Use after free in handle_close, filechooser.c:460
With xdg-desktop-portal-gnome 43.1, I found this backtrace in coredumpctl:
#0 0x0000564949b07d49 in handle_close (object=<optimized out>, invocation=0x56494b529f20, handle=<optimized out>)
at ../src/filechooser.c:460
opt_builder = {u = {s = {partial_magic = 0, type = 0x0, y = {0 <repeats 14 times>}}, x = {0 <repeats 16 times>}}}
#1 0x00007f123ad376d6 in ffi_call_unix64 () at ../src/x86/unix64.S:105
#2 0x00007f123ad34492 in ffi_call_int
(cif=<optimized out>, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>) at ../src/x86/ffi64.c:672
classes = {X86_64_INTEGER_CLASS, X86_64_NO_CLASS, X86_64_NO_CLASS, X86_64_NO_CLASS}
stack = 0x7fff754cc140 " \031fKIV"
argp = 0x7fff754cc200 "\006"
arg_types = <optimized out>
gprcount = 3
ssecount = <optimized out>
ngpr = 1
nsse = 0
i = <optimized out>
avn = <optimized out>
flags = <optimized out>
reg_args = 0x7fff754cc140
#3 0x00007f123be671b3 in g_cclosure_marshal_generic
(closure=<optimized out>, return_gvalue=<optimized out>, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>) at ../gobject/gclosure.c:1536
rtype = <optimized out>
rvalue = 0x7fff754cc350
n_args = <optimized out>
atypes = <optimized out>
args = <optimized out>
i = <optimized out>
cif = {abi = FFI_UNIX64, nargs = 3, arg_types = 0x7fff754cc330, rtype = 0x7f123ad38330 <ffi_type_sint32>, bytes = 0, flags = 6}
cc = <optimized out>
enum_tmpval = <optimized out>
tmpval_used = 0
#4 0x00007f123be60fc0 in g_closure_invoke
(closure=0x56494b812a90, return_value=0x7fff754cc570, n_param_values=2, param_values=0x56494b9b7380, invocation_hint=0x7fff754cc550) at ../gobject/gclosure.c:832
marshal = 0x7f123be66d30 <g_cclosure_marshal_generic>
marshal_data = 0x0
in_marshal = 0
real_closure = 0x56494b812a70
__func__ = "g_closure_invoke"
#5 0x00007f123be8ed86 in signal_emit_unlocked_R.isra.0
(node=<optimized out>, detail=0, instance=0x56494b50e330, emission_return=0x7fff754cc600, instance_and_params=0x56494b9b7380) at ../gobject/gsignal.c:3796
tmp = <optimized out>
handler = 0x56494b58ecc0
accumulator = 0x56494b4a76c0
emission = {next = 0x0, instance = 0x56494b50e330, ihint = {signal_id = 99, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x4}
hlist = <optimized out>
handler_list = 0x56494b58ecc0
return_accu = 0x7fff754cc570
accu = {g_type = 0x14, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
signal_id = 99
max_sequential_handler_number = 3897
return_value_altered = <optimized out>
#6 0x0000564949af69ab in _xdp_impl_request_skeleton_handle_method_call (connection=<optimized out>, sender=<optimized out>, object_path=<optimized out>, interface_name=0x56494b7919a0 "org.freedesktop.impl.portal.Request", method_name=0x7f1214034fe0 "Close", parameters=<optimized out>, invocation=0x56494b529f20, user_data=0x56494b50e330) at src/xdg-desktop-portal-dbus.c:15178
skeleton = <optimized out>
info = 0x564949b39140 <_xdp_impl_request_method_info_close>
iter = {x = {139715621972784, 0, 0, 0, 139716294100698, 46, 94872796193584, 3579507750, 94872796595104, 1, 139715621972784, 139716291167160, 0, 139716291167237, 982, 0}}
child = 0x0
paramv = 0x56494b9b7380
num_params = <optimized out>
n = <optimized out>
signal_id = 99
return_value = {g_type = 0x14, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
__func__ = "_xdp_impl_request_skeleton_handle_method_call"
#7 0x00007f123bfd446d in g_dbus_interface_method_dispatch_helper (interface=<optimized out>, method_call_func=0x564949af67e0 <_xdp_impl_request_skeleton_handle_method_call>, invocation=0x56494b529f20) at ../gio/gdbusinterfaceskeleton.c:615
has_handlers = <optimized out>
has_default_class_handler = <optimized out>
emit_authorized_signal = <optimized out>
run_in_thread = <optimized out>
flags = <optimized out>
object = 0x0
__func__ = "g_dbus_interface_method_dispatch_helper"
#8 0x00007f123bfb9c39 in call_in_idle_cb (user_data=user_data@entry=0x56494b529f20) at ../gio/gdbusconnection.c:4997
invocation = 0x56494b529f20
vtable = <optimized out>
registration_id = <optimized out>
subtree_registration_id = <optimized out>
ei = 0x56494b8596a0
es = 0x0
__func__ = "call_in_idle_cb"
#9 0x00007f123c0e1cb2 in g_idle_dispatch (source=0x7f121403cb10, callback=0x7f123bfb9ae0 <call_in_idle_cb>, user_data=0x56494b529f20) at ../glib/gmain.c:6124
idle_source = 0x7f121403cb10
again = <optimized out>
#10 0x00007f123c0e2cbf in g_main_dispatch (context=0x56494b474720) at ../glib/gmain.c:3444
dispatch = 0x7f123c0e1c90 <g_idle_dispatch>
prev_source = 0x0
begin_time_nsec = 8162154864698
was_in_call = 0
user_data = 0x56494b529f20
callback = 0x7f123bfb9ae0 <call_in_idle_cb>
cb_funcs = 0x7f123c1ca3e0 <g_source_callback_funcs>
cb_data = 0x56494b77e470
need_destroy = <optimized out>
source = 0x7f121403cb10
current = 0x56494b47cba0
i = 0
#11 g_main_context_dispatch (context=0x56494b474720) at ../glib/gmain.c:4162
#12 0x00007f123c138598 in g_main_context_iterate.constprop.0 (context=0x56494b474720, block=1, dispatch=1, self=<optimized out>) at ../glib/gmain.c:4238
max_priority = 2147483647
timeout = 16
some_ready = 1
nfds = 2
allocated_nfds = <optimized out>
fds = <optimized out>
begin_time_nsec = 8162141743812
#13 0x00007f123c0e228f in g_main_loop_run (loop=0x56494b4570a0) at ../glib/gmain.c:4438
__func__ = "g_main_loop_run"
#14 0x0000564949aee47f in main (argc=<optimized out>, argv=<optimized out>) at ../src/xdg-desktop-portal-gnome.c:286
owner_id = 1
error = 0x0
session_bus = <optimized out>
context = 0x56494b4d35d0
The problem seems clear enough: in handle_close() (filechooser.c:460) `handle` is used immediately after it was freed by the call to file_dialog_handle_close(). I wonder whether this could be abused for a sandbox escape.