[Bug 2024585] [NEW] dbus-daemon segfault if group lookup fails
Peter Benie
2024585 at bugs.launchpad.net
Wed Jun 21 14:27:17 UTC 2023
Public bug reported:
Ubuntu release: Ubuntu 22.04.2 LTS (but also tested on Ubuntu 20.04.6 LTS)
dbus version: 1.12.20-2ubuntu4.1
This is related to
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2023598, in which an
sssd was upgraded before its libraries. This caused dbus-daemon to
crash, which in turn ended the user's X session along with many other
programs. It also triggered NetworkManager to exit so it was no longer
doing DHCP renewals; the network connection was lost a few hours later
when the lease expired.
The failure of dbus-daemon was triggered by it reloading its
configuration while group lookups were not functioning, which revealed
an error in dbus's error handling code.
The failure happened in two stages.
First, it failed to load the policy, and reported this error:
    dbus-daemon[1207]: Unable to reload configuration: (null)
Then, a few seconds later, dbus-daemon reloaded its config again, and
this time it segfaulted.
    dbus-daemon[1207]: segfault at 0 ip 00005602b18336e4 sp 00007ffe2579de28 error 6 in dbus-daemon[5602b181b000+24000]
    Code: 00 00 00 48 83 c4 08 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 83 07 01 48 89 f8 c3
          0f 1f 44 00 00 f3 0f 1e fa <83> 2f 01 74 07 c3 66 0f 1f 44 00 00 e9 bb fb ff ff 66 66 2e 0f 1f
The code corresponds to policy->refcount -= 1, inside
bus_client_policy_unref(). This error can only happen if policy was NULL
on entry.
bus_connections_reload_policy() has this code:
    // connection.c line 1644
    bus_client_policy_unref (d->policy);
    d->policy = bus_context_create_client_policy (connections->context,
                                                  connection,
                                                  error);
    if (d->policy == NULL)
      {
        _dbus_verbose ("Failed to create security policy for connection %p\n",
                       connection);
        _DBUS_ASSERT_ERROR_IS_SET (error);
        return FALSE;
      }
If bus_context_create_client_policy fails, the code decrements the
policy reference count and sets d->policy to NULL. The second time
round, the reference count is decremented again, but policy is already
NULL from last time round, hence the crash.
I've included a patch that I think should fix the error, but note that
it is not well tested!
Peter
** Affects: dbus (Ubuntu)
Importance: Undecided
Status: New
** Patch added: "dbus-reload-segv.patch"
https://bugs.launchpad.net/bugs/2024585/+attachment/5681228/+files/dbus-reload-segv.patch
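
The unref-then-create ordering described in the report, modelled next to a create-then-swap ordering. This is an added example, not dbus source and not the attached patch; the types, function names and the lookups_working flag are hypothetical stand-ins for the dbus ones.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the dbus types; every name here is hypothetical. */
typedef struct { int refcount; } Policy;
typedef struct { Policy *policy; } ConnData;
static int lookups_working = 1;              /* models group lookups succeeding */

static Policy *policy_create(void) {
    Policy *p = lookups_working ? malloc(sizeof *p) : NULL;
    if (p) p->refcount = 1;
    return p;                                /* NULL models the failed policy build */
}

/* Like the unref in the report: no NULL check before the decrement. */
static void policy_unref(Policy *p) {
    if (--p->refcount == 0) free(p);
}

/* Ordering quoted in the report: release the old policy, then create. */
static int reload_unref_first(ConnData *d) {
    policy_unref(d->policy);
    d->policy = policy_create();
    return d->policy != NULL;                /* failure leaves d->policy NULL */
}

/* Alternative ordering: create first, swap only on success. */
static int reload_create_first(ConnData *d) {
    Policy *fresh = policy_create();
    if (fresh == NULL) return 0;             /* old policy stays attached */
    policy_unref(d->policy);
    d->policy = fresh;
    return 1;
}

/* Returns 1 if one failed reload leaves no policy (next reload would hit NULL). */
static int policy_lost_after_failed_reload(int (*reload)(ConnData *)) {
    ConnData d;
    lookups_working = 1;
    d.policy = policy_create();
    lookups_working = 0;                     /* lookups break before the reload */
    reload(&d);
    if (d.policy == NULL) return 1;          /* stop: a second reload would crash */
    reload(&d);                              /* a second failed reload is harmless */
    policy_unref(d.policy);
    return 0;
}

int main(void) {
    printf("policy lost: unref-first=%d create-first=%d\n",
           policy_lost_after_failed_reload(reload_unref_first),
           policy_lost_after_failed_reload(reload_create_first));
    return 0;
}
```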