Crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
Philip Withnall
philip at tecnocode.co.uk
Wed Jun 3 06:40:32 PDT 2015
Hi Colin,

On Sat, 2015-05-30 at 09:36 -0400, an unknown sender wrote:
> On Fri, May 29, 2015, at 02:08 PM, Tavis Ormandy wrote:
> > Hello, I've noticed polkitd dumps core if you set an invalid object
> > path when calling RegisterAuthenticationAgent. It looks like this code
> > doesn't check if error was set before dereferencing it:
>
> Indeed, thanks for the report. Can someone review this patch?

The approach looks sound to me. A few things:

1. Please use spaces instead of tabs.
2. The test case doesn’t unref the GDBusConnection.
3. There’s no need for the ‘out’ label in the test case — just check if
(reply != NULL) instead.
4. Would it be possible to plumb the test case into the tests/
directory?

> I suppose this'll need a CVE, as local, authenticated users can
> DoS polkitd.

Looks like it.

I’ve checked RegisterAuthenticationAgentWithOptions and
UnregisterAuthenticationAgent and they should not be vulnerable to the
same attack.

Philip
More information about the polkit-devel
mailing list