb, 2015 1 commit
  4. 02 Jan, 2015 1 commit
  5. 24 Nov, 2014 1 commit
  6. 06 Nov, 2014 1 commit
  7. 16 Sep, 2014 1 commit
  8. 15 Sep, 2014 4 commits
      Imported Upstream version 1.8.8 · 403920f7
      Simon McVittie authored
      403920f7
      Prepare 1.8.8 (embargoed until tomorrow) · 28cba657
      Simon McVittie authored
      28cba657
      config: change DEFAULT_MESSAGE_UNIX_FDS to 16 · 6465e37c
      Simon McVittie authored
      This addresses CVE-2014-3636.
      
      Based on a patch by Alban Crequy. Now that it's the same on all
      platforms, there's little point in it being set by configure/cmake.
      
      This change fixes two distinct denials of service:
      
      fd.o#82820, part A
      ------------------
      
      Before this patch, the system bus had the following default configuration:
      - max_connections_per_user: 256
      - DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176)
        as defined by configure.ac
      - max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
      - max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
      - max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024
      
      This means that a single user could create 256 connections and transmit
      256*4096 = 1048576 file descriptors.
      
      The file descriptors stay attached to the dbus-daemon process while they are
      in the message loader, in the outgoing queue or waiting to be dispatched before
      D-Bus activation.
      
      dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the
      limit is reached and dbus-daemon needs to receive a message with a file
      descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC.
      Dbus-daemon cannot recover from that error because the kernel does not have any
      API to retrieve a file descriptor which has been discarded with MSG_CTRUNC.
      Therefore, it closes the connection of the sender. This is not necessarily the
      connection which generated the most file descriptors so it can lead to
      denial-of-service attacks.
      
      In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to
      16:
      
      max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384
      
      This is less than the usual "ulimit -n" (65536) with a good margin to
      accommodate the other sources of file descriptors (stdin/stdout/stderr,
      listening sockets, message loader, etc.).
      
      Distributors on non-Linux may need to configure a smaller limit in
      system.conf, if their limit on the number of fds is smaller than
      Linux's.
      
      fd.o#82820, part B
      ------------------
      
      On Linux, it's not possible to send more than 253 fds in a single sendmsg()
      call: sendmsg() would return -EINVAL.
        #define SCM_MAX_FD      253
      
      SCM_MAX_FD changed value during Linux history:
      - it used to be (OPEN_MAX-1)
      - commit c09edd6eb (Jul 2007) changed it to 255
      - commit bba14de98 (Nov 2010) changed it to 253
      
      Libdbus always sends all of a message's fds, and the beginning
      of the message itself, in a single sendmsg() call. Combining these
      two, a malicious sender could split a message across two or more
      sendmsg() calls to construct a composite message with 254 or more
      fds. When dbus-daemon attempted to relay that message to its
      recipient in a single sendmsg() call, it would receive EINVAL,
      interpret that as a fatal socket error and disconnect the recipient,
      resulting in denial of service.
      
      This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820
      Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
      6465e37c
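
An added example, not part of the commit or of the dbus project's code: a small audit that applies the two conditions from the commit message above (part A: `max_connections_per_user * max_incoming_unix_fds` must fit under the fd limit; part B: `max_message_unix_fds <= SCM_MAX_FD`) to a bus configuration. The function names, the `reserve` head-room value and the sample override are assumptions made for illustration.

```python
import resource
import xml.etree.ElementTree as ET

SCM_MAX_FD = 253  # Linux cap on fds per sendmsg(), as quoted in the commit message

# Defaults from the commit message: before the change, and after it
# (DEFAULT_MESSAGE_UNIX_FDS = 16, incoming limit = 4 * 16).
OLD_DEFAULTS = {"max_connections_per_user": 256,
                "max_incoming_unix_fds": 4096, "max_message_unix_fds": 1024}
NEW_DEFAULTS = {"max_connections_per_user": 256,
                "max_incoming_unix_fds": 64, "max_message_unix_fds": 16}

# Constructed sample override, not taken from any real system.conf.
SAMPLE_CONF = """<busconfig>
  <limit name="max_incoming_unix_fds">512</limit>
  <limit name="max_message_unix_fds">300</limit>
</busconfig>"""

def effective_limits(conf_xml, defaults):
    """Overlay <limit name="..."> elements from a bus config onto the defaults."""
    limits = dict(defaults)
    for el in ET.fromstring(conf_xml).iter("limit"):
        if el.get("name") in limits:
            limits[el.get("name")] = int(el.text.strip())
    return limits

def audit(limits, nofile, reserve=1024):
    """Return findings; reserve is an assumed head-room for the daemon's own fds."""
    findings = []
    worst = limits["max_connections_per_user"] * limits["max_incoming_unix_fds"]
    # An unlimited fd limit (RLIM_INFINITY) cannot be exceeded, so skip part A then.
    if nofile != resource.RLIM_INFINITY and worst > nofile - reserve:
        findings.append(f"part A: one user can hold {worst} fds in the daemon, "
                        f"which exceeds the fd limit {nofile} minus reserve {reserve}")
    if limits["max_message_unix_fds"] > SCM_MAX_FD:
        findings.append(f"part B: max_message_unix_fds "
                        f"{limits['max_message_unix_fds']} > SCM_MAX_FD {SCM_MAX_FD}")
    return findings

if __name__ == "__main__":
    nofile = resource.getrlimit(resource.RLIMIT_NOFILE)[0]  # soft limit of this process
    for label, lim in (("old defaults", OLD_DEFAULTS), ("new defaults", NEW_DEFAULTS),
                       ("sample override", effective_limits(SAMPLE_CONF, NEW_DEFAULTS))):
        print(label, audit(lim, nofile) or "ok")
```

Run it as the user that dbus-daemon runs as, or pass that process's fd limit explicitly, since the limit of an interactive shell can differ from the daemon's.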
      On Linux, call prctl to disable core dumps · ae50d46f
      Simon McVittie authored
      Whenever I forget to turn off corekeeper, the regression tests
      take ages to record all test-segfault's crashes.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83772
      Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
      ae50d46f
  9. 12 Sep, 2014 1 commit
  10. 02 Jul, 2014 1 commit
  11. 30 Jun, 2014 2 commits
  12. 10 Jun, 2014 1 commit
  13. 05 Jun, 2014 2 commits
  14. 30 Apr, 2014 2 commits
  15. 27 Jan, 2014 1 commit
  16. 20 Jan, 2014 2 commits
  17. 06 Jan, 2014 3 commits
  18. 27 Nov, 2013 1 commit
  19. 01 Nov, 2013 5 commits
  20. 10 Oct, 2013 1 commit
  21. 09 Oct, 2013 2 commits
  22. 08 Oct, 2013 4 commits
  23. 16 Sep, 2013 1 commit