GNOME Bugzilla – Bug 758032
Crash when holding Escape in lock screen
Last modified: 2015-11-17 17:55:17 UTC
Credit to my cat for finding this..

* Running gnome session
* Press <super>+l to lock
* Press Escape and hold

Expected:
* The slider thing going up and down in an endless loop

Happening:
* After ~5 times the slider window coming and going GS crashes

using GS 3.18.1 on debian sid
It looks like it's actually gdm that crashes: Program terminated with signal SIGSEGV, Segmentation fault.
Trace 235721
I guess what's happening is the worker proxy isn't getting disposed when the conversation associated with it is freed (because of an outstanding reference) and so the signal handler is dispatched with an invalid conversation.
Created attachment 315418 [details] [review]
session: disconnect signals from worker proxy when conversation is freed

We don't want an outstanding reference on the worker proxy to lead to signal handlers getting dispatched after the conversation is freed.
Created attachment 315632 [details] [review]
session: Cancel worker proxy async ops when freeing conversations

We need to cancel ongoing async ops for worker proxies when freeing conversations or we'll crash when the completion handler runs and we access freed memory.
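As an added illustration of the two fixes described in the comments above (disconnect the signal handlers, and cancel in-flight async ops so their completion handlers bail out), here is a plain-C model of the lifecycle bug. It is not gdm or GLib code: the conversation is flagged dead instead of really freed so that a handler that runs on it is counted rather than segfaulting, and the `Cancellable` struct is a stand-in for a ref-counted `GCancellable`; all names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model only: a conversation is marked dead rather than freed, so a stale
 * handler can be counted instead of crashing the way gdm did. */
enum outcome { HANDLED_OK, SKIPPED_CANCELLED, USED_FREED_MEMORY };

/* Ref-counted cancellation token (stand-in for GCancellable). */
typedef struct Cancellable { bool cancelled; int refcount; } Cancellable;
static Cancellable *cancellable_new(void) { Cancellable *c = calloc(1, sizeof *c); if (c) c->refcount = 1; return c; }
static Cancellable *cancellable_ref(Cancellable *c) { c->refcount++; return c; }
static void cancellable_unref(Cancellable *c) { if (--c->refcount == 0) free(c); }

typedef struct Conversation {
    bool alive;                 /* false once the conversation is "g_free"d */
    Cancellable *cancellable;   /* owned; cancelled on teardown in the fixed path */
} Conversation;

typedef enum outcome (*handler_func)(Conversation *conv, const Cancellable *c);
typedef struct SignalHandler { handler_func callback; Conversation *conv; } SignalHandler;
typedef struct PendingOp { handler_func callback; Conversation *conv; Cancellable *c; } PendingOp;

/* The worker proxy outlives the conversation and keeps pointers to it. */
typedef struct WorkerProxy {
    SignalHandler handlers[4]; int n_handlers;
    PendingOp     pending[4];  int n_pending;
} WorkerProxy;

/* Shared body for a signal handler and an async completion handler. */
static enum outcome on_worker_event(Conversation *conv, const Cancellable *c)
{
    if (c != NULL && c->cancelled)
        return SKIPPED_CANCELLED;   /* the G_IO_ERROR_CANCELLED early return */
    if (!conv->alive)
        return USED_FREED_MEMORY;   /* in real code this is the SIGSEGV */
    return HANDLED_OK;
}

static void proxy_connect(WorkerProxy *p, handler_func f, Conversation *conv)
{
    p->handlers[p->n_handlers++] = (SignalHandler){ f, conv };
}

/* Start an async call; the op holds its own reference on the cancellable. */
static void proxy_call_async(WorkerProxy *p, handler_func f, Conversation *conv)
{
    p->pending[p->n_pending++] = (PendingOp){ f, conv, cancellable_ref(conv->cancellable) };
}

/* Analogue of g_signal_handlers_disconnect_by_func: drop handlers matching func + data. */
static void proxy_disconnect_by_func(WorkerProxy *p, handler_func f, Conversation *conv)
{
    int kept = 0;
    for (int i = 0; i < p->n_handlers; i++)
        if (p->handlers[i].callback != f || p->handlers[i].conv != conv)
            p->handlers[kept++] = p->handlers[i];
    p->n_handlers = kept;
}

static void free_conversation(WorkerProxy *p, Conversation *conv, bool fixed)
{
    if (fixed) {
        proxy_disconnect_by_func(p, on_worker_event, conv);  /* attachment 315418 */
        conv->cancellable->cancelled = true;                 /* attachment 315632 */
    }
    cancellable_unref(conv->cancellable);
    conv->cancellable = NULL;
    conv->alive = false;   /* stands in for g_free(conversation) */
}

/* Deliver what the proxy still holds; return how many handlers touched dead memory. */
static int proxy_flush(WorkerProxy *p)
{
    int bad = 0;
    for (int i = 0; i < p->n_handlers; i++)
        if (p->handlers[i].callback(p->handlers[i].conv, NULL) == USED_FREED_MEMORY)
            bad++;
    for (int i = 0; i < p->n_pending; i++) {
        if (p->pending[i].callback(p->pending[i].conv, p->pending[i].c) == USED_FREED_MEMORY)
            bad++;
        cancellable_unref(p->pending[i].c);
    }
    p->n_pending = 0;
    return bad;
}

/* The report's sequence: a conversation starts, is torn down while the proxy
 * still references it, then the proxy delivers its queued signal and reply. */
int run_scenario(bool fixed)
{
    WorkerProxy proxy = { 0 };
    Conversation conv = { .alive = true, .cancellable = cancellable_new() };
    proxy_connect(&proxy, on_worker_event, &conv);
    proxy_call_async(&proxy, on_worker_event, &conv);
    free_conversation(&proxy, &conv, fixed);
    return proxy_flush(&proxy);
}

int main(void)
{
    printf("unfixed: %d handler(s) ran on a freed conversation\n", run_scenario(false));
    printf("fixed:   %d handler(s) ran on a freed conversation\n", run_scenario(true));
    return 0;
}
```

Without the fixes both the connected signal handler and the async completion handler run against the dead conversation; with them, the handler list no longer contains the conversation and the completion handler takes the cancelled branch before touching it. The disconnect alone is not sufficient, which is the point the review below makes: the reply to an already-started call arrives regardless of signal connections.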
Review of attachment 315418 [details] [review]: This looks good (with the comment below addressed), but isn't enough. See the patch I just attached for a complete fix ::: daemon/gdm-session.c @@ +1680,3 @@ g_clear_object (&conversation->worker_manager_interface); + + g_signal_handlers_disconnect_by_func (conversation->worker_proxy, We need to check that conversation->worker_proxy isn't NULL here. I got some NULL warnings when testing this
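Review bot: the added g_signal_handlers_disconnect_by_func call in the @@ +1680,3 @@ hunk dereferences conversation->worker_proxy unconditionally, right after the g_clear_object line that shows fields in this struct can already be cleared at teardown; as the review comment notes, the proxy can be NULL here, and GLib emits a critical when the disconnect is given a NULL instance. Guard it with `if (conversation->worker_proxy != NULL)` before the disconnect so the teardown path stays warning-free.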
I was going to say we need to start handling G_IO_ERROR_CANCELLED from our callbacks if we start passing a cancellable, but we already do!
This is already open in public bugzilla so no point going for an embargo. Pushing:

Attachment 315418 [details] pushed as 5ac2246 - session: disconnect signals from worker proxy when conversation is freed
Attachment 315632 [details] pushed as 05e5fc2 - session: Cancel worker proxy async ops when freeing conversations

We should try to get a CVE assigned though.
Kurt, Tomas, can one of you assign a CVE for this?
This is a public issue so CVE will be assigned by Mitre, request sent: http://www.openwall.com/lists/oss-security/2015/11/17/8
(In reply to Ray Strode [halfline] from comment #7)
> This is already open in public bugzilla so no point going for
> an embargo. Pushing:
>
> Attachment 315418 [details] pushed as 5ac2246 - session: disconnect signals
> from worker proxy when conversation is freed
> Attachment 315632 [details] pushed as 05e5fc2 - session: Cancel worker proxy
> async ops when freeing conversations
>
> We should try to get a CVE assigned though.

Hi Ray, could we have a new GDM tarball including this soonish, please?
It looks like Martin Prpič assigned CVE-2015-7496 for this issue.
Ah thanks, I was on PTO for the last week and missed that email, I replied to my posting on oss-sec to ack the existing CVE.
(In reply to Javier Jardón (IRC: jjardon) from comment #10)
> (In reply to Ray Strode [halfline] from comment #7)
> > This is already open in public bugzilla so no point going for
> > an embargo. Pushing:
> >
> > Attachment 315418 [details] pushed as 5ac2246 - session: disconnect signals
> > from worker proxy when conversation is freed
> > Attachment 315632 [details] pushed as 05e5fc2 - session: Cancel worker proxy
> > async ops when freeing conversations
> >
> > We should try to get a CVE assigned though.
>
> Hi Ray, could we have a new GDM tarball including this soonish, please?

3.18.2 tarball is released now. 3.19.2 unstable tarball can't easily go out until monday since it relies on releases in gnome-session / mutter and gnome-shell for other reasons.
(In reply to Ray Strode [halfline] from comment #13)
> (In reply to Javier Jardón (IRC: jjardon) from comment #10)
> > (In reply to Ray Strode [halfline] from comment #7)
> > > This is already open in public bugzilla so no point going for
> > > an embargo. Pushing:
> > >
> > > Attachment 315418 [details] pushed as 5ac2246 - session: disconnect signals
> > > from worker proxy when conversation is freed
> > > Attachment 315632 [details] pushed as 05e5fc2 - session: Cancel worker proxy
> > > async ops when freeing conversations
> > >
> > > We should try to get a CVE assigned though.
> >
> > Hi Ray, could we have a new GDM tarball including this soonish, please?
>
> 3.18.2 tarball is released now. 3.19.2 unstable tarball can't easily go out
> until monday since it relies on releases in gnome-session / mutter and
> gnome-shell for other reasons.

I was thinking more in a 3.18.3 tarball
Not sure I follow. The fix is in the 3.18.2 tarball I released 5 seconds before posting the message saying it's released.