Commit Graph

20957 Commits

Author SHA1 Message Date
Simon McVittie
ee502dbbe8 GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.

The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.

This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.

In particular, GNOME/glib#1831 indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:

        client           server
    connect
                         accept
    send '\0' <- race -> set SO_PASSCRED = 1
                         receive '\0'

If the server wins the race:

        client           server
    connect
                         accept
                         set SO_PASSCRED = 1
    send '\0'
                         receive '\0'

then everything is fine. However, if the client wins the race:

        client           server
    connect
                         accept
    send '\0'
                         set SO_PASSCRED = 1
                         receive '\0'

then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.

In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.

In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-28 19:56:00 +00:00
Simon McVittie
1485a97d80 credentials: Invalid Linux struct ucred means "no information"
On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one
might expect it to fail with an appropriate error like ENOTSUP or
EPROTONOSUPPORT. However, it appears that in fact it succeeds, but
yields a credentials structure with pid 0, uid -1 and gid -1. These
are not real process, user and group IDs that can be allocated to a
real process (pid 0 needs to be reserved to give kill(0) its documented
special semantics, and similarly uid and gid -1 need to be reserved for
setresuid() and setresgid()) so it is not meaningful to signal them to
high-level API users.

An API user with Linux-specific knowledge can still inspect these fields
via g_credentials_get_native() if desired.

Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message
on a receiving Unix socket, but the sending socket had not enabled
SO_PASSCRED at the time that the message was sent, it is possible
for it to succeed but yield a credentials structure with pid 0, uid
/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even
if we were to read those pseudo-files, we cannot distinguish between
the overflow IDs and a real process that legitimately has the same IDs
(typically they are set to 'nobody' and 'nogroup', which can be used
by a real process), so we detect this situation by noticing that
pid == 0, and to save syscalls we do not read the overflow IDs from
/proc at all.

This results in a small API change: g_credentials_is_same_user() now
returns FALSE if we compare two credentials structures that are both
invalid. This seems like reasonable, conservative behaviour: if we cannot
prove that they are the same user, we should assume they are not.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:55:47 +00:00
Simon McVittie
ef1035d9d8 gcredentialsprivate: Document the various private macros
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:54:08 +00:00
Philip Withnall
c73bd53eb8 Merge branch 'fbsd_build' into 'master'
Update documentation with FreeBSD build instructions

See merge request GNOME/glib!1120
2019-10-28 17:26:26 +00:00
Philip Withnall
1bebba0430 Merge branch 'ossfuzz-10286-variant-parser-recursion' into 'master'
gvariant: Limit recursion in g_variant_parse()

See merge request GNOME/glib!1173
2019-10-25 17:44:24 +00:00
Philip Withnall
f343ec5f82 Merge branch 'gtimezone' into 'master'
syscall flood on every time*() function call

See merge request GNOME/glib!1105
2019-10-25 17:27:49 +00:00
rim
551e83662d gtimezone: Cache UTC and local TZ indefinitely
Previously, these GTimeZone objects were being cached in the `time_zones` cache, but dropped from it when their final ref was dropped (which was frequently). That meant additional reads of `/etc/localtime` next time they were created, which was noticeable on profiles. Keep a permanent ref to the UTC and local timezones.
2019-10-25 17:27:49 +00:00
Sebastian Dröge
5e17a98d19 Merge branch 'source-thread-safety-docs' into 'master'
gmain: Clarify thread safety of some common GSource functions

See merge request GNOME/glib!1181
2019-10-25 14:16:34 +00:00
Sebastian Dröge
ab98d4e285 Merge branch 'wip/hadess/fix-api-docs-typo' into 'master'
gio: Fix typo in URL

See merge request GNOME/glib!1182
2019-10-25 13:35:37 +00:00
Bastien Nocera
0d3b1d55e9 gio: Fix typo in URL
Left-over quote in URL.
2019-10-25 15:09:08 +02:00
Philip Withnall
ca4dace62b gmain: Clarify thread safety of some common GSource functions
See https://stackoverflow.com/q/58555626/2931197.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-25 12:13:31 +01:00
Sebastian Dröge
2e9b2761d6 Merge branch 'main-context-pusher' into 'master'
gmain: Add GMainContextPusher convenience API

See merge request GNOME/glib!983
2019-10-24 11:58:34 +00:00
Sebastian Dröge
05be19b9f7 Merge branch 'wip/smcv/array-memcpy-ub' into 'master'
array: Avoid use of memcpy(dest, NULL, 0)

See merge request GNOME/glib!1180
2019-10-24 11:49:09 +00:00
Philip Withnall
d62c1dad22 Merge branch 'wip/array-doc-comments' into 'master'
Improve GPtrArray doc-comments

See merge request GNOME/glib!1179
2019-10-24 11:44:38 +00:00
Simon McVittie
3837b83f5a array: Avoid use of memcpy(dest, NULL, 0)
glibc declares memcpy() with the first two arguments (the pointers)
annotated as non-null via an attribute, which results in the undefined
behaviour sanitizer considering it to be UB to pass a null pointer
in the second argument, even if we are copying 0 bytes (and hence not
actually dereferencing the pointer).

This shows up in array-test when run with the undefined behaviour
sanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-24 12:08:20 +01:00
Simon McVittie
acbbe7b8c4 array: Add tests based on the g_ptr_array_sort[_with_data] doc-comments
Note that I deliberately haven't used g_autoptr here, because while we
encourage GLib users to use g_autoptr in their own code, GLib itself
still supports being compiled in environments like MSVC that can't
support g_autoptr.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-24 12:02:33 +01:00
Simon McVittie
ee13eb518d array: Fix handling of user_data in doc-comment
The user_data for g_ptr_array_sort_with_data is passed directly, not
with an extra layer of pointer like the data pointers.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 52c130f8
2019-10-24 11:57:29 +01:00
Simon McVittie
ef6fe191ac array: Remove unnecessary casts from doc-comments
Let's not encourage library users to sprinkle casts through their code
when they don't need to.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 52c130f8
2019-10-24 11:57:13 +01:00
Jordi Mas
8a7b375216 Update Catalan translation 2019-10-23 21:58:05 +02:00
Philip Withnall
21f8f89820 gmain: Add GMainContextPusher convenience API
This is like `GMutexLocker`, in that if you are able to use
`g_autoptr()`, it makes popping a `GMainContext` off the thread-default
main context stack easier when exiting a function.

A few uses of `G_GNUC_{BEGIN,END}_IGNORE_DEPRECATIONS` are needed to
avoid warnings when building apps against GLib with
`GLIB_VERSION_MAX_ALLOWED < GLIB_VERSION_2_64`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-23 11:35:58 +01:00
Philip Withnall
65ce1c3fcd glib: Ignore deprecations when declaring autocleanups
We may need to declare autocleanups for new types, which will be marked
as ‘deprecated’ if the code which includes GLib doesn’t declare a high
enough `GLIB_VERSION_MAX_ALLOWED`. Despite that, we still need to
declare the autocleanups.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-23 11:25:48 +01:00
Sebastian Dröge
d515a1e85a Merge branch '1813-option-context-annotations' into 'master'
goption: Add missing (array) annotation to add_main_entries()

Closes #1813

See merge request GNOME/glib!942
2019-10-22 10:05:06 +00:00
Sebastian Dröge
611ea6e805 Merge branch '1836-dbus-connection-docs' into 'master'
gdbusconnection: Clarify nullability in a documentation comment

Closes #1836

See merge request GNOME/glib!1003
2019-10-22 07:48:13 +00:00
Sebastian Dröge
9c7a8c76d0 Merge branch 'testfilemonitor-leaks' into 'master'
Fix some minor leaks in testfilemonitor

See merge request GNOME/glib!1167
2019-10-22 06:58:55 +00:00
Philip Withnall
b7e84fb903 testfilemonitor: Fix a trivial leak in the test
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1910
2019-10-18 17:02:57 +01:00
Philip Withnall
322347e103 Merge branch 'assert-finalize-test' into 'master'
tests: Add a test for g_assert_finalize_object()

See merge request GNOME/glib!1014
2019-10-18 15:46:33 +00:00
Sebastian Dröge
b0f43cc451 Merge branch '1903-mimeapps-test-race' into 'master'
Fix thread unsafety in GFileMonitorSource and mimeapps test

Closes #1903

See merge request GNOME/glib!1164
2019-10-18 15:32:04 +00:00
Philip Withnall
31f9249528 tests: Add a test for g_assert_finalize_object()
A simple test just to double-check it works. See #488.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #488
2019-10-18 15:55:27 +01:00
Sebastian Dröge
f904587fcc Merge branch 'locale-docs' into 'master'
gcharset: Expand the documentation for g_get_locale_variants()

See merge request GNOME/glib!1163
2019-10-18 14:38:36 +00:00
Sebastian Dröge
51c3cf759e Merge branch 'timezone-test-toolbox' into 'master'
Fix gdatetime tests on toolbox

See merge request GNOME/glib!1168
2019-10-18 14:34:07 +00:00
Sebastian Dröge
bab6acff9b Merge branch 'atomic-strict-aliasing-fixes' into 'master'
Strict-aliasing fixes to new atomic built-ins

See merge request GNOME/glib!1155
2019-10-18 14:00:26 +00:00
Philip Withnall
25c2266a33 gvariant: Limit recursion in g_variant_parse()
The token parsing done by g_variant_parse() uses recursive function
calls, so at some point it will hit the stack limit. As with previous
changes to `GVariantType` parsing (commit 7c4e6e9fbe), limit the level
of nesting of containers parsed by g_variant_parse() to something
reasonable. We guarantee 64 levels of nesting, which should be enough
for anyone, and is the same as what we guarantee for types.

oss-fuzz#10286

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-18 13:53:18 +01:00
Philip Withnall
5dedc259b1 gtimezone: Clarify in docs that TZ can contain an absolute path
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-16 14:32:33 +01:00
Philip Withnall
c4d46d632f tests: Relax the time zone identifier tests
On closer reading of `man 3 timezone`, it’s actually permissible for
`TZ` to contain an absolute path which points to a tzfile file outside
the system time zone database. This is indeed what happens when building
GLib under Fedora’s toolbox, so relax that check in the tests.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-16 14:32:20 +01:00
Philip Withnall
3dec72b946 Merge branch 'wip/lantw/use-uname-as-a-fallback-to-get-os-info' into 'master'
Use uname as a fallback to get OS info

See merge request GNOME/glib!1165
2019-10-14 13:10:39 +00:00
Ting-Wei Lan
d219b3553c gutils: Use uname to report OS info when there is no os-release file
There are a lot of Unix-like systems which have not implemented the
os-release spec. On such system, we can use POSIX uname function as a
fallback to get basic information of the system.
2019-10-14 13:42:08 +01:00
Ting-Wei Lan
00abf67e2c gutils: Only use the default OS name on Linux
/etc/os-release is a spec designed for Linux. While other OSes can
implement it, it doesn't make sense to use Linux as the default value
on systems which don't use Linux.
2019-10-14 20:25:51 +08:00
Ting-Wei Lan
89ad9286d4 gutils: Do not translate OS names
The code is intended to provide an interface similar to /etc/os-release,
but /etc/os-release isn't designed to be translated.
2019-10-14 20:25:51 +08:00
Philip Withnall
493909b5e9 Merge branch 'osinfo' into 'master'
Add Windows support to g_get_os_info()

See merge request GNOME/glib!1160
2019-10-14 12:12:06 +00:00
Philip Withnall
592a13b483 glocalfilemonitor: Keep a weak ref to the monitor in GFileMonitorSource
Previously we were keeping a pointer to the `GFileMonitor` in a
`GFileMonitorSource` instance, but since we weren’t keeping a strong
reference, that `GFileMonitor` instance could be finalised from another
thread at any point while the source was referring to it. Not good.

Use a weak reference, and upgrade it to a strong reference whenever the
`GFileMonitorSource` is referring to the file monitor.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1903
2019-10-11 22:31:24 +01:00
Philip Withnall
5b07fc98e0 gdesktopappinfo: Cancel file monitor when resetting a DesktopFileDir
It’s not enough to unref the monitor, since the GLib worker thread might
still hold a reference to it.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1903
2019-10-11 22:31:24 +01:00
Philip Withnall
bffe058550 gdesktopappinfo: Allocate DesktopFileDir structs dynamically
`DesktopFileDir` pointers are passed around between threads: they are
initially created on the main thread, but a pointer to them is passed to
the GLib worker thread in the file monitor callback
(`desktop_file_dir_changed()`).

Accordingly, the `DesktopFileDir` objects either have to be
 (1) immutable;
 (2) reference counted; or
 (3) synchronised between the two threads
to avoid one of them being used by one thread after being freed on
another. Option (1) changed with commit 99bc33b6 and is no longer an
option. Option (3) would mean blocking the main thread on the worker
thread, which would be hard to achieve and is against the point of
having a worker thread. So that leaves option (2), which is implemented
here.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1903
2019-10-11 22:31:24 +01:00
Philip Withnall
cea8424e80 gcharset: Expand the documentation for g_get_locale_variants()
Include some more examples, and a reference to the format of locales.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-11 11:47:42 +01:00
Руслан Ижбулатов
fc2f566a98 Add Windows support to g_get_os_info()
Most of the info returned is static, the only thing that changes
is the OS version.

This code relies on g_win32_check_windows_version() providing
accurate information (hopefully, MS won't nix RtlGetVersion() on
which we use for that) and supplements it with information from the
registry for Windows >= 8.1.
2019-10-11 06:07:26 +00:00
Philip Withnall
c7dd1ae040 Merge branch '1896-use-after-free-when-calling-g_dbus_connection_flush_sync-in-a-dedicated-thread' into 'master'
Resolve "Use after free when calling g_dbus_connection_flush_sync() in a dedicated thread"

Closes #1896

See merge request GNOME/glib!1158
2019-10-10 14:55:20 +00:00
Milan Crha
822f8bae9e Fix use-after-free when calling g_dbus_connection_flush_sync()
When the _g_dbus_worker_flush_sync() schedules the 'data' and releases
the worker->write_lock, it is possible for the GDBus worker thread thread
to finish the D-Bus call and acquire the worker->write_lock before
the _g_dbus_worker_flush_sync() re-acquires it in the if (data != NULL) body.
When that happens, the ostream_flush_cb() increases the worker->write_num_messages_flushed
and then releases the worker->write_lock. The write lock is reacquired by
the _g_dbus_worker_flush_sync(), which sees that the while condition is satisfied,
thus it doesn't enter the loop body and immediately clears the data members and
frees the data structure itself. The ostream_flush_cb() is still ongoing, possibly
inside flush_data_list_complete(), where it accesses the FlushData, which can be
in any stage of being freed.

Instead, add an explicit boolean flag indicating when the flush is truly finished.

Closes #1896
2019-10-10 14:55:20 +00:00
Philip Withnall
c97565748a Merge branch 'wip/tingping/localhost-is-local' into 'master'
Always resolve localhost to loopback address

See merge request GNOME/glib!616
2019-10-10 14:53:42 +00:00
Philip Withnall
a50a08fd5e Merge branch 'datetime-docs' into 'master'
gdatetime: Document RFC 3339 extensions when parsing ISO 8601

See merge request GNOME/glib!1082
2019-10-10 14:06:13 +00:00
Philip Withnall
ea98aab57b gdatetime: Document RFC 3339 extensions when parsing ISO 8601
This is a follow-up to !1017.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-10 14:06:13 +00:00
Philip Withnall
168bdb11ca Merge branch 'hash-me-faster' into 'master'
hash: Remove an assertion from the hot path

See merge request GNOME/glib!1161
2019-10-10 14:01:21 +00:00