Bug 312974 - [PATCH] gdmlogin crashes due to use-after-free bug
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Version: 2.8.x
Hardware/OS: Other All
Importance: High critical
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Duplicates: 313330
Depends on:
Blocks:
Reported: 2005-08-09 06:31 UTC by Joe Marcus Clarke
Modified: 2005-08-12 16:59 UTC
See Also:
GNOME target: ---
GNOME version: 2.11/2.12

Attachments
Fix use-after-free problem in gdmlogin (465 bytes, patch), 2005-08-09 06:32 UTC, Joe Marcus Clarke

Description Joe Marcus Clarke 2005-08-09 06:31:53 UTC
Steps to reproduce:
1. Start gdm with malloc debugging enabled on FreeBSD


Stack trace:
 #0  0x0000000803db64be in IA__g_strdup (
     str=0x59a140 '\uffff' <repeats 200 times>...) at gstrfuncs.c:90
 #1  0x0000000801538dfd in IA__gtk_tooltips_set_tip (tooltips=0x56d580,
     widget=0x593600, tip_text=0x59a140 '\uffff' <repeats 200 times>...,
     tip_private=0x0) at gtktooltips.c:355
 #2  0x000000000040d86d in gdm_login_session_init (menu=0x582200)
     at gdmlogin.c:1448
 #3  0x00000000004104d2 in gdm_login_gui_init () at gdmlogin.c:2789
 #4  0x0000000000412ea5 in main (argc=1, argv=0x7fffffffead0) at gdmlogin.c:3746

Other information:
The problem is that each dynamic session in the sessions list is initialized
with pointers that are subsequently free'd.  The attached patch corrects the
problem by making sure the pointers are copied before they are free'd.
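The pattern behind this report, as an added illustration rather than the attached gdm patch: a session list that keeps a borrowed pointer into a buffer its caller then frees, next to the copy-before-free fix the description outlines. The session names, the 0xff junk fill standing in for FreeBSD malloc debugging, and the list layout are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

struct session {
    char *name;      /* later passed to gtk_tooltips_set_tip() */
    int   owns_name; /* 1: our own heap copy, 0: borrowed from the caller */
};
static struct session sessions[8];
static int n_sessions;

/* Heap copy of s: what the fix does before the source buffer is released. */
char *dup_str(const char *s)
{
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) abort();
    return strcpy(copy, s);
}
/* Buggy pattern from the report: keep the caller's pointer. Once the caller
   frees that buffer, name dangles and the tooltip code reads junk bytes. */
void session_add_borrowed(char *tmp_name)
{
    sessions[n_sessions].name = tmp_name;
    sessions[n_sessions++].owns_name = 0;
}
/* Fixed pattern: copy the string before the source buffer is freed. */
void session_add_copied(const char *tmp_name)
{
    sessions[n_sessions].name = dup_str(tmp_name);
    sessions[n_sessions++].owns_name = 1;
}
/* Models a junk-filling free (as malloc debugging does); hence the 0xff run in the trace. */
void junk_free(char *p) { memset(p, 0xff, strlen(p)); free(p); }

/* Builds the list from constructed names, freeing each temporary buffer right after
   it is added, as gdmlogin's loop did. Returns the number of entries left pointing
   at freed memory; 0 once every name has been copied. */
int build_sessions(int copy)
{
    static const char *const files[] = { "gnome", "kde", "failsafe" };
    int dangling = 0;
    n_sessions = 0;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char *tmp = dup_str(files[i]);  /* the short-lived source buffer */
        if (copy) session_add_copied(tmp); else session_add_borrowed(tmp);
        junk_free(tmp);                 /* source gone: borrowed names now dangle */
    }
    for (int i = 0; i < n_sessions; i++) dangling += !sessions[i].owns_name;
    return dangling;
}
/* Safe accessor: NULL for a dangling entry rather than a use-after-free read. */
const char *session_name(int i) { return sessions[i].owns_name ? sessions[i].name : NULL; }
```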
Comment 1 Joe Marcus Clarke 2005-08-09 06:32:38 UTC
Created attachment 50440
Fix use-after-free problem in gdmlogin
Comment 2 Joe Marcus Clarke 2005-08-09 06:33:15 UTC
Note: this bug was found courtesy of "Start Dancing".
Comment 3 Christian Kirbach 2005-08-09 13:59:17 UTC
Confirming because of the patch.
Does this also apply to the latest stable/development version?
Comment 4 Joe Marcus Clarke 2005-08-09 16:07:30 UTC
Absolutely.  The patch is against 2.8.0.2, but the stack trace is from 2.8.0.1.
Comment 5 Joe Marcus Clarke 2005-08-09 17:21:57 UTC
This patch also applies to HEAD.
Comment 6 Brian Cameron 2005-08-09 18:50:14 UTC
Fixed in CVS head and 2.8.0.2 branch.
Comment 7 Brian Cameron 2005-08-12 16:59:59 UTC
*** Bug 313330 has been marked as a duplicate of this bug. ***