Bug 94486

Summary:	Access after free during polkitagentlistener shutdown
Product:	PolicyKit	Reporter:	Stef Walter <stefw>
Component:	libpolkit	Assignee:	David Zeuthen (not reading bugmail) <zeuthen>
Status:	RESOLVED FIXED	QA Contact:	David Zeuthen (not reading bugmail) <zeuthen>
Severity:	normal
Priority:	medium	CC:	stefw, walters
Version:	unspecified
Hardware:	Other
OS:	All
Whiteboard:
i915 platform:		i915 features:
Attachments:	polkitagent: Fix access after dereference on hashtable

Description Stef Walter 2016-03-11 09:08:13 UTC

There is an access after free during polkitagentlistener shutdown.

    If an authentication is going on while the agent listener is
    going away, then we access memory that has been freed.
    
    g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'

Comment 1 Stef Walter 2016-03-11 09:08:28 UTC

Created attachment 122217 [details] [review]
polkitagent: Fix access after dereference on hashtable

If an authentication is going on while the agent listener is
going away, then we access memory that has been freed.

g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'

Comment 2 Stef Walter 2016-03-11 09:09:18 UTC

Happens to cockpit's agent listener.

Comment 3 Stef Walter 2016-03-11 09:09:35 UTC

https://fedorapeople.org/groups/cockpit/logs/pull-3936-18f9f980-verify-fedora-atomic/TestSession-testBasic-10.111.119.102-FAIL.log

Comment 4 Colin Walters 2016-03-12 00:05:34 UTC

Looks reasonable to me.

Comment 5 Miloslav Trmac 2016-03-12 02:35:30 UTC

Yes, a clear improvement.

Committed, thanks!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.