dbus-broker/SOURCES/1add8a7d60e46806e0ef87994d3...

From 1add8a7d60e46806e0ef87994d3024245db0d84a Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Thu, 18 Mar 2021 11:10:02 +0100
Subject: [PATCH] launch/policy: fix incorrect assertion for at_console

We write at_console policies for ranges of uids. If one of those ranges
is 0, an overflow assertion will incorrectly fire. Fix this and simplify
the assertions for better readability.

Note that such empty ranges will happen if more than one user on the
system is considered `at_console` **and** those users have consecutive
UIDs. Another possibility for empty ranges is when uid 0 is considered
at_console.

In any case, the assertion will abort the application incorrectly. So
this is not a security issue, but merely an incorrect assertion.

Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
 src/launch/policy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/launch/policy.c b/src/launch/policy.c
index f91f11b..75eb0d3 100644
--- a/src/launch/policy.c
+++ b/src/launch/policy.c
@@ -934,7 +934,10 @@ static int policy_export_xmit(Policy *policy, CList *list1, CList *list2, sd_bus
 static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntries *entries, uint32_t uid_start, uint32_t n_uid) {
         int r;
 
-        c_assert(((uint32_t)-1) - n_uid + 1 >= uid_start);
+        /* check for overflow */
+        c_assert(uid_start + n_uid >= uid_start);
+        /* check for encoding into dbus `u` type */
+        c_assert(uid_start + n_uid <= (uint32_t)-1);
 
         if (n_uid == 0)
                 return 0;
import dbus-broker-28-7.el9 2 years ago			`From 1add8a7d60e46806e0ef87994d3024245db0d84a Mon Sep 17 00:00:00 2001`
			`From: David Rheinsberg <david.rheinsberg@gmail.com>`
			`Date: Thu, 18 Mar 2021 11:10:02 +0100`
			`Subject: [PATCH] launch/policy: fix incorrect assertion for at_console`

			`We write at_console policies for ranges of uids. If one of those ranges`
			`is 0, an overflow assertion will incorrectly fire. Fix this and simplify`
			`the assertions for better readability.`

			`Note that such empty ranges will happen if more than one user on the`
			system is considered `at_console` and those users have consecutive
			`UIDs. Another possibility for empty ranges is when uid 0 is considered`
			`at_console.`

			`In any case, the assertion will abort the application incorrectly. So`
			`this is not a security issue, but merely an incorrect assertion.`

			`Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>`
			`---`
			`src/launch/policy.c \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/src/launch/policy.c b/src/launch/policy.c`
			`index f91f11b..75eb0d3 100644`
			`--- a/src/launch/policy.c`
			`+++ b/src/launch/policy.c`
			`@@ -934,7 +934,10 @@ static int policy_export_xmit(Policy policy, CList list1, CList *list2, sd_bus`
			`static int policy_export_console(Policy policy, sd_bus_message m, PolicyEntries *entries, uint32_t uid_start, uint32_t n_uid) {`
			`int r;`

			`- c_assert(((uint32_t)-1) - n_uid + 1 >= uid_start);`
			`+ /* check for overflow */`
			`+ c_assert(uid_start + n_uid >= uid_start);`
			+ /* check for encoding into dbus `u` type */
			`+ c_assert(uid_start + n_uid <= (uint32_t)-1);`

			`if (n_uid == 0)`
			`return 0;`