'Re: [oss-security] CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message
From:       Simon McVittie <smcv () debian ! org>
Date:       2019-02-19 16:48:58
Message-ID: 20190219164858.GC19026 () espresso ! pseudorandom ! co ! uk
[Download RAW message or body]

On Mon, 18 Feb 2019 at 17:41:56 +0100, Chris Coulson wrote:
> According to the dbus specification, the path "may be of any
> length" (with the length being represented on the wire by a uint32),
> but systemd seems to limit the size of incoming messages to 128MB
> (BUS_MESSAGE_SIZE_MAX).

D-Bus is a protocol and dbus is the reference implementation of the
D-Bus protocol, so it's really the D-Bus specification.

The 128M limit also comes from the D-Bus Specification, which isn't
always as good as it might be about taking a rule from one part of the
spec and noting its consequences in another part (patches welcome). The
intention is that wherever rules rule1 and rule2 overlap, messages must
obey (rule1 && rule2) - so for instance when a string or path can be
any 32-bit length, a string or path is part of a message, and a message
is up to 128M, the practical result is that the longest possible string
or path is a bit less than 128M.

> From testing on Ubuntu 18.10, it seems that the
> real limit is actually much less than this - dbus-daemon drops the
> connection when I try to send a message with an object path greater than
> about 32MB.

This lower limit is `dbus-daemon --system` policy/configuration to
mitigate/limit denial-of-service attacks by resource exhaustion (and
accidentally also mitigation for attacks like this one, although I don't
think that was ever intentional) - part of dbus, the reference
implementation of D-Bus, rather than part of the D-Bus spec. It can differ
in other implementations like dbus-broker and gdbus-daemon, and it can
also be changed by distros or sysadmins.

    smcv
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic