Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix vulnerability in dbus proxy
During the authentication all client data is directly forwarded
to the dbus daemon as is, until we detect the BEGIN command after
which we start filtering the binary dbus protocol.

Unfortunately the detection of the BEGIN command in the proxy
did not exactly match the detection in the dbus daemon. A BEGIN
followed by a space or tab was considered ok in the daemon but
not by the proxy. This could be exploited to send arbitrary
dbus messages to the host, which can be used to break out of
the sandbox.

This was noticed by Gabriel Campana of The Google Security Team.

This fix makes the detection of the authentication phase end
match the dbus code. In addition we duplicate the authentication
line validation from dbus, which includes ensuring all data is
ASCII, and limiting the size of a line to 16k. In fact, we add
some extra stringent checks, disallowing ASCII control chars and
requiring that auth lines start with a capital letter.
  • Loading branch information
alexlarsson committed Jan 30, 2018
1 parent 3c9d3a3 commit 52346bf
Showing 1 changed file with 89 additions and 38 deletions.
127 changes: 89 additions & 38 deletions dbus-proxy/flatpak-proxy.c
Expand Up @@ -173,10 +173,11 @@

typedef struct FlatpakProxyClient FlatpakProxyClient;

/* We start looking ignoring the first cr-lf
since there is no previous line initially */
#define AUTH_END_INIT_OFFSET 2
#define AUTH_END_STRING "\r\nBEGIN\r\n"
#define FIND_AUTH_END_CONTINUE -1
#define FIND_AUTH_END_ABORT -2

#define AUTH_LINE_SENTINEL "\r\n"
#define AUTH_BEGIN "BEGIN"

typedef enum {
EXPECTED_REPLY_NONE,
Expand Down Expand Up @@ -258,7 +259,7 @@ struct FlatpakProxyClient
FlatpakProxy *proxy;

gboolean authenticated;
int auth_end_offset;
GByteArray *auth_buffer;

ProxySide client_side;
ProxySide bus_side;
Expand Down Expand Up @@ -372,6 +373,7 @@ flatpak_proxy_client_finalize (GObject *object)
client->proxy->clients = g_list_remove (client->proxy->clients, client);
g_clear_object (&client->proxy);

g_byte_array_free (client->auth_buffer, TRUE);
g_hash_table_destroy (client->rewrite_reply);
g_hash_table_destroy (client->get_owner_reply);
g_hash_table_destroy (client->unique_id_policy);
Expand Down Expand Up @@ -407,7 +409,7 @@ flatpak_proxy_client_init (FlatpakProxyClient *client)
init_side (client, &client->client_side);
init_side (client, &client->bus_side);

client->auth_end_offset = AUTH_END_INIT_OFFSET;
client->auth_buffer = g_byte_array_new ();
client->rewrite_reply = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, g_object_unref);
client->get_owner_reply = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, g_free);
client->unique_id_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
Expand Down Expand Up @@ -2315,51 +2317,92 @@ got_buffer_from_side (ProxySide *side, Buffer *buffer)
got_buffer_from_bus (client, side, buffer);
}

#define _DBUS_ISASCII(c) ((c) != '\0' && (((c) & ~0x7f) == 0))

static gboolean
auth_line_is_valid (guint8 *line, guint8 *line_end)
{
guint8 *p;

for (p = line; p < line_end; p++)
{
if (!_DBUS_ISASCII(*p))
return FALSE;

/* Technically, the dbus spec allows all ASCII characters, but for robustness we also
fail if we see any control characters. Such low values will appear in potential attacks,
but will never happen in real sasl (where all binary data is hex encoded). */
if (*p < ' ')
return FALSE;
}

/* For robustness we require the first char of the line to be an upper case letter.
This is not technically required by the dbus spec, but all commands are upper
case, and there is no provisioning for whitespace before the command, so in practice
this is true, and this means we're not confused by e.g. initial whitespace. */
if (line[0] < 'A' || line[0] > 'Z')
return FALSE;

return TRUE;
}

static gboolean
auth_line_is_begin (guint8 *line)
{
guint8 next_char;

if (!g_str_has_prefix ((char *)line, AUTH_BEGIN))
return FALSE;

/* dbus-daemon accepts either nothing, or a whitespace followed by anything as end of auth */
next_char = line[strlen (AUTH_BEGIN)];
return (next_char == 0 ||
next_char == ' ' ||
next_char == '\t');
}

static gssize
find_auth_end (FlatpakProxyClient *client, Buffer *buffer)
{
guchar *match;
int i;
goffset offset = 0;
gsize original_size = client->auth_buffer->len;

/* Add the new data to the remaining data from last iteration */
g_byte_array_append (client->auth_buffer, buffer->data, buffer->pos);

/* First try to match any leftover at the start */
if (client->auth_end_offset > 0)
while (TRUE)
{
gsize left = strlen (AUTH_END_STRING) - client->auth_end_offset;
gsize to_match = MIN (left, buffer->pos);
/* Matched at least up to to_match */
if (memcmp (buffer->data, &AUTH_END_STRING[client->auth_end_offset], to_match) == 0)
guint8 *line_start = client->auth_buffer->data + offset;
gsize remaining_data = client->auth_buffer->len - offset;
guint8 *line_end;

line_end = memmem (line_start, remaining_data,
AUTH_LINE_SENTINEL, strlen (AUTH_LINE_SENTINEL));
if (line_end) /* Found end of line */
{
client->auth_end_offset += to_match;
offset = (line_end + strlen (AUTH_LINE_SENTINEL) - line_start);

/* Matched all */
if (client->auth_end_offset == strlen (AUTH_END_STRING))
return to_match;
if (!auth_line_is_valid (line_start, line_end))
return FIND_AUTH_END_ABORT;

/* Matched to end of buffer */
return -1;
}
*line_end = 0;
if (auth_line_is_begin (line_start))
return offset - original_size;

/* Did not actually match at start */
client->auth_end_offset = -1;
}
/* continue with next line */
}
else
{
/* No end-of-line in this buffer */
g_byte_array_remove_range (client->auth_buffer, 0, offset);

/* Look for whole match inside buffer */
match = memmem (buffer, buffer->pos,
AUTH_END_STRING, strlen (AUTH_END_STRING));
if (match != NULL)
return match - buffer->data + strlen (AUTH_END_STRING);
/* Abort if more than 16k before newline, similar to what dbus-daemon does */
if (client->auth_buffer->len >= 16*1024)
return FIND_AUTH_END_ABORT;

/* Record longest prefix match at the end */
for (i = MIN (strlen (AUTH_END_STRING) - 1, buffer->pos); i > 0; i--)
{
if (memcmp (buffer->data + buffer->pos - i, AUTH_END_STRING, i) == 0)
{
client->auth_end_offset = i;
break;
return FIND_AUTH_END_CONTINUE;
}
}

return -1;
}

static gboolean
Expand Down Expand Up @@ -2418,6 +2461,14 @@ side_in_cb (GSocket *socket, GIOCondition condition, gpointer user_data)
if (extra_data > 0)
side->extra_input_data = g_bytes_new (buffer->data + buffer->size, extra_data);
}
else if (auth_end == FIND_AUTH_END_ABORT)
{
buffer_unref (buffer);
if (client->proxy->log_messages)
g_print ("Invalid AUTH line, aborting\n");
side_closed (side);
break;
}
}

got_buffer_from_side (side, buffer);
Expand Down

0 comments on commit 52346bf

Please sign in to comment.