Crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
Philip Withnall
philip at tecnocode.co.uk
Wed Jun 3 08:15:15 PDT 2015
Hey,
On Wed, 2015-06-03 at 11:01 -0400, Colin Walters wrote:
> On Wed, Jun 3, 2015, at 09:40 AM, Philip Withnall wrote:
> > On Sat, 2015-05-30 at 09:36 -0400, an unknown sender wrote:
> > > On Fri, May 29, 2015, at 02:08 PM, Tavis Ormandy wrote:
> > > > Hello, I've noticed polkitd dumps core if you set an invalid object
> > > > path when calling RegisterAuthenticationAgent. It looks like this code
> > > > doesn't check if error was set before dereferencing it:
> > >
> > > Indeed, thanks for the report. Can someone review this patch?
> >
> > The approach looks sound to me.
>
> Thanks for review! I pushed an updated version to
> https://bugs.freedesktop.org/show_bug.cgi?id=90829
Re-reviewed.
> > A few things:
> > 1. Please use spaces instead of tabs.
>
> Oof. I just pushed:
> http://cgit.freedesktop.org/polkit/commit/?id=3c01914300a2120c5f6ff27ecb2c40eaa63a4bb7
Heh.
> > 2. The test case doesn’t unref the GDBusConnection.
> > 3. There’s no need for the ‘out’ label in the test case — just check if
> > (reply != NULL) instead.
>
> I tend to always write code using "out:" even if it's not necessary, because
> 1) Then the code is more consistent
> 2) If the function needs to later evolve to be less trivial, you don't have to
> rewrite all of the code flow
Fair enough.
> > 4. Would it be possible to plumb the test case into the tests/
> > directory?
>
> I'll investigate this, though because those are all unit tests, we can't
> easily do anything end-to-end like talk to polkitd over DBus.
Yeah, I realise it will be hard, but I thought I should mention it
anyway. Possibly the easiest way to do this is to bypass D-Bus entirely
and split the polkitd code out into a libtool helper library, with a
thin shim over it which does the D-Bus service glue. Then unit tests can
poke the helper library.
> > > I suppose this'll need a CVE, as local, authenticated users can
> > > can DoS polkitd.
> >
> > Looks like it.
>
> I talked to Red Hat Security Response, and they allocated
> CVE-2015-3218 for this.
>
> Can you do one more pass on the patch? There's no real
> changes other than the untab-ifying and updating the commit
> message for the CVE, but we might as well
> consistently do it in Bugzilla.
>
> I'll look at a test case as a followup.
Great, thanks.
Philip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freedesktop.org/archives/polkit-devel/attachments/20150603/60fb9983/attachment.sig>
More information about the polkit-devel
mailing list