From 3c2f847227bd4d6e53a9c7d4518f82e072808e86 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 14 Dec 2021 19:36:34 +0900 Subject: [PATCH 1/3] polkit: make bus_verify_polkit_async_registry_free() return Hashmap* with NULL --- src/shared/bus-polkit.c | 7 +++++-- src/shared/bus-polkit.h | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c index 14122e0876a..bbe04bea37f 100644 --- a/src/shared/bus-polkit.c +++ b/src/shared/bus-polkit.c @@ -408,8 +408,11 @@ int bus_verify_polkit_async( return -EACCES; } -void bus_verify_polkit_async_registry_free(Hashmap *registry) { +Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry) { #if ENABLE_POLKIT - hashmap_free_with_destructor(registry, async_polkit_query_free); + return hashmap_free_with_destructor(registry, async_polkit_query_free); +#else + assert(hashmap_isempty(registry)); + return hashmap_free(registry); #endif } diff --git a/src/shared/bus-polkit.h b/src/shared/bus-polkit.h index 91a88a28079..e2a3b7eef66 100644 --- a/src/shared/bus-polkit.h +++ b/src/shared/bus-polkit.h @@ -8,4 +8,4 @@ int bus_test_polkit(sd_bus_message *call, int capability, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); -void bus_verify_polkit_async_registry_free(Hashmap *registry); +Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry); From 76fc1577023b524302ea44e5bfffbd0074a2271d Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 14 Dec 2021 19:37:27 +0900 Subject: [PATCH 2/3] home: clear Manager::bus, ::event, ::homes_by_xxx and so on `home_free()` may try to call some dbus or event related functions. To prevent that, set those variables NULL. --- src/home/homed-manager.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/home/homed-manager.c b/src/home/homed-manager.c index d49fcedb57b..2595e960163 100644 --- a/src/home/homed-manager.c +++ b/src/home/homed-manager.c @@ -253,8 +253,8 @@ Manager* manager_free(Manager *m) { HASHMAP_FOREACH(h, m->homes_by_worker_pid) (void) home_wait_for_worker(h); - sd_bus_flush_close_unref(m->bus); - bus_verify_polkit_async_registry_free(m->polkit_registry); + m->bus = sd_bus_flush_close_unref(m->bus); + m->polkit_registry = bus_verify_polkit_async_registry_free(m->polkit_registry); m->device_monitor = sd_device_monitor_unref(m->device_monitor); @@ -265,12 +265,12 @@ Manager* manager_free(Manager *m) { m->deferred_auto_login_event_source = sd_event_source_unref(m->deferred_auto_login_event_source); m->rebalance_event_source = sd_event_source_unref(m->rebalance_event_source); - sd_event_unref(m->event); + m->event = sd_event_unref(m->event); - hashmap_free(m->homes_by_uid); - hashmap_free(m->homes_by_name); - hashmap_free(m->homes_by_worker_pid); - hashmap_free(m->homes_by_sysfs); + m->homes_by_uid = hashmap_free(m->homes_by_uid); + m->homes_by_name = hashmap_free(m->homes_by_name); + m->homes_by_worker_pid = hashmap_free(m->homes_by_worker_pid); + m->homes_by_sysfs = hashmap_free(m->homes_by_sysfs); if (m->private_key) EVP_PKEY_free(m->private_key); From 2ff457720bd3bc59985e807b748f6305bdf27826 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 14 Dec 2021 15:38:12 +0900 Subject: [PATCH 3/3] home: fix heap-use-after-free `bus_home_emit_remove()` may be called from manager_free() -> home_free(). In that case, manager->bus is already unref()ed. Fixes #21767. --- src/home/homed-home-bus.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c index 9e9f537d6c8..61d46907809 100644 --- a/src/home/homed-home-bus.c +++ b/src/home/homed-home-bus.c @@ -940,6 +940,12 @@ int bus_home_emit_remove(Home *h) { if (!h->announced) return 0; + if (!h->manager) + return 0; + + if (!h->manager->bus) + return 0; + r = bus_home_path(h, &path); if (r < 0) return r;