From 765b306c364885dd89d47fe9fe8618ce6a467bc1 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Thu, 19 Jul 2018 16:01:23 -0400
Subject: [PATCH] display: tie skeleton handlers to object lifetime

Right now we assume a display skeleton object won't
outlive its associated display object.

In theory that should be true, but if we accidentally
leak the skeleton it could erroneously happen.

If that does happen then we'll end accessing free'd
memory, so the leak will turn into a crasher.

This commit addresses this problem by ensuring
the skeleton signal handlers are disconnected when the
associated display object goes away.

CVE-2018-14424
---
 daemon/gdm-display.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/daemon/gdm-display.c b/daemon/gdm-display.c
index 1b58781d..5e193f2f 100644
--- a/daemon/gdm-display.c
+++ b/daemon/gdm-display.c
@@ -1109,18 +1109,18 @@ register_display (GdmDisplay *self)
         self->priv->object_skeleton = g_dbus_object_skeleton_new (self->priv->id);
         self->priv->display_skeleton = GDM_DBUS_DISPLAY (gdm_dbus_display_skeleton_new ());
 
-        g_signal_connect (self->priv->display_skeleton, "handle-get-id",
-                          G_CALLBACK (handle_get_id), self);
-        g_signal_connect (self->priv->display_skeleton, "handle-get-remote-hostname",
-                          G_CALLBACK (handle_get_remote_hostname), self);
-        g_signal_connect (self->priv->display_skeleton, "handle-get-seat-id",
-                          G_CALLBACK (handle_get_seat_id), self);
-        g_signal_connect (self->priv->display_skeleton, "handle-get-x11-display-name",
-                          G_CALLBACK (handle_get_x11_display_name), self);
-        g_signal_connect (self->priv->display_skeleton, "handle-is-local",
-                          G_CALLBACK (handle_is_local), self);
-        g_signal_connect (self->priv->display_skeleton, "handle-is-initial",
-                          G_CALLBACK (handle_is_initial), self);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-get-id",
+                                 G_CALLBACK (handle_get_id), self, 0);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-get-remote-hostname",
+                                 G_CALLBACK (handle_get_remote_hostname), self, 0);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-get-seat-id",
+                                 G_CALLBACK (handle_get_seat_id), self, 0);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-get-x11-display-name",
+                                 G_CALLBACK (handle_get_x11_display_name), self, 0);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-is-local",
+                                 G_CALLBACK (handle_is_local), self, 0);
+        g_signal_connect_object (self->priv->display_skeleton, "handle-is-initial",
+                                 G_CALLBACK (handle_is_initial), self, 0);
 
         g_dbus_object_skeleton_add_interface (self->priv->object_skeleton,
                                               G_DBUS_INTERFACE_SKELETON (self->priv->display_skeleton));
-- 
2.17.1