Closed evverx closed 2 years ago
@dvdhrm I created a private repository where I added a file triggering a segfault and invited you as a collaborator. That particular crash can be triggered with
(printf '\0AUTH EXTERNAL\r\nDATA\r\nBEGIN\r\n'; cat ./04b135f7ce7c0e2250f892f607fedf4e6ecbb2e7) | nc -N -U /run/dbus/system_bus_socket
I can add the files to a public repository instead if it's more convenient. It's just that all those issues can be triggered by unprivileged users so I thought it would be better to share them privately first.
I added three more files there. I think they cover all the issues mentioned here.
Oh dear, thanks for catching that! I fixed it in: https://github.com/c-util/c-dvar/commit/7944893cd263ec58cabcd34adf2c13ae4f45bd24
I only verified one of the dumps so far, I will check the other ones later. But maybe this already solves the issue for them all.
But maybe this already solves the issue for them all
Looks like those four crashes are gone. Thanks!
https://github.com/c-util/c-dvar/commit/7944893cd263ec58cabcd34adf2c13ae4f45bd24
It would be great if it would be possible to point dbus-broker to that commit. It took me a while to figure out that it isn't included in v1 (which subprojects/libcdvar-1.wrap currently points to) :-)
@dvdhrm with that patch applied dbus-broker no longer triggers ASan/UBSan but it appears malformed DBus messages can cause dbus-broker to fail with
Jun 15 17:44:55 H dbus-broker[29456]: Peer :1.270 is being disconnected as it sent a message with an invalid body.
Jun 15 17:44:56 H dbus-broker-launch[29456]: message_parse_header @ ../src/dbus/message.c +360
Jun 15 17:44:56 H dbus-broker-launch[29456]: message_parse_metadata @ ../src/dbus/message.c +452
Jun 15 17:44:56 H dbus-broker-launch[29456]: peer_dispatch_connection @ ../src/bus/peer.c +123
Jun 15 17:44:56 H dbus-broker-launch[29456]: peer_dispatch @ ../src/bus/peer.c +225
Jun 15 17:44:56 H dbus-broker-launch[29456]: dispatch_context_dispatch @ ../src/util/dispatch.c +344
Jun 15 17:44:56 H dbus-broker-launch[29456]: broker_run @ ../src/broker/broker.c +219
Jun 15 17:44:56 H dbus-broker-launch[29456]: run @ ../src/broker/main.c +261
Jun 15 17:44:56 H dbus-broker[29456]: Dispatched 529 messages @ 24(±218)μs / message.
Jun 15 17:44:56 H dbus-broker-launch[29456]: main @ ../src/broker/main.c +295
Jun 15 17:44:56 H dbus-broker-launch[29454]: ERROR launcher_run @ ../src/launch/launcher.c +1451: Return code 1
Jun 15 17:44:56 H dbus-broker-launch[29454]: run @ ../src/launch/main.c +152
Jun 15 17:44:56 H dbus-broker-launch[29454]: main @ ../src/launch/main.c +178
Jun 15 17:44:56 H dbus-broker-launch[29454]: Exiting due to fatal error: -131
Jun 15 17:44:56 H dbus-broker-launch[29454]: Caught SIGCHLD of broker.
I'm not sure if it's expected or not.
Looks like it can be reproduced without that patch as well so it seems to be a different issue. I added a file triggering it to https://github.com/evverx/dbus-message just in case.
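As an added illustration, not code from dbus-broker or c-dvar, this is the kind of bounds check a broker has to apply to the 16-byte D-Bus fixed header (endianness, type, version, body length, serial, header-field array length) before trusting any length field, so that a malformed message is rejected and the peer disconnected rather than the parser reading past the buffer. The constant name, struct and sample buffers are my own; the sample headers are constructed, and the overflow case shows why the total has to be computed in 64 bits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Spec limit for a whole message (2^27 bytes); name is this example's own. */
#define DBUS_MAX_MESSAGE_SIZE (128u * 1024u * 1024u)

struct dbus_hdr {
    uint8_t  endian;      /* 'l' (little) or 'B' (big) */
    uint8_t  type;        /* 1..4: METHOD_CALL, METHOD_RETURN, ERROR, SIGNAL */
    uint8_t  flags;
    uint8_t  version;     /* protocol version, must be 1 */
    uint32_t body_len;
    uint32_t serial;      /* must be non-zero */
    uint32_t fields_len;  /* byte length of the header-field array */
};

static uint32_t rd32(const uint8_t *p, uint8_t endian) {
    if (endian == 'l')
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Validates the fixed header in buf[0..n). Returns the total message length
 * (fixed header + field array padded to 8 + body) on success, 0 if the header
 * is malformed or claims more bytes than the buffer holds. */
size_t dbus_header_validate(const uint8_t *buf, size_t n, struct dbus_hdr *out) {
    struct dbus_hdr h;
    uint64_t total;
    if (n < 16) return 0;
    h.endian = buf[0]; h.type = buf[1]; h.flags = buf[2]; h.version = buf[3];
    if (h.endian != 'l' && h.endian != 'B') return 0;
    if (h.type < 1 || h.type > 4) return 0;
    if (h.version != 1) return 0;
    h.body_len   = rd32(buf + 4,  h.endian);
    h.serial     = rd32(buf + 8,  h.endian);
    h.fields_len = rd32(buf + 12, h.endian);
    if (h.serial == 0) return 0;
    /* 64-bit arithmetic: two hostile 32-bit lengths must not wrap to a small sum. */
    total = 16 + (((uint64_t)h.fields_len + 7) & ~(uint64_t)7) + h.body_len;
    if (total > DBUS_MAX_MESSAGE_SIZE || total > n) return 0;
    if (out) *out = h;
    return (size_t)total;
}

/* Constructed sample headers (little-endian, METHOD_CALL, version 1). */
static const uint8_t SAMPLE_GOOD[16]     = {'l',1,0,1, 0,0,0,0,             1,0,0,0, 0,0,0,0};
static const uint8_t SAMPLE_OVERFLOW[16] = {'l',1,0,1, 0xff,0xff,0xff,0xff, 1,0,0,0, 0xf8,0xff,0xff,0xff};
static const uint8_t SAMPLE_TRUNC[16]    = {'l',1,0,1, 8,0,0,0,             1,0,0,0, 0,0,0,0};
static const uint8_t SAMPLE_NOSERIAL[16] = {'l',1,0,1, 0,0,0,0,             0,0,0,0, 0,0,0,0};
```

With 32-bit arithmetic SAMPLE_OVERFLOW would sum to 7 bytes and pass; the 64-bit total rejects it.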
But maybe this already solves the issue for them all
Looks like those four crashes are gone. Thanks!
Thanks for verifying!
It would be great if it would be possible to point dbus-broker to that commit. It took me a while to figure out that it isn't included in v1 (which subprojects/libcdvar-1.wrap currently points to) :-)
Once I update v1, it will immediately hit distributions that build from git rather than tarballs, so I do that carefully. Instead, for temporary builds I update the git checkouts in dbus-broker/subprojects/libc*-1/. Meson only fetches the v1 branch if nothing is there, so you can safely change branches or apply patches there.
Note that there is a long bank-holiday weekend right now in Germany, so I am unlikely to push out a new release. I will definitely do so next week!
Thanks for digging this all out and the effort to get the fuzzer to run! Very much appreciated!
Looks like it can be reproduced without that patch as well so it seems to be a different issue. I added a file triggering it to https://github.com/evverx/dbus-message just in case.
Again, nice catch! Fixed in c-dvar fdfe98534012309c082b94014a2074a6f62dbe9b. Needs a minor adjustment in dbus-broker, though not a crucial one.
Meson only fetches the v1 branch if nothing is there, so you can safely change branches or apply patches there.
I pointed subprojects/libcdvar-1.wrap to main in the end. It's just that for some reason I thought that the commit went to v1 and it was supposed to be pulled automatically with v1.
Fixed in c-dvar fdfe98534012309c082b94014a2074a6f62dbe9b
Thanks! I can confirm that those backtraces are gone.
Note that there is a long bank-holiday weekend right now in Germany
Sorry. I didn't know that. Of course any patches/releases can be put on hold.
FWIW since match rules caused systemd and dbus-daemon to crash back in the day I also fuzzed the code parsing match rules in dbus-broker for some time and it looks solid to me. I'll try to polish that fuzz target and add it as well to unleash OSS-Fuzz on it.
I collected a bunch of dbus-broker backtraces all of which can be triggered by sending various DBus messages to dbus-broker. The idea was to send that stuff to systemd via /run/systemd/private but it was accidentally redirected to /run/dbus/system_bus_socket. I'll attach the files triggering those backtraces once I resurrect that container. It might take a while.