[Bug 2024585] Re: dbus-daemon segfault if group lookup fails
Sebastien Bacher
2024585 at bugs.launchpad.net
Mon Jun 26 13:20:02 UTC 2023
** Also affects: dbus via
https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Importance: Unknown
Status: Unknown
https://bugs.launchpad.net/bugs/2024585
Title:
dbus-daemon segfault if group lookup fails
Status in D-Bus:
Unknown
Status in dbus package in Ubuntu:
Fix Released
Bug description:
Ubuntu release: Ubuntu 22.04.2 LTS (but also tested on Ubuntu 20.04.6 LTS)
dbus version: 1.12.20-2ubuntu4.1
This is related to
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2023598, in which
sssd was upgraded before its libraries. This caused dbus-daemon to
crash, which in turn ended the user's X session along with many other
programs. It also triggered NetworkManager to exit so it was no longer
doing DHCP renewals; the network connection was lost a few hours later
when the lease expired.
The failure of dbus-daemon was triggered by it reloading its
configuration while group lookups were not functioning, which revealed
an error in dbus's error handling code.
The failure happened in two stages.
First, it failed to load the policy, and reported this error:
    dbus-daemon[1207]: Unable to reload configuration: (null)
Then, a few seconds later, dbus-daemon reloaded its config again, and
this time it segfaulted.
    dbus-daemon[1207]: segfault at 0 ip 00005602b18336e4 sp 00007ffe2579de28 error 6 in dbus-daemon[5602b181b000+24000]
    Code: 00 00 00 48 83 c4 08 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 83 07 01 48 89 f8 c3
    0f 1f 44 00 00 f3 0f 1e fa <83> 2f 01 74 07 c3 66 0f 1f 44 00 00 e9 bb fb ff ff 66 66 2e 0f 1f
The code corresponds to policy->refcount -= 1, inside
bus_client_policy_unref(). This error can only happen if policy was
NULL on entry.
bus_connections_reload_policy() has this code:
    // connection.c line 1644
    bus_client_policy_unref (d->policy);
    d->policy = bus_context_create_client_policy (connections->context,
                                                  connection,
                                                  error);
    if (d->policy == NULL)
      {
        _dbus_verbose ("Failed to create security policy for connection %p\n",
                       connection);
        _DBUS_ASSERT_ERROR_IS_SET (error);
        return FALSE;
      }
If bus_context_create_client_policy fails, the code decrements the
policy reference count and sets d->policy to NULL. The second time
round, the reference count is decremented again, but policy is already
NULL from last time round, hence the crash.
I've included a patch that I think should fix the error, but note that
it is not well tested!
Peter
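
Added example, not part of the original report and not the patch it mentions: a reduced C model of the reload path described above, with the unref-then-create ordering beside a create-then-swap ordering that keeps the old policy in force when creation fails. `Policy`, `ConnData`, `policy_create`, `policy_unref`, `reload_unsafe`, `reload_safe` and `lookups_ok` are hypothetical stand-ins, not dbus identifiers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the per-connection data and its policy. */
typedef struct { int refcount; } Policy;
typedef struct { Policy *policy; } ConnData;
static bool lookups_ok = true;   /* simulates group lookups working or not */

Policy *policy_create(void) {
    if (!lookups_ok) return NULL;            /* creation fails, as in the report */
    Policy *p = malloc(sizeof *p);
    if (p) p->refcount = 1;
    return p;
}

/* Dereferences p unconditionally, like the unref described in the report. */
void policy_unref(Policy *p) {
    if (--p->refcount == 0) free(p);
}

/* Ordering from the report: drop the old policy, then try to create a new one.
 * After one failure d->policy is NULL, so a second call would unref NULL. */
bool reload_unsafe(ConnData *d) {
    policy_unref(d->policy);
    d->policy = policy_create();
    return d->policy != NULL;
}

/* Hardened ordering: build the replacement first and swap only on success. */
bool reload_safe(ConnData *d) {
    Policy *fresh = policy_create();
    if (fresh == NULL) return false;         /* old policy stays in force */
    if (d->policy != NULL) policy_unref(d->policy);
    d->policy = fresh;
    return true;
}

int main(void) {
    ConnData d = { policy_create() };
    if (d.policy == NULL) return 1;
    lookups_ok = false;                      /* lookups break during reload */
    bool first = reload_safe(&d);            /* fails, policy kept */
    bool second = reload_safe(&d);           /* fails again, no NULL unref */
    printf("reloads: %d %d, policy kept: %d\n", first, second, d.policy != NULL);
    policy_unref(d.policy);
    return 0;
}
```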