freebsd-ports/x11/gdm/files/patch-CVE-2015-7496
Koop Mast 2219b9443d Fix lockscreen bypass.
MFH:		2015Q4
Security:	68847b20-8ddc-11e5-b69c-c86000169601
2015-11-18 10:21:07 +00:00


From 05e5fc24b0f803098c1d05dae86f5eb05bd0c2a4 Mon Sep 17 00:00:00 2001
From: Rui Matos <tiagomatos@gmail.com>
Date: Sun, 15 Nov 2015 14:07:53 -0500
Subject: session: Cancel worker proxy async ops when freeing conversations
We need to cancel ongoing async ops for worker proxies when freeing
conversations or we'll crash when the completion handler runs and we
access free'd memory.
https://bugzilla.gnome.org/show_bug.cgi?id=758032
---
From 5ac224602f1d603aac5eaa72e1760d3e33a26f0a Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Fri, 13 Nov 2015 11:14:59 -0500
Subject: session: disconnect signals from worker proxy when conversation is
freed
We don't want an outstanding reference on the worker proxy to lead to
signal handlers getting dispatched after the conversation is freed.
https://bugzilla.gnome.org/show_bug.cgi?id=758032
---
--- daemon/gdm-session.c.orig 2015-11-18 10:47:55.522178000 +0100
+++ daemon/gdm-session.c 2015-11-18 10:48:00.450095000 +0100
@@ -73,6 +73,7 @@ typedef struct
GDBusMethodInvocation *pending_invocation;
GdmDBusWorkerManager *worker_manager_interface;
GdmDBusWorker *worker_proxy;
+ GCancellable *worker_cancellable;
char *session_id;
guint32 is_stopping : 1;
@@ -1031,6 +1032,8 @@ register_worker (GdmDBusWorkerManager *
g_dbus_proxy_set_default_timeout (G_DBUS_PROXY (conversation->worker_proxy), G_MAXINT);
+ conversation->worker_cancellable = g_cancellable_new ();
+
g_signal_connect (conversation->worker_proxy,
"username-changed",
G_CALLBACK (worker_on_username_changed), conversation);
@@ -1666,7 +1669,28 @@ free_conversation (GdmSessionConversatio
g_free (conversation->starting_username);
g_free (conversation->session_id);
g_clear_object (&conversation->worker_manager_interface);
- g_clear_object (&conversation->worker_proxy);
+
+ if (conversation->worker_proxy != NULL) {
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_username_changed),
+ conversation);
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_session_exited),
+ conversation);
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_reauthenticated),
+ conversation);
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_saved_language_name_read),
+ conversation);
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_saved_session_name_read),
+ conversation);
+ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
+ G_CALLBACK (worker_on_cancel_pending_query),
+ conversation);
+ g_clear_object (&conversation->worker_proxy);
+ }
g_clear_object (&conversation->session);
g_free (conversation);
}
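Review bot: free_conversation never cancels or unrefs `worker_cancellable`; in the hunks shown only close_conversation does, so the use-after-free fix depends on every free being preceded by a close. The start of free_conversation is outside this hunk, so that may already hold, but making it local is cheap: add `g_cancellable_cancel (conversation->worker_cancellable);` and `g_clear_object (&conversation->worker_cancellable);` just before the `worker_proxy` block, both of which are safe when the pointer is NULL. The six disconnect calls also have to be kept in step with whatever register_worker connects; `g_signal_handlers_disconnect_by_data (conversation->worker_proxy, conversation);` would also cover handlers added later.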
@@ -1828,6 +1852,9 @@ close_conversation (GdmSessionConversati
g_clear_object (&conversation->worker_manager_interface);
}
+ g_cancellable_cancel (conversation->worker_cancellable);
+ g_clear_object (&conversation->worker_cancellable);
+
if (conversation->worker_proxy != NULL) {
GDBusConnection *connection = g_dbus_proxy_get_connection (G_DBUS_PROXY (conversation->worker_proxy));
g_dbus_connection_close_sync (connection, NULL, NULL);
@@ -1996,7 +2023,7 @@ send_setup (GdmSession *self,
display_hostname,
self->priv->display_is_local,
self->priv->display_is_initial,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_setup_complete_cb,
conversation);
}
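Review bot: A cancelled call still invokes `on_setup_complete_cb`: GIO dispatches the callback from the main loop with `G_IO_ERROR_CANCELLED` reported by the generated `_finish` call, and `user_data` is by then the freed conversation. None of the hunks shown touch the completion callbacks, so unless they already bail out first, each one needs a guard such as `if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) return;` before it reads `conversation`. The same applies to the later hunks that pair the cancellable with `on_authenticate_cb`, `on_authorize_cb`, `on_establish_credentials_cb`, `on_opened`, `on_start_program_cb` and `on_reauthentication_started_cb`. send_setup's body begins outside the hunk.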
@@ -2062,7 +2089,7 @@ send_setup_for_user (GdmSession *self,
display_hostname,
self->priv->display_is_local,
self->priv->display_is_initial,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_setup_complete_cb,
conversation);
}
@@ -2124,7 +2151,7 @@ send_setup_for_program (GdmSession *self
self->priv->display_is_local,
self->priv->display_is_initial,
log_file,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_setup_complete_cb,
conversation);
}
@@ -2182,7 +2209,7 @@ gdm_session_authenticate (GdmSession *se
conversation = find_conversation_by_name (self, service_name);
if (conversation != NULL) {
gdm_dbus_worker_call_authenticate (conversation->worker_proxy,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_authenticate_cb,
conversation);
}
@@ -2199,7 +2226,7 @@ gdm_session_authorize (GdmSession *self,
conversation = find_conversation_by_name (self, service_name);
if (conversation != NULL) {
gdm_dbus_worker_call_authorize (conversation->worker_proxy,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_authorize_cb,
conversation);
}
@@ -2216,7 +2243,7 @@ gdm_session_accredit (GdmSession *self,
conversation = find_conversation_by_name (self, service_name);
if (conversation != NULL) {
gdm_dbus_worker_call_establish_credentials (conversation->worker_proxy,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_establish_credentials_cb,
conversation);
}
@@ -2230,7 +2257,8 @@ send_environment_variable (const char
{
gdm_dbus_worker_call_set_environment_variable (conversation->worker_proxy,
key, value,
- NULL, NULL, NULL);
+ conversation->worker_cancellable,
+ NULL, NULL);
}
static void
@@ -2418,7 +2446,8 @@ send_display_mode (GdmSession *self,
mode = gdm_session_get_display_mode (self);
gdm_dbus_worker_call_set_session_display_mode (conversation->worker_proxy,
gdm_session_display_mode_to_string (mode),
- NULL, NULL, NULL);
+ conversation->worker_cancellable,
+ NULL, NULL);
}
static void
@@ -2434,7 +2463,8 @@ send_session_type (GdmSession *self,
gdm_dbus_worker_call_set_environment_variable (conversation->worker_proxy,
"XDG_SESSION_TYPE",
session_type,
- NULL, NULL, NULL);
+ conversation->worker_cancellable,
+ NULL, NULL);
}
void
@@ -2452,7 +2482,7 @@ gdm_session_open_session (GdmSession *se
send_session_type (self, conversation);
gdm_dbus_worker_call_open (conversation->worker_proxy,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_opened, conversation);
}
}
@@ -2638,7 +2668,7 @@ gdm_session_start_session (GdmSession *s
gdm_dbus_worker_call_start_program (conversation->worker_proxy,
program,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_start_program_cb,
conversation);
g_free (program);
@@ -2770,7 +2800,7 @@ gdm_session_start_reauthentication (GdmS
gdm_dbus_worker_call_start_reauthentication (conversation->worker_proxy,
(int) pid_of_caller,
(int) uid_of_caller,
- NULL,
+ conversation->worker_cancellable,
(GAsyncReadyCallback) on_reauthentication_started_cb,
conversation);
}
@@ -3032,7 +3062,8 @@ gdm_session_select_session (GdmSession *
gdm_dbus_worker_call_set_session_name (conversation->worker_proxy,
get_session_name (self),
- NULL, NULL, NULL);
+ conversation->worker_cancellable,
+ NULL, NULL);
}
}