current/SOURCES/10005-config-add-new-limit-pending_fd_timeout.patch

From e17a921be676bcc89373ec1a9f368fe8b36f1073 Mon Sep 17 00:00:00 2001
From: Alban Crequy <alban.crequy@collabora.co.uk>
Date: Mon, 21 Jul 2014 17:34:08 +0100
Subject: [PATCH 05/10] config: add new limit: pending_fd_timeout

This is one of four commits needed to address CVE-2014-3637.

When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.

This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit bbf11cd5f92064c7c8af61ad4d9ff41f3a039abc)
Conflicts:
        cmake/bus/dbus-daemon.xml

[Context changes as default auth_timeout was bumped to 15s (mga#14251) / tmb]
Signed-off-by: Thomas Backlund <tmb@mageia.org>

---
 bus/bus.c                 |  6 ++++++
 bus/bus.h                 |  2 ++
 bus/config-parser.c       | 12 ++++++++++++
 bus/session.conf.in       |  1 +
 cmake/bus/dbus-daemon.xml |  6 +++++-
 5 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/bus/bus.c b/bus/bus.c
index 7ffe772..c4eadc2 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1229,6 +1229,12 @@ bus_context_get_auth_timeout (BusContext *context)
 }
 
 int
+bus_context_get_pending_fd_timeout (BusContext *context)
+{
+  return context->limits.pending_fd_timeout;
+}
+
+int
 bus_context_get_max_completed_connections (BusContext *context)
 {
   return context->limits.max_completed_connections;
diff --git a/bus/bus.h b/bus/bus.h
index 400c9d0..7d0b369 100644
--- a/bus/bus.h
+++ b/bus/bus.h
@@ -54,6 +54,7 @@ typedef struct
   long max_message_unix_fds;        /**< Max number of unix fds of a single message*/
   int activation_timeout;           /**< How long to wait for an activation to time out */
   int auth_timeout;                 /**< How long to wait for an authentication to time out */
+  int pending_fd_timeout;           /**< How long to wait for a D-Bus message with a fd to time out */
   int max_completed_connections;    /**< Max number of authorized connections */
   int max_incomplete_connections;   /**< Max number of incomplete connections */
   int max_connections_per_user;     /**< Max number of connections auth'd as same user */
@@ -106,6 +107,7 @@ BusClientPolicy*  bus_context_create_client_policy               (BusContext
                                                                   DBusError        *error);
 int               bus_context_get_activation_timeout             (BusContext       *context);
 int               bus_context_get_auth_timeout                   (BusContext       *context);
+int               bus_context_get_pending_fd_timeout             (BusContext       *context);
 int               bus_context_get_max_completed_connections      (BusContext       *context);
 int               bus_context_get_max_incomplete_connections     (BusContext       *context);
 int               bus_context_get_max_connections_per_user       (BusContext       *context);
diff --git a/bus/config-parser.c b/bus/config-parser.c
index 95d69a4..897667e 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -428,6 +428,11 @@ bus_config_parser_new (const DBusString      *basedir,
        * password) is allowed, then potentially it has to be quite long.
        */
       parser->limits.auth_timeout = 15000; /* 15 seconds */
+
+      /* Do not allow a fd to stay forever in dbus-daemon
+       * https://bugs.freedesktop.org/show_bug.cgi?id=80559
+       */
+      parser->limits.pending_fd_timeout = 150000; /* 2.5 minutes */
       
       parser->limits.max_incomplete_connections = 64;
       parser->limits.max_connections_per_user = 256;
@@ -1891,6 +1896,12 @@ set_limit (BusConfigParser *parser,
       must_be_int = TRUE;
       parser->limits.auth_timeout = value;
     }
+  else if (strcmp (name, "pending_fd_timeout") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.pending_fd_timeout = value;
+    }
   else if (strcmp (name, "reply_timeout") == 0)
     {
       must_be_positive = TRUE;
@@ -3097,6 +3108,7 @@ limits_equal (const BusLimits *a,
      || a->max_message_unix_fds == b->max_message_unix_fds
      || a->activation_timeout == b->activation_timeout
      || a->auth_timeout == b->auth_timeout
+     || a->pending_fd_timeout == b->pending_fd_timeout
      || a->max_completed_connections == b->max_completed_connections
      || a->max_incomplete_connections == b->max_incomplete_connections
      || a->max_connections_per_user == b->max_connections_per_user
diff --git a/bus/session.conf.in b/bus/session.conf.in
index 6ce8503..2ee1c31 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -53,6 +53,7 @@
        limit is also relatively low -->
   <limit name="service_start_timeout">120000</limit>  
   <limit name="auth_timeout">240000</limit>
+  <limit name="pending_fd_timeout">150000</limit>
   <limit name="max_completed_connections">100000</limit>  
   <limit name="max_incomplete_connections">10000</limit>
   <limit name="max_connections_per_user">100000</limit>
diff --git a/cmake/bus/dbus-daemon.xml b/cmake/bus/dbus-daemon.xml
index f331699..fb517e2 100644
--- a/cmake/bus/dbus-daemon.xml
+++ b/cmake/bus/dbus-daemon.xml
@@ -401,7 +401,11 @@ Available limit names are:</para>
       "auth_timeout"               : milliseconds (thousandths) a
                                      connection is given to
                                      authenticate
-      "max_completed_connections"  : max number of authenticated connections  
+      "pending_fd_timeout"         : milliseconds (thousandths) a
+                                     fd is given to be transmitted to
+                                     dbus-daemon before disconnecting the
+                                     connection
+      "max_completed_connections"  : max number of authenticated connections
       "max_incomplete_connections" : max number of unauthenticated
                                      connections
       "max_connections_per_user"   : max number of completed connections from
-- 
2.1.0

1	tmb	731766	From e17a921be676bcc89373ec1a9f368fe8b36f1073 Mon Sep 17 00:00:00 2001
2			From: Alban Crequy <alban.crequy@collabora.co.uk>
3			Date: Mon, 21 Jul 2014 17:34:08 +0100
4			Subject: [PATCH 05/10] config: add new limit: pending_fd_timeout
5
6			This is one of four commits needed to address CVE-2014-3637.
7
8			When a file descriptor is passed to dbus-daemon, the associated D-Bus message
9			might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
10			descriptor in the DBusMessageLoader of the connection, waiting for the rest of
11			the message. If the client stops sending the remaining bytes, dbus-daemon will
12			wait forever and keep that file descriptor.
13
14			This patch adds pending_fd_timeout (milliseconds) in the configuration to
15			disconnect a connection after a timeout when a file descriptor was sent but not
16			the remaining message.
17
18			Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
19			Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
20			(cherry picked from commit bbf11cd5f92064c7c8af61ad4d9ff41f3a039abc)
21			Conflicts:
22			cmake/bus/dbus-daemon.xml
23	tmb	792439
24			[Context changes as default auth_timeout was bumped to 15s (mga#14251) / tmb]
25			Signed-off-by: Thomas Backlund <tmb@mageia.org>
26
27	tmb	731766	---
28			bus/bus.c \| 6 ++++++
29			bus/bus.h \| 2 ++
30			bus/config-parser.c \| 12 ++++++++++++
31			bus/session.conf.in \| 1 +
32			cmake/bus/dbus-daemon.xml \| 6 +++++-
33			5 files changed, 26 insertions(+), 1 deletion(-)
34
35			diff --git a/bus/bus.c b/bus/bus.c
36			index 7ffe772..c4eadc2 100644
37			--- a/bus/bus.c
38			+++ b/bus/bus.c
39			@@ -1229,6 +1229,12 @@ bus_context_get_auth_timeout (BusContext *context)
40			}
41
42			int
43			+bus_context_get_pending_fd_timeout (BusContext *context)
44			+{
45			+ return context->limits.pending_fd_timeout;
46			+}
47			+
48			+int
49			bus_context_get_max_completed_connections (BusContext *context)
50			{
51			return context->limits.max_completed_connections;
52			diff --git a/bus/bus.h b/bus/bus.h
53			index 400c9d0..7d0b369 100644
54			--- a/bus/bus.h
55			+++ b/bus/bus.h
56			@@ -54,6 +54,7 @@ typedef struct
57			long max_message_unix_fds; /*< Max number of unix fds of a single message/
58			int activation_timeout; /*< How long to wait for an activation to time out /
59			int auth_timeout; /*< How long to wait for an authentication to time out /
60			+ int pending_fd_timeout; /*< How long to wait for a D-Bus message with a fd to time out /
61			int max_completed_connections; /*< Max number of authorized connections /
62			int max_incomplete_connections; /*< Max number of incomplete connections /
63			int max_connections_per_user; /*< Max number of connections auth'd as same user /
64			@@ -106,6 +107,7 @@ BusClientPolicy* bus_context_create_client_policy (BusContext
65			DBusError *error);
66			int bus_context_get_activation_timeout (BusContext *context);
67			int bus_context_get_auth_timeout (BusContext *context);
68			+int bus_context_get_pending_fd_timeout (BusContext *context);
69			int bus_context_get_max_completed_connections (BusContext *context);
70			int bus_context_get_max_incomplete_connections (BusContext *context);
71			int bus_context_get_max_connections_per_user (BusContext *context);
72			diff --git a/bus/config-parser.c b/bus/config-parser.c
73			index 95d69a4..897667e 100644
74			--- a/bus/config-parser.c
75			+++ b/bus/config-parser.c
76			@@ -428,6 +428,11 @@ bus_config_parser_new (const DBusString *basedir,
77			* password) is allowed, then potentially it has to be quite long.
78			*/
79	tmb	792439	parser->limits.auth_timeout = 15000; /* 15 seconds */
80	tmb	731766	+
81			+ /* Do not allow a fd to stay forever in dbus-daemon
82			+ * https://bugs.freedesktop.org/show_bug.cgi?id=80559
83			+ */
84			+ parser->limits.pending_fd_timeout = 150000; /* 2.5 minutes */
85
86			parser->limits.max_incomplete_connections = 64;
87			parser->limits.max_connections_per_user = 256;
88			@@ -1891,6 +1896,12 @@ set_limit (BusConfigParser *parser,
89			must_be_int = TRUE;
90			parser->limits.auth_timeout = value;
91			}
92			+ else if (strcmp (name, "pending_fd_timeout") == 0)
93			+ {
94			+ must_be_positive = TRUE;
95			+ must_be_int = TRUE;
96			+ parser->limits.pending_fd_timeout = value;
97			+ }
98			else if (strcmp (name, "reply_timeout") == 0)
99			{
100			must_be_positive = TRUE;
101			@@ -3097,6 +3108,7 @@ limits_equal (const BusLimits *a,
102			\|\| a->max_message_unix_fds == b->max_message_unix_fds
103			\|\| a->activation_timeout == b->activation_timeout
104			\|\| a->auth_timeout == b->auth_timeout
105			+ \|\| a->pending_fd_timeout == b->pending_fd_timeout
106			\|\| a->max_completed_connections == b->max_completed_connections
107			\|\| a->max_incomplete_connections == b->max_incomplete_connections
108			\|\| a->max_connections_per_user == b->max_connections_per_user
109			diff --git a/bus/session.conf.in b/bus/session.conf.in
110			index 6ce8503..2ee1c31 100644
111			--- a/bus/session.conf.in
112			+++ b/bus/session.conf.in
113			@@ -53,6 +53,7 @@
114			limit is also relatively low -->
115			<limit name="service_start_timeout">120000</limit>
116			<limit name="auth_timeout">240000</limit>
117			+ <limit name="pending_fd_timeout">150000</limit>
118			<limit name="max_completed_connections">100000</limit>
119			<limit name="max_incomplete_connections">10000</limit>
120			<limit name="max_connections_per_user">100000</limit>
121			diff --git a/cmake/bus/dbus-daemon.xml b/cmake/bus/dbus-daemon.xml
122			index f331699..fb517e2 100644
123			--- a/cmake/bus/dbus-daemon.xml
124			+++ b/cmake/bus/dbus-daemon.xml
125			@@ -401,7 +401,11 @@ Available limit names are:</para>
126			"auth_timeout" : milliseconds (thousandths) a
127			connection is given to
128			authenticate
129			- "max_completed_connections" : max number of authenticated connections
130			+ "pending_fd_timeout" : milliseconds (thousandths) a
131			+ fd is given to be transmitted to
132			+ dbus-daemon before disconnecting the
133			+ connection
134			+ "max_completed_connections" : max number of authenticated connections
135			"max_incomplete_connections" : max number of unauthenticated
136			connections
137			"max_connections_per_user" : max number of completed connections from
138			--
139			2.1.0
140