Summary

D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors. An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine.

Product

D-Bus (dbus-daemon)

Tested Version

1.12.2-1ubuntu1.1 (tested on Ubuntu 18.04.4 LTS)

Details: File descriptor leak in _dbus_read_socket_with_unix_fds

The function _dbus_read_socket_with_unix_fds contains the following code at dbus-sysdeps-unix.c, line 438:

if (m.msg_flags & MSG_CTRUNC)
  {
    /* Hmm, apparently the control data was truncated. The bad
       thing is that we might have completely lost a couple of fds
       without chance to recover them. Hence let's treat this as a
       serious error. */

    errno = ENOSPC;
    _dbus_string_set_length (buffer, start);
    return -1;
  }

The intention of this code is to handle the case where too many file descriptors are sent over the unix socket, causing the control data to get truncated. That could be a deliberate attempt by an attacker to cause a denial of service. The problem with the code is that some file descriptors may still have been received, even though the message has been truncated. So we need to make sure that those file descriptors are closed. Otherwise an attacker can cause us to quickly run out of file descriptors.

Impact

This issue can lead to a local denial of service attack: an unprivileged local attacker can make the system unusable for all users. For example, on Ubuntu 18.04.4 LTS, my proof-of-concept exploit prevents all users from logging in, because the login screen needs to send a D-Bus message, but the dbus-daemon is no longer able to send or receive any messages because it cannot create any new file descriptors.

CVE

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Resources

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-ID: GHSL-2020-057 in any communication regarding this issue.