oss-sec mailing list archives
Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message
From: Simon McVittie <smcv () debian org>
Date: Tue, 19 Feb 2019 16:48:58 +0000
On Mon, 18 Feb 2019 at 17:41:56 +0100, Chris Coulson wrote:
According to the dbus specification, the path "may be of any length" (with the length being represented on the wire by a uint32), but systemd seems to limit the size of incoming messages to 128MB (BUS_MESSAGE_SIZE_MAX).
D-Bus is a protocol and dbus is the reference implementation of the D-Bus protocol, so it's really the D-Bus specification. The 128M limit also comes from the D-Bus Specification, which isn't always as good as it might be about taking a rule from one part of the spec and noting its consequences in another part (patches welcome). The intention is that wherever rules rule1 and rule2 overlap, messages must obey (rule1 && rule2) - so for instance when a string or path can be any 32-bit length, a string or path is part of a message, and a message is up to 128M, the practical result is that the longest possible string or path is a bit less than 128M.
From testing on Ubuntu 18.10, it seems that the real limit is actually much less than this - dbus-daemon drops the connection when I try to send a message with an object path greater than about 32MB.
This lower limit is `dbus-daemon --system` policy/configuration to mitigate/limit denial-of-service attacks by resource exhaustion (and accidentally also mitigation for attacks like this one, although I don't think that was ever intentional) - part of dbus, the reference implementation of D-Bus, rather than part of the D-Bus spec. It can differ in other implementations like dbus-broker and gdbus-daemon, and it can also be changed by distros or sysadmins. smcv
Current thread:
- CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Chris Coulson (Feb 18)
- Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Simon McVittie (Feb 19)