Security Issue: Null Dereference with the GNOME Shell search provider called over gdbus
Trigger
gdbus call -e -d org.gnome.Calendar -o /org/gnome/Calendar/SearchProvider -m org.gnome.Shell.SearchProvider2.GetResultMetas '["aaaa","bbbb"]'
Stack Trace
$ gdb -q -c /srv/coredumps/core.gnome-calendar.28389 `which gnome-calendar`
Reading symbols from /usr/bin/gnome-calendar...(no debugging symbols found)...done.
[New LWP 28389]
[New LWP 28390]
[New LWP 28393]
[New LWP 28392]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `gnome-calendar'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000556c9e74d433 in get_circle_surface_from_color ()
[Current thread is 1 (Thread 0x7fdc424c2cc0 (LWP 28389))]
warning: File "/tmp/p/bitlbee-3.6/.gdbinit" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
add-auto-load-safe-path /tmp/p/bitlbee-3.6/.gdbinit
line to your configuration file "/home/juno/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/juno/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
(gdb) bt
#0 0x0000556c9e74d433 in get_circle_surface_from_color ()
#1 0x0000556c9e747218 in ()
#2 0x00007fdc4826b8ee in ffi_call_unix64 () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#3 0x00007fdc4826b2bf in ffi_call () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#4 0x00007fdc4de53482 in g_cclosure_marshal_generic () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5 0x00007fdc4de52c8d in g_closure_invoke () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6 0x00007fdc4de66365 in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7 0x00007fdc4de6e4cf in g_signal_emitv () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8 0x0000556c9e719a8a in ()
#9 0x00007fdc4dfa5e76 in () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007fdc4df8d379 in () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#11 0x00007fdc4dd6edd8 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007fdc4dd6f1c8 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007fdc4dd6f25c in g_main_context_iteration () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007fdc4df63a2d in g_application_run () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#15 0x0000556c9e71808b in main ()
(gdb) x/i $rip
=> 0x556c9e74d433 <get_circle_surface_from_color+35>: movsd 0x18(%r12),%xmm3
(gdb) i r $r12
r12 0x0 0
(gdb)
Root cause
get_circle_surface_from_color does not check for a NULL pointer properly; it should return an error to the D-Bus client.
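The shape of the fix the root cause calls for, as an added C example that is not gnome-calendar's code: unknown identifiers (like "aaaa" in the trigger) make the lookup return NULL, and the handler reports an error to the client instead of handing that NULL to the colour helper. The type and function names (Color, lookup_color, circle_alpha_checked, get_result_metas, run_two_ids), the result table and the four-double colour layout are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed GdkRGBA-style colour (four doubles): the fourth field sits at
 * offset 0x18, matching movsd 0x18(%r12) with r12 == 0. Layout is assumed. */
typedef struct { double red, green, blue, alpha; } Color;

/* Constructed result table; the real provider would consult its event store. */
typedef struct { const char *id; Color color; } Result;
static const Result known_results[] = {
    { "event-1", { 0.2, 0.4, 0.8, 1.0 } },
    { "event-2", { 0.9, 0.1, 0.1, 0.5 } },
};

const Color *lookup_color(const char *id)
{
    for (size_t i = 0; i < sizeof known_results / sizeof known_results[0]; i++)
        if (strcmp(known_results[i].id, id) == 0)
            return &known_results[i].color;
    return NULL; /* unknown identifier, such as "aaaa" from the trigger */
}

/* Hardened counterpart of a colour-surface helper: the crashing code reads
 * color->alpha unconditionally; this one refuses NULL and reports failure. */
int circle_alpha_checked(const Color *color, double *alpha_out)
{
    if (color == NULL || alpha_out == NULL)
        return -1;
    *alpha_out = color->alpha;
    return 0;
}

/* Model of a GetResultMetas handler: every identifier is validated before any
 * rendering; an unknown one yields -1, which a GDBus handler would turn into
 * a method error for the client instead of crashing the process. */
int get_result_metas(const char *const *ids, size_t n_ids, double *alphas_out)
{
    for (size_t i = 0; i < n_ids; i++)
        if (circle_alpha_checked(lookup_color(ids[i]), &alphas_out[i]) != 0)
            return -1;
    return (int)n_ids;
}

/* Convenience wrapper: runs the handler on two identifiers, as in the trigger. */
int run_two_ids(const char *first, const char *second)
{
    const char *ids[2] = { first, second };
    double alphas[2];
    return get_result_metas(ids, 2, alphas);
}
```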