After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 746195 - tracker crashing within gnome-documents search provider
tracker crashing within gnome-documents search provider
Status: RESOLVED FIXED
Product: tracker
Classification: Core
Component: General
1.3.x
Other Linux
: Normal normal
: ---
Assigned To: tracker-general
tracker-general
: 752556 755560 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2015-03-14 05:22 UTC by darkxst
Modified: 2015-10-30 16:18 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Trace (16.24 KB, text/plain)
2015-09-07 18:17 UTC, Bruce Pieterse 		  Details
fix buffer overrun in libunistring version of tracker_parser_unaccent_nfkd_string() (2.69 KB, patch)
2015-10-23 10:08 UTC, Marius Gedminas 		none Details | Review
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string() (2.64 KB, patch)
2015-10-23 10:37 UTC, Marius Gedminas 		none Details | Review
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string() [v3] (2.89 KB, patch)
2015-10-23 11:44 UTC, Marius Gedminas 		committed Details | Review

Description darkxst 2015-03-14 05:22:51 UTC 
we are getting lots of reports of this one, with tracker 1.3.5

https://bugs.launchpad.net/bugs/1432098/+attachment/4344952/+files/ThreadStacktrace.txt
Comment 1 Kunaal Jain 2015-03-14 05:27:45 UTC 
Hi, can you please check the link, shows page not found for me
Comment 2 darkxst 2015-03-14 05:55:11 UTC 
oh bug was still marked private, should work now. Though here is the backtrace

.

+ Trace 234841

Thread 3 (Thread 0x7f2501ce7700 (LWP 11654))

  • #0 syscall
    at ../sysdeps/unix/sysv/linux/x86_64/syscall.S line 38
  • #1 g_mutex_lock_slowpath
    at /build/buildd/glib2.0-2.43.91/./glib/gthread-posix.c line 1314
  • #2 tracker_direct_connection_real_query
  • #3 ___lambda4_
    at /home/martyn/Source/checkout/gnome/tracker/src/libtracker-direct/tracker-direct.vala line 108
  • #4 ____lambda4__gio_scheduler_job_func
    at tracker-direct.c line 854
  • #5 io_job_thread
    at /build/buildd/glib2.0-2.43.91/./gio/gioscheduler.c line 85
  • #6 g_task_thread_pool_thread
    at /build/buildd/glib2.0-2.43.91/./gio/gtask.c line 1215
  • #7 g_thread_pool_thread_proxy
    at /build/buildd/glib2.0-2.43.91/./glib/gthreadpool.c line 307
  • #8 g_thread_proxy
    at /build/buildd/glib2.0-2.43.91/./glib/gthread.c line 764
  • #9 start_thread
    at pthread_create.c line 309
  • #10 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Thread 2 (Thread 0x7f25024e8700 (LWP 11653))

  • #0 syscall
    at ../sysdeps/unix/sysv/linux/x86_64/syscall.S line 38
  • #1 g_cond_wait_until
    at /build/buildd/glib2.0-2.43.91/./glib/gthread-posix.c line 1443
  • #2 g_async_queue_pop_intern_unlocked
    at /build/buildd/glib2.0-2.43.91/./glib/gasyncqueue.c line 422
  • #3 g_async_queue_timeout_pop_unlocked
    at /build/buildd/glib2.0-2.43.91/./glib/gasyncqueue.c line 570
  • #4 g_thread_pool_wait_for_new_task
    at /build/buildd/glib2.0-2.43.91/./glib/gthreadpool.c line 262
  • #5 g_thread_pool_thread_proxy
    at /build/buildd/glib2.0-2.43.91/./glib/gthreadpool.c line 296
  • #6 g_thread_proxy
    at /build/buildd/glib2.0-2.43.91/./glib/gthread.c line 764
  • #7 start_thread
    at pthread_create.c line 309
  • #8 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Thread 1 (Thread 0x7f2502ce9700 (LWP 11652))

  • #0 __GI_raise
    at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
  • #1 __GI_abort
    at abort.c line 89
  • #2 __libc_message
    at ../sysdeps/posix/libc_fatal.c line 175
  • #3 malloc_printerr
  • #4 _int_free
    at malloc.c line 3840
  • #5 sqlite3VdbeMemGrow
    at sqlite3.c line 61809
  • #6 vdbeMemAddTerminator
    at sqlite3.c line 61903
  • #7 sqlite3VdbeMemNulTerminate
    at sqlite3.c line 61922
  • #8 valueToText
    at sqlite3.c line 62682
  • #9 sqlite3ValueText
    at sqlite3.c line 62717
  • #10 sqlite3_value_text
    at sqlite3.c line 67474
  • #11 likeFunc
    at sqlite3.c line 94967
  • #12 sqlite3VdbeExec
    at sqlite3.c line 70609
  • #13 sqlite3Step
    at sqlite3.c line 67812
  • #14 sqlite3_step
    at sqlite3.c line 2342
  • #15 db_cursor_iter_next
    at tracker-db-interface-sqlite.c line 2156
  • #16 tracker_db_cursor_iter_next_thread
    at tracker-db-interface-sqlite.c line 1942
  • #17 ?? 






Comment 3


Martyn Russell





          2015-03-17 19:30:57 UTC
        



Interesting. Is it reproduced calling that SPARQL query? Or is there somethign special to show this bug?

A few observations:
1. The cancellable is 0x2, that looks potentially like memory corruption without looking at the GCancellable code that is.
2. That code hasn't changed in over 4 years, I wonder if something underneath us has changed? I know that the g_io_scheduler_push_job() stuff is deprecated and needs updating ASAP - actually I've asked Jürg about that and it was problematic when we last spoke.






Comment 4


Bruce Pieterse





          2015-09-07 18:17:35 UTC
        



Created attachment 310856 [details]
Trace

There is this bug report with malloc(): memory corruption (fast) https://bugs.launchpad.net/ubuntu-gnome/+bug/1432068. Backtrace attached.






Comment 5


Ritesh Raj Sarraf





          2015-09-15 10:43:42 UTC
        



This issue is also seen on Debian.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794646






Comment 6


Marius Gedminas





          2015-10-23 06:39:45 UTC
        



I can easily reproduce this crash:

- in one terminal run /usr/bin/gnome-documents --gapplication-service
- within 10 seconds of the above, in another terminal run dbus-send --print-reply --dest=org.gnome.Documents /org/gnome/Documents/SearchProvider org.gnome.Shell.SearchProvider2.GetInitialResultSet array:string:"search"

When I do that under valgrind, I get this:

==23172== Thread 8 pool:
==23172== Invalid write of size 1
==23172==    at 0x174A56C1: tracker_parser_unaccent_nfkd_string (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-common.so.0.0.0)
==23172==    by 0x1726AA02: function_sparql_unaccent (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x1791D6EE: sqlite3VdbeExec (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172==    by 0x17926826: sqlite3_step (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172==    by 0x1726B2FF: db_cursor_iter_next (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x1726BAB6: tracker_db_cursor_iter_next_thread (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x70A68FE: run_in_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x7092985: io_job_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x70B7D87: g_task_thread_pool_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x50FC2FD: g_thread_pool_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172==    by 0x50FB964: g_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172==    by 0x5E706A9: start_thread (pthread_create.c:333)
==23172==  Address 0x14072b52 is 0 bytes after a block of size 2 alloc'd
==23172==    at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23172==    by 0x17B9D516: u8_normalize (in /usr/lib/x86_64-linux-gnu/libunistring.so.0.1.2)
==23172==    by 0x1726A9F4: function_sparql_unaccent (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x1791D6EE: sqlite3VdbeExec (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172==    by 0x17926826: sqlite3_step (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172==    by 0x1726B2FF: db_cursor_iter_next (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x1726BAB6: tracker_db_cursor_iter_next_thread (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172==    by 0x70A68FE: run_in_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x7092985: io_job_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x70B7D87: g_task_thread_pool_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172==    by 0x50FC2FD: g_thread_pool_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172==    by 0x50FB964: g_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)

When I look at what's happening under gdb, I see function_sparql_unaccent getting called with a string "10":

(gdb) info locals
zInput = 0x7fffc80b83d8 "10"
zOutput = <optimized out>
written = 0
nInput = 2

Then u8_normalize() gets called and allocates a 2-byte buffer:

(gdb) info locals
zInput = 0x7fffc80b83d8 "10"
zOutput = 0x7fffc80fac50 "10"
written = 2
nInput = <optimized out>

Then tracker_parser_unaccent_nfkd_string from tracker-parser-libunistring.c:164 gets called and helpfully writes a '\0' past the end of the buffer (tracker-parser-libunistring.c:213 in current git).






Comment 7


Marius Gedminas





          2015-10-23 10:08:33 UTC
        



Created attachment 313923 [details] [review]
fix buffer overrun in libunistring version of tracker_parser_unaccent_nfkd_string()

I've tested this patch locally, and I no longer have the crash.  Valgrind also doesn't complain any more (I'm ignoring warnings about uninitalized memory reads in libmozjs).






Comment 8


Marius Gedminas





          2015-10-23 10:13:41 UTC
        



Citations about the libunistring memory representation:
* https://www.gnu.org/software/libunistring/manual/libunistring.html#In_002dmemory-representation
* https://www.gnu.org/software/libunistring/manual/libunistring.html#Unicode-strings

Since u8_normalize() passes around pairs of (const uint8_t*, size_t), I think it's safe to assume it uses the 2nd of the formats (no trailing NUL).  Also, Valgrind reported that a 2-byte buffer was allocated for a 2-character string, so.

The buffer allocated by u8_normalize() is passed directly to tracker_parser_unaccent_nfkd_string(), so the latter must not assume there's space for a trailing NUL.

And that's why I think my patch is correct.






Comment 9


Marius Gedminas





          2015-10-23 10:37:34 UTC
        



Created attachment 313924 [details] [review]
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string()

Version 2: remove useless assertion (gsize is unsigned, it can't be < 0).






Comment 10


Marius Gedminas





          2015-10-23 11:44:57 UTC
        



Created attachment 313933 [details] [review]
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string() [v3]

Version 3: add a NUL terminator in one place only; tracker_parser_message_hex() doesn't need it.






Comment 11


Aleksander Morgado





          2015-10-23 12:01:48 UTC
        



Review of attachment 313933 [details] [review]:

The logic looks good in this one. The libunistring version of tracker_parser_unaccent_nfkd_string() doesn'tt rely on being NUL-terminated and therefore it shouldn't explicitly force it.






Comment 12


Carlos Garnacho





          2015-10-23 12:19:52 UTC
        



Comment on attachment 313933 [details] [review]
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string() [v3]

Indeed, looks good :). Please push to master/tracker-1.6/tracker-1.4.






Comment 13


Carlos Garnacho





          2015-10-23 18:52:33 UTC
        



Comment on attachment 313933 [details] [review]
fix buffer overrun in libunistring builds of tracker_parser_unaccent_nfkd_string() [v3]

Pushed to master, all the way down to tracker-1.2






Comment 14


Debarshi Ray





          2015-10-30 16:18:24 UTC
        



*** Bug 752556 has been marked as a duplicate of this bug. ***






Comment 15


Debarshi Ray





          2015-10-30 16:18:30 UTC
        



*** Bug 755560 has been marked as a duplicate of this bug. ***