!59 udiskslinuxmanager:use dbus interface after free

From: @cenhuilin 
Reviewed-by: @swf504 
Signed-off-by: @swf504

0002-CVE-2021-3802.patch

@@ -0,0 +1,59 @@
+From 38d90a433bda0fc0f2a409f6baa12c3958893571 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 15 Sep 2021 14:34:49 +0200
+Subject: [PATCH] mount options: Always use errors=remount-ro for ext
+ filesystems
+
+Default mount options are focused primarily on data safety, mounting
+damaged ext2/3/4 filesystem as readonly would indicate something's wrong.
+
+(cherry picked from commit 2d5d2b7570b0f44c14b34b5dc831f174205c10f2)
+---
+ data/builtin_mount_options.conf            | 9 +++++++++
+ src/tests/dbus-tests/test_80_filesystem.py | 6 ++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/data/builtin_mount_options.conf b/data/builtin_mount_options.conf
+index 989258d..d76fcf2 100644
+--- a/data/builtin_mount_options.conf
++++ b/data/builtin_mount_options.conf
+@@ -23,3 +23,12 @@ hfsplus_allow=uid=$UID,gid=$GID,creator,type,umask,session,part,decompose,nodeco
+ btrfs_allow=compress,compress-force,datacow,nodatacow,datasum,nodatasum,degraded,device,discard,nodiscard,subvol,subvolid,space_cache
+ 
+ f2fs_allow=discard,nodiscard,compress_algorithm,compress_log_size,compress_extension,alloc_mode
++
++ext2_defaults=errors=remount-ro
++ext2_allow=errors=remount-ro
++
++ext3_defaults=errors=remount-ro
++ext3_allow=errors=remount-ro
++
++ext4_defaults=errors=remount-ro
++ext4_allow=errors=remount-ro
+diff --git a/src/tests/dbus-tests/test_80_filesystem.py b/src/tests/dbus-tests/test_80_filesystem.py
+index c22855b..52feb02 100644
+--- a/src/tests/dbus-tests/test_80_filesystem.py
++++ b/src/tests/dbus-tests/test_80_filesystem.py
+@@ -320,6 +320,8 @@ class UdisksFSTestCase(udiskstestcase.UdisksTestCase):
+         _ret, out = self.run_command('mount | grep %s' % block_fs_dev)
+         self.assertIn(mnt_path, out)
+         self.assertIn('ro', out)
++        if self._fs_name.startswith('ext'):
++            self.assertIn('errors=remount-ro', out)
+ 
+         # dbus mountpoint
+         dbus_mounts = self.get_property(block_fs, '.Filesystem', 'MountPoints')
+@@ -477,6 +479,10 @@ class UdisksFSTestCase(udiskstestcase.UdisksTestCase):
+         if self._fs_name == "udf":
+             test_custom_option(self, False, None, False, "[defaults]\ndefaults=\nallow=exec,noexec,nodev,nosuid,atime,noatime,nodiratime,ro,rw,sync,dirsync,noload,uid=ignore,uid=forget\n")
+             test_custom_option(self, True, "uid=notallowed", True, "[defaults]\nallow=exec,noexec,nodev,nosuid,atime,noatime,nodiratime,ro,rw,sync,dirsync,noload,uid=ignore\n")
++        if self._fs_name.startswith("ext"):
++            test_custom_option(self, False, "errors=remount-ro", True, "", match_mount_option="errors=remount-ro")
++            test_custom_option(self, True, "errors=panic", False, "")
++            test_custom_option(self, True, "errors=continue", False, "")
+ 
+         # udev rules overrides
+         test_readonly(self, False, "", udev_rules_content = { "UDISKS_MOUNT_OPTIONS_DEFAULTS": "rw" })
+-- 
+2.23.0
+

0003-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch

@@ -0,0 +1,74 @@
+From d205057296957d6064825252a3d3377e809d6fed Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 6 Oct 2021 17:12:13 +0200
+Subject: [PATCH] udiskslinuxmountoptions: Do not free static daemon resources
+
+The GResource instance returned from udisks_daemon_resources_get_resource()
+that calls g_static_resource_get_resource() internally is marked as
+'(transfer none)' and should not be freed. In fact that causes double
+free inside the g_static_resource_fini() atexit handler leading
+to memory corruption causing random failures of further atexit
+handlers such as cryptsetup and openssl destructors.
+
+ Invalid read of size 4
+    at 0x4BB03A4: g_resource_unref (gresource.c:527)
+    by 0x4BB2150: g_static_resource_fini (gresource.c:1449)
+    by 0x4010ADB: _dl_fini (dl-fini.c:139)
+    by 0x4EF0DF4: __run_exit_handlers (exit.c:113)
+    by 0x4EF0F6F: exit (exit.c:143)
+    by 0x4ED9566: __libc_start_call_main (libc_start_call_main.h:74)
+    by 0x4ED960B: __libc_start_main@@GLIBC_2.34 (libc-start.c:409)
+    by 0x128774: (below main) (in udisks/src/.libs/udisksd)
+  Address 0x5cc5fc0 is 0 bytes inside a block of size 16 free'd
+    at 0x48430E4: free (vg_replace_malloc.c:755)
+    by 0x4DB10BC: g_free (gmem.c:199)
+    by 0x4BB2148: g_static_resource_fini (gresource.c:1448)
+    by 0x4010ADB: _dl_fini (dl-fini.c:139)
+    by 0x4EF0DF4: __run_exit_handlers (exit.c:113)
+    by 0x4EF0F6F: exit (exit.c:143)
+    by 0x4ED9566: __libc_start_call_main (libc_start_call_main.h:74)
+    by 0x4ED960B: __libc_start_main@@GLIBC_2.34 (libc-start.c:409)
+    by 0x128774: (below main) (in udisks/src/.libs/udisksd)
+  Block was alloc'd at
+    at 0x484086F: malloc (vg_replace_malloc.c:380)
+    by 0x4DB47A8: g_malloc (gmem.c:106)
+    by 0x4BB19C7: UnknownInlinedFun (gresource.c:545)
+    by 0x4BB19C7: g_resource_new_from_data (gresource.c:613)
+    by 0x4BB1A88: register_lazy_static_resources_unlocked (gresource.c:1374)
+    by 0x4BB218C: UnknownInlinedFun (gresource.c:1393)
+    by 0x4BB218C: UnknownInlinedFun (gresource.c:1387)
+    by 0x4BB218C: g_static_resource_get_resource (gresource.c:1472)
+    by 0x14F6A3: UnknownInlinedFun (udisks-daemon-resources.c:284)
+    by 0x14F6A3: udisks_linux_mount_options_get_builtin (udiskslinuxmountoptions.c:612)
+    by 0x12CC6E: udisks_daemon_constructed (udisksdaemon.c:441)
+    by 0x4D1ED96: g_object_new_internal (gobject.c:1985)
+    by 0x4D20227: g_object_new_valist (gobject.c:2288)
+    by 0x4D2075C: g_object_new (gobject.c:1788)
+    by 0x129A5F: udisks_daemon_new (udisksdaemon.c:619)
+    by 0x129AD5: on_bus_acquired (main.c:63)
+    by 0x4C35C95: connection_get_cb.lto_priv.0 (gdbusnameowning.c:504)
+    by 0x4BD3F99: g_task_return_now (gtask.c:1219)
+    by 0x4BD419A: UnknownInlinedFun (gtask.c:1289)
+    by 0x4BD419A: g_task_return (gtask.c:1245)
+    by 0x4C31D51: bus_get_async_initable_cb (gdbusconnection.c:7433)
+    by 0x4BD3F99: g_task_return_now (gtask.c:1219)
+    by 0x4BD3FDC: complete_in_idle_cb (gtask.c:1233)
+    by 0x4DA852A: g_idle_dispatch (gmain.c:5897)
+    by 0x4DAC33E: UnknownInlinedFun (gmain.c:3381)
+    by 0x4DAC33E: g_main_context_dispatch (gmain.c:4099)
+---
+ src/udiskslinuxmountoptions.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/udiskslinuxmountoptions.c b/src/udiskslinuxmountoptions.c
+index 7729d40159..819c9ba96a 100644
+--- a/src/udiskslinuxmountoptions.c
++++ b/src/udiskslinuxmountoptions.c
+@@ -614,7 +614,6 @@ udisks_linux_mount_options_get_builtin (void)
+                                                "/org/freedesktop/UDisks2/data/builtin_mount_options.conf",
+                                                G_RESOURCE_LOOKUP_FLAGS_NONE,
+                                                &error);
+-  g_resource_unref (daemon_resource);
+ 
+   if (builtin_opts_bytes == NULL)
+     {

0004-udisksctl-Guard-object-lookup.patch

@@ -0,0 +1,75 @@
+From ad83cfb26c2dd8d4532a634e105baaee76441c8f Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Mon, 3 Jun 2024 17:50:38 +0800
+Subject: [PATCH] udisksctl: Guard object lookup
+
+Added extra checks for object validity when looking up physical
+device through a drive. Reproducible e.g. by calling 'power-off'
+over a LUKS container.
+---
+ tools/udisksctl.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/tools/udisksctl.c b/tools/udisksctl.c
+index 3b0a48e..c020879 100644
+--- a/tools/udisksctl.c
++++ b/tools/udisksctl.c
+@@ -2002,6 +2002,7 @@ handle_command_smart_simulate (gint        *argc,
+     {
+       UDisksObject *block_object;
+       UDisksDrive *drive;
++
+       block_object = lookup_object_by_device (opt_smart_simulate_device);
+       if (block_object == NULL)
+         {
+@@ -2009,7 +2010,19 @@ handle_command_smart_simulate (gint        *argc,
+           goto out;
+         }
+       drive = udisks_client_get_drive_for_block (client, udisks_object_peek_block (block_object));
++      if (drive == NULL)
++        {
++          g_printerr ("Error looking up drive for device %s\n", opt_smart_simulate_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       object = (UDisksObject *) g_dbus_interface_dup_object (G_DBUS_INTERFACE (drive));
++      if (object == NULL)
++        {
++          g_printerr ("Error looking up object for device %s\n", opt_smart_simulate_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       g_object_unref (block_object);
+     }
+   else
+@@ -2243,6 +2256,7 @@ handle_command_power_off (gint        *argc,
+     {
+       UDisksObject *block_object;
+       UDisksDrive *drive;
++
+       block_object = lookup_object_by_device (opt_power_off_device);
+       if (block_object == NULL)
+         {
+@@ -2250,7 +2264,19 @@ handle_command_power_off (gint        *argc,
+           goto out;
+         }
+       drive = udisks_client_get_drive_for_block (client, udisks_object_peek_block (block_object));
++      if (drive == NULL)
++        {
++          g_printerr ("Error looking up drive for device %s\n", opt_power_off_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       object = (UDisksObject *) g_dbus_interface_dup_object (G_DBUS_INTERFACE (drive));
++      if (object == NULL)
++        {
++          g_printerr ("Error looking up object for device %s\n", opt_power_off_device);
++          g_object_unref (block_object);
++          goto out;
++        }
+       g_object_unref (block_object);
+     }
+   else
+-- 
+2.33.0
+

0005-udiskslinuxmanager-use-dbus-interface-after-free.patch

@@ -0,0 +1,115 @@
+From 3dc036fb5045fc068c6abfbe4e62d0871d7ca82a Mon Sep 17 00:00:00 2001
+From: xinpeng wang <wangxinpeng@uniontech.com>
+Date: Tue, 18 Jun 2024 17:32:03 +0800
+Subject: [PATCH] udiskslinuxmanager:use dbus interface after free
+
+In handle_get_block_devices, call get_block_objects to obtain iface_block_device
+of all current UDisksLinuxBlockObject, and then obtain the corresponding
+UDisksLinuxBlockObject's object_path through iface_block_device.iface_block_device
+is a GDBusInterfaceSkeleton, which saves the object through
+g_dbus_interface_skeleton_set_object. g_object_add_weak_pointer is used here. This
+function is not thread-safe.At this time, if other threads are releasing the object,
+the program will crash.
+This scene can be reproduced by quickly plugging and unplugging the USB disk.
+The core is as follows (the redundant stack is omitted):
+When accessing object in thread 1, the object is released by thread 2
+info threads
+   Id Target Id Frame
+* 1 Thread 0x7f80979e70 (LWP 24559) 0x0000007f8a48dda0 in
+g_dbus_object_get_object_path (object=0x0) at ../../../gio/gdbusobject.c:109
+  2 Thread 0x7f88a43010 (LWP 1159) 0x0000007f8a0a6ae8 in __GI___libc_free
+(mem=0x556a919c80) at malloc.c:3093
+
+thread 1
+(gdb) bt
+0 0x0000007f8a48dda0 in g_dbus_object_get_object_path (object=0x0) at
+../../../gio/gdbusobject.c:109
+1 0x000000556a56911c in handle_get_block_devices (object=0x7f7c007ed0, invocation=
+0x7f74016f20 [GDBusMethodInvocation], arg_options=<optimized out>)
+     at udiskslinuxmanager.c:1063
+
+(gdb) p ((GObject*)(blocks_p->data))->ref_count
+$3 = 1
+(gdb) p *((GDBusInterfaceSkeleton*)(blocks_p->data))
+$6 = {parent_instance = {g_type_instance = {g_class = 0x556a64e740
+[g_type: UDisksLinuxBlock/UDisksBlockSkeleton/GDBusInterfaceSkeleton]}, ref_count = 1,
+qdata = 0x0},  priv = 0x7f7c004ac0}
+(gdb) p *((GDBusInterfaceSkeleton*)(blocks_p->data))->priv
+$7 = {lock = {p = 0x0, i = {0, 0}}, object = 0x0,
+flags = G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD,
+connections = 0x0, object_path = 0x0, hooked_vtable = 0x556a62b9f0}
+
+thread 2
+(gdb) bt
+0 0x0000007f8a0a6ae8 in __GI___libc_free (mem=0x556a919c80) at malloc.c:3093
+1 0x0000007f89ff1224 in () at /lib/aarch64-linux-gnu/libudev.so.1
+2 0x0000007f89ff1348 in () at /lib/aarch64-linux-gnu/libudev.so.1
+3 0x0000007f89ff5520 in () at /lib/aarch64-linux-gnu/libudev.so.1
+4 0x0000007f89fff878 in udev_device_unref () at /lib/aarch64-linux-gnu/libudev.so.1
+5 0x0000007f8a7aeb74 in () at /lib/aarch64-linux-gnu/libgudev-1.0.so.0
+6 0x0000007f8a3193f8 in g_object_unref (_object=<optimized out>) at
+../../../gobject/gobject.c:3346
+7 0x0000007f8a3193f8 in g_object_unref (_object=0x7f680038a0) at
+../../../gobject/gobject.c:3238
+8 0x000000556a57700c in udisks_linux_device_finalize (object=0x7f5c005730
+[UDisksLinuxDevice]) at udiskslinuxdevice.c:75
+9 0x0000007f8a3193f8 in g_object_unref (_object=<optimized out>) at
+../../../gobject/gobject.c:3346
+10 0x0000007f8a3193f8 in g_object_unref (_object=0x7f5c005730) at
+../../../gobject/gobject.c:3238
+11 0x000000556a55d0fc in udisks_linux_drive_object_uevent
+     (object=object@entry=0x556a5df370 [UDisksLinuxDriveObject],
+action=action@entry=0x556a87b120
+"remove",device=device@entry=0x7f74007610 [UDisksLinuxDevice])
+     at udiskslinuxdriveobject.c:715
+12 0x000000556a54840c in handle_block_uevent_for_drive
+     (provider=provider@entry=0x556a5c8200 [UDisksLinuxProvider],
+action=action@entry=0x556a87b120 "remove",device=device@entry=0x7f74007610
+[UDisksLinuxDevice]) at udiskslinuxprovider.c:1035
+13 0x000000556a548ab8 in handle_block_uevent (device=0x7f74007610 [UDisksLinuxDevice],
+action=0x556a87b120 "remove", provider=0x556a5c8200 [UDisksLinuxProvider]) at
+udiskslinuxprovider.c:1349
+14 0x000000556a548ab8 in udisks_linux_provider_handle_uevent
+     (provider=0x556a5c8200 [UDisksLinuxProvider], action=0x556a87b120 "remove",
+device=0x7f74007610 [UDisksLinuxDevice]) at udiskslinuxprovider.c:1399
+15 0x000000556a548cac in on_idle_with_probed_uevent (user_data=0x556a7e65a0) at
+udiskslinuxprovider.c:230
+---
+ src/udiskslinuxmanager.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c
+index 1bbf980..878f04b 100644
+--- a/src/udiskslinuxmanager.c
++++ b/src/udiskslinuxmanager.c
+@@ -1148,8 +1148,11 @@ handle_get_block_devices (UDisksManager         *object,
+   blocks = get_block_objects (object, &num_blocks);
+   block_paths = g_new0 (const gchar *, num_blocks + 1);
+ 
+-  for (i = 0,blocks_p = blocks; blocks_p != NULL; blocks_p = blocks_p->next, i++)
+-      block_paths[i] = g_dbus_object_get_object_path (g_dbus_interface_get_object (G_DBUS_INTERFACE (blocks_p->data)));
++  for (blocks_p = blocks; blocks_p != NULL; blocks_p = blocks_p->next) {
++	  GDBusObject * block_object = g_dbus_interface_get_object (G_DBUS_INTERFACE (blocks_p->data));
++	  if (block_object)
++		  block_paths[i++] = g_dbus_object_get_object_path (block_object);
++  }
+ 
+   udisks_manager_complete_get_block_devices  (object,
+                                               invocation,
+@@ -1228,9 +1231,11 @@ handle_resolve_device (UDisksManager         *object,
+     }
+ 
+   ret_paths = g_new0 (const gchar *, num_found + 1);
+-  for (i = 0,ret_p = ret; ret_p != NULL; ret_p = ret_p->next, i++)
++  for (i = 0,ret_p = ret; ret_p != NULL; ret_p = ret_p->next)
+     {
+-      ret_paths[i] = g_dbus_object_get_object_path (g_dbus_interface_get_object (G_DBUS_INTERFACE (ret_p->data)));
++      GDBusObject *block_object = g_dbus_interface_get_object (G_DBUS_INTERFACE (ret_p->data));
++      if (block_object)
++        ret_paths[i++] = g_dbus_object_get_object_path (block_object);
+     }
+ 
+   udisks_manager_complete_resolve_device (object,
+-- 
+2.33.0
+

udisks2.spec

@@ -59,17 +59,17 @@
 Name:    udisks2
 Summary: Disk Manager
 Version: 2.9.0
-%if %{is_git} == 0
-Release: 2
-%else
-Release: 0.%{build_date}git%{git_hash}%{?dist}
-%endif
-License: GPLv2+
+Release: 7
+License: GPL-2.0+ and LGPL-2.0+
 Group:   System Environment/Libraries
 URL:     https://github.com/storaged-project/udisks
 Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2
 
 Patch1:  0001-udiskslinuxmountoptions-Prevent-a-memory-leak.patch
+Patch2:  0002-CVE-2021-3802.patch
+Patch3:  0003-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch
+Patch4:  0004-udisksctl-Guard-object-lookup.patch
+Patch5:  0005-udiskslinuxmanager-use-dbus-interface-after-free.patch
 
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@@ -259,7 +259,7 @@ This package contains module for VDO management.
 %endif
 
 %prep
-%setup -q -n udisks-%{version}
+%autosetup -p1 -n udisks-%{version}
 sed -i udisks/udisks2.conf.in -e "s/encryption=luks1/encryption=%{default_luks_encryption}/"
 
 %build
@@ -441,6 +441,22 @@ udevadm trigger
 %endif
 
 %changelog
+* Tue Jun 18 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.0-7
+- udiskslinuxmanager:use dbus interface after free
+
+* Mon Jun 03 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.0-6
+- udisksctl: Guard object lookup
+
+* Wed Feb 22 2023 miaoguanqin <miaoguanqin@huawei.com> - 2.9.0-5
+- fix coredump with stop udisks2
+
+* Sat Feb 19 2022 yanglongkang <yanglongkang@h-partners> - 2.9.0-4
+- correct License
+
+* Tue Jan 5 2022 yanglongkang <yanglongkang@huawei.com> -2.9.0-3
+- rectify errors in the spec file
+  fix CVE-2021-3802
+
 * Mon Jul 27 2020 Zhiqiang Liu <lzhq28@mail.ustc.edu.cn> - 2.9.0-2
 - update from 2.8.1 to 2.9.0