easy to crash polkitd by passing bad pid to pkcheck

Bug #540464 reported by Per Ångström on 2010-03-17
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
policykit (Ubuntu) | | Medium | Unassigned |
Hardy | | Medium | Unassigned |
Intrepid | | Medium | Unassigned |
Jaunty | | Medium | Unassigned |
Karmic | | Medium | Unassigned |
Lucid | | Medium | Unassigned |
policykit-1 (Ubuntu) | | Medium | Martin Pitt |
Hardy | | Undecided | Unassigned |
Intrepid | | Undecided | Unassigned |
Jaunty | | Undecided | Unassigned |
Karmic | | Medium | Unassigned |
Lucid | | Medium | Martin Pitt |

Bug Description

Binary package hint: policykit-1

The crash occurred while investigating bug #540247.

ProblemType: Crash
Architecture: amd64
Date: Wed Mar 17 20:30:52 2010
DistroRelease: Ubuntu 10.04
ExecutablePath: /usr/lib/policykit-1/polkitd
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: policykit-1 0.96-1
ProcCmdline: /usr/lib/policykit-1/polkitd
ProcVersionSignature: Ubuntu 2.6.32-16.25-generic
SegvAnalysis:
 Segfault happened at: 0x7fb76001f054: repz cmpsb %es:(%rdi),%ds:(%rsi)
 PC (0x7fb76001f054) ok
 source "%es:(%rdi)" (0x7fb76002d3ba) ok
 destination "%ds:(%rsi)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: policykit-1
StacktraceTop:
 ?? () from /usr/lib/libeggdbus-1.so.0
 egg_dbus_method_invocation_return_gerror ()
 ?? () from /usr/lib/libpolkit-backend-1.so.0
 ?? () from /usr/lib/libpolkit-backend-1.so.0
 ?? () from /usr/lib/libpolkit-backend-1.so.0
Title: polkitd crashed with SIGSEGV in egg_dbus_method_invocation_return_gerror()
Uname: Linux 2.6.32-16-generic x86_64
UserGroups:

Per Ångström (autark) wrote :
visibility: private → public
Per Ångström (autark) wrote :

I think the crash occurred when I passed the wrong process id to pkcheck:
"pkcheck --allow-user-interaction --process 666 --action-id org.freedesktop.systemtoolsbackends.set", where 666 is an invalid pid.


If an unprivileged user runs something along the lines of:
$ pkcheck --allow-user-interaction --process 0 --action-id ACTION
with action requiring authentication (have not tested others), then polkitd crashes. This is kind of annoying...

Reported in Ubuntu 9.10 with PolicyKit 0.96.

#0 _egg_dbus_error_encode_gerror (error=0x24620b0) at eggdbuserror.c:135
 domain_as_string = (const gchar *) 0x0
 s = <value optimized out>
 n = <value optimized out>
 enum_type = <value optimized out>
#1 0x00007fb76001b7a1 in egg_dbus_method_invocation_return_gerror (
    method_invocation=0x24699c0, error=0x24620b0)
    at eggdbusmethodinvocation.c:342
 error_name = <value optimized out>
#2 0x00007fb760f37fd1 in check_auth_cb (source_object=<value optimized out>,
    res=<value optimized out>, user_data=<value optimized out>)
    at polkitbackendauthority.c:875
 method_invocation = (EggDBusMethodInvocation *) 0x24699c0
 result = (PolkitAuthorizationResult *) 0x0
 error = (GError *) 0x24620b0
#3 0x00007fb760f3ae89 in polkit_backend_interactive_authority_check_authorization (authority=0x2463760, caller=0x2479300, subject=<value optimized out>,
    action_id=<value optimized out>, details=<value optimized out>,
    flags=<value optimized out>, cancellable=0x0,
    callback=0x7fb760f37f00 <check_auth_cb>, user_data=0x24699c0)
    at polkitbackendinteractiveauthority.c:742
 priv = <value optimized out>
 caller_str = (gchar *) 0x2464af0 "system-bus-name::1.70"
 subject_str = (gchar *) 0x2464b10 "unix-process:2083:0"
 user_of_caller = (PolkitIdentity *) 0x2451740
 user_of_subject = (PolkitIdentity *) 0x0
 user_of_caller_str = (gchar *) 0x2475a80 "unix-user:pang"
 user_of_subject_str = (gchar *) 0x8 <Address 0x8 out of bounds>
 result = (PolkitAuthorizationResult *) 0xd8
 implicit_authorization = 1624055424
 error = (GError *) 0x2470c80
 simple = (GSimpleAsyncResult *) 0x2473120
 has_details = 216
 detail_keys = <value optimized out>
#4 0x00007fb760f3794b in authority_handle_check_authorization (
    instance=<value optimized out>, real_subject=<value optimized out>,
    action_id=<value optimized out>, real_details=<value optimized out>,
    flags=<value optimized out>, cancellation_id=<value optimized out>,
    method_invocation=0x24699c0) at polkitbackendauthority.c:953
 caller_name = <value optimized out>
 subject = <value optimized out>
 caller = (PolkitSubject *) 0x2479300
 cancellable = (GCancellable *) 0x0
 details = (PolkitDetails *) 0x2461ae0
#5 0x00007fb760f48379 in handle_message (interface=0x2472ea0,
    message=<value optimized out>) at _polkitauthority.c:2883
 __PRETTY_FUNCTION__ = "handle_message"
#6 0x00007fb7600134c8 in filter_function (dconnection=<value optimized out>,
    message=0x245ccc0, user_data=<value optimized out>)
    at eggdbusconnection.c:2213
 ret = DBUS_HANDLER_RESULT_HANDLED
#7 0x00007fb75ee80386 in dbus_connection_dispatch (connection=0x245c7f0)
    at dbus-connection.c:4444
 filter = <value optimized out>
 next = (DBusList *) 0x0
 message = (DBusMessage *) 0x245ccc0
 link = <value optimized out>
 filter_list_copy = (DBusList *) 0x24722b0
 message_link = (DBusList *) 0x24722e0
 result = <value optimized out>
 status ...


Per Ångström (autark) on 2010-03-18
summary: - polkitd crashed with SIGSEGV in
- egg_dbus_method_invocation_return_gerror()
+ easy to crash polkitd by passing bad pid to pkcheck
Per Ångström (autark) wrote :

Yes, it's easily reproducible. You don't even have to be root.

$ pkcheck --allow-user-interaction --process 0 --action-id org.freedesktop.systemtoolsbackends.set

security vulnerability: no → yes
Per Ångström (autark) on 2010-03-18
visibility: public → private

StacktraceTop:
 _egg_dbus_error_encode_gerror (error=0x24620b0) at eggdbuserror.c:135
 egg_dbus_method_invocation_return_gerror (
 check_auth_cb (source_object=<value optimized out>,
 polkit_backend_interactive_authority_check_authorization (authority=0x2463760, caller=0x2479300, subject=<value optimized out>,
 authority_handle_check_authorization (

Changed in policykit-1 (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Changed in policykit-1 (Ubuntu):
status: New → Triaged
Changed in policykit1:
status: Unknown → Confirmed
Kees Cook (kees) on 2010-03-18
visibility: private → public
Changed in policykit-1 (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-2
importance: Medium → High
importance: High → Medium
Changed in policykit-1 (Ubuntu Jaunty):
status: New → Invalid
Changed in policykit-1 (Ubuntu Intrepid):
status: New → Invalid
Changed in policykit-1 (Ubuntu Hardy):
status: New → Invalid
Changed in policykit (Ubuntu Lucid):
status: New → Triaged
Kees Cook (kees) on 2010-03-18
Changed in policykit (Ubuntu Lucid):
importance: Undecided → Medium
Changed in policykit (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Intrepid):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Jaunty):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Kees, does that really affect the old policykit as well?

Kees Cook (kees) wrote :

Sorry, looks like this interface only exists in policykit-1.

Changed in policykit (Ubuntu Hardy):
status: Triaged → Invalid
Changed in policykit (Ubuntu Intrepid):
status: Triaged → Invalid
Changed in policykit (Ubuntu Jaunty):
status: Triaged → Invalid
Changed in policykit (Ubuntu Karmic):
status: Triaged → Invalid
Changed in policykit (Ubuntu Lucid):
status: Triaged → Invalid

Created an attachment (id=34841)
git formatted patch

Ah, we were freeing an error which we just propagated upwards to the caller. Now it's working correctly:

$ pkcheck --allow-user-interaction --process 0 --action-id org.freedesktop.systemtoolsbackends.set
Error checking for authorization org.freedesktop.systemtoolsbackends.set: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: stat() failed for /proc/0: No such file or directory
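
The ownership mistake named in the comment above (freeing an error that had just been propagated to the caller), sketched as an added example; this is not the upstream patch or polkit's own code. `Err`, `lookup_subject`, `check_authorization` and `report_error` are hypothetical stand-ins for GError and the polkit call chain.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical stand-in for GError; not GLib's type. */
typedef struct { char domain[32]; char message[160]; } Err;

/* Subject lookup fails for a PID with no /proc entry, as in the report. */
static int lookup_subject(int pid, Err **error) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", pid);
    if (stat(path, &st) == 0) return 0;
    int err = errno;                 /* save before any allocation */
    Err *e = calloc(1, sizeof *e);
    if (!e) abort();
    snprintf(e->domain, sizeof e->domain, "Error.Failed");
    snprintf(e->message, sizeof e->message, "stat() failed for %s: %s", path, strerror(err));
    *error = e;
    return -1;
}

/* On failure *out_error owns the error; this function must not free it. */
int check_authorization(int pid, Err **out_error) {
    Err *error = NULL;
    int rc = lookup_subject(pid, &error);
    if (rc != 0) {
        *out_error = error; /* ownership moves to the caller */
        error = NULL;       /* else the cleanup below frees it under the caller */
    }
    free(error);            /* shared cleanup path: no-op after hand-off */
    return rc;
}

/* Caller side: formats the error it now owns, then frees it exactly once. */
int report_error(int pid, char *buf, size_t len) {
    Err *error = NULL;
    if (check_authorization(pid, &error) == 0) return 0;
    snprintf(buf, len, "%s: %s", error->domain, error->message);
    free(error);
    return -1;
}
int main(void) {
    char buf[256] = "";
    report_error(0, buf, sizeof buf);
    return puts(buf) < 0;
}
```

Dropping the `error = NULL;` line reproduces the bug class: the cleanup path frees the error and the caller then formats freed memory, which is the kind of state the backtrace shows as a NULL `domain_as_string`.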

Martin Pitt (pitti) on 2010-04-09
Changed in policykit-1 (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
milestone: ubuntu-10.04-beta-2 → ubuntu-10.04
status: Triaged → In Progress
Martin Pitt (pitti) wrote :

Patch sent to upstream.

Changed in policykit-1 (Ubuntu Lucid):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

This doesn't seem important enough for an SRU. It's just a NULL pointer crash, thus there's no possibility of privilege escalation. And it won't happen with normal GUI usage, just when calling PK manually. And if polkitd crashes, the next call to it will just dbus-activate it again.

Changed in policykit-1 (Ubuntu Karmic):
status: Triaged → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.96-2

---------------
policykit-1 (0.96-2) unstable; urgency=medium

  * Urgency medium, just two small, but important bug fixes.
  * Add 00git-pkexec-information-disclosure.patch: Fix information disclosure
    vulnerability that allows an attacker to verify whether or not arbitrary
    files exist, violating directory permissions.
  * 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization()
    with an invalid PID. (LP: #540464)
 -- Martin Pitt <email address hidden> Fri, 09 Apr 2010 12:09:53 +0200

Changed in policykit-1 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in policykit1:
importance: Unknown → High
Changed in policykit1:
importance: High → Unknown
status: Confirmed → Fix Released
Changed in policykit1:
importance: Unknown → High


This report contains Public Security information
Everyone can see this security related information.
