Merge pull request #16237 from keszybz/revert-message-type-check

Revert "bus-message: immediately reject messages with invalid type"
bus-message: add macro for calculation of offset from the page
2020-06-22 22:46:13 +02:00 · 2020-06-22 17:18:35 +02:00 · 2020-06-22 17:09:49 +02:00 · 2020-06-22 16:54:15 +02:00
3 changed files with 7 additions and 7 deletions
--- a/src/basic/memory-util.h
+++ b/src/basic/memory-util.h
@ -13,6 +13,7 @@
 size_t page_size(void) _pure_;
 #define PAGE_ALIGN(l) ALIGN_TO((l), page_size())
 #define PAGE_ALIGN_DOWN(l) ((l) & ~(page_size() - 1))
+#define PAGE_OFFSET(l) ((l) & (page_size() - 1))

 /* Normal memcpy requires src to be nonnull. We do nothing if n is 0. */
 static inline void memcpy_safe(void *dst, const void *src, size_t n) {
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@ -451,7 +451,7 @@ int bus_message_from_header(
        if (!IN_SET(h->version, 1, 2))
                return -EBADMSG;

-        if (h->type <= _SD_BUS_MESSAGE_TYPE_INVALID || h->type >= _SD_BUS_MESSAGE_TYPE_MAX)
+        if (h->type == _SD_BUS_MESSAGE_TYPE_INVALID)
                return -EBADMSG;

        if (!IN_SET(h->endian, BUS_LITTLE_ENDIAN, BUS_BIG_ENDIAN))
@ -589,7 +589,8 @@ _public_ int sd_bus_message_new(
        assert_return(bus = bus_resolve(bus), -ENOPKG);
        assert_return(bus->state != BUS_UNSET, -ENOTCONN);
        assert_return(m, -EINVAL);
-        assert_return(type > _SD_BUS_MESSAGE_TYPE_INVALID && type < _SD_BUS_MESSAGE_TYPE_MAX, -EINVAL);
+        /* Creation of messages with _SD_BUS_MESSAGE_TYPE_INVALID is allowed. */
+        assert_return(type < _SD_BUS_MESSAGE_TYPE_MAX, -EINVAL);

        sd_bus_message *t = malloc0(ALIGN(sizeof(sd_bus_message)) + sizeof(struct bus_header));
        if (!t)
@ -3021,7 +3022,7 @@ int bus_body_part_map(struct bus_body_part *part) {
                return 0;
        }

-        shift = part->memfd_offset - ((part->memfd_offset / page_size()) * page_size());
+        shift = PAGE_OFFSET(part->memfd_offset);
        psz = PAGE_ALIGN(part->size + shift);

        if (part->memfd >= 0)
@ -3158,7 +3159,8 @@ static struct bus_body_part* find_part(sd_bus_message *m, size_t index, size_t s
                                return NULL;

                        if (p)
-                                *p = (uint8_t*) part->data + index - begin;
+                                *p = part->data ? (uint8_t*) part->data + index - begin
+                                        : NULL; /* Avoid dereferencing a NULL pointer. */

                        m->cached_rindex_part = part;
                        m->cached_rindex_part_begin = begin;
@ -5497,9 +5499,6 @@ int bus_message_parse_fields(sd_bus_message *m) {
                if (m->reply_cookie == 0 || !m->error.name)
                        return -EBADMSG;
                break;
-
-        default:
-                assert_not_reached("Bad message type");
        }

        /* Refuse non-local messages that claim they are local */
--- a/test/fuzz/fuzz-bus-message/zero-offset-to-null-pointer
+++ b/test/fuzz/fuzz-bus-message/zero-offset-to-null-pointer
Author	SHA1	Message	Date
Zbigniew Jędrzejewski-Szmek	2edc494216	Merge pull request #16237 from keszybz/revert-message-type-check Revert "bus-message: immediately reject messages with invalid type"	2020-06-22 22:46:13 +02:00
Zbigniew Jędrzejewski-Szmek	b98f393d88	bus-message: add macro for calculation of offset from the page	2020-06-22 17:18:35 +02:00
Zbigniew Jędrzejewski-Szmek	b17af3e503	bus-message: avoid dereferencing a NULL pointer We'd try to map a zero-byte buffer from a NULL pointer, which is undefined behaviour. src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60: runtime error: applying zero offset to null pointer #0 0x7f6ff064e691 in find_part /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60 #1 0x7f6ff0640788 in message_peek_body /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3283:16 #2 0x7f6ff064e8db in enter_struct_or_dict_entry /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3967:21 #3 0x7f6ff06444ac in bus_message_enter_struct /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4009:13 #4 0x7f6ff0641dde in sd_bus_message_enter_container /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4136:21 #5 0x7f6ff0619874 in sd_bus_message_dump /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-dump.c:178:29 #6 0x4293d9 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bus-message.c:39:9 #7 0x441986 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15 #8 0x44121e in fuzzer::Fuzzer::RunOne(unsigned char const, unsigned long, bool, fuzzer::InputInfo, bool) /src/libfuzzer/FuzzerLoop.cpp:470:3 #9 0x443164 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7 #10 0x4434bc in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3 #11 0x42d2bc in fuzzer::FuzzerDriver(int, char*, int ()(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6 #12 0x42978a in main /src/libfuzzer/FuzzerMain.cpp:19:10 #13 0x7f6fef13c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #14 0x407808 in _start (out/fuzz-bus-message+0x407808)	2020-06-22 17:09:49 +02:00
Zbigniew Jędrzejewski-Szmek	a9c9f79ece	Revert "bus-message: immediately reject messages with invalid type" This reverts commit `a2dd991d0f`. Creation of such messages is evidently useful, and at least sdbus-c++ test suite depends on that. Fixes #16193.	2020-06-22 16:54:15 +02:00