Ubuntu
policykit-1 package

easy to crash polkitd by passing bad pid to pkcheck

Bug #540464 reported by Per Ångström
362
This bug affects 2 people
Affects Status Importance Assigned to Milestone
policykit (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Intrepid
Invalid
Medium
Unassigned
Jaunty
Invalid
Medium
Unassigned
Karmic
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
policykit-1 (Ubuntu)
Fix Released
Medium
Martin Pitt
Ubuntu ubuntu-10.04
Hardy
Invalid
Undecided
Unassigned
Intrepid
Invalid
Undecided
Unassigned
Jaunty
Invalid
Undecided
Unassigned
Karmic
Won't Fix
Medium
Unassigned
Lucid
Fix Released
Medium
Martin Pitt
Ubuntu ubuntu-10.04

Bug Description

Binary package hint: policykit-1

The crash occured while investigating bug #540247.

ProblemType: Crash
Architecture: amd64
Date: Wed Mar 17 20:30:52 2010
DistroRelease: Ubuntu 10.04
ExecutablePath: /usr/lib/policykit-1/polkitd
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: policykit-1 0.96-1
ProcCmdline: /usr/lib/policykit-1/polkitd
ProcVersionSignature: Ubuntu 2.6.32-16.25-generic
SegvAnalysis:
 Segfault happened at: 0x7fb76001f054: repz cmpsb %es:(%rdi),%ds:(%rsi)
 PC (0x7fb76001f054) ok
 source "%es:(%rdi)" (0x7fb76002d3ba) ok
 destination "%ds:(%rsi)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: policykit-1
StacktraceTop:
 ?? () from /usr/lib/libeggdbus-1.so.0
 egg_dbus_method_invocation_return_gerror ()
 ?? () from /usr/lib/libpolkit-backend-1.so.0
 ?? () from /usr/lib/libpolkit-backend-1.so.0
 ?? () from /usr/lib/libpolkit-backend-1.so.0
Title: polkitd crashed with SIGSEGV in egg_dbus_method_invocation_return_gerror()
Uname: Linux 2.6.32-16-generic x86_64
UserGroups:

Related branches

lp:ubuntu/lucid/policykit-1
Revision history for this message
Per Ångström (autark) wrote :
visibility: private → public
Revision history for this message
Per Ångström (autark) wrote :

I think the crash occurred when I passed the wrong process id to pkcheck:
"pkcheck --allow-user-interaction --process 666 --action-id org.freedesktop.systemtoolsbackends.set", where 666 is an invalid pid.

Revision history for this message
In , Milan Bouchet-Valat (nalimilan) wrote :
Download full text (3.9 KiB)

If an unprivileged user runs something along the lines of:
$ pkcheck --allow-user-interaction --process 0 --action-id ACTION
with action requiring authentication (have not tested others), then polkitd crashes. This is kind of annoying...

Reported in Ubuntu 9.10 with PolicyKit 0.96.

#0 _egg_dbus_error_encode_gerror (error=0x24620b0) at eggdbuserror.c:135
 domain_as_string = (const gchar *) 0x0
 s = <value optimized out>
 n = <value optimized out>
 enum_type = <value optimized out>
#1 0x00007fb76001b7a1 in egg_dbus_method_invocation_return_gerror (
    method_invocation=0x24699c0, error=0x24620b0)
    at eggdbusmethodinvocation.c:342
 error_name = <value optimized out>
#2 0x00007fb760f37fd1 in check_auth_cb (source_object=<value optimized out>,
    res=<value optimized out>, user_data=<value optimized out>)
    at polkitbackendauthority.c:875
 method_invocation = (EggDBusMethodInvocation *) 0x24699c0
 result = (PolkitAuthorizationResult *) 0x0
 error = (GError *) 0x24620b0
#3 0x00007fb760f3ae89 in polkit_backend_interactive_authority_check_authorization (authority=0x2463760, caller=0x2479300, subject=<value optimized out>,
    action_id=<value optimized out>, details=<value optimized out>,
    flags=<value optimized out>, cancellable=0x0,
    callback=0x7fb760f37f00 <check_auth_cb>, user_data=0x24699c0)
    at polkitbackendinteractiveauthority.c:742
 priv = <value optimized out>
 caller_str = (gchar *) 0x2464af0 "system-bus-name::1.70"
 subject_str = (gchar *) 0x2464b10 "unix-process:2083:0"
 user_of_caller = (PolkitIdentity *) 0x2451740
 user_of_subject = (PolkitIdentity *) 0x0
 user_of_caller_str = (gchar *) 0x2475a80 "unix-user:pang"
 user_of_subject_str = (gchar *) 0x8 <Address 0x8 out of bounds>
 result = (PolkitAuthorizationResult *) 0xd8
 implicit_authorization = 1624055424
 error = (GError *) 0x2470c80
 simple = (GSimpleAsyncResult *) 0x2473120
 has_details = 216
 detail_keys = <value optimized out>
#4 0x00007fb760f3794b in authority_handle_check_authorization (
    instance=<value optimized out>, real_subject=<value optimized out>,
    action_id=<value optimized out>, real_details=<value optimized out>,
    flags=<value optimized out>, cancellation_id=<value optimized out>,
    method_invocation=0x24699c0) at polkitbackendauthority.c:953
 caller_name = <value optimized out>
 subject = <value optimized out>
 caller = (PolkitSubject *) 0x2479300
 cancellable = (GCancellable *) 0x0
 details = (PolkitDetails *) 0x2461ae0
#5 0x00007fb760f48379 in handle_message (interface=0x2472ea0,
    message=<value optimized out>) at _polkitauthority.c:2883
 __PRETTY_FUNCTION__ = "handle_message"
#6 0x00007fb7600134c8 in filter_function (dconnection=<value optimized out>,
    message=0x245ccc0, user_data=<value optimized out>)
    at eggdbusconnection.c:2213
 ret = DBUS_HANDLER_RESULT_HANDLED
#7 0x00007fb75ee80386 in dbus_connection_dispatch (connection=0x245c7f0)
    at dbus-connection.c:4444
 filter = <value optimized out>
 next = (DBusList *) 0x0
 message = (DBusMessage *) 0x245ccc0
 link = <value optimized out>
 filter_list_copy = (DBusList *) 0x24722b0
 message_link = (DBusList *) 0x24722e0
 result = <value optimized out>
 status ...

Read more...

Per Ångström (autark)
summary: - polkitd crashed with SIGSEGV in
- egg_dbus_method_invocation_return_gerror()
+ easy to crash polkitd by passing bad pid to pkcheck
Revision history for this message
Per Ångström (autark) wrote :

Yes, it's easily reproducible. You don't even have to be root.

$ pkcheck --allow-user-interaction --process 0 --action-id org.freedesktop.systemtoolsbackends.set

security vulnerability: no → yes
Per Ångström (autark)
visibility: public → private
Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 _egg_dbus_error_encode_gerror (error=0x24620b0) at eggdbuserror.c:135
 egg_dbus_method_invocation_return_gerror (
 check_auth_cb (source_object=<value optimized out>,
 polkit_backend_interactive_authority_check_authorization (authority=0x2463760, caller=0x2479300, subject=<value optimized out>,
 authority_handle_check_authorization (

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in policykit-1 (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Milan Bouchet-Valat (nalimilan)
Changed in policykit-1 (Ubuntu):
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in policykit1:
status: Unknown → Confirmed
Kees Cook (kees)
visibility: private → public
Changed in policykit-1 (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-2
importance: Medium → High
importance: High → Medium
Changed in policykit-1 (Ubuntu Jaunty):
status: New → Invalid
Changed in policykit-1 (Ubuntu Intrepid):
status: New → Invalid
Changed in policykit-1 (Ubuntu Hardy):
status: New → Invalid
Changed in policykit (Ubuntu Lucid):
status: New → Triaged
Kees Cook (kees)
Changed in policykit (Ubuntu Lucid):
importance: Undecided → Medium
Changed in policykit (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Intrepid):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Jaunty):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Martin Pitt (pitti) wrote :

Kees, does that really affect the old policykit as well?

Revision history for this message
Kees Cook (kees) wrote :

Sorry, looks like this interface only exists in policykit-1.

Changed in policykit (Ubuntu Hardy):
status: Triaged → Invalid
Changed in policykit (Ubuntu Intrepid):
status: Triaged → Invalid
Changed in policykit (Ubuntu Jaunty):
status: Triaged → Invalid
Changed in policykit (Ubuntu Karmic):
status: Triaged → Invalid
Changed in policykit (Ubuntu Lucid):
status: Triaged → Invalid
Revision history for this message
In , Martin Pitt (pitti) wrote :

Created an attachment (id=34841)
git formatted patch

Ah, we were freeing an error which we just propagated upwards to the caller. Now it's working correctly:

$ pkcheck --allow-user-interaction --process 0 --action-id org.freedesktop.systemtoolsbackends.set
Error checking for authorization org.freedesktop.systemtoolsbackends.set: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: stat() failed for /proc/0: No such file or directory

Martin Pitt (pitti)
Changed in policykit-1 (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
milestone: ubuntu-10.04-beta-2 → ubuntu-10.04
status: Triaged → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

Patch sent to upstream.

Changed in policykit-1 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Martin Pitt (pitti) wrote :

This doesn't seem important enough for an SRU. It's just a NULL pointer crash, thus there's no possibility of privilege escalation. And it won't happen with normal GUI usage, just when calling PK manually. And if polkitd crashes, the next call to it will just dbus-activate it again.

Changed in policykit-1 (Ubuntu Karmic):
status: Triaged → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.96-2

---------------
policykit-1 (0.96-2) unstable; urgency=medium

  * Urgency medium, just two small, but important bug fixes.
  * Add 00git-pkexec-information-disclosure.patch: Fix information disclosure
    vulnerability that allows an attacker to verify whether or not arbitrary
    files exist, violating directory permissions.
  * 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization()
    with an invalid PID. (LP: #540464)
 -- Martin Pitt <email address hidden> Fri, 09 Apr 2010 12:09:53 +0200

Changed in policykit-1 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in policykit1:
importance: Unknown → High
Bug Watch Updater (bug-watch-updater)
Changed in policykit1:
importance: High → Unknown
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in policykit1:
importance: Unknown → High
Revision history for this message
Tim Woolford (u67) wrote : I'm alone. I believe in personal happiness with you.

Dear,

It's a beautiful day and i'am in a hurry to get in touch with you asap!

My name is Sevgi, and I'm from Turkey.
I really do believe in a destiny with a bright future for myself and that you could become a part of it become my true soulmate.
I do want to be next to a loving man.

I love traveling, movies, pop music, seafood, and doing crazy things, but i feel like loneliness is swallowing me intensely lonely sometimes.
I wish to find for my second half, who a man that will give me a real hope and true love!

Hope you're interested in becoming a part of my adventure and will reply back soon.
In the next letter, I'll send you my photo.

Please write me back using my personal email: <email address hidden>

--------------------------
Your true soul,
Sevgi.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.