CVE-2018-14424 use-after-free of disposed transient displays
I got this in my inbox today from @chrisccoulson
I discovered a use-after-free in the GDM daemon, which is possible to trigger via a specially crafted sequence of D-Bus method calls as an unprivileged user.
I've attached a simple shell script which triggers it, and an example stacktrace of the crash.
What appears to be happening is that by the time GdmDisplayStore emits the "display-removed" signal, the GdmDisplay has already been removed from the store, so calls to gdm_display_store_lookup from signal handlers using the supplied display ID fail. In on_display_removed in daemon/gdm-manager.c, this results in the display object not being correctly unexported from the bus. Subsequent calls to the stale object then trigger a use-after-free.
I've attached a patch which seems to fix the issue, but I don't know if it's the correct approach. It should apply cleanly to master.
This issue is embargoed and has not yet been disclosed publicly or with any other distros. It has been assigned CVE-2018-14424.
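The ordering problem the report describes (the "display-removed" signal fires after the display has already left the store, so a handler that resolves the ID with a lookup gets nothing back and never unexports the object) can be modelled without GDM or GLib. The following C program is an added example, not code from the report, from the attached patch, or from GDM itself: the store, the `on_display_removed` handler and the two `store_remove_*` variants are hypothetical, and the "emit before detaching" ordering is an assumed illustration of a fix, not the patch the reporter attached. It deliberately stops at the stale "still exported" state rather than freeing and reusing memory, since that registration left behind is the condition that precedes the use-after-free.

```c
/* Added example: an ID-keyed object store whose "removed" signal handlers
 * look the object up by ID. Not GDM's code; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DISPLAYS 8

typedef struct {
    char id[64];
    int exported;   /* 1 while the object is registered on the simulated bus */
} Display;

typedef struct Store Store;
struct Store {
    Display *slots[MAX_DISPLAYS];
    /* "display-removed" handler: receives only the ID, as in the report */
    void (*on_removed)(Store *store, const char *id);
};

static void store_init(Store *s, void (*handler)(Store *, const char *))
{
    memset(s->slots, 0, sizeof s->slots);
    s->on_removed = handler;
}

static int store_add(Store *s, Display *d)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] == NULL) { s->slots[i] = d; return i; }
    return -1;
}

static int find_slot(const Store *s, const char *id)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] && strcmp(s->slots[i]->id, id) == 0)
            return i;
    return -1;
}

static Display *store_lookup(Store *s, const char *id)
{
    int i = find_slot(s, id);
    return i < 0 ? NULL : s->slots[i];
}

/* Take the display out of the store and hand it to the caller (no free). */
static Display *store_detach(Store *s, const char *id)
{
    int i = find_slot(s, id);
    if (i < 0) return NULL;
    Display *d = s->slots[i];
    s->slots[i] = NULL;
    return d;
}

/* Handler in the style of the report's on_display_removed: resolve the ID,
 * then unexport. A failed lookup silently leaves the object exported. */
static void on_display_removed(Store *s, const char *id)
{
    Display *d = store_lookup(s, id);
    if (d == NULL)
        return;             /* the bug: nothing is unexported */
    d->exported = 0;
}

/* Buggy ordering: detach first, then emit; handlers can no longer resolve the ID. */
static Display *store_remove_signal_after(Store *s, const char *id)
{
    Display *d = store_detach(s, id);
    if (d) s->on_removed(s, id);
    return d;
}

/* Assumed fix for this illustration: emit while the display is still in the store. */
static Display *store_remove_signal_before(Store *s, const char *id)
{
    if (store_lookup(s, id))
        s->on_removed(s, id);
    return store_detach(s, id);
}

/* Returns 1 if the removed display is still exported afterwards (the stale
 * registration that a later bus call would dereference), 0 if it was unexported. */
int removed_display_still_exported(int emit_before_removal)
{
    Store store;
    store_init(&store, on_display_removed);

    Display *d = calloc(1, sizeof *d);
    strcpy(d->id, "/hypothetical/Displays/_42");   /* constructed object path */
    d->exported = 1;
    store_add(&store, d);

    Display *removed = emit_before_removal
        ? store_remove_signal_before(&store, d->id)
        : store_remove_signal_after(&store, d->id);
    int still_exported = removed ? removed->exported : -1;
    free(removed);
    return still_exported;
}

int main(void)
{
    printf("signal after detach:  still exported = %d\n", removed_display_still_exported(0));
    printf("signal before detach: still exported = %d\n", removed_display_still_exported(1));
    return 0;
}
```

The check a reviewer would want from any fix is the second case: every handler that receives only an ID must be able to resolve it at the moment the signal fires, or the signal must carry the object itself.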