diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch deleted file mode 100644 index 9284dd666..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001 -From: Simon McVittie <smcv@collabora.com> -Date: Mon, 12 Sep 2022 13:14:18 +0100 -Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of - fixed-length items - -This fast-path previously did not check that the array was made up -of an integer number of items. This could lead to assertion failures -and out-of-bounds accesses during subsequent message processing (which -assumes that the message has already been validated), particularly after -the addition of _dbus_header_remove_unknown_fields(), which makes it -more likely that dbus-daemon will apply non-trivial edits to messages. - -Thanks: Evgeny Vereshchagin -Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 -Resolves: CVE-2022-42011 -Signed-off-by: Simon McVittie <smcv@collabora.com> ---- - dbus/dbus-marshal-validate.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c -index ae68414dd..7d0d6cf72 100644 ---- a/dbus/dbus-marshal-validate.c -+++ b/dbus/dbus-marshal-validate.c -@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, - */ - if (dbus_type_is_fixed (array_elem_type)) - { -+ /* Note that fixed-size types all have sizes equal to -+ * their alignments, so this is really the item size. */ -+ alignment = _dbus_type_get_alignment (array_elem_type); -+ _dbus_assert (alignment == 1 || alignment == 2 || -+ alignment == 4 || alignment == 8); -+ -+ /* Because the alignment is a power of 2, this is -+ * equivalent to: (claimed_len % alignment) != 0, -+ * but avoids slower integer division */ -+ if ((claimed_len & (alignment - 1)) != 0) -+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; -+ - /* bools need to be handled differently, because they can - * have an invalid value - */ - if (array_elem_type == DBUS_TYPE_BOOLEAN) - { - dbus_uint32_t v; -- alignment = _dbus_type_get_alignment (array_elem_type); - - while (p < array_end) - { --- -GitLab - |