segfault in udisks_daemon_util_check_authorization_sync() #422

Closed
martinpitt opened this issue Oct 10, 2017 · 2 comments
@martinpitt
Contributor

Our Cockpit integration tests discovered a new udisksd crash since Debian updated from 2.6.5 to the libblockdev-based 2.7.3 version (although in this case libblockdev seems to be unrelated).

First there are a couple of failed assertions, then a crash:

udisksd[702]: g_source_get_context: assertion 'source->context != NULL || !SOURCE_DESTROYED (source)' failed
udisksd[702]: g_variant_get_child_value: assertion 'index_ < g_variant_n_children (value)' failed
udisksd[702]: g_variant_get_va: assertion 'value != NULL' failed
kernel: pool[1488]: segfault at 20 ip 00007fba78ca1b88 sp 00007fba756c50c0 error 6 in libglib-2.0.so.0.5400.1[7fba78c81000+111000]

I got a symbolic back trace of the crash:

#0  g_bit_lock (address=address@entry=0x20, lock_bit=lock_bit@entry=0) at ../../../../glib/gbitlock.c:214
No locals.
#1  0x00007fba78d07f07 in g_variant_lock (value=0x0) at ../../../../glib/gvariant-core.c:221
No locals.
#2  g_variant_n_children (value=0x0) at ../../../../glib/gvariant-core.c:929
        n_children = <optimized out>
#3  0x00007fba78d03af8 in g_variant_iter_init (iter=iter@entry=0x7fba756c5150, value=<optimized out>)
    at ../../../../glib/gvariant.c:2976
No locals.
#4  0x00007fba79c8f8f4 in polkit_details_new_for_gvariant (value=<optimized out>) at polkitdetails.c:224
        hash = 0x7fba70001f00
        iter = {x = {0, 140438810677788, 140438810677792, 140438867663616, 94516122411200, 94516122416192, 1766518155, 3579507750, 
            140438652595728, 17, 140438384153984, 140438867574555, 94516122411200, 140438872939118, 0, 31}}
        hash_key = 0x3000000018 <error: Cannot access memory at address 0x3000000018>
        hash_value = 0x7fba78d72e00 <__func__.4866> "g_variant_get_child_value"
#5  0x00007fba79c97cbb in polkit_authorization_result_new_for_gvariant (value=value@entry=0x0) at polkitauthorizationresult.c:284
        is_authorized = 2032877536
        is_challenge = 32698
        dict = 0x0
        details = <optimized out>
        ret = <optimized out>
#6  0x00007fba79c8fc4e in check_authorization_cb (proxy=<optimized out>, res=<optimized out>, user_data=0x7fba700111a0)
    at polkitauthority.c:829
        result_value = 0x0
        result = <optimized out>
        data = 0x7fba700111a0
        value = 0x7fba6c002df0
        error = 0x0
#7  0x00007fba792741a3 in g_task_return_now (task=0x7fba7000d920) at ../../../../gio/gtask.c:1145
No locals.
#8  0x00007fba792741d9 in complete_in_idle_cb (task=0x7fba7000d920) at ../../../../gio/gtask.c:1159
No locals.
#9  0x00007fba78ccbdd5 in g_main_dispatch (context=0x7fba7000fec0) at ../../../../glib/gmain.c:3148
        dispatch = 0x7fba78cc8710 <g_idle_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7fba7000d920
        callback = 0x7fba792741d0 <complete_in_idle_cb>
        cb_funcs = 0x7fba78f93280 <g_source_callback_funcs>
        cb_data = 0x7fba70011270
        need_destroy = <optimized out>
        source = 0x7fba70011870
        current = 0x7fba5c001580
        i = 0
#10 g_main_context_dispatch (context=context@entry=0x7fba7000fec0) at ../../../../glib/gmain.c:3813
No locals.
#11 0x00007fba78ccc1a0 in g_main_context_iterate (context=0x7fba7000fec0, block=block@entry=1, dispatch=dispatch@entry=1, 
    self=<optimized out>) at ../../../../glib/gmain.c:3886
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 1
        fds = 0x7fba7000ba70
#12 0x00007fba78ccc4b2 in g_main_loop_run (loop=0x7fba70011060) at ../../../../glib/gmain.c:4082
        __func__ = "g_main_loop_run"
#13 0x00007fba79c91b53 in call_sync_block (data=0x7fba700110c0) at polkitauthority.c:610
No locals.
#14 polkit_authority_check_authorization_sync (authority=authority@entry=0x55f63fe70900, subject=subject@entry=0x7fba54001600, 
    action_id=action_id@entry=0x55f63f167b40 "org.freedesktop.udisks2.manage-md-raid", details=details@entry=0x7fba70007ec0, 
    flags=flags@entry=POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION, cancellable=cancellable@entry=0x0, error=0x7fba756c54b8)
    at polkitauthority.c:1020
        ret = <optimized out>
        data = 0x7fba700110c0
        __func__ = "polkit_authority_check_authorization_sync"
#15 0x000055f63f1564a9 in udisks_daemon_util_check_authorization_sync_with_error (daemon=daemon@entry=0x55f63fe74720, 
    object=<optimized out>, action_id=action_id@entry=0x55f63f167b40 "org.freedesktop.udisks2.manage-md-raid", 
    options=options@entry=0x55f63feede30, message=message@entry=0x55f63f167ec8 "Authentication is required to start a RAID array", 
    invocation=invocation@entry=0x7fba6c006f40, error=0x7fba756c5550) at udisksdaemonutil.c:852
        authority = 0x55f63fe70900
        subject = 0x7fba54001600
        details = 0x7fba70007ec0
        flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION
        result = 0x0
        sub_error = 0x0
        ret = 0
        block = <optimized out>
        drive = <optimized out>
        partition = <optimized out>
        block_object = <optimized out>
        drive_object = <optimized out>
        auth_no_user_interaction = 0
        details_device = <optimized out>
        details_drive = <optimized out>
#16 0x000055f63f156a8c in udisks_daemon_util_check_authorization_sync (daemon=daemon@entry=0x55f63fe74720, object=<optimized out>, 
    action_id=action_id@entry=0x55f63f167b40 "org.freedesktop.udisks2.manage-md-raid", options=options@entry=0x55f63feede30, 
    message=message@entry=0x55f63f167ec8 "Authentication is required to start a RAID array", 
    invocation=invocation@entry=0x7fba6c006f40) at udisksdaemonutil.c:676
        error = 0x0
#17 0x000055f63f14d674 in handle_start (_mdraid=0x55f63fecb780, invocation=0x7fba6c006f40, options=0x55f63feede30)
    at udiskslinuxmdraid.c:727
        mdraid = 0x55f63fecb780
        daemon = 0x55f63fe74720
        state = 0x55f63fe6c450
        object = 0x55f63fecb350
        action_id = 0x55f63f167b40 "org.freedesktop.udisks2.manage-md-raid"
        message = 0x55f63f167ec8 "Authentication is required to start a RAID array"
        caller_uid = 1000
        caller_gid = 1000
        raid_device = <optimized out>
        member_devices = 0x7fba70007d40
        raid_device_file = 0x0
        error = 0x0
        opt_start_degraded = 1
        statbuf = {st_dev = 140438719745184, st_ino = 140438810678944, st_nlink = 140438810679184, st_mode = 8, st_uid = 0, 
          st_gid = 4, __pad0 = 0, st_rdev = 140438831512218, st_size = 94516122793856, st_blksize = 140438652612416, 
          st_blocks = 94516122934832, st_atim = {tv_sec = 94516122591808, tv_nsec = 140438810679248}, st_mtim = {tv_sec = 8, 
            tv_nsec = 3}, st_ctim = {tv_sec = 140438831512218, tv_nsec = 94516122793856}, __glibc_reserved = {140438652612416, 
            94516122587824, 140438810679232}}
        raid_device_num = <optimized out>
        block_object = 0x0
        block = 0x0
        job = 0x0
#18 0x00007fba76aa4038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
No symbol table info available.
#19 0x00007fba76aa3a9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
No symbol table info available.
#20 0x00007fba78fa5799 in g_cclosure_marshal_generic (closure=0x55f63ff120b0, return_gvalue=0x7fba756c5a60, 
    n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at ../../../../gobject/gclosure.c:1490
        rtype = <optimized out>
        rvalue = 0x7fba756c5800
        n_args = 4
        atypes = <optimized out>
        i = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 4, arg_types = 0x7fba756c57d0, rtype = 0x7fba76aa4360 <ffi_type_sint32>, bytes = 0, 
          flags = 10}
        cc = 0x55f63ff120b0
        enum_tmpval = <optimized out>
        tmpval_used = 0
#21 0x00007fba78fa4f9d in g_closure_invoke (closure=0x55f63ff120b0, return_value=0x7fba756c5a60, n_param_values=3, 
    param_values=0x7fba7000ac10, invocation_hint=0x7fba756c5a40) at ../../../../gobject/gclosure.c:804
        marshal = 0x7fba78fa3540 <g_type_iface_meta_marshal>
        marshal_data = 0x38
        in_marshal = 0
        real_closure = 0x55f63ff12090
        __func__ = "g_closure_invoke"
#22 0x00007fba78fb7728 in signal_emit_unlocked_R (node=node@entry=0x55f63ff1aca0, detail=detail@entry=0, 
    instance=instance@entry=0x55f63fecb780, emission_return=emission_return@entry=0x7fba756c5b90, 
    instance_and_params=instance_and_params@entry=0x7fba7000ac10) at ../../../../gobject/gsignal.c:3673
        accumulator = 0x55f63ff14790
        emission = {next = 0x0, instance = 0x55f63fecb780, ihint = {signal_id = 73, detail = 0, run_type = G_SIGNAL_RUN_LAST}, 
          state = EMISSION_RUN, chain_type = 94516123118000}
        handler_list = <optimized out>
        return_accu = 0x7fba756c5a60
        accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}}}
        signal_id = 73
        max_sequential_handler_number = 133
        return_value_altered = 0
#23 0x00007fba78fbf9f0 in g_signal_emitv (instance_and_params=instance_and_params@entry=0x7fba7000ac10, signal_id=signal_id@entry=73, 
    detail=detail@entry=0, return_value=return_value@entry=0x7fba756c5b90) at ../../../../gobject/gsignal.c:3129
        instance = 0x55f63fecb780
        __func__ = "g_signal_emitv"
#24 0x00007fba795c7f09 in _udisks_mdraid_skeleton_handle_method_call (connection=<optimized out>, 
    sender=sender@entry=0x7fba6c006790 ":1.21", 
    object_path=object_path@entry=0x7fba6c007730 "/org/freedesktop/UDisks2/mdraid/2c36e34c_e06ee0bf_7f559b79_a56bbe3f", 
    interface_name=interface_name@entry=0x7fba6c006020 "org.freedesktop.UDisks2.MDRaid", 
    method_name=method_name@entry=0x7fba6c003cf0 "Start", parameters=parameters@entry=0x55f63fef0460, invocation=0x7fba6c006f40, 
    user_data=0x55f63fecb780) at udisks-generated.c:32388
        skeleton = <optimized out>
        info = 0x7fba797ee4a0 <_udisks_mdraid_method_info_start>
        iter = {x = {94516122944608, 1, 1, 0, 32, 94516122452016, 94516122452016, 3579507750, 140438810680500, 140438810680152, 
            140438810680400, 140737423248619, 140438810680464, 10619709576, 0, 1}}
        child = 0x0
        paramv = 0x7fba7000ac10
        num_params = <optimized out>
        n = <optimized out>
        signal_id = 73
        return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}}}
        __func__ = "_udisks_mdraid_skeleton_handle_method_call"
#25 0x00007fba792bdbe2 in dispatch_in_thread_func (task=<optimized out>, source_object=<optimized out>, task_data=0x7fba54001520, 
    cancellable=<optimized out>) at ../../../../gio/gdbusinterfaceskeleton.c:536
        run_in_thread = <optimized out>
        data = 0x7fba54001520
        flags = <optimized out>
        object = 0x55f63fecb350
        authorized = 1
#26 0x00007fba79274cf6 in g_task_thread_pool_thread (thread_data=0x55f63fe78100, pool_data=<optimized out>)
    at ../../../../gio/gtask.c:1328
        task = 0x55f63fe78100
#27 0x00007fba78cf3fc0 in g_thread_pool_thread_proxy (data=<optimized out>) at ../../../../glib/gthreadpool.c:307
        pool = 0x55f63fe6e350
#28 0x00007fba78cf35f5 in g_thread_proxy (data=0x7fba6c005c00) at ../../../../glib/gthread.c:784
        thread = 0x7fba6c005c00
#29 0x00007fba78a6b494 in start_thread (arg=0x7fba756c6700) at pthread_create.c:333
        __res = <optimized out>
        pd = 0x7fba756c6700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140438810683136, -9167002393713079026, 0, 140737423146015, 140438810683136, 
                94516122419344, 9204417817650367758, 9204428177947593998}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
            data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#30 0x00007fba787afabf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

In the previous debian-testing image the versions of glib (2.54.0) and polkit (0.105-18) did not change.

I don't yet have a manual reproducer, I will look into that.
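Added example, not part of the original report and not udisks or polkit code: a small triage helper that decodes the kernel `segfault` line quoted in the report and collects the GLib assertion failures logged before it. The function names and the `NEAR_NULL` threshold are assumptions made for illustration; the decoded fault address 0x20 is the same `address=0x20` seen in frame #0, reached from `value=0x0` in frame #1.

```python
import re

# Log lines copied from the report above.
LOG = """\
udisksd[702]: g_source_get_context: assertion 'source->context != NULL || !SOURCE_DESTROYED (source)' failed
udisksd[702]: g_variant_get_child_value: assertion 'index_ < g_variant_n_children (value)' failed
udisksd[702]: g_variant_get_va: assertion 'value != NULL' failed
kernel: pool[1488]: segfault at 20 ip 00007fba78ca1b88 sp 00007fba756c50c0 error 6 in libglib-2.0.so.0.5400.1[7fba78c81000+111000]
"""
# x86 page-fault error-code bits; the kernel prints the code in hex.
ERR_PROT, ERR_WRITE, ERR_USER, ERR_INSTR = 0x1, 0x2, 0x4, 0x10
NEAR_NULL = 0x1000  # assumption: a fault in the first page is NULL + field offset

SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<tid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
ASSERT = re.compile(r"(?P<func>\w+): assertion '(?P<expr>.+)' failed")

def decode_segfault(line):
    """Decode one kernel segfault line into a dict, or return None."""
    m = SEGV.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    return {
        "thread": m["comm"], "tid": int(m["tid"]), "fault_addr": addr,
        "access": "exec" if err & ERR_INSTR else "write" if err & ERR_WRITE else "read",
        "cause": "protection violation" if err & ERR_PROT else "page not mapped",
        "user_mode": bool(err & ERR_USER), "near_null": addr < NEAR_NULL,
        "object": m["obj"],
        # Offset of ip inside the mapping the kernel reported for the object.
        "ip_offset": ip - int(m["base"], 16) if m["base"] else None,
    }

def triage(log):
    """Return (assertion failures logged before the crash, decoded crash)."""
    asserts = []
    for line in log.splitlines():
        crash = decode_segfault(line)
        if crash:
            return asserts, crash
        m = ASSERT.search(line)
        if m:
            asserts.append((m["func"], m["expr"]))
    return asserts, None

if __name__ == "__main__":
    print(triage(LOG))
```
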

martinpitt added a commit to mvollmer/cockpit that referenced this issue Oct 10, 2017
This started to happen when debian-testing updated udisks 2.6.5 to
2.7.3.

Upstream bug: storaged-project/udisks#422
Known issue #7854
martinpitt added a commit to cockpit-project/cockpit that referenced this issue Oct 10, 2017
This started to happen when debian-testing updated udisks 2.6.5 to
2.7.3.

Upstream bug: storaged-project/udisks#422
Known issue #7854
@tbzatek
Member

tbzatek commented Jul 3, 2019

@martinpitt, is this still valid in recent udisks versions?

@martinpitt
Contributor Author

Our CI now does not see this any more (see cockpit-project/bots#1026), so indeed that got fixed. Thanks!
