powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
534 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 5873ce3f50
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5873ce3f50'
${ noResults }
base/SOURCES/polkit-0.112-CVE-2015-3256....

578 lines
22 KiB
Raw Blame History

commit 983e8ec37b0ec1cc5114cb9ca49cf558dedfb31e
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Don't pass an uninitialized JS parameter
Don't pass argc==3 when using a 2-member array in
polkit_backend_js_authority_check_authorization_sync . To avoid such
problems in the future, use G_N_ELEMENTS in both similar callers.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index c232573..c7a29e0 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -1074,7 +1074,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
if (!call_js_function_with_runaway_killer (authority,
"_runAdminRules",
- 2,
+ G_N_ELEMENTS (argv),
argv,
&rval))
{
@@ -1179,7 +1179,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
if (!call_js_function_with_runaway_killer (authority,
"_runRules",
- 3,
+ G_N_ELEMENTS (argv),
argv,
&rval))
{
commit a97672540c66c03ed392fc072f0c682281f08989
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Don't add extra NULL group to subject.groups
The NULL “terminator” of ‘groups’ was being passed to JavaScript. Drop
it, and simplify by leting set_property_strv use the GPtrArray directly
instead of the extra conversions “into” a strv and a completely dead
g_strv_length().
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index c7a29e0..efb07a9 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -659,26 +659,22 @@ static void
set_property_strv (PolkitBackendJsAuthority *authority,
JSObject *obj,
const gchar *name,
- const gchar *const *value,
- gssize len)
+ GPtrArray *value)
{
jsval value_jsval;
JSObject *array_object;
jsval *jsvals;
guint n;
- if (len < 0)
- len = g_strv_length ((gchar **) value);
-
- jsvals = g_new0 (jsval, len);
- for (n = 0; n < len; n++)
+ jsvals = g_new0 (jsval, value->len);
+ for (n = 0; n < value->len; n++)
{
JSString *jsstr;
- jsstr = JS_NewStringCopyZ (authority->priv->cx, value[n]);
+ jsstr = JS_NewStringCopyZ (authority->priv->cx, g_ptr_array_index(value, n));
jsvals[n] = STRING_TO_JSVAL (jsstr);
}
- array_object = JS_NewArrayObject (authority->priv->cx, (gint32) len, jsvals);
+ array_object = JS_NewArrayObject (authority->priv->cx, value->len, jsvals);
value_jsval = OBJECT_TO_JSVAL (array_object);
JS_SetProperty (authority->priv->cx, obj, name, &value_jsval);
@@ -818,11 +814,9 @@ subject_to_jsval (PolkitBackendJsAuthority *authority,
}
}
- g_ptr_array_add (groups, NULL);
-
set_property_int32 (authority, obj, "pid", pid);
set_property_str (authority, obj, "user", user_name);
- set_property_strv (authority, obj, "groups", (const gchar* const *) groups->pdata, groups->len);
+ set_property_strv (authority, obj, "groups", groups);
set_property_str (authority, obj, "seat", seat_str);
set_property_str (authority, obj, "session", session_str);
set_property_bool (authority, obj, "local", subject_is_local);
commit cbad0d5721804a4b7c2d998b00da9e70dc623820
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Don't store unrooted jsvals on heap
Don't create a temporary array of jsvals on heap; the GC is not looking
for GC roots there.
Compare
https://developer.mozilla.org/en-US/docs/SpiderMonkey/GC_Rooting_Guide
and
https://web.archive.org/web/20140305233124/https://developer.mozilla.org/en-US/docs/SpiderMonkey_Garbage_Collection_Tips
.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index efb07a9..d02e5e3 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -663,23 +663,22 @@ set_property_strv (PolkitBackendJsAuthority *authority,
{
jsval value_jsval;
JSObject *array_object;
- jsval *jsvals;
guint n;
- jsvals = g_new0 (jsval, value->len);
+ array_object = JS_NewArrayObject (authority->priv->cx, 0, NULL);
+
for (n = 0; n < value->len; n++)
{
JSString *jsstr;
+ jsval val;
+
jsstr = JS_NewStringCopyZ (authority->priv->cx, g_ptr_array_index(value, n));
- jsvals[n] = STRING_TO_JSVAL (jsstr);
+ val = STRING_TO_JSVAL (jsstr);
+ JS_SetElement (authority->priv->cx, array_object, n, &val);
}
- array_object = JS_NewArrayObject (authority->priv->cx, value->len, jsvals);
-
value_jsval = OBJECT_TO_JSVAL (array_object);
JS_SetProperty (authority->priv->cx, obj, name, &value_jsval);
-
- g_free (jsvals);
}
commit 0f5852a4bdabe377ddcdbed09a0c1f95710e17fe
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Fix a per-authorization memory leak
We were leaking PolkitAuthorizationResult on every request, primarily on
the success path, but also on various error paths as well.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
index a09d667..14eea99 100644
--- a/src/polkitbackend/polkitbackendauthority.c
+++ b/src/polkitbackend/polkitbackendauthority.c
@@ -714,6 +714,7 @@ check_auth_cb (GObject *source_object,
g_variant_ref_sink (value);
g_dbus_method_invocation_return_value (data->invocation, g_variant_new ("(@(bba{ss}))", value));
g_variant_unref (value);
+ g_object_unref (result);
}
check_auth_data_free (data);
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
index 96725f7..7019356 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -1022,7 +1022,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
/* Otherwise just return the result */
g_simple_async_result_set_op_res_gpointer (simple,
- result,
+ g_object_ref (result),
g_object_unref);
g_simple_async_result_complete (simple);
g_object_unref (simple);
@@ -1039,6 +1039,9 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
g_free (subject_str);
g_free (user_of_caller_str);
g_free (user_of_subject_str);
+
+ if (result != NULL)
+ g_object_unref (result);
}
/* ---------------------------------------------------------------------------------------------------- */
commit ec039f9d7ede5b839f5511e26d5cd6ae9107cb2e
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Fix a memory leak when registering an authentication agent
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
index 14eea99..64560e1 100644
--- a/src/polkitbackend/polkitbackendauthority.c
+++ b/src/polkitbackend/polkitbackendauthority.c
@@ -900,6 +900,7 @@ server_handle_register_authentication_agent (Server *server,
g_dbus_method_invocation_return_value (invocation, g_variant_new ("()"));
out:
+ g_variant_unref (subject_gvariant);
if (subject != NULL)
g_object_unref (subject);
}
commit 57e2d86edc2630cac1812a3285715dad795a4bd6
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Wrap all JS usage within “requests”
Required by
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_THREADSAFE
; lack of requests causes assertion failures with a debug build of
mozjs17.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index d02e5e3..88f31bd 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -239,6 +239,7 @@ rules_file_name_cmp (const gchar *a,
return ret;
}
+/* authority->priv->cx must be within a request */
static void
load_scripts (PolkitBackendJsAuthority *authority)
{
@@ -339,6 +340,8 @@ reload_scripts (PolkitBackendJsAuthority *authority)
jsval argv[1] = {JSVAL_NULL};
jsval rval = JSVAL_NULL;
+ JS_BeginRequest (authority->priv->cx);
+
if (!JS_CallFunctionName(authority->priv->cx,
authority->priv->js_polkit,
"_deleteRules",
@@ -364,7 +367,7 @@ reload_scripts (PolkitBackendJsAuthority *authority)
/* Let applications know we have new rules... */
g_signal_emit_by_name (authority, "changed");
out:
- ;
+ JS_EndRequest (authority->priv->cx);
}
static void
@@ -447,6 +450,7 @@ static void
polkit_backend_js_authority_constructed (GObject *object)
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
+ gboolean entered_request = FALSE;
authority->priv->rt = JS_NewRuntime (8L * 1024L * 1024L);
if (authority->priv->rt == NULL)
@@ -466,6 +470,9 @@ polkit_backend_js_authority_constructed (GObject *object)
JS_SetErrorReporter(authority->priv->cx, report_error);
JS_SetContextPrivate (authority->priv->cx, authority);
+ JS_BeginRequest(authority->priv->cx);
+ entered_request = TRUE;
+
authority->priv->js_global =
#if JS_VERSION == 186
JS_NewGlobalObject (authority->priv->cx, &js_global_class, NULL);
@@ -526,10 +533,15 @@ polkit_backend_js_authority_constructed (GObject *object)
setup_file_monitors (authority);
load_scripts (authority);
+ JS_EndRequest (authority->priv->cx);
+ entered_request = FALSE;
+
G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->constructed (object);
return;
fail:
+ if (entered_request)
+ JS_EndRequest (authority->priv->cx);
g_critical ("Error initializing JavaScript environment");
g_assert_not_reached ();
}
@@ -642,6 +654,7 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
/* ---------------------------------------------------------------------------------------------------- */
+/* authority->priv->cx must be within a request */
static void
set_property_str (PolkitBackendJsAuthority *authority,
JSObject *obj,
@@ -655,6 +668,7 @@ set_property_str (PolkitBackendJsAuthority *authority,
JS_SetProperty (authority->priv->cx, obj, name, &value_jsval);
}
+/* authority->priv->cx must be within a request */
static void
set_property_strv (PolkitBackendJsAuthority *authority,
JSObject *obj,
@@ -681,7 +695,7 @@ set_property_strv (PolkitBackendJsAuthority *authority,
JS_SetProperty (authority->priv->cx, obj, name, &value_jsval);
}
-
+/* authority->priv->cx must be within a request */
static void
set_property_int32 (PolkitBackendJsAuthority *authority,
JSObject *obj,
@@ -693,6 +707,7 @@ set_property_int32 (PolkitBackendJsAuthority *authority,
JS_SetProperty (authority->priv->cx, obj, name, &value_jsval);
}
+/* authority->priv->cx must be within a request */
static void
set_property_bool (PolkitBackendJsAuthority *authority,
JSObject *obj,
@@ -706,6 +721,7 @@ set_property_bool (PolkitBackendJsAuthority *authority,
/* ---------------------------------------------------------------------------------------------------- */
+/* authority->priv->cx must be within a request */
static gboolean
subject_to_jsval (PolkitBackendJsAuthority *authority,
PolkitSubject *subject,
@@ -838,6 +854,7 @@ subject_to_jsval (PolkitBackendJsAuthority *authority,
/* ---------------------------------------------------------------------------------------------------- */
+/* authority->priv->cx must be within a request */
static gboolean
action_and_details_to_jsval (PolkitBackendJsAuthority *authority,
const gchar *action_id,
@@ -1041,6 +1058,8 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
gchar *ret_str = NULL;
gchar **ret_strs = NULL;
+ JS_BeginRequest (authority->priv->cx);
+
if (!action_and_details_to_jsval (authority, action_id, details, &argv[0], &error))
{
polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
@@ -1120,6 +1139,8 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
JS_MaybeGC (authority->priv->cx);
+ JS_EndRequest (authority->priv->cx);
+
return ret;
}
@@ -1146,6 +1167,8 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
gchar *ret_str = NULL;
gboolean good = FALSE;
+ JS_BeginRequest (authority->priv->cx);
+
if (!action_and_details_to_jsval (authority, action_id, details, &argv[0], &error))
{
polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
@@ -1222,6 +1245,8 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
JS_MaybeGC (authority->priv->cx);
+ JS_EndRequest (authority->priv->cx);
+
return ret;
}
commit 5c668722320eb363f713a0998934aa48fecd56cb
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Register heap-based JSObject pointers to GC
This is necessary so that the GC can move the objects (though I haven't
so far encountered this in testing).
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 88f31bd..39f7060 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -482,6 +482,7 @@ polkit_backend_js_authority_constructed (GObject *object)
if (authority->priv->js_global == NULL)
goto fail;
+ JS_AddObjectRoot (authority->priv->cx, &authority->priv->js_global);
if (!JS_InitStandardClasses (authority->priv->cx, authority->priv->js_global))
goto fail;
@@ -494,6 +495,7 @@ polkit_backend_js_authority_constructed (GObject *object)
JSPROP_ENUMERATE);
if (authority->priv->js_polkit == NULL)
goto fail;
+ JS_AddObjectRoot (authority->priv->cx, &authority->priv->js_polkit);
if (!JS_DefineFunctions (authority->priv->cx,
authority->priv->js_polkit,
@@ -572,6 +574,11 @@ polkit_backend_js_authority_finalize (GObject *object)
g_free (authority->priv->dir_monitors);
g_strfreev (authority->priv->rules_dirs);
+ JS_BeginRequest (authority->priv->cx);
+ JS_RemoveObjectRoot (authority->priv->cx, &authority->priv->js_polkit);
+ JS_RemoveObjectRoot (authority->priv->cx, &authority->priv->js_global);
+ JS_EndRequest (authority->priv->cx);
+
JS_DestroyContext (authority->priv->cx);
JS_DestroyRuntime (authority->priv->rt);
/* JS_ShutDown (); */
commit 2881f8b260c03df29afb0e35e6d1707240f95ad7
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Prevent builds against SpiderMonkey with exact stack rooting
“Exact stack rooting” means that every on-stack pointer to a JavaScript
value needs to be registered with the runtime. The current code doesn't
do this, so it is not safe to use against a runtime with this
configuration. Luckily this configuration is not default.
See
https://developer.mozilla.org/en-US/docs/SpiderMonkey/Internals/GC/Exact_Stack_Rooting
and other pages in the wiki for what the conversion would require.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 39f7060..22812a6 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -43,6 +43,13 @@
#include "initjs.h" /* init.js */
+#ifdef JSGC_USE_EXACT_ROOTING
+/* See https://developer.mozilla.org/en-US/docs/SpiderMonkey/Internals/GC/Exact_Stack_Rooting
+ * for more information about exact stack rooting.
+ */
+#error "This code is not safe in SpiderMonkey exact stack rooting configurations"
+#endif
+
/**
* SECTION:polkitbackendjsauthority
* @title: PolkitBackendJsAuthority
commit b544f10dd469ae3cfedc026db71ee76e9ef511a2
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Clear the JS operation callback before invoking JS in the callback
Setting the callback to NULL is required by
https://developer.mozilla.org/en-US/docs/SpiderMonkey/JSAPI_Reference/JS_SetOperationCallback
to avoid the possibility of recursion.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 22812a6..8a0a097 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -961,9 +961,11 @@ js_operation_callback (JSContext *cx)
polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority), "Terminating runaway script");
/* Throw an exception - this way the JS code can ignore the runaway script handling */
+ JS_SetOperationCallback (authority->priv->cx, NULL);
val_str = JS_NewStringCopyZ (cx, "Terminating runaway script");
val = STRING_TO_JSVAL (val_str);
JS_SetPendingException (authority->priv->cx, val);
+ JS_SetOperationCallback (authority->priv->cx, js_operation_callback);
return JS_FALSE;
}
commit d7da6a23766e9c95fa333a0a9c742f7397c0ad22
Author: Miloslav Trmač <mitr@redhat.com>
Date: Tue Jul 1 20:00:48 2014 +0200
Fix spurious timeout exceptions on GC
The JS “Operation callback” can be called by the runtime for other
reasons, not only when we trigger it by a timeout—notably as part of GC.
So, make sure to only raise an exception if there actually was a
timeout.
Adding a whole extra mutex to protect a single boolean is somewhat of an
overkill, but better than worrying about “subtle bugs and occasionally
undefined behaviour” the g_atomic_* API is warning about.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
also
https://bugs.freedesktop.org/show_bug.cgi?id=77524
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 8a0a097..097dcc5 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -80,6 +80,8 @@ struct _PolkitBackendJsAuthorityPrivate
GMainContext *rkt_context;
GMainLoop *rkt_loop;
GSource *rkt_source;
+ GMutex rkt_timeout_pending_mutex;
+ gboolean rkt_timeout_pending;
/* A list of JSObject instances */
GList *scripts;
@@ -528,6 +530,7 @@ polkit_backend_js_authority_constructed (GObject *object)
g_mutex_init (&authority->priv->rkt_init_mutex);
g_cond_init (&authority->priv->rkt_init_cond);
+ g_mutex_init (&authority->priv->rkt_timeout_pending_mutex);
authority->priv->runaway_killer_thread = g_thread_new ("runaway-killer-thread",
runaway_killer_thread_func,
@@ -563,6 +566,7 @@ polkit_backend_js_authority_finalize (GObject *object)
g_mutex_clear (&authority->priv->rkt_init_mutex);
g_cond_clear (&authority->priv->rkt_init_cond);
+ g_mutex_clear (&authority->priv->rkt_timeout_pending_mutex);
/* shut down the killer thread */
g_assert (authority->priv->rkt_loop != NULL);
@@ -957,6 +961,18 @@ js_operation_callback (JSContext *cx)
JSString *val_str;
jsval val;
+ /* This callback can be called by the runtime at any time without us causing
+ * it by JS_TriggerOperationCallback().
+ */
+ g_mutex_lock (&authority->priv->rkt_timeout_pending_mutex);
+ if (!authority->priv->rkt_timeout_pending)
+ {
+ g_mutex_unlock (&authority->priv->rkt_timeout_pending_mutex);
+ return JS_TRUE;
+ }
+ authority->priv->rkt_timeout_pending = FALSE;
+ g_mutex_unlock (&authority->priv->rkt_timeout_pending_mutex);
+
/* Log that we are terminating the script */
polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority), "Terminating runaway script");
@@ -974,6 +990,10 @@ rkt_on_timeout (gpointer user_data)
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (user_data);
+ g_mutex_lock (&authority->priv->rkt_timeout_pending_mutex);
+ authority->priv->rkt_timeout_pending = TRUE;
+ g_mutex_unlock (&authority->priv->rkt_timeout_pending_mutex);
+
/* Supposedly this is thread-safe... */
#if JS_VERSION == 186
JS_TriggerOperationCallback (authority->priv->rt);
@@ -993,6 +1013,9 @@ runaway_killer_setup (PolkitBackendJsAuthority *authority)
g_assert (authority->priv->rkt_source == NULL);
/* set-up timer for runaway scripts, will be executed in runaway_killer_thread */
+ g_mutex_lock (&authority->priv->rkt_timeout_pending_mutex);
+ authority->priv->rkt_timeout_pending = FALSE;
+ g_mutex_unlock (&authority->priv->rkt_timeout_pending_mutex);
authority->priv->rkt_source = g_timeout_source_new_seconds (15);
g_source_set_callback (authority->priv->rkt_source, rkt_on_timeout, authority, NULL);
g_source_attach (authority->priv->rkt_source, authority->priv->rkt_context);