After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 728733 - insufficient input validation in GDBusMenuModel
insufficient input validation in GDBusMenuModel
Status: RESOLVED OBSOLETE
Product: glib
Classification: Platform
Component: gapplication
unspecified
Other All
: Normal normal
: ---
Assigned To: gtkdev
gtkdev
Depends on: 728734
Blocks:
 
 
Reported: 2014-04-22 15:14 UTC by Allison Karlitskaya (desrt)
Modified: 2018-05-24 16:28 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
gdbusmenumodel: validate input from dbus calls (7.06 KB, patch)
2014-04-28 07:36 UTC, Lars Karlitski
none Details | Review
gmenumodel: disallow exporting large menus on the bus (9.25 KB, patch)
2014-04-28 10:16 UTC, Lars Karlitski
none Details | Review

Description Allison Karlitskaya (desrt) 2014-04-22 15:14:25 UTC
https://errors.ubuntu.com/problem/648b0ee396d66bc960c224a5794f5c22850b51ed shows some crashes caused by insufficient input validation on GDBusMenuModel.

This code was never written with security in mind but it's pretty clear that invalid input from across D-Bus should not cause crashes.  It's also scary that we plan to use this code (some day) inside of the shell to speak with sandboxed applications that want to publish app menus...

In this particular case, we don't adequately inspect the position/removed/added fields on changed signals for sanity.  We actually make sure that position+removed is in range, but when position is -1 and removed is 1, that's 0...
Comment 1 Allison Karlitskaya (desrt) 2014-04-22 15:33:00 UTC
the crux of the trace (which is apparently behind a mandatory login):

  • #9 g_menu_model_items_changed
    at /build/buildd/glib2.0-2.40.0/./gio/gmenumodel.c line 688
  • #10 g_dbus_menu_model_changed
    at /build/buildd/glib2.0-2.40.0/./gio/gdbusmenumodel.c line 825
  • #11 g_dbus_menu_group_changed
    at /build/buildd/glib2.0-2.40.0/./gio/gdbusmenumodel.c line 628
  • #12 g_dbus_menu_path_signal
    at /build/buildd/glib2.0-2.40.0/./gio/gdbusmenumodel.c line 291
  • #13 emit_signal_instance_in_idle_cb
    at /build/buildd/glib2.0-2.40.0/./gio/gdbusconnection.c line 3750

Comment 2 Pete Woods 2014-04-22 15:43:32 UTC
There's an additional (I think related) crash here (http://paste.ubuntu.com/7307883/) where the index looks more sane. In this case it says that a new item as been added at position 7. But when we ask the local copy of the menu for the menu item at index 7, it fails to find the item's property table (asserts code should not be reached).
Comment 3 Pete Woods 2014-04-22 15:46:28 UTC
Obviously we should be bounds checking indexes in the client (and we will be from now on), I'm just puzzled why the local copy of the exported menu hasn't successfully updated to include the new item.
Comment 4 Lars Karlitski 2014-04-28 07:36:39 UTC
Created attachment 275298 [details] [review]
gdbusmenumodel: validate input from dbus calls
Comment 5 Pete Woods 2014-04-28 07:50:53 UTC
Is it worth adding a validation check for the removed parameter, too?
Comment 6 Pete Woods 2014-04-28 08:07:31 UTC
Sorry, I meant the added parameter.
Comment 7 Lars Karlitski 2014-04-28 10:16:41 UTC
Created attachment 275309 [details] [review]
gmenumodel: disallow exporting large menus on the bus
Comment 8 Lars Karlitski 2014-04-28 10:20:06 UTC
> Is it worth adding a validation check for the added parameter, too?

The added parameter is a variant list containing the items to add.

But you make a good point. Allowing arbitrarily sized menus is a bit crazy. I've updated the patch to disallow sections with more than 1000 items. That makes the validation checks easier, as there's no need to check for overflow.
Comment 9 Pete Woods 2014-04-28 10:40:46 UTC
That sounds like an excellent idea.

The other question I have, is it possible to push back errors to the misbehaving GTK app somehow? i.e. so the application developer / user can see that it is doing something screwy with menus.

(I have to assume at this point that it's a GTK app causing this, rather than someone who's reverse engineered the menumodel DBus protocol)
Comment 10 Lars Karlitski 2014-04-28 11:43:05 UTC
(In reply to comment #9)
> The other question I have, is it possible to push back errors to the
> misbehaving GTK app somehow? i.e. so the application developer / user can see
> that it is doing something screwy with menus.

Not really, because we're doing these checks in response to a D-Bus signal and after calling a method ourselves. However, this patch makes use of (and is blocked by) g_dbus_warning(), which will print a descriptive message including the sender and its PID.
Comment 11 Pete Woods 2014-04-28 11:59:23 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > The other question I have, is it possible to push back errors to the
> > misbehaving GTK app somehow? i.e. so the application developer / user can see
> > that it is doing something screwy with menus.
> 
> Not really, because we're doing these checks in response to a D-Bus signal and
> after calling a method ourselves. However, this patch makes use of (and is
> blocked by) g_dbus_warning(), which will print a descriptive message including
> the sender and its PID.

I understand that, I more just meant, should we be adding the same validation on the server end? With g_warning / g_error whatever is appropriate. The idea being not to stop malicious code, but to help prevent mistakes being made.
Comment 12 Lars Karlitski 2014-04-28 12:14:21 UTC
It does print those warnings on the server side :)
Comment 13 Pete Woods 2014-04-28 12:18:53 UTC
Yay! Okay, color me happy then!
Comment 14 Matthias Clasen 2015-03-29 16:42:39 UTC
Looks like a useful patch - sadly it doesn't compile here:

gdbusmenumodel.c:604:7: error: implicit declaration of function 'g_dbus_warning' [-Werror=implicit-function-declaration]
       g_dbus_warning ("invalid arguments");
Comment 15 Lars Karlitski 2015-04-27 06:54:18 UTC
(In reply to Matthias Clasen from comment #14)
> Looks like a useful patch - sadly it doesn't compile here:

That's because we never got around to merging g_dbus_warning (bug #728734).
Comment 16 GNOME Infrastructure Team 2018-05-24 16:28:00 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib/issues/861.