!58 udiskslinuxmanager:use dbus interface after free

From: @cenhuilin 
Reviewed-by: @swf504 
Signed-off-by: @swf504

0001-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch

@@ -0,0 +1,74 @@
+From d205057296957d6064825252a3d3377e809d6fed Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 6 Oct 2021 17:12:13 +0200
+Subject: [PATCH] udiskslinuxmountoptions: Do not free static daemon resources
+
+The GResource instance returned from udisks_daemon_resources_get_resource()
+that calls g_static_resource_get_resource() internally is marked as
+'(transfer none)' and should not be freed. In fact that causes double
+free inside the g_static_resource_fini() atexit handler leading
+to memory corruption causing random failures of further atexit
+handlers such as cryptsetup and openssl destructors.
+
+ Invalid read of size 4
+    at 0x4BB03A4: g_resource_unref (gresource.c:527)
+    by 0x4BB2150: g_static_resource_fini (gresource.c:1449)
+    by 0x4010ADB: _dl_fini (dl-fini.c:139)
+    by 0x4EF0DF4: __run_exit_handlers (exit.c:113)
+    by 0x4EF0F6F: exit (exit.c:143)
+    by 0x4ED9566: __libc_start_call_main (libc_start_call_main.h:74)
+    by 0x4ED960B: __libc_start_main@@GLIBC_2.34 (libc-start.c:409)
+    by 0x128774: (below main) (in udisks/src/.libs/udisksd)
+  Address 0x5cc5fc0 is 0 bytes inside a block of size 16 free'd
+    at 0x48430E4: free (vg_replace_malloc.c:755)
+    by 0x4DB10BC: g_free (gmem.c:199)
+    by 0x4BB2148: g_static_resource_fini (gresource.c:1448)
+    by 0x4010ADB: _dl_fini (dl-fini.c:139)
+    by 0x4EF0DF4: __run_exit_handlers (exit.c:113)
+    by 0x4EF0F6F: exit (exit.c:143)
+    by 0x4ED9566: __libc_start_call_main (libc_start_call_main.h:74)
+    by 0x4ED960B: __libc_start_main@@GLIBC_2.34 (libc-start.c:409)
+    by 0x128774: (below main) (in udisks/src/.libs/udisksd)
+  Block was alloc'd at
+    at 0x484086F: malloc (vg_replace_malloc.c:380)
+    by 0x4DB47A8: g_malloc (gmem.c:106)
+    by 0x4BB19C7: UnknownInlinedFun (gresource.c:545)
+    by 0x4BB19C7: g_resource_new_from_data (gresource.c:613)
+    by 0x4BB1A88: register_lazy_static_resources_unlocked (gresource.c:1374)
+    by 0x4BB218C: UnknownInlinedFun (gresource.c:1393)
+    by 0x4BB218C: UnknownInlinedFun (gresource.c:1387)
+    by 0x4BB218C: g_static_resource_get_resource (gresource.c:1472)
+    by 0x14F6A3: UnknownInlinedFun (udisks-daemon-resources.c:284)
+    by 0x14F6A3: udisks_linux_mount_options_get_builtin (udiskslinuxmountoptions.c:612)
+    by 0x12CC6E: udisks_daemon_constructed (udisksdaemon.c:441)
+    by 0x4D1ED96: g_object_new_internal (gobject.c:1985)
+    by 0x4D20227: g_object_new_valist (gobject.c:2288)
+    by 0x4D2075C: g_object_new (gobject.c:1788)
+    by 0x129A5F: udisks_daemon_new (udisksdaemon.c:619)
+    by 0x129AD5: on_bus_acquired (main.c:63)
+    by 0x4C35C95: connection_get_cb.lto_priv.0 (gdbusnameowning.c:504)
+    by 0x4BD3F99: g_task_return_now (gtask.c:1219)
+    by 0x4BD419A: UnknownInlinedFun (gtask.c:1289)
+    by 0x4BD419A: g_task_return (gtask.c:1245)
+    by 0x4C31D51: bus_get_async_initable_cb (gdbusconnection.c:7433)
+    by 0x4BD3F99: g_task_return_now (gtask.c:1219)
+    by 0x4BD3FDC: complete_in_idle_cb (gtask.c:1233)
+    by 0x4DA852A: g_idle_dispatch (gmain.c:5897)
+    by 0x4DAC33E: UnknownInlinedFun (gmain.c:3381)
+    by 0x4DAC33E: g_main_context_dispatch (gmain.c:4099)
+---
+ src/udiskslinuxmountoptions.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/udiskslinuxmountoptions.c b/src/udiskslinuxmountoptions.c
+index 7729d40159..819c9ba96a 100644
+--- a/src/udiskslinuxmountoptions.c
++++ b/src/udiskslinuxmountoptions.c
+@@ -614,7 +614,6 @@ udisks_linux_mount_options_get_builtin (void)
+                                                "/org/freedesktop/UDisks2/data/builtin_mount_options.conf",
+                                                G_RESOURCE_LOOKUP_FLAGS_NONE,
+                                                &error);
+-  g_resource_unref (daemon_resource);
+ 
+   if (builtin_opts_bytes == NULL)
+     {

0002-udisksctl-Guard-object-lookup.patch

@@ -0,0 +1,75 @@
+From ad83cfb26c2dd8d4532a634e105baaee76441c8f Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Mon, 3 Jun 2024 17:02:15 +0800
+Subject: [PATCH] udisksctl: Guard object lookup
+
+Added extra checks for object validity when looking up physical
+device through a drive. Reproducible e.g. by calling 'power-off'
+over a LUKS container.
+---
+ tools/udisksctl.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/tools/udisksctl.c b/tools/udisksctl.c
+index 7a5de65..349dca3 100644
+--- a/tools/udisksctl.c
++++ b/tools/udisksctl.c
+@@ -2003,6 +2003,7 @@ handle_command_smart_simulate (gint        *argc,
+     {
+       UDisksObject *block_object;
+       UDisksDrive *drive;
++
+       block_object = lookup_object_by_device (opt_smart_simulate_device);
+       if (block_object == NULL)
+         {
+@@ -2010,7 +2011,19 @@ handle_command_smart_simulate (gint        *argc,
+           goto out;
+         }
+       drive = udisks_client_get_drive_for_block (client, udisks_object_peek_block (block_object));
++      if (drive == NULL)
++        {
++          g_printerr ("Error looking up drive for device %s\n", opt_smart_simulate_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       object = (UDisksObject *) g_dbus_interface_dup_object (G_DBUS_INTERFACE (drive));
++      if (object == NULL)
++        {
++          g_printerr ("Error looking up object for device %s\n", opt_smart_simulate_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       g_object_unref (block_object);
+     }
+   else
+@@ -2244,6 +2257,7 @@ handle_command_power_off (gint        *argc,
+     {
+       UDisksObject *block_object;
+       UDisksDrive *drive;
++
+       block_object = lookup_object_by_device (opt_power_off_device);
+       if (block_object == NULL)
+         {
+@@ -2251,7 +2265,19 @@ handle_command_power_off (gint        *argc,
+           goto out;
+         }
+       drive = udisks_client_get_drive_for_block (client, udisks_object_peek_block (block_object));
++      if (drive == NULL)
++        {
++          g_printerr ("Error looking up drive for device %s\n", opt_power_off_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       object = (UDisksObject *) g_dbus_interface_dup_object (G_DBUS_INTERFACE (drive));
++      if (object == NULL)
++        {
++          g_printerr ("Error looking up object for device %s\n", opt_power_off_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       g_object_unref (block_object);
+     }
+   else
+-- 
+2.33.0
+

0003-udiskslinuxmanager-use-dbus-interface-after-free.patch

@@ -0,0 +1,115 @@
+From 3dc036fb5045fc068c6abfbe4e62d0871d7ca82a Mon Sep 17 00:00:00 2001
+From: xinpeng wang <wangxinpeng@uniontech.com>
+Date: Tue, 18 Jun 2024 16:58:17 +0800
+Subject: [PATCH] udiskslinuxmanager:use dbus interface after free
+
+In handle_get_block_devices, call get_block_objects to obtain iface_block_device
+of all current UDisksLinuxBlockObject, and then obtain the corresponding
+UDisksLinuxBlockObject's object_path through iface_block_device.iface_block_device
+is a GDBusInterfaceSkeleton, which saves the object through
+g_dbus_interface_skeleton_set_object. g_object_add_weak_pointer is used here. This
+function is not thread-safe.At this time, if other threads are releasing the object,
+the program will crash.
+This scene can be reproduced by quickly plugging and unplugging the USB disk.
+The core is as follows (the redundant stack is omitted):
+When accessing object in thread 1, the object is released by thread 2
+info threads
+   Id Target Id Frame
+* 1 Thread 0x7f80979e70 (LWP 24559) 0x0000007f8a48dda0 in
+g_dbus_object_get_object_path (object=0x0) at ../../../gio/gdbusobject.c:109
+  2 Thread 0x7f88a43010 (LWP 1159) 0x0000007f8a0a6ae8 in __GI___libc_free
+(mem=0x556a919c80) at malloc.c:3093
+
+thread 1
+(gdb) bt
+0 0x0000007f8a48dda0 in g_dbus_object_get_object_path (object=0x0) at
+../../../gio/gdbusobject.c:109
+1 0x000000556a56911c in handle_get_block_devices (object=0x7f7c007ed0, invocation=
+0x7f74016f20 [GDBusMethodInvocation], arg_options=<optimized out>)
+     at udiskslinuxmanager.c:1063
+
+(gdb) p ((GObject*)(blocks_p->data))->ref_count
+$3 = 1
+(gdb) p *((GDBusInterfaceSkeleton*)(blocks_p->data))
+$6 = {parent_instance = {g_type_instance = {g_class = 0x556a64e740
+[g_type: UDisksLinuxBlock/UDisksBlockSkeleton/GDBusInterfaceSkeleton]}, ref_count = 1,
+qdata = 0x0},  priv = 0x7f7c004ac0}
+(gdb) p *((GDBusInterfaceSkeleton*)(blocks_p->data))->priv
+$7 = {lock = {p = 0x0, i = {0, 0}}, object = 0x0,
+flags = G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD,
+connections = 0x0, object_path = 0x0, hooked_vtable = 0x556a62b9f0}
+
+thread 2
+(gdb) bt
+0 0x0000007f8a0a6ae8 in __GI___libc_free (mem=0x556a919c80) at malloc.c:3093
+1 0x0000007f89ff1224 in () at /lib/aarch64-linux-gnu/libudev.so.1
+2 0x0000007f89ff1348 in () at /lib/aarch64-linux-gnu/libudev.so.1
+3 0x0000007f89ff5520 in () at /lib/aarch64-linux-gnu/libudev.so.1
+4 0x0000007f89fff878 in udev_device_unref () at /lib/aarch64-linux-gnu/libudev.so.1
+5 0x0000007f8a7aeb74 in () at /lib/aarch64-linux-gnu/libgudev-1.0.so.0
+6 0x0000007f8a3193f8 in g_object_unref (_object=<optimized out>) at
+../../../gobject/gobject.c:3346
+7 0x0000007f8a3193f8 in g_object_unref (_object=0x7f680038a0) at
+../../../gobject/gobject.c:3238
+8 0x000000556a57700c in udisks_linux_device_finalize (object=0x7f5c005730
+[UDisksLinuxDevice]) at udiskslinuxdevice.c:75
+9 0x0000007f8a3193f8 in g_object_unref (_object=<optimized out>) at
+../../../gobject/gobject.c:3346
+10 0x0000007f8a3193f8 in g_object_unref (_object=0x7f5c005730) at
+../../../gobject/gobject.c:3238
+11 0x000000556a55d0fc in udisks_linux_drive_object_uevent
+     (object=object@entry=0x556a5df370 [UDisksLinuxDriveObject],
+action=action@entry=0x556a87b120
+"remove",device=device@entry=0x7f74007610 [UDisksLinuxDevice])
+     at udiskslinuxdriveobject.c:715
+12 0x000000556a54840c in handle_block_uevent_for_drive
+     (provider=provider@entry=0x556a5c8200 [UDisksLinuxProvider],
+action=action@entry=0x556a87b120 "remove",device=device@entry=0x7f74007610
+[UDisksLinuxDevice]) at udiskslinuxprovider.c:1035
+13 0x000000556a548ab8 in handle_block_uevent (device=0x7f74007610 [UDisksLinuxDevice],
+action=0x556a87b120 "remove", provider=0x556a5c8200 [UDisksLinuxProvider]) at
+udiskslinuxprovider.c:1349
+14 0x000000556a548ab8 in udisks_linux_provider_handle_uevent
+     (provider=0x556a5c8200 [UDisksLinuxProvider], action=0x556a87b120 "remove",
+device=0x7f74007610 [UDisksLinuxDevice]) at udiskslinuxprovider.c:1399
+15 0x000000556a548cac in on_idle_with_probed_uevent (user_data=0x556a7e65a0) at
+udiskslinuxprovider.c:230
+---
+ src/udiskslinuxmanager.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c
+index 7a614f4..950dee2 100644
+--- a/src/udiskslinuxmanager.c
++++ b/src/udiskslinuxmanager.c
+@@ -1165,8 +1165,11 @@ handle_get_block_devices (UDisksManager         *object,
+   blocks = get_block_objects (object, &num_blocks);
+   block_paths = g_new0 (const gchar *, num_blocks + 1);
+ 
+-  for (i = 0,blocks_p = blocks; blocks_p != NULL; blocks_p = blocks_p->next, i++)
+-      block_paths[i] = g_dbus_object_get_object_path (g_dbus_interface_get_object (G_DBUS_INTERFACE (blocks_p->data)));
++  for (blocks_p = blocks; blocks_p != NULL; blocks_p = blocks_p->next) {
++	  GDBusObject * block_object = g_dbus_interface_get_object (G_DBUS_INTERFACE (blocks_p->data));
++	  if (block_object)
++		  block_paths[i++] = g_dbus_object_get_object_path (block_object);
++  }
+ 
+   udisks_manager_complete_get_block_devices  (object,
+                                               invocation,
+@@ -1245,9 +1248,11 @@ handle_resolve_device (UDisksManager         *object,
+     }
+ 
+   ret_paths = g_new0 (const gchar *, num_found + 1);
+-  for (i = 0,ret_p = ret; ret_p != NULL; ret_p = ret_p->next, i++)
++  for (i = 0,ret_p = ret; ret_p != NULL; ret_p = ret_p->next)
+     {
+-      ret_paths[i] = g_dbus_object_get_object_path (g_dbus_interface_get_object (G_DBUS_INTERFACE (ret_p->data)));
++      GDBusObject *block_object = g_dbus_interface_get_object (G_DBUS_INTERFACE (ret_p->data));
++      if (block_object)
++        ret_paths[i++] = g_dbus_object_get_object_path (block_object);
+     }
+ 
+   udisks_manager_complete_resolve_device (object,
+-- 
+2.33.0
+

udisks2.spec

@@ -58,12 +58,14 @@
 Name:    udisks2
 Summary: Disk Manager
 Version: 2.9.4
-Release: 1
-License: GPLv2+
+Release: 6
+License: GPL-2.0+ and LGPL-2.0+
 Group:   System Environment/Libraries
 URL:     https://github.com/storaged-project/udisks
 Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2
-
+Patch1:  0001-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch
+Patch2:  0002-udisksctl-Guard-object-lookup.patch
+Patch3:  0003-udiskslinuxmanager-use-dbus-interface-after-free.patch
 
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@@ -253,7 +255,7 @@ This package contains module for VDO management.
 %endif
 
 %prep
-%setup -q -n udisks-%{version}
+%autosetup -n udisks-%{version} -p1
 sed -i udisks/udisks2.conf.in -e "s/encryption=luks1/encryption=%{default_luks_encryption}/"
 
 %build
@@ -436,6 +438,21 @@ udevadm trigger
 %endif
 
 %changelog
+* Tue Jun 18 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.4-6
+- udiskslinuxmanager:use dbus interface after free
+
+* Mon Jun 03 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.4-5
+- udisksctl: Guard object lookup
+
+* Tue Feb 21 2023 miaoguanqin <miaoguanqin@huawei.com> - 2.9.4-4
+- fix coredump while stop udisks2
+
+* Sat Oct 29 2022 wangzhiqiang <wangzhiqiang95@huawei.com> - 2.9.4-3
+- update release
+
+* Sat Feb 19 2022 yanglongkang <yanglongkang@h-partners.com> - 2.9.4-2
+- correct License
+
 * Mon Nov 22 2021 Li Jinlin <lijinlin3@huawei.com> - 2.9.4-1
 - update udisks2 version to 2.9.4