Date: Tue, 19 Feb 2019 16:48:58 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-6454: systemd (PID1) crash with
 specially crafted D-Bus message

On Mon, 18 Feb 2019 at 17:41:56 +0100, Chris Coulson wrote:
> According to the dbus specification, the path "may be of any
> length" (with the length being represented on the wire by a uint32),
> but systemd seems to limit the size of incoming messages to 128MB
> (BUS_MESSAGE_SIZE_MAX).

D-Bus is a protocol and dbus is the reference implementation of the
D-Bus protocol, so it's really the D-Bus specification.

The 128M limit also comes from the D-Bus Specification, which isn't
always as good as it might be about taking a rule from one part of the
spec and noting its consequences in another part (patches welcome). The
intention is that wherever rules rule1 and rule2 overlap, messages must
obey (rule1 && rule2) - so for instance when a string or path can be
any 32-bit length, a string or path is part of a message, and a message
is up to 128M, the practical result is that the longest possible string
or path is a bit less than 128M.

> From testing on Ubuntu 18.10, it seems that the
> real limit is actually much less than this - dbus-daemon drops the
> connection when I try to send a message with an object path greater than
> about 32MB.

This lower limit is `dbus-daemon --system` policy/configuration to
mitigate/limit denial-of-service attacks by resource exhaustion (and
accidentally also mitigation for attacks like this one, although I don't
think that was ever intentional) - part of dbus, the reference
implementation of D-Bus, rather than part of the D-Bus spec. It can differ
in other implementations like dbus-broker and gdbus-daemon, and it can
also be changed by distros or sysadmins.

    smcv
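
Added example, not part of the original message and not code from dbus or systemd: a receiver-side check that applies the overlapping rules described above to the 16 bytes that start every D-Bus message, before any buffer is allocated. Any string or path inside the message is bounded by the same check, since it cannot be longer than the message that carries it. The function names and SAMPLE_POLICY_MAX are assumptions; the latter stands in for a configurable implementation limit such as the "about 32MB" observed in the thread.

```python
import struct

SPEC_MAX_MESSAGE = 1 << 27             # 128 MiB: limit from the D-Bus Specification
SAMPLE_POLICY_MAX = 32 * 1024 * 1024   # assumed stand-in for a daemon's configured limit


class MessageTooLarge(ValueError):
    pass


def declared_size(fixed: bytes) -> int:
    """Total on-wire size declared by the first 16 bytes of a message."""
    if len(fixed) < 16:
        raise ValueError("need the 16 leading bytes of the message")
    marker = fixed[0:1]
    if marker == b"l":
        order = "<"
    elif marker == b"B":
        order = ">"
    else:
        raise ValueError("bad endianness marker")
    # Bytes 4..15: body length, serial, length of the header field array.
    body_len, _serial, fields_len = struct.unpack_from(order + "III", fixed, 4)
    # The header is padded to an 8-byte boundary before the body starts.
    # Both lengths are attacker-controlled uint32 values: in a language with
    # fixed-width integers this sum must be done in 64 bits.
    header_len = (16 + fields_len + 7) & ~7
    return header_len + body_len


def admit(fixed: bytes, policy_max: int = SAMPLE_POLICY_MAX) -> int:
    """Return the declared size if it obeys (spec rule && local policy)."""
    size = declared_size(fixed)
    limit = min(SPEC_MAX_MESSAGE, policy_max)
    if size > limit:
        raise MessageTooLarge(f"{size} bytes declared, limit is {limit}")
    return size


def make_fixed(body_len: int, fields_len: int, order: str = "<") -> bytes:
    """Build constructed sample input: type 1, flags 0, version 1, serial 1."""
    marker = b"l" if order == "<" else b"B"
    return marker + bytes([1, 0, 1]) + struct.pack(order + "III", body_len, 1, fields_len)
```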
