GNOME Bugzilla – Bug 710679
invalid read in name_owner_vanished
Last modified: 2014-04-10 16:29:26 UTC
Using gvfs 1.18.2, this happens when an iPod touch is connected:

==10432== Invalid read of size 1
==10432==    at 0x432847A: g_str_hash (ghash.c:1732)
==10432==    by 0x4327119: g_hash_table_remove_internal (ghash.c:365)
==10432==    by 0x805DAEA: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:491)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
==10432==  Address 0x6ebdca0 is 0 bytes inside a block of size 7 free'd
==10432==    at 0x402AC38: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==10432==    by 0x433E5CF: g_free (gmem.c:197)
==10432==    by 0x41FBEA7: client_unref (gdbusnamewatching.c:104)
==10432==    by 0x805DAD8: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:488)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
==10432==
==10432== Invalid read of size 1
==10432==    at 0x4328494: g_str_hash (ghash.c:1732)
==10432==    by 0x4327119: g_hash_table_remove_internal (ghash.c:365)
==10432==    by 0x805DAEA: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:491)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
==10432==  Address 0x6ebdca1 is 1 bytes inside a block of size 7 free'd
==10432==    at 0x402AC38: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==10432==    by 0x433E5CF: g_free (gmem.c:197)
==10432==    by 0x41FBEA7: client_unref (gdbusnamewatching.c:104)
==10432==    by 0x805DAD8: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:488)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
==10432==
==10432== Invalid read of size 4
==10432==    at 0x43284B8: g_int_equal (ghash.c:1801)
==10432==    by 0x43271B0: g_hash_table_remove_internal (ghash.c:386)
==10432==    by 0x805DAEA: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:491)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
==10432==  Address 0x6ebdca0 is 0 bytes inside a block of size 7 free'd
==10432==    at 0x402AC38: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==10432==    by 0x433E5CF: g_free (gmem.c:197)
==10432==    by 0x41FBEA7: client_unref (gdbusnamewatching.c:104)
==10432==    by 0x805DAD8: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:488)
==10432==    by 0x41FBCE6: actually_do_call (gdbusnamewatching.c:164)
==10432==    by 0x41FBE5B: do_call (gdbusnamewatching.c:216)
==10432==    by 0x41FC412: on_name_owner_changed (gdbusnamewatching.c:307)
==10432==    by 0x41EBF25: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==10432==    by 0x433559F: g_idle_dispatch (gmain.c:5250)
==10432==    by 0x433883D: g_main_context_dispatch (gmain.c:3065)
==10432==    by 0x4338BE7: g_main_context_iterate.isra.22 (gmain.c:3712)
==10432==    by 0x433904A: g_main_loop_run (gmain.c:3906)
==10432==    by 0x442A904: (below main) (libc-start.c:260)
Created attachment 273663
proxy volume monitor: Fix invalid read

When g_bus_unwatch_name () is called, it frees the associated Client and so the name variable becomes invalid. So, ensure that nothing uses the name variable after this call.
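As an added example that is not part of this bug report or of gvfs, a small C model of the ordering bug the patch fixes: `client_unref` stands in for the free that g_bus_unwatch_name () performs, `table_remove` for the g_hash_table_remove () that read the freed key, and the `Table`, `demo` and the `:1.42` bus name are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Constructed model of the ordering bug in the report (not gvfs's own code): a Client's
 * heap string `name` is also the key used to clean up a table; unwatching frees both. */
typedef struct { char *name; } Client;
typedef struct { char *keys[8]; } Table;
/* Stand-in for valgrind's "free'd" bookkeeping: the last released name is
 * poisoned and remembered, so a read through it is detectable rather than UB. */
static const char *last_freed_name;

/* Plays the role of g_bus_unwatch_name() -> client_unref(). The name string is
 * deliberately leaked instead of freed so its address stays comparable. */
static void client_unref(Client *c) {
    memset(c->name, 0xDD, strlen(c->name));
    last_freed_name = c->name;
    free(c);
}

/* 1 = removed, 0 = absent, -1 = key is freed memory (valgrind's "Invalid read
 * of size 1" inside g_str_hash during g_hash_table_remove). */
static int table_remove(Table *t, const char *key) {
    if (key == last_freed_name) return -1;
    for (int i = 0; i < 8; i++)
        if (t->keys[i] && strcmp(t->keys[i], key) == 0) {
            free(t->keys[i]); t->keys[i] = NULL; return 1;
        }
    return 0;
}

/* Before the fix: unwatch first, then remove through the dangling `name`. */
static int vanished_buggy(Table *t, Client *c) {
    const char *name = c->name;
    client_unref(c);
    return table_remove(t, name);
}

/* After the fix: do everything that needs `name`, then unwatch. */
static int vanished_fixed(Table *t, Client *c) {
    int r = table_remove(t, c->name);
    client_unref(c);
    return r;
}

/* One scenario on a fresh table keyed by a constructed unique bus name. */
static int demo(int fixed) {
    Table t = {{0}};
    Client *c = malloc(sizeof *c);
    c->name = strdup(":1.42");
    t.keys[0] = strdup(c->name);
    return fixed ? vanished_fixed(&t, c) : vanished_buggy(&t, c);
}
```

Under valgrind the real code shows the same shape: the `free` in client_unref at line 488 precedes the read at line 491 in the same callback, so the removal has to move above the unwatch call.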
Review of attachment 273663: Looks good!
Pushed to master as cc9e1249b08e1db213baaddb77914f5394bffb69. Thanks!