Coordinated Disclosure Timeline
- 2021-05-13: Reported as a private issue.
- 2021-08-16: Asked Jan Rybar for an update.
- 2021-09-29: Received an email from Red Hat security, asking for a copy of the poc.
- 2021-09-29: Emailed the report and poc to Red Hat security.
- 2021-11-04: Red Hat security assessed it as a low severity issue, but decided that it should stay private until fixed, because a non-root user can bring down a system process.
- 2021-12-14: CVE-2021-4115 assigned. Coordinated disclosure planned for 2022-02-14.
- 2022-02-13: Disclosed.
- 2022-02-16: PoC published.
Summary
polkit leaks a file descriptor whenever one of the D-Bus calls it makes to look up a requester's credentials fails. An unprivileged local user can trigger the leak repeatedly until polkit's file descriptor limit is exhausted, at which point polkit crashes.
Product
polkit
Tested Versions
- policykit-1, 0.105-26ubuntu1 (tested on Ubuntu 20.04.2 LTS)
- policykit-1, 0.105-30 (tested on Ubuntu 21.04)
- polkit, 0.118-1 (tested on Arch Linux)
- polkit, 0.115 (tested on CentOS Stream)
Details
Issue 1: File descriptor exhaustion in polkit (GHSL-2021-077)
The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like “:1.96”, to dbus-daemon in two consecutive asynchronous D-Bus method calls. The same callback function, on_retrieved_unix_uid_pid, is used to handle both replies. The replies are dispatched by the while-loop on line 435, which creates a temporary GMainContext, tmp_context, and iterates it until either both replies have arrived or an error has been reported. Notice that the loop therefore stops early if an error occurs: if the first reply is an error, the loop exits after only one of the two replies has been received. The second call is still outstanding at that point, and a pending call holds a reference on the context it was issued from, so the refcount of tmp_context never returns to zero. The context is never iterated again, so that reference is never dropped, and the eventfd that GLib allocated as the context's wakeup descriptor is leaked with it. The per-process file descriptor limit is usually a relatively small number, typically 1024, so it is easy for a leak like this to exhaust it. When that happens, polkit crashes.
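The mechanism above, as an added stand-alone model (not polkit's code and not the upstream patch): a refcounted Context stands in for GMainContext and owns one eventfd, the two queued replies each hold a reference on it just as pending GDBus calls do, and get_creds reproduces the shape of polkit_system_bus_name_get_creds_sync with a switch between the original loop condition and one that keeps iterating until both replies have been delivered. The names Context, PendingReply, get_creds, iterate, leaked_after and lookup, and the uid/pid values 1000 and 4242, are invented for this example.

```c
/* Added example (not polkit's code): a stand-alone model of the reference leak in
 * polkit_system_bus_name_get_creds_sync beside a wait loop that does not leak.
 * Context stands in for GMainContext: one eventfd (the wakeup descriptor GLib creates
 * per context on Linux) plus a refcount. Each queued reply holds a ref on it, as a
 * pending GDBus call holds a ref on the thread-default context. All names here
 * (Context, PendingReply, get_creds, ...) are invented for the model. Linux only. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/eventfd.h>
#include <sys/resource.h>

typedef struct { int refcount; int wakeup_fd; } Context;
static int live_contexts;   /* contexts never freed: one open eventfd each */

static Context *ctx_new(void) {
  Context *c = calloc(1, sizeof *c);
  c->refcount = 1;
  c->wakeup_fd = eventfd(0, EFD_CLOEXEC);   /* -1 once the fd table is full */
  live_contexts++;
  return c;
}
static Context *ctx_ref(Context *c) { c->refcount++; return c; }
static void ctx_unref(Context *c) {
  if (--c->refcount == 0) { close(c->wakeup_fd); free(c); live_contexts--; }
}

typedef enum { REPLY_UID, REPLY_PID } ReplyKind;
/* Mirror of polkit's AsyncGetBusNameCredsData plus a count of undelivered replies. */
typedef struct { bool retrieved_uid, retrieved_pid, caught_error; unsigned uid, pid; int outstanding; } CredsData;
/* A queued D-Bus reply; fails=true simulates dbus-daemon answering with an error. */
typedef struct { Context *ctx; ReplyKind kind; bool fails; unsigned value; } PendingReply;

/* Stand-in for g_main_context_iteration(): deliver the next queued reply to the
 * equivalent of on_retrieved_unix_uid_pid, then release that reply's context ref. */
static void iterate(PendingReply *q, int n, int *next, CredsData *d) {
  if (*next >= n) return;                    /* the real loop would block here */
  PendingReply *r = &q[(*next)++];
  if (r->fails)                  d->caught_error = true;
  else if (r->kind == REPLY_UID) { d->uid = r->value; d->retrieved_uid = true; }
  else                           { d->pid = r->value; d->retrieved_pid = true; }
  d->outstanding--;
  ctx_unref(r->ctx);
}

/* Shape of polkit_system_bus_name_get_creds_sync. wait_for_both=false reproduces the
 * vulnerable loop condition; true keeps iterating until both replies have arrived. */
static bool get_creds(bool uid_fails, bool pid_fails, bool wait_for_both,
                      unsigned *out_uid, unsigned *out_pid) {
  bool ret = false;
  CredsData d = { .outstanding = 2 };
  Context *tmp_context = ctx_new();
  PendingReply q[2] = {   /* two async calls, answered in order, each holding a ref */
    { ctx_ref(tmp_context), REPLY_UID, uid_fails, 1000 },   /* GetConnectionUnixUser */
    { ctx_ref(tmp_context), REPLY_PID, pid_fails, 4242 },   /* GetConnectionUnixProcessID */
  };
  int next = 0;
  if (wait_for_both) {
    while (d.outstanding > 0) iterate(q, 2, &next, &d);
  } else {   /* exits after a single reply whenever that reply is an error */
    while (!((d.retrieved_uid && d.retrieved_pid) || d.caught_error)) iterate(q, 2, &next, &d);
  }
  if (d.caught_error) goto out;
  if (out_uid) *out_uid = d.uid;
  if (out_pid) *out_pid = d.pid;
  ret = true;
out:
  ctx_unref(tmp_context);   /* with a reply still pending the refcount stays at 1: leaked */
  return ret;
}

/* How many contexts (eventfds) stay alive after n lookups with the given failures. */
static int leaked_after(int n, bool uid_fails, bool pid_fails, bool wait_for_both) {
  int before = live_contexts;
  for (int i = 0; i < n; i++) get_creds(uid_fails, pid_fails, wait_for_both, NULL, NULL);
  return live_contexts - before;
}
/* uid * 1000000 + pid on success, -1 when the lookup reported an error. */
static long lookup(bool uid_fails, bool pid_fails, bool wait_for_both) {
  unsigned uid = 0, pid = 0;
  if (!get_creds(uid_fails, pid_fails, wait_for_both, &uid, &pid)) return -1;
  return (long)uid * 1000000 + pid;
}

int main(void) {
  printf("happy path: %ld; fixed loop leaks %d after 100 failed lookups\n",
         lookup(false, false, false), leaked_after(100, true, false, true));
  struct rlimit rl;                       /* shrink the fd table so exhaustion is quick */
  getrlimit(RLIMIT_NOFILE, &rl);
  rl.rlim_cur = 64;
  setrlimit(RLIMIT_NOFILE, &rl);
  int calls = 0, probe;
  while ((probe = eventfd(0, EFD_CLOEXEC)) >= 0) {   /* can the process still get an fd? */
    close(probe);
    get_creds(true, false, false, NULL, NULL);       /* vulnerable loop, first call fails */
    calls++;
  }
  printf("vulnerable loop: no file descriptors left after %d failed lookups\n", calls);
  return 0;
}
```

Two details the model makes visible. First, the leak needs the error to arrive in the first reply: if GetConnectionUnixUser succeeds and only GetConnectionUnixProcessID fails, the original loop still consumes both replies and releases both references, so nothing leaks. Second, waiting for both replies before checking caught_error is one way to close the hole; it is shown here as an illustration of the invariant (every outstanding reply must be dispatched before the context is dropped), not as a copy of the upstream fix. On a live system the same invariant can be checked from outside by watching the number of entries under /proc/<pid of polkitd>/fd while authorization requests fail: a count that only ever grows is this bug.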
Impact
This issue may lead to a local denial of service: an unprivileged user can crash polkit, which other system services depend on for authorization decisions.
CVE
- CVE-2021-4115
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-077 in any communication regarding this issue.