Potential null deref (crash) in xfsm-shutdown-fallback.c:251
Found by a user testing the upcoming OpenBSD 7.1 release, with a new user and a botched /etc/groups file (e.g. no group matching the user's gid).
Core was generated by `xfce4-session'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 xfsm_shutdown_fallback_user_is_operator () at xfsm-shutdown-fallback.c:251
251 xfsm-shutdown-fallback.c: No such file or directory.
[Current thread is 1 (process 538027)]
(gdb) bt
#0 xfsm_shutdown_fallback_user_is_operator () at xfsm-shutdown-fallback.c:251
#1 xfsm_shutdown_fallback_bsd_check_auth (shutdown_type=<optimized out>) at xfsm-shutdown-fallback.c:275
#2 0x000002bf12db942c in xfsm_shutdown_fallback_auth_shutdown () at xfsm-shutdown-fallback.c:522
#3 0x000002bf12dba31b in xfsm_shutdown_can_shutdown (shutdown=0x2c1e6e7cd60, can_shutdown=0x7f7fffff5d2c, error=<optimized out>) at xfsm-shutdown.c:459
#4 0x000002bf12db5fc4 in xfsm_manager_dbus_can_shutdown (object=0x2c1f9bf8290, invocation=0x2c1c23d52d0) at xfsm-manager.c:2360
#5 0x000002c1c1325fbd in ffi_call_unix64 () from /usr/local/lib/libffi.so.1.2
#6 0x000002c1c1325352 in ffi_call_int () from /usr/local/lib/libffi.so.1.2
#7 0x000002c174ed72e5 in g_cclosure_marshal_generic (closure=<optimized out>, return_gvalue=0x7f7fffff5fc0, n_param_values=<optimized out>, param_values=<optimized out>,
invocation_hint=<optimized out>, marshal_data=0x2bf12db5f10 <xfsm_manager_dbus_can_shutdown>) at ../glib-2.70.5/gobject/gclosure.c:1534
#8 0x000002c174ed63e5 in g_closure_invoke (closure=0x2c17248d620, return_value=0x7f7fffff5fc0, n_param_values=<optimized out>, param_values=0x2c16ba91440, invocation_hint=<optimized out>)
at ../glib-2.70.5/gobject/gclosure.c:830
#9 0x000002c174eef308 in signal_emit_unlocked_R (node=<optimized out>, detail=0, instance=<optimized out>, emission_return=0x7f7fffff61c0, instance_and_params=0x2c16ba91440)
at ../glib-2.70.5/gobject/gsignal.c:3781
#10 0x000002c174eeea39 in g_signal_emitv (instance_and_params=0x2c16ba91440, signal_id=<optimized out>, detail=3850508617, return_value=0x7f7fffff61c0)
at ../glib-2.70.5/gobject/gsignal.c:3227
#11 0x000002bf12da75be in _xfsm_dbus_manager_skeleton_handle_method_call (connection=<optimized out>, sender=<optimized out>, object_path=<optimized out>,
interface_name=0x2c1a8a2e6c0 "org.xfce.Session.Manager", method_name=0x2c1902f4e00 "CanShutdown", parameters=<optimized out>, invocation=0x2c1c23d52d0, user_data=0x2c1f9bf8290)
at xfsm-manager-dbus.c:3982
#12 0x000002c21028878f in g_dbus_interface_method_dispatch_helper (interface=<optimized out>, method_call_func=0x325c8c716db890e7, invocation=0x2c1c23d52d0)
at ../glib-2.70.5/gio/gdbusinterfaceskeleton.c:613
#13 0x000002c21026b873 in call_in_idle_cb (user_data=<optimized out>) at ../glib-2.70.5/gio/gdbusconnection.c:5010
#14 0x000002c1e4a6c91f in g_main_dispatch (context=<optimized out>) at ../glib-2.70.5/glib/gmain.c:3381
#15 g_main_context_dispatch (context=<optimized out>) at ../glib-2.70.5/glib/gmain.c:4099
#16 0x000002c1e4a6ccda in g_main_context_iterate (context=<optimized out>, block=<optimized out>, dispatch=1, self=<optimized out>) at ../glib-2.70.5/glib/gmain.c:4175
#17 0x000002c1e4a6d11a in g_main_loop_run (loop=0x2c17d8dea80) at ../glib-2.70.5/glib/gmain.c:4373
#18 0x000002c1fff16ae8 in gtk_main () from /usr/local/lib/libgtk-3.so.2201.0
#19 0x000002bf12da87be in main (argc=1, argv=0x7f7fffff6508) at main.c:358
The return value of getgrgid() isn't checked before being dereferenced in https://gitlab.xfce.org/xfce/xfce4-session/-/blob/master/xfce4-session/xfsm-shutdown-fallback.c#L250; that code was added in Bugzilla bug #14722.
Patch below (if someone is faster than me at doing a PR):
struct group *gr;
gr = getgrgid (groups[i]);
- if (strncmp(gr->gr_name, "operator", 8) == 0)
+ if (gr != NULL && strncmp(gr->gr_name, "operator", 8) == 0)
{
is_operator = TRUE;
break;
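Review bot: the `gr != NULL` guard on the `+` line removes the crash, but `strncmp(gr->gr_name, "operator", 8)` on that same line is a prefix match and also accepts any group whose name merely starts with "operator" (e.g. "operators"); `strcmp (gr->gr_name, "operator") == 0` (or `g_strcmp0`) is the exact test the check intends. The fragment also has no `@@` hunk header or file names, so it cannot be fed to `git apply`; posting a full `git diff` would let the PR pick it up directly.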
Edited by Landry Breuil