avahi-daemon can be crashed via DBus #375
Confirm that it is still happening on recent Fedora

(gdb) bt
#0 0x00007f256848ec0c in __pthread_kill_implementation () from /lib64/libc.so.6
#1 0x00007f256843e986 in raise () from /lib64/libc.so.6
#2 0x00007f25684287f4 in abort () from /lib64/libc.so.6
#3 0x00007f25687c8c92 in _dbus_abort () at ../../dbus/dbus-sysdeps.c:101
#4 0x00007f25687ef910 in _dbus_warn_check_failed (
format=0x7f25687fccf0 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n") at ../../dbus/dbus-internals.c:289
#5 0x00007f25687de7cf in dbus_message_iter_append_basic (iter=iter@entry=0x7ffe13ba4cb0, type=type@entry=115, value=0x7ffe13ba4ea8)
at ../../dbus/dbus-message.c:2771
#6 0x00007f25687dfbb5 in dbus_message_append_args_valist (message=message@entry=0x55b65a9572b0, first_arg_type=<optimized out>,
var_args=var_args@entry=0x7ffe13ba4da0) at ../../dbus/dbus-message.c:1883
#7 0x00007f25687dfe0d in dbus_message_append_args (message=message@entry=0x55b65a9572b0, first_arg_type=first_arg_type@entry=115)
at ../../dbus/dbus-message.c:1841
#8 0x000055b659c9be30 in avahi_dbus_respond_string (text=0x0, m=0x55b65a9572b0, c=0x55b65a956c50)
at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/dbus-util.c:79
#9 dbus_get_alternative_service_name (error=0x7ffe13ba4f20, m=0x55b65a9572b0, c=0x55b65a956c50)
at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/dbus-protocol.c:392
#10 dbus_select_common_methods (c=c@entry=0x55b65a956c50, m=m@entry=0x55b65a958fa0, iface=iface@entry=0x55b659ca53ab "org.freedesktop.Avahi.Server",
error=error@entry=0x7ffe13ba4f20, userdata=<optimized out>) at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/dbus-protocol.c:1043
#11 0x000055b659c9e3af in dbus_select_common_methods (userdata=0x7ffe13ba4f20, error=0x7ffe13ba4f20,
iface=0x55b659ca53ab "org.freedesktop.Avahi.Server", m=0x55b65a958fa0, c=0x55b65a956c50)
at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/dbus-protocol.c:1003
#12 msg_server_impl (c=0x55b65a956c50, m=m@entry=0x55b65a958fa0, userdata=userdata@entry=0x0)
at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/dbus-protocol.c:1183
#13 0x00007f25687d3d11 in _dbus_object_tree_dispatch_and_unlock (found_object=<synthetic pointer>, message=<optimized out>, tree=0x55b65a956ff0)
at ../../dbus/dbus-object-tree.c:1021
#14 dbus_connection_dispatch (connection=0x55b65a956c50) at ../../dbus/dbus-connection.c:4742
#15 dbus_connection_dispatch (connection=0x55b65a956c50) at ../../dbus/dbus-connection.c:4574
#16 0x000055b659ca2ae3 in dispatch_timeout_callback (t=<optimized out>, userdata=0x55b65a960070) at ../avahi-common/dbus-watch-glue.c:105
#17 0x00007f256888dc78 in avahi_simple_poll_dispatch () from /lib64/libavahi-common.so.3
#18 0x000055b659c93d6c in run_server (c=0x55b659cb00e0 <config.lto_priv>) at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/main.c:1268
#19 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/avahi-0.8-18.fc36.x86_64/avahi-daemon/main.c:1686
pemensik added a commit to pemensik/avahi that referenced this issue on Nov 17, 2022:
It currently just crashes instead of replying with error. Check return value and emit error instead of passing NULL pointer to reply. Fixes avahi#375
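The pattern that commit message describes, as an added example that is not avahi's code: a helper that can return NULL feeds a reply routine that aborts on NULL, shown unchecked and then with the return value checked. All names here (`alt_name`, `respond_string`, `respond_error`, `handle_*`, `struct reply`) and the rejection rule are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum reply_kind { REPLY_STRING, REPLY_ERROR };
struct reply { enum reply_kind kind; char text[128]; }; /* hypothetical reply message */

/* Stand-in for the name helper: returns a malloc'd string, or NULL when it
 * rejects the input (empty name; constructed rule, not avahi's validation). */
char *alt_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0) return NULL;
    char *out = malloc(n + 4);
    if (out) snprintf(out, n + 4, "%s #2", name);
    return out;
}

/* Stand-in for the string reply: as libdbus does in the backtrace, a NULL
 * string argument is treated as a caller bug and the process aborts. */
void respond_string(struct reply *r, const char *text) {
    if (!text) abort();
    r->kind = REPLY_STRING;
    snprintf(r->text, sizeof r->text, "%s", text);
}

void respond_error(struct reply *r, const char *msg) {
    r->kind = REPLY_ERROR;
    snprintf(r->text, sizeof r->text, "%s", msg);
}

/* Before: the helper's result goes straight into the reply. */
void handle_unchecked(struct reply *r, const char *name) {
    char *t = alt_name(name);
    respond_string(r, t);          /* t == NULL ends the whole daemon */
    free(t);
}

/* After: check the return value and answer with an error instead. */
void handle_checked(struct reply *r, const char *name) {
    char *t = alt_name(name);
    if (!t) { respond_error(r, "invalid name"); return; }
    respond_string(r, t);
    free(t);
}

int main(void) {
    struct reply r;
    handle_checked(&r, "");        /* rejected input: error reply, no abort */
    printf("%s: %s\n", r.kind == REPLY_ERROR ? "error" : "string", r.text);
    return 0;
}
```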
evverx added a commit to evverx/avahi that referenced this issue on Dec 2, 2022:
to prevent issues like avahi#375
evverx pushed a commit to evverx/avahi that referenced this issue on Dec 2, 2022:
It currently just crashes instead of replying with error. Check return value and emit error instead of passing NULL pointer to reply. Fixes avahi#375
This issue got assigned CVE-2023-1981
bmeagherix pushed a commit to truenas/avahi that referenced this issue on Aug 25, 2023:
It currently just crashes instead of replying with error. Check return value and emit error instead of passing NULL pointer to reply. Fixes avahi#375
It was discovered by dfuzzer and kind of reported in https://github.com/matusmarhefka/dfuzzer/issues/20. I think it's a local DOS technically and as far as I can tell it can be triggered by unprivileged users on Fedora 35 at least.