skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
February 17, 2022

GHSL-2021-077: Local denial of service in polkit - CVE-2021-4115

Kevin Backhouse

Coordinated Disclosure Timeline

Summary

There is a file descriptor leak in polkit, which can enable an unprivileged user to cause polkit to crash, due to file descriptor exhaustion.

Product

polkit

Tested Versions

Details

Issue 1: File descriptor exhaustion in polkit (GHSL-2021-077)

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like “:1.96”, to dbus-daemon, in two consecutive D-Bus method calls. The same callback function, on_retrieved_unix_uid_pid, is used to handle both replies. The replies are handled during the while-loop on line 435. But notice that the loop can stop early if an error occurs. In other words, if an error occurs then the loop might stop after only one of the two replies has been received. When this happens, the refcount of tmp_context never returns to zero. This causes an eventfd file descriptor to be leaked. The file descriptor quota is usually a relatively small number, like 1024, so it is easy for a file descriptor leak like this to exhaust the quota. When this happens, polkit crashes.

Impact

This issue may lead to local denial of service, due to polkit crashing.

CVE

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-077 in any communication regarding this issue.