Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message

Related Vulnerabilities: CVE-2019-6454  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Simon McVittie &lt;smcv () debian org&gt;

Date: Tue, 19 Feb 2019 16:48:58 +0000

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Mon, 18 Feb 2019 at 17:41:56 +0100, Chris Coulson wrote:
According to the dbus specification, the path "may be of any
length" (with the length being represented on the wire by a uint32),
but systemd seems to limit the size of incoming messages to 128MB
(BUS_MESSAGE_SIZE_MAX).

D-Bus is a protocol and dbus is the reference implementation of the
D-Bus protocol, so it's really the D-Bus specification.

The 128M limit also comes from the D-Bus Specification, which isn't
always as good as it might be about taking a rule from one part of the
spec and noting its consequences in another part (patches welcome). The
intention is that wherever rules rule1 and rule2 overlap, messages must
obey (rule1 &amp;&amp; rule2) - so for instance when a string or path can be
any 32-bit length, a string or path is part of a message, and a message
is up to 128M, the practical result is that the longest possible string
or path is a bit less than 128M.

From testing on Ubuntu 18.10, it seems that the
real limit is actually much less than this - dbus-daemon drops the
connection when I try to send a message with an object path greater than
about 32MB.

This lower limit is `dbus-daemon --system` policy/configuration to
mitigate/limit denial-of-service attacks by resource exhaustion (and
accidentally also mitigation for attacks like this one, although I don't
think that was ever intentional) - part of dbus, the reference
implementation of D-Bus, rather than part of the D-Bus spec. It can differ
in other implementations like dbus-broker and gdbus-daemon, and it can
also be changed by distros or sysadmins.

    smcv

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Chris Coulson (Feb 18)

Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Simon McVittie (Feb 19)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started