Summary : Infinite recursion in message validation
          Protocol design error
Date : 11 December 2010
Affected versions : dbus 1.4.0, dbus 1.2.24 and earlier
Impact : Local denial of service
CVE ID : CVE-2010-4352
ID : FreeDesktop bug #32321
The D-Bus message format provides four different container types: array, structure, dictionary entry and variant. The format specification explicitly forbids more than 32 levels of nesting for arrays, as well as for structures, inside a message signature. Dictionary entries also cannot be nested more than 32 levels deep (within a single signature), since they can only occur inside arrays. There is however no limit on the nesting of variants, other than the total message size limit.
When a D-Bus message is received, libdbus always checks that the message is well-formed. In doing so, it recursively checks any variant found in the message. If the message contains an excessive number of nested variants, the function call recursion gets too deep, the call stack overflows, and the process experiences a segmentation fault.
A malicious user could use this vulnerability to crash the bus daemon. In the case of the system bus, this is a local denial of service attack. Depending on which services rely on D-Bus, the consequences range from a minor inconvenience to rendering the system unusable.
Furthermore, even if the bus daemon did not crash, it might be possible to crash any process connected to the bus that uses libdbus. At this point, however, this attack remains hypothetical.
This attack cannot be exploited to run arbitrary code. This attack cannot be exploited remotely.
A user account is needed to carry out this attack.
Paradoxically, this attack is more likely to succeed if the bus daemon is a position-independent executable (PIE). While PIE is used as a security precaution against several classes of code execution vulnerabilities, it usually leaves less call stack space, which makes this attack easier. Many GNU/Linux distributions nowadays compile the bus daemon (or all executables) as PIE.
This attack can be thwarted by reducing the maximum size of D-Bus messages. However, the limit needed may be smaller than what some D-Bus services require. On Debian Squeeze for i386, a message of about 110 kb is big enough to crash the bus.
D-Bus release version 1.4.1 includes a fix for this issue.
The D-Bus protocol needs to be updated to strictly limit the nesting of variants. The reference implementation has been changed accordingly.
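To illustrate the missing bound described above, here is an added example (not libdbus code, and not the 1.4.1 fix itself) that walks a variant-typed message body in a simplified model of the wire encoding and rejects nesting beyond a hypothetical 32-level limit, mirroring the limit the specification already places on arrays and structures. The function names (validate_variant_message, build_nested_variants, nested_variants_accepted) and the int32-only, no-padding simplifications are assumptions of this example.

```c
#include <string.h>
#define MAX_NESTING 32   /* hypothetical bound; the spec allows 32 levels for arrays/structs */

/* Recursively validate one value of type 'type' at body[*pos]. Simplified model of the
 * D-Bus wire encoding: only 'i' (int32, alignment padding ignored) and 'v' (1-byte
 * signature length, signature, NUL terminator, then the value). */
static int validate_value(const unsigned char *body, size_t len, size_t *pos,
                          char type, int depth)
{
    if (depth > MAX_NESTING)       /* the bound the affected versions lacked: stop here */
        return -1;
    switch (type) {
    case 'i':
        if (len - *pos < 4) return -1;
        *pos += 4;
        return 0;
    case 'v':                      /* model: one single-character signature inside */
        if (len - *pos < 3 || body[*pos] != 1 || body[*pos + 2] != 0) return -1;
        *pos += 3;
        return validate_value(body, len, pos, (char) body[*pos - 2], depth + 1);
    default:
        return -1;                 /* unknown type code */
    }
}

/* Validate a message body whose signature is "v": 1 = well-formed, 0 = rejected. */
int validate_variant_message(const unsigned char *body, size_t len)
{
    size_t pos = 0;
    return validate_value(body, len, &pos, 'v', 0) == 0 && pos == len;
}

/* Constructed sample body: n variants nested inside each other, the innermost
 * holding an int32 zero. Returns the body length, or 0 if n < 1 or it won't fit. */
size_t build_nested_variants(unsigned char *out, size_t cap, int n)
{
    size_t pos = 0;
    if (n < 1 || 3 * (size_t) n + 4 > cap) return 0;
    for (int i = 1; i < n; i++) { out[pos++] = 1; out[pos++] = 'v'; out[pos++] = 0; }
    out[pos++] = 1; out[pos++] = 'i'; out[pos++] = 0;
    memset(out + pos, 0, 4);
    return pos + 4;
}

/* Build n nested variants and run the validator: 1 = accepted, 0 = rejected. */
int nested_variants_accepted(int n)
{
    unsigned char buf[4096];
    size_t len = build_nested_variants(buf, sizeof buf, n);
    return len != 0 && validate_variant_message(buf, len);
}
```

Because the depth check runs before any recursive call, the validator's stack usage is bounded by the limit regardless of the message size, so a large body of nested variants is rejected instead of exhausting the stack.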
This vulnerability was discovered by Rémi Denis-Courmont.