bus1 / dbus-broker

Linux D-Bus Message Broker
https://github.com/bus1/dbus-broker/wiki
Apache License 2.0

Several ASan/UBsan backtraces #291

Closed evverx closed 2 years ago

evverx commented 2 years ago

I collected a bunch of dbus-broker backtraces all of which can be triggered by sending various DBus messages to dbus-broker. The idea was to send that stuff to systemd via /run/systemd/private but it was accidentally redirected to /run/dbus/system_bus_socket. I'll attach the files triggering those backtraces once I resurrect that container. It might take a while.

Jun 13 00:10:40 H dbus-broker-launch[74]: ../subprojects/libcdvar-1/src/c-dvar-reader.c:73:26: runtime error: load of misaligned address 0x00000047525a for type 'const uint32_t', which requires 4 byte al>
Jun 13 00:10:40 H dbus-broker-launch[74]: 0x00000047525a: note: pointer points here
Jun 13 00:10:40 H dbus-broker-launch[74]:  92 2d  01 00 89 85 40 ff ff ff  83 bd 40 ff ff ff 00 74  79 83 bd 40 ff ff ff 03  75 0b 41 bd 03 00
Jun 13 00:10:40 H dbus-broker-launch[74]:               ^
Jun 13 00:10:40 H dbus-broker-launch[74]:     #0 0x4ab07f in c_dvar_read_u32 ../subprojects/libcdvar-1/src/c-dvar-reader.c:73
Jun 13 00:10:40 H dbus-broker-launch[74]:     #1 0x4adefc in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:376
Jun 13 00:10:40 H dbus-broker-launch[74]:     #2 0x4b1351 in c_dvar_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:632
Jun 13 00:10:40 H dbus-broker-launch[74]:     #3 0x475a77 in c_dvar_read ../subprojects/libcdvar-1/src/c-dvar.h:307
Jun 13 00:10:40 H dbus-broker-launch[74]:     #4 0x47b4f6 in message_parse_body ../src/dbus/message.c:405
Jun 13 00:10:40 H dbus-broker-launch[74]:     #5 0x47bc02 in message_parse_metadata ../src/dbus/message.c:468
Jun 13 00:10:40 H dbus-broker-launch[74]:     #6 0x455160 in peer_dispatch_connection ../src/bus/peer.c:87
Jun 13 00:10:40 H dbus-broker-launch[74]:     #7 0x4572a4 in peer_dispatch ../src/bus/peer.c:201
Jun 13 00:10:40 H dbus-broker-launch[74]:     #8 0x439dff in listener_dispatch ../src/bus/listener.c:63
Jun 13 00:10:40 H dbus-broker-launch[74]:     #9 0x4917e8 in dispatch_context_dispatch ../src/util/dispatch.c:343
Jun 13 00:10:40 H dbus-broker-launch[74]:     #10 0x4090a7 in broker_run ../src/broker/broker.c:213
Jun 13 00:10:40 H dbus-broker-launch[74]:     #11 0x4052e1 in run ../src/broker/main.c:259
Jun 13 00:10:40 H dbus-broker-launch[74]:     #12 0x40549d in main ../src/broker/main.c:289
Jun 13 00:10:40 H dbus-broker-launch[74]:     #13 0x7fd20251d43f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
Jun 13 00:10:40 H dbus-broker-launch[74]:     #14 0x7fd20251d4ef in __libc_start_main_alias_2 (/lib64/libc.so.6+0x404ef)
Jun 13 00:10:40 H dbus-broker-launch[74]:     #15 0x403704 in _start (/usr/bin/dbus-broker+0x403704)
Jun 13 00:10:40 H dbus-broker-launch[74]: SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../subprojects/libcdvar-1/src/c-dvar-reader.c:73:26 in
Jun 13 00:10:47 H dbus-broker-launch[74]: =================================================================
Jun 13 00:10:47 H dbus-broker-launch[74]: ==74==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffc34729870 at pc 0x0000004ab0b6 bp 0x7ffc34729760 sp 0x7ffc34729758
Jun 13 00:10:47 H dbus-broker-launch[74]: READ of size 4 at 0x7ffc34729870 thread T0
Jun 13 00:10:47 H dbus-broker-launch[74]:     #0 0x4ab0b5 in c_dvar_read_u32 ../subprojects/libcdvar-1/src/c-dvar-reader.c:73
Jun 13 00:10:47 H dbus-broker-launch[74]:     #1 0x4adefc in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:376
Jun 13 00:10:47 H dbus-broker-launch[74]:     #2 0x4b1351 in c_dvar_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:632
Jun 13 00:10:47 H dbus-broker-launch[74]:     #3 0x475a77 in c_dvar_read ../subprojects/libcdvar-1/src/c-dvar.h:307
Jun 13 00:10:47 H dbus-broker-launch[74]:     #4 0x47b4f6 in message_parse_body ../src/dbus/message.c:405
Jun 13 00:10:47 H dbus-broker-launch[74]:     #5 0x47bc02 in message_parse_metadata ../src/dbus/message.c:468
Jun 13 00:10:47 H dbus-broker-launch[74]:     #6 0x455160 in peer_dispatch_connection ../src/bus/peer.c:87
Jun 13 00:10:47 H dbus-broker-launch[74]:     #7 0x4572a4 in peer_dispatch ../src/bus/peer.c:201
Jun 13 00:10:47 H dbus-broker-launch[74]:     #8 0x4917e8 in dispatch_context_dispatch ../src/util/dispatch.c:343
Jun 13 00:10:47 H dbus-broker-launch[74]:     #9 0x4090a7 in broker_run ../src/broker/broker.c:213
Jun 13 00:10:47 H dbus-broker-launch[74]:     #10 0x4052e1 in run ../src/broker/main.c:259
Jun 13 00:10:47 H dbus-broker-launch[74]:     #11 0x40549d in main ../src/broker/main.c:289
Jun 13 00:10:47 H dbus-broker-launch[74]:     #12 0x7fd20251d43f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
Jun 13 00:10:47 H dbus-broker-launch[74]:     #13 0x7fd20251d4ef in __libc_start_main_alias_2 (/lib64/libc.so.6+0x404ef)
Jun 13 00:10:47 H dbus-broker-launch[74]:     #14 0x403704 in _start (/usr/bin/dbus-broker+0x403704)
Jun 13 00:10:47 H dbus-broker-launch[74]: Address 0x7ffc34729870 is located in stack of thread T0 at offset 32 in frame
Jun 13 00:10:47 H dbus-broker-launch[74]:     #0 0x4ac00e in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:178
Jun 13 00:10:47 H dbus-broker-launch[74]:   This frame has 6 object(s):
Jun 13 00:10:47 H dbus-broker-launch[74]:     [48, 49) 'u8' (line 184) <== Memory access at offset 32 underflows this variable
Jun 13 00:10:47 H dbus-broker-launch[74]:     [64, 66) 'u16' (line 183)
Jun 13 00:10:47 H dbus-broker-launch[74]:     [80, 84) 'u32' (line 182)
Jun 13 00:10:47 H dbus-broker-launch[74]:     [96, 104) 'type' (line 179)
Jun 13 00:10:47 H dbus-broker-launch[74]:     [128, 136) 'str' (line 180)
Jun 13 00:10:47 H dbus-broker-launch[74]:     [160, 168) 'u64' (line 181)
Jun 13 00:10:47 H dbus-broker-launch[74]: HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
Jun 13 00:10:47 H dbus-broker-launch[74]:       (longjmp and C++ exceptions *are* supported)
Jun 13 00:10:47 H dbus-broker-launch[74]: SUMMARY: AddressSanitizer: stack-buffer-underflow ../subprojects/libcdvar-1/src/c-dvar-reader.c:73 in c_dvar_read_u32
Jun 13 00:10:47 H dbus-broker-launch[74]: Shadow bytes around the buggy address:
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd2f0: 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]: =>0x1000068dd300: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1[f1]f1
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd310: 01 f2 02 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f3
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd320: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd330: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd340: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]:   0x1000068dd350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jun 13 00:10:47 H dbus-broker-launch[74]: Shadow byte legend (one shadow byte represents 8 application bytes):
Jun 13 00:10:47 H dbus-broker-launch[74]:   Addressable:           00
Jun 13 00:10:47 H dbus-broker-launch[74]:   Partially addressable: 01 02 03 04 05 06 07
Jun 13 00:10:47 H dbus-broker-launch[74]:   Heap left redzone:       fa
Jun 13 00:10:47 H dbus-broker-launch[74]:   Freed heap region:       fd
Jun 13 00:10:47 H dbus-broker-launch[74]:   Stack left redzone:      f1
Jun 13 00:10:47 H dbus-broker-launch[74]:   Stack mid redzone:       f2
Jun 13 00:10:47 H dbus-broker-launch[74]:   Stack right redzone:     f3
Jun 13 00:10:47 H dbus-broker-launch[74]:   Stack after return:      f5
Jun 13 00:10:47 H dbus-broker-launch[74]:   Stack use after scope:   f8
Jun 13 00:10:47 H dbus-broker-launch[74]:   Global redzone:          f9
Jun 13 00:10:47 H dbus-broker-launch[74]:   Global init order:       f6
Jun 13 00:10:47 H dbus-broker-launch[74]:   Poisoned by user:        f7
Jun 13 00:10:47 H dbus-broker-launch[74]:   Container overflow:      fc
Jun 13 00:10:47 H dbus-broker-launch[74]:   Array cookie:            ac
Jun 13 00:10:47 H dbus-broker-launch[74]:   Intra object redzone:    bb
Jun 13 00:10:47 H dbus-broker-launch[74]:   ASan internal:           fe
Jun 13 00:10:47 H dbus-broker-launch[74]:   Left alloca redzone:     ca
Jun 13 00:10:47 H dbus-broker-launch[74]:   Right alloca redzone:    cb
Jun 13 00:10:47 H dbus-broker-launch[74]:   Shadow gap:              cc
Jun 13 00:10:47 H dbus-broker-launch[74]: ==74==ABORTING
Jun 13 00:11:03 H dbus-broker-launch[1205]: =================================================================
Jun 13 00:11:03 H dbus-broker-launch[1205]: ==1205==ERROR: AddressSanitizer: SEGV on unknown address 0x0000ffffb3b8 (pc 0x0000004ab091 bp 0x7ffca3383440 sp 0x7ffca33833c0 T0)
Jun 13 00:11:03 H dbus-broker-launch[1205]: ==1205==The signal is caused by a READ memory access.
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #0 0x4ab091 in c_dvar_read_u32 ../subprojects/libcdvar-1/src/c-dvar-reader.c:73
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #1 0x4ad6a1 in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:314
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #2 0x4b1351 in c_dvar_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:632
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #3 0x4aa0e3 in c_dvar_read ../subprojects/libcdvar-1/src/c-dvar.h:307
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #4 0x4afac7 in c_dvar_ff ../subprojects/libcdvar-1/src/c-dvar-reader.c:515
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #5 0x4afc29 in c_dvar_try_vskip ../subprojects/libcdvar-1/src/c-dvar-reader.c:543
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #6 0x4b16e7 in c_dvar_vskip ../subprojects/libcdvar-1/src/c-dvar-reader.c:647
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #7 0x475bf6 in c_dvar_skip ../subprojects/libcdvar-1/src/c-dvar.h:328
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #8 0x47b5cb in message_parse_body ../src/dbus/message.c:412
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #9 0x47bc02 in message_parse_metadata ../src/dbus/message.c:468
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #10 0x455160 in peer_dispatch_connection ../src/bus/peer.c:87
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #11 0x4572a4 in peer_dispatch ../src/bus/peer.c:201
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #12 0x4917e8 in dispatch_context_dispatch ../src/util/dispatch.c:343
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #13 0x4090a7 in broker_run ../src/broker/broker.c:213
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #14 0x4052e1 in run ../src/broker/main.c:259
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #15 0x40549d in main ../src/broker/main.c:289
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #16 0x7f761ee9c43f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #17 0x7f761ee9c4ef in __libc_start_main_alias_2 (/lib64/libc.so.6+0x404ef)
Jun 13 00:11:03 H dbus-broker-launch[1205]:     #18 0x403704 in _start (/usr/bin/dbus-broker+0x403704)
Jun 13 00:11:03 H dbus-broker-launch[1205]: AddressSanitizer can not provide additional info.
Jun 13 00:11:03 H dbus-broker-launch[1205]: SUMMARY: AddressSanitizer: SEGV ../subprojects/libcdvar-1/src/c-dvar-reader.c:73 in c_dvar_read_u32
Jun 13 00:11:29 H dbus-broker-launch[2579]: =================================================================
Jun 13 00:11:29 H dbus-broker-launch[2579]: ==2579==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fffcd38 (pc 0x0000004aaccb bp 0x7ffc4a320330 sp 0x7ffc4a3202b0 T0)
Jun 13 00:11:29 H dbus-broker-launch[2579]: ==2579==The signal is caused by a READ memory access.
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #0 0x4aaccb in c_dvar_read_u8 ../subprojects/libcdvar-1/src/c-dvar-reader.c:51
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #1 0x4ad4c8 in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:303
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #2 0x4b1351 in c_dvar_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:632
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #3 0x4aa0e3 in c_dvar_read ../subprojects/libcdvar-1/src/c-dvar.h:307
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #4 0x4afac7 in c_dvar_ff ../subprojects/libcdvar-1/src/c-dvar-reader.c:515
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #5 0x4afc29 in c_dvar_try_vskip ../subprojects/libcdvar-1/src/c-dvar-reader.c:543
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #6 0x4b16e7 in c_dvar_vskip ../subprojects/libcdvar-1/src/c-dvar-reader.c:647
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #7 0x475bf6 in c_dvar_skip ../subprojects/libcdvar-1/src/c-dvar.h:328
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #8 0x47b5cb in message_parse_body ../src/dbus/message.c:412
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #9 0x47bc02 in message_parse_metadata ../src/dbus/message.c:468
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #10 0x455160 in peer_dispatch_connection ../src/bus/peer.c:87
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #11 0x4572a4 in peer_dispatch ../src/bus/peer.c:201
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #12 0x439dff in listener_dispatch ../src/bus/listener.c:63
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #13 0x4917e8 in dispatch_context_dispatch ../src/util/dispatch.c:343
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #14 0x4090a7 in broker_run ../src/broker/broker.c:213
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #15 0x4052e1 in run ../src/broker/main.c:259
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #16 0x40549d in main ../src/broker/main.c:289
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #17 0x7fe773b0643f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #18 0x7fe773b064ef in __libc_start_main_alias_2 (/lib64/libc.so.6+0x404ef)
Jun 13 00:11:29 H dbus-broker-launch[2579]:     #19 0x403704 in _start (/usr/bin/dbus-broker+0x403704)
Jun 13 00:11:29 H dbus-broker-launch[2579]: AddressSanitizer can not provide additional info.
Jun 13 00:11:29 H dbus-broker-launch[2579]: SUMMARY: AddressSanitizer: SEGV ../subprojects/libcdvar-1/src/c-dvar-reader.c:51 in c_dvar_read_u8
Jun 13 00:11:44 H dbus-broker-launch[3338]: ==3338==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fffddb7 (pc 0x0000004aaccb bp 0x7fff448a5040 sp 0x7fff448a4fc0 T0)
Jun 13 00:11:44 H dbus-broker-launch[3338]: ==3338==The signal is caused by a READ memory access.
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #0 0x4aaccb in c_dvar_read_u8 ../subprojects/libcdvar-1/src/c-dvar-reader.c:51
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #1 0x4adf87 in c_dvar_try_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:385
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #2 0x4b1351 in c_dvar_vread ../subprojects/libcdvar-1/src/c-dvar-reader.c:632
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #3 0x475a77 in c_dvar_read ../subprojects/libcdvar-1/src/c-dvar.h:307
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #4 0x47996f in message_parse_header ../src/dbus/message.c:254
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #5 0x47b907 in message_parse_metadata ../src/dbus/message.c:450
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #6 0x455160 in peer_dispatch_connection ../src/bus/peer.c:87
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #7 0x4572a4 in peer_dispatch ../src/bus/peer.c:201
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #8 0x4917e8 in dispatch_context_dispatch ../src/util/dispatch.c:343
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #9 0x4090a7 in broker_run ../src/broker/broker.c:213
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #10 0x4052e1 in run ../src/broker/main.c:259
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #11 0x40549d in main ../src/broker/main.c:289
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #12 0x7fa30843843f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #13 0x7fa3084384ef in __libc_start_main_alias_2 (/lib64/libc.so.6+0x404ef)
Jun 13 00:11:44 H dbus-broker-launch[3338]:     #14 0x403704 in _start (/usr/bin/dbus-broker+0x403704)
Jun 13 00:11:44 H dbus-broker-launch[3338]: AddressSanitizer can not provide additional info.
Jun 13 00:11:44 H dbus-broker-launch[3338]: SUMMARY: AddressSanitizer: SEGV ../subprojects/libcdvar-1/src/c-dvar-reader.c:51 in c_dvar_read_u8
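All four backtraces above end in c_dvar_read_u8 or c_dvar_read_u32 while message_parse_header/message_parse_body walk the message against its signature, and the sanitizer reports are a misaligned 4-byte load, a read below a stack variable and two reads of unmapped addresses. What follows is an added example, not code from dbus-broker or c-dvar: a Python model of a D-Bus wire-format reader in which every load is aligned and bounds-checked before it happens, so the same inputs are rejected with a parse error instead of being read. Type codes, alignments, the header layout and the header-field types follow the D-Bus specification; build_message, parse_message and rejects are this example's own names, and the Hello() message it builds is constructed for the example, not captured from a bus.

```python
# Added example, not code from dbus-broker or c-dvar: a D-Bus wire-format reader
# that aligns and bounds-checks every load before performing it, so a malformed
# message is rejected instead of being read past its buffer or at odd addresses.
import struct
from collections import namedtuple

class DBusParseError(Exception):
    pass

Variant = namedtuple('Variant', 'sig value')
FIXED = {'y': ('B', 1), 'b': ('I', 4), 'n': ('h', 2), 'q': ('H', 2), 'i': ('i', 4),
         'u': ('I', 4), 'x': ('q', 8), 't': ('Q', 8), 'd': ('d', 8), 'h': ('I', 4)}
ALIGN = {**{k: a for k, (_, a) in FIXED.items()}, 's': 4, 'o': 4, 'g': 1, 'a': 4, 'v': 1, '(': 8, '{': 8}
CLOSE = {'(': ')', '{': '}'}
FIELD_SIG = {1: 'o', 2: 's', 3: 's', 4: 's', 5: 'u', 6: 's', 7: 's', 8: 'g', 9: 'u'}  # header field codes

class Reader:
    def __init__(self, data, little_endian):
        self.data, self.pos, self.fmt = data, 0, '<' if little_endian else '>'
    def align(self, n):                            # padding must exist and be all zero
        end = (self.pos + n - 1) & ~(n - 1)
        if end > len(self.data) or any(self.data[self.pos:end]):
            raise DBusParseError(f'bad padding to {n} at offset {self.pos}')
        self.pos = end
    def take(self, n):                             # bounds check before the read, never after
        if n > len(self.data) - self.pos:
            raise DBusParseError(f'need {n} bytes at offset {self.pos}, {len(self.data) - self.pos} left')
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def fixed(self, code):
        fmt, alignment = FIXED[code]
        self.align(alignment)
        return struct.unpack(self.fmt + fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self, code):                        # 's'/'o' carry a u32 length, 'g' a single byte
        raw = self.take(self.fixed('y' if code == 'g' else 'u') + 1)
        if raw[-1] != 0 or 0 in raw[:-1]:
            raise DBusParseError('string must be NUL-terminated with no embedded NUL')
        return raw[:-1].decode('utf-8')

def skip_type(sig, i):                             # index just past the complete type at sig[i]
    if sig[i] == 'a':
        return skip_type(sig, i + 1)
    if sig[i] in CLOSE:
        j = i + 1
        while sig[j] != CLOSE[sig[i]]:
            j = skip_type(sig, j)
        return j + 1
    if sig[i] in FIXED or sig[i] in 'sogv':
        return i + 1
    raise DBusParseError(f'unknown type code {sig[i]!r}')

def read_value(r, sig, i):                         # read the complete type at sig[i] -> (value, next index)
    c = sig[i]
    if c in FIXED:
        return r.fixed(c), i + 1
    if c in 'sog':
        return r.string(c), i + 1
    if c == 'v':
        vsig = r.string('g')
        if not vsig or skip_type(vsig, 0) != len(vsig):
            raise DBusParseError('variant signature must be one complete type')
        return Variant(vsig, read_value(r, vsig, 0)[0]), i + 1
    if c == 'a':
        n = r.fixed('u')
        r.align(ALIGN[sig[i + 1]])                 # padding before element 0 is not counted in n
        end = r.pos + n
        if end > len(r.data):
            raise DBusParseError(f'array of {n} bytes at offset {r.pos} runs past the end')
        items = []
        while r.pos < end:
            items.append(read_value(r, sig, i + 1)[0])
        if r.pos != end:
            raise DBusParseError('array length does not end on an element boundary')
        return items, skip_type(sig, i + 1)
    if c in CLOSE:                                 # struct or dict entry, both 8-aligned
        r.align(8)
        j, items = i + 1, []
        while sig[j] != CLOSE[c]:
            v, j = read_value(r, sig, j)
            items.append(v)
        return tuple(items), j + 1
    raise DBusParseError(f'unknown type code {c!r}')

def parse_message(data):                           # -> (message type, serial, header fields, body values)
    if not 16 <= len(data) <= 1 << 27 or data[0] not in b'lB':
        raise DBusParseError('bad length or endianness byte')
    r = Reader(data, data[0] == ord('l'))
    try:
        (_, mtype, _, version, body_len, serial, raw), _ = read_value(r, '(yyyyuua(yv))', 0)
        if version != 1 or serial == 0:
            raise DBusParseError('bad protocol version or zero serial')
        fields = {}
        for code, var in raw:
            if code in fields or var.sig != FIELD_SIG.get(code, var.sig):
                raise DBusParseError(f'duplicate or mistyped header field {code}')
            fields[code] = var
        r.align(8)                                 # the body starts on an 8-byte boundary
        if len(data) - r.pos != body_len:
            raise DBusParseError(f'declared body length {body_len}, {len(data) - r.pos} present')
        body, sig, j = [], fields.get(8, Variant('g', '')).value, 0
        while j < len(sig):
            v, j = read_value(r, sig, j)
            body.append(v)
        if r.pos != len(data):
            raise DBusParseError('body holds more bytes than its signature describes')
    except (IndexError, UnicodeDecodeError) as e:  # ran off the end of a signature, or bad UTF-8
        raise DBusParseError(f'malformed signature or string: {e}') from e
    return mtype, serial, fields, body

def rejects(data):                                 # rejection reason, or None if accepted
    try:
        parse_message(data)
    except DBusParseError as e:
        return str(e)

def build_message(sig='', body=b''):               # constructed sample: little-endian Hello() call
    out = bytearray(struct.pack('<BBBBIII', ord('l'), 1, 0, 1, len(body), 1, 0))
    for code, vsig, value in [(1, 'o', '/org/freedesktop/DBus'), (3, 's', 'Hello')] + ([(8, 'g', sig)] if sig else []):
        out += b'\0' * (-len(out) % 8) + bytes([code, 1]) + vsig.encode() + b'\0'   # 8-aligned (yv): y, then 'g' sig
        if vsig == 'g':
            out += bytes([len(value)]) + value.encode() + b'\0'
        else:
            out += b'\0' * (-len(out) % 4) + struct.pack('<I', len(value)) + value.encode() + b'\0'
    out[12:16] = struct.pack('<I', len(out) - 16)  # fields array length excludes the trailing padding
    return bytes(out + b'\0' * (-len(out) % 8)) + body
```

parse_message(build_message()) accepts the constructed Hello() call and returns its header fields and an empty body; build_message('u', b'\x07\x00') declares a body of two bytes under a signature that needs four, and rejects() reports "need 4 bytes at offset 72, 2 left" from take() rather than reading on, which is the check that was missing on the c_dvar_read_u32 path in the traces above. Truncating the message below the header-fields array length, flipping a padding byte to non-zero, or editing the declared body length are all caught the same way, each at the point of the load that would otherwise go out of bounds.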
evverx commented 2 years ago

@dvdhrm I created a private repository where I added a file triggering a segfault and invited you as a collaborator. That particular crash can be triggered with

(printf '\0AUTH EXTERNAL\r\nDATA\r\nBEGIN\r\n'; cat ./04b135f7ce7c0e2250f892f607fedf4e6ecbb2e7) | nc -N -U /run/dbus/system_bus_socket

I can add the files to a public repository instead if it's more convenient. It's just that all those issues can be triggered by unprivileged users so I thought it would be better to share them privately first.

evverx commented 2 years ago

I added three more files there. I think they cover all the issues mentioned here.

dvdhrm commented 2 years ago

Oh dear, thanks for catching that! I fixed it in: https://github.com/c-util/c-dvar/commit/7944893cd263ec58cabcd34adf2c13ae4f45bd24

I only verified one of the dumps so far, I will check the other ones later. But maybe this already solves the issue for them all.

evverx commented 2 years ago

But maybe this already solves the issue for them all

Looks like those four crashes are gone. Thanks!

https://github.com/c-util/c-dvar/commit/7944893cd263ec58cabcd34adf2c13ae4f45bd24

It would be great if it would be possible to point dbus-broker to that commit. It took me a while to figure out that it isn't included in v1 (which subprojects/libcdvar-1.wrap currently points to) :-)

evverx commented 2 years ago

@dvdhrm with that patch applied dbus-broker no longer triggers ASan/UBSan but it appears malformed DBus messages can cause dbus-broker to fail with

Jun 15 17:44:55 H dbus-broker[29456]: Peer :1.270 is being disconnected as it sent a message with an invalid body.
Jun 15 17:44:56 H dbus-broker-launch[29456]:       message_parse_header @ ../src/dbus/message.c +360
Jun 15 17:44:56 H dbus-broker-launch[29456]:       message_parse_metadata @ ../src/dbus/message.c +452
Jun 15 17:44:56 H dbus-broker-launch[29456]:       peer_dispatch_connection @ ../src/bus/peer.c +123
Jun 15 17:44:56 H dbus-broker-launch[29456]:       peer_dispatch @ ../src/bus/peer.c +225
Jun 15 17:44:56 H dbus-broker-launch[29456]:       dispatch_context_dispatch @ ../src/util/dispatch.c +344
Jun 15 17:44:56 H dbus-broker-launch[29456]:       broker_run @ ../src/broker/broker.c +219
Jun 15 17:44:56 H dbus-broker-launch[29456]:       run @ ../src/broker/main.c +261
Jun 15 17:44:56 H dbus-broker[29456]: Dispatched 529 messages @ 24(±218)μs / message.
Jun 15 17:44:56 H dbus-broker-launch[29456]:       main @ ../src/broker/main.c +295
Jun 15 17:44:56 H dbus-broker-launch[29454]: ERROR launcher_run @ ../src/launch/launcher.c +1451: Return code 1
Jun 15 17:44:56 H dbus-broker-launch[29454]:       run @ ../src/launch/main.c +152
Jun 15 17:44:56 H dbus-broker-launch[29454]:       main @ ../src/launch/main.c +178
Jun 15 17:44:56 H dbus-broker-launch[29454]: Exiting due to fatal error: -131
Jun 15 17:44:56 H dbus-broker-launch[29454]: Caught SIGCHLD of broker.

I'm not sure if it's expected or not.

evverx commented 2 years ago

Looks like it can be reproduced without that patch as well so it seems to be a different issue. I added a file triggering it to https://github.com/evverx/dbus-message just in case.

dvdhrm commented 2 years ago

But maybe this already solves the issue for them all

Looks like those four crashes are gone. Thanks!

Thanks for verifying!

c-util/c-dvar@7944893

It would be great if it would be possible to point dbus-broker to that commit. It took me a while to figure out that it isn't included in v1 (which subprojects/libcdvar-1.wrap currently points to) :-)

Once I update v1, it will immediately hit distributions that build from git rather than tarballs, so I do that carefully. Instead, for temporary builds I update the git-checkouts in dbus-broker/subprojects/libc*-1/. Meson only fetches the v1 branch if nothing is there, so you can safely change branches or apply patches there.

Note that there is a long bank-holiday weekend right now in Germany, so I am unlikely to push out a new release. I will definitely do so next week!

Thanks for digging this all out and the effort to get the fuzzer to run! Very much appreciated!

dvdhrm commented 2 years ago

Looks like it can be reproduced without that patch as well so it seems to be a different issue. I added a file triggering it to https://github.com/evverx/dbus-message just in case.

Again, nice catch! Fixed in c-dvar fdfe98534012309c082b94014a2074a6f62dbe9b. Needs a minor adjustment in dbus-broker, though not a crucial one.

evverx commented 2 years ago

Meson only fetches the v1 branch if nothing is there, so you can safely change branches or apply patches there.

I pointed subprojects/libcdvar-1.wrap to main in the end. It's just that for some reason I thought that the commit went to v1 and it was supposed to be pulled automatically with v1.

Fixed in c-dvar fdfe98534012309c082b94014a2074a6f62dbe9b

Thanks! I can confirm that those backtraces are gone.

Note that there is a long bank-holiday weekend right now in Germany

Sorry. I didn't know that. Of course any patches/releases can be put on hold.

FWIW, since match rules caused systemd and dbus-daemon to crash back in the day, I also fuzzed the code parsing match rules in dbus-broker for some time, and it looks solid to me. I'll try to polish that fuzz target and add it as well to unleash OSS-Fuzz on it.