Date: Sat, 11 Dec 2010 20:16:59 +0200
From: "Rémi Denis-Courmont" <remi@...lab.net>
To: dbus@...ts.freedesktop.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Clarifications on the D-Bus specification

Replying to self...

On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago@....org> wrote:
> > The other thing is protection against an attack vector -- an exploit
> > by recursion. If the protection is by applying one of the limits,
> > then let's use it.
>
> The specification does not specify any limits on variant recursion, that I
> can find. So it's not a matter of applying a limit that was not applied
> this far. It's a first matter of adding a new limit to the protocol - if it
> is needed anyhow.

So in fact, the bus daemon does crash with a few tens of thousands of nested
variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):
http://www.remlab.net/op/dbus-variant-recursion.shtml

I already filed the issue as FreeDesktop bug #32321.

The issue might also affect other non-libdbus-based implementations but I have
not tested any of those. It might also affect programs that parse 'any' message
recursively such as dbus-send, but again I have not tested that.

I should note that I could not convince libdbus to write a deep enough message.
At about two hundred nested containers, libdbus made the glibc heap checks
abort - probably a separate bug. If run under valgrind then libdbus 'cleanly'
failed to write a message with about 400 nested containers.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
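
Added example, not part of the message above and not code from D-Bus: one way a parser can bound the variant nesting discussed in this thread, by walking the nesting with a loop and a depth counter instead of recursing. The names `check_variant_chain`, `basic_size` and the `MAX_VARIANT_DEPTH` value of 64 are assumptions made for this example, and it is narrowed to variants that wrap either another variant or one fixed-size basic type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VARIANT_DEPTH 64 /* assumed cap; the post names no limit value */
enum { VCHECK_OK = 0, VCHECK_TRUNCATED = -1, VCHECK_TOO_DEEP = -2, VCHECK_UNSUPPORTED = -3 };
/* Size (and alignment) of the fixed-size basic types handled; 0 = not handled. */
static size_t basic_size(uint8_t t)
{
    switch (t) {
    case 'y': return 1;
    case 'n': case 'q': return 2;
    case 'b': case 'i': case 'u': return 4;
    case 'x': case 't': case 'd': return 8;
    default:  return 0;
    }
}

/* Walk variant-in-variant nesting with a loop and a counter, not recursion,
 * so stack use is constant. buf is assumed to start 8-byte aligned. */
int check_variant_chain(const uint8_t *buf, size_t len, unsigned *depth_out)
{
    size_t pos = 0;
    unsigned depth = 0;
    for (;;) {
        /* Variant signature: length byte, one type code, NUL. */
        if (len - pos < 3) return VCHECK_TRUNCATED;
        if (buf[pos] != 1 || buf[pos + 2] != 0) return VCHECK_UNSUPPORTED;
        uint8_t type = buf[pos + 1];
        pos += 3;
        if (++depth > MAX_VARIANT_DEPTH) return VCHECK_TOO_DEEP; /* refuse before descending */
        if (type == 'v') continue; /* nested variant: next level */
        size_t sz = basic_size(type);
        if (sz == 0) return VCHECK_UNSUPPORTED;
        size_t at = (pos + sz - 1) & ~(sz - 1); /* align the value */
        if (at > len || len - at < sz) return VCHECK_TRUNCATED;
        *depth_out = depth;
        return VCHECK_OK;
    }
}

int main(void)
{
    /* Constructed sample: three nested variants around the byte 0x2a. */
    const uint8_t msg[] = { 1, 'v', 0, 1, 'v', 0, 1, 'y', 0, 0x2a };
    unsigned depth = 0;
    int rc = check_variant_chain(msg, sizeof msg, &depth);
    printf("rc=%d depth=%u\n", rc, depth);
    return 0;
}
```

The depth check runs before the parser moves to the next level, so an over-deep message is rejected after reading at most `MAX_VARIANT_DEPTH + 1` signatures regardless of its total length.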