GNOME Bugzilla – Bug 781847
Use-after-free under send_message_with_reply_cleanup():gdbusconnection.c:1792
Last modified: 2018-05-24 19:30:34 UTC
I just got this report when running under address sanitizer with glib 2.50.2:

==29601==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000a1a6c0 at pc 0x7f7f6f369fe4 bp 0x7f7f526ec460 sp 0x7f7f526ec450
READ of size 8 at 0x611000a1a6c0 thread T4 (gdbus)
    #0 0x7f7f6f369fe3 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3115
    #1 0x7f7f6fc4c510 in send_message_with_reply_cleanup .../glib-2.50.2/gio/gdbusconnection.c:1792
    #2 0x7f7f6fc4c5ca in send_message_data_deliver_reply_unlocked .../glib-2.50.2/gio/gdbusconnection.c:1809
    #3 0x7f7f6fc4e477 in on_worker_message_received .../glib-2.50.2/gio/gdbusconnection.c:2287
    #4 0x7f7f6fc8bd68 in _g_dbus_worker_emit_message_received .../glib-2.50.2/gio/gdbusprivate.c:457
    #5 0x7f7f6fc8bfc3 in _g_dbus_worker_queue_or_deliver_received_message .../glib-2.50.2/gio/gdbusprivate.c:485
    #6 0x7f7f6fc8db9a in _g_dbus_worker_do_read_cb .../glib-2.50.2/gio/gdbusprivate.c:770
    #7 0x7f7f6fbb384b in g_task_return_now .../glib-2.50.2/gio/gtask.c:1121
    #8 0x7f7f6fbb392f in complete_in_idle_cb .../glib-2.50.2/gio/gtask.c:1135
    #9 0x7f7f6eca4048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
    #10 0x7f7f6ec9aabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
    #11 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
    #12 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
    #13 0x7f7f6eca0074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
    #14 0x7f7f6fc8b3a8 in gdbus_shared_thread_func .../glib-2.50.2/gio/gdbusprivate.c:247
    #15 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #16 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #17 0x7f7f6d0daf7e in clone (/lib64/libc.so.6+0x107f7e)

0x611000a1a6c0 is located 0 bytes inside of 208-byte region [0x611000a1a6c0,0x611000a1a790)
freed by thread T0 here:
    #0 0x7f7f71b25b00 in free (/usr/lib64/libasan.so.3+0xc6b00)
    #1 0x7f7f6ecb547c in g_free .../glib-2.50.2/glib/gmem.c:189
    #2 0x7f7f6ed00eff in g_slice_free1 .../glib-2.50.2/glib/gslice.c:1136
    #3 0x7f7f6f3a694f in g_type_free_instance .../glib-2.50.2/gobject/gtype.c:1943
    #4 0x7f7f6f36a841 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3215
    #5 0x7f7f6ec95230 in g_source_callback_unref .../glib-2.50.2/glib/gmain.c:1547
    #6 0x7f7f6ec936d2 in g_source_destroy_internal .../glib-2.50.2/glib/gmain.c:1236
    #7 0x7f7f6ec9aeb9 in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3227
    #8 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
    #9 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
    #10 0x7f7f6eca0074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
    #11 0x4043d0 in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:217
    #12 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)

previously allocated by thread T1659 here:
    #0 0x7f7f71b25e60 in malloc (/usr/lib64/libasan.so.3+0xc6e60)
    #1 0x7f7f6ecb5313 in g_malloc .../glib-2.50.2/glib/gmem.c:94
    #2 0x7f7f6ed00c0c in g_slice_alloc .../glib-2.50.2/glib/gslice.c:1025
    #3 0x7f7f6ed00c4c in g_slice_alloc0 .../glib-2.50.2/glib/gslice.c:1051
    #4 0x7f7f6f3a53ac in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1848
    #5 0x7f7f6f361dc3 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1783
    #6 0x7f7f6f362888 in g_object_newv .../glib-2.50.2/gobject/gobject.c:1930
    #7 0x7f7f6f361391 in g_object_new .../glib-2.50.2/gobject/gobject.c:1623
    #8 0x7f7f6fbb27f0 in g_task_new .../glib-2.50.2/gio/gtask.c:693
    #9 0x7f7f6fc4c8ff in g_dbus_connection_send_message_with_reply_unlocked .../glib-2.50.2/gio/gdbusconnection.c:1908
    #10 0x7f7f6fc4d060 in g_dbus_connection_send_message_with_reply .../glib-2.50.2/gio/gdbusconnection.c:2008
    #11 0x7f7f6fc5eb28 in g_dbus_connection_call_internal .../glib-2.50.2/gio/gdbusconnection.c:5781
    #12 0x7f7f6fc5f98c in g_dbus_connection_call_with_unix_fd_list .../glib-2.50.2/gio/gdbusconnection.c:6209
    #13 0x7f7f6fc88edf in g_dbus_proxy_call_internal .../glib-2.50.2/gio/gdbusproxy.c:2724
    #14 0x7f7f6fc89d87 in g_dbus_proxy_call .../glib-2.50.2/gio/gdbusproxy.c:2964
    #15 0x7f7f6d419ce1 in e_dbus_source_proxy_set_property .../evolution-data-server/_build/src/private/e-dbus-source.c:1630
    #16 0x7f7f6f35fbdd in object_set_property .../glib-2.50.2/gobject/gobject.c:1423
    #17 0x7f7f6f36513c in g_object_set_valist .../glib-2.50.2/gobject/gobject.c:2167
    #18 0x7f7f6f366625 in g_object_set .../glib-2.50.2/gobject/gobject.c:2277
    #19 0x7f7f6d418988 in e_dbus_source_set_connection_status .../evolution-data-server/_build/src/private/e-dbus-source.c:936
    #20 0x7f7f6d8e550c in e_source_set_connection_status .../evolution-data-server/src/libedataserver/e-source.c:3520
    #21 0x7f7f39c3924d in ecb_caldav_connect_sync .../evolution-data-server/src/calendar/backends/caldav/e-cal-backend-caldav.c:211
    #22 0x7f7f706253fe in e_cal_meta_backend_connect_sync .../evolution-data-server/src/calendar/libedata-cal/e-cal-meta-backend.c:3968
    #23 0x7f7f7061cb81 in ecmb_authenticate_sync .../evolution-data-server/src/calendar/libedata-cal/e-cal-meta-backend.c:2847
    #24 0x7f7f6de041ee in e_backend_authenticate_sync .../evolution-data-server/src/libebackend/e-backend.c:254
    #25 0x7f7f6de048d9 in backend_source_authenticate_thread .../evolution-data-server/src/libebackend/e-backend.c:315
    #26 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #27 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T4 (gdbus) created by T1 (dconf worker) here:
    #0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7f7f6fc8b59d in _g_dbus_shared_thread_ref .../glib-2.50.2/gio/gdbusprivate.c:275
    #5 0x7f7f6fc9348d in _g_dbus_worker_new .../glib-2.50.2/gio/gdbusprivate.c:1651
    #6 0x7f7f6fc4fb1b in initable_init .../glib-2.50.2/gio/gdbusconnection.c:2577
    #7 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #8 0x7f7f6fc64147 in g_bus_get_sync .../glib-2.50.2/gio/gdbusconnection.c:7257
    #9 0x7f7f54007d08 in dconf_gdbus_get_bus_in_worker .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:185
    #10 0x7f7f54008448 in dconf_gdbus_method_call .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:243
    #11 0x7f7f6eca4048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
    #12 0x7f7f6ec9aabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
    #13 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
    #14 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
    #15 0x7f7f6ec9f65a in g_main_context_iteration .../glib-2.50.2/glib/gmain.c:3990
    #16 0x7f7f54007767 in dconf_gdbus_worker_thread .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:82
    #17 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #18 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T1 (dconf worker) created by T0 here:
    #0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7f7f540077c0 in dconf_gdbus_get_worker_context .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:98
    #5 0x7f7f54008b1b in dconf_engine_dbus_call_async_func .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:284
    #6 0x7f7f53fff11f in dconf_engine_watch_fast .../dconf-0.26.0/engine/dconf-engine.c:868
    #7 0x7f7f53ffb4f2 in dconf_settings_backend_subscribe .../dconf-0.26.0/gsettings/dconfsettingsbackend.c:135
    #8 0x7f7f6fd4d6c6 in g_settings_backend_subscribe .../glib-2.50.2/gio/gsettingsbackend.c:890
    #9 0x7f7f6fd5ce4c in g_settings_constructed .../glib-2.50.2/gio/gsettings.c:682
    #10 0x7f7f6f362100 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1823
    #11 0x7f7f6f363c6c in g_object_new_valist .../glib-2.50.2/gobject/gobject.c:2042
    #12 0x7f7f6f3613d3 in g_object_new .../glib-2.50.2/gobject/gobject.c:1626
    #13 0x7f7f6fd5d8d6 in g_settings_new .../glib-2.50.2/gio/gsettings.c:965
    #14 0x7f7f6d93a879 in e_source_registry_init .../evolution-data-server/src/libedataserver/e-source-registry.c:1729
    #15 0x7f7f6f3a58ad in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1866
    #16 0x7f7f6f361dc3 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1783
    #17 0x7f7f6f362888 in g_object_newv .../glib-2.50.2/gobject/gobject.c:1930
    #18 0x7f7f6f361391 in g_object_new .../glib-2.50.2/gobject/gobject.c:1623
    #19 0x7f7f6d93489c in source_registry_dup_uninitialized_singleton .../evolution-data-server/src/libedataserver/e-source-registry.c:301
    #20 0x7f7f6d93aa7b in e_source_registry_new_sync .../evolution-data-server/src/libedataserver/e-source-registry.c:1765
    #21 0x7f7f6de53268 in subprocess_factory_initable_init .../evolution-data-server/src/libebackend/e-subprocess-factory.c:160
    #22 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #23 0x7f7f6fb22732 in g_initable_new_valist .../glib-2.50.2/gio/ginitable.c:228
    #24 0x7f7f6fb225a4 in g_initable_new .../glib-2.50.2/gio/ginitable.c:146
    #25 0x7f7f706401e0 in e_subprocess_cal_factory_new .../evolution-data-server/src/calendar/libedata-cal/e-subprocess-cal-factory.c:174
    #26 0x40431b in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:191
    #27 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)

Thread T1659 created by T2 here:
    #0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7f7f6de0a5db in e_backend_schedule_authenticate .../evolution-data-server/src/libebackend/e-backend.c:1224
    #5 0x7f7f6de05099 in backend_source_authenticate_cb .../evolution-data-server/src/libebackend/e-backend.c:403
    #6 0x7f7f6f356d33 in g_cclosure_marshal_VOID__BOXED .../glib-2.50.2/gobject/gmarshal.c:1910
    #7 0x7f7f6f349b48 in g_closure_invoke .../glib-2.50.2/gobject/gclosure.c:804
    #8 0x7f7f6f396658 in signal_emit_unlocked_R .../glib-2.50.2/gobject/gsignal.c:3635
    #9 0x7f7f6f39441b in g_signal_emit_valist .../glib-2.50.2/gobject/gsignal.c:3391
    #10 0x7f7f6f395217 in g_signal_emit .../glib-2.50.2/gobject/gsignal.c:3447
    #11 0x7f7f6d8d9b31 in source_dbus_authenticate_cb .../evolution-data-server/src/libedataserver/e-source.c:1021
    #12 0x7f7f6b086c57 in ffi_call_unix64 (/lib64/libffi.so.6+0x5c57)
    #13 0x7f7f537951ff (<unknown module>)

Thread T2 created by T0 here:
    #0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7f7f6d939706 in source_registry_initable_init .../evolution-data-server/src/libedataserver/e-source-registry.c:1385
    #5 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #6 0x7f7f6d93aab2 in e_source_registry_new_sync .../evolution-data-server/src/libedataserver/e-source-registry.c:1767
    #7 0x7f7f6de53268 in subprocess_factory_initable_init .../evolution-data-server/src/libebackend/e-subprocess-factory.c:160
    #8 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #9 0x7f7f6fb22732 in g_initable_new_valist .../glib-2.50.2/gio/ginitable.c:228
    #10 0x7f7f6fb225a4 in g_initable_new .../glib-2.50.2/gio/ginitable.c:146
    #11 0x7f7f706401e0 in e_subprocess_cal_factory_new .../evolution-data-server/src/calendar/libedata-cal/e-subprocess-cal-factory.c:174
    #12 0x40431b in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:191
    #13 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free .../glib-2.50.2/gobject/gobject.c:3115 in g_object_unref
Shadow bytes around the buggy address:
  0x0c228013b480: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c228013b490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228013b4a0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228013b4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228013b4c0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c228013b4d0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c228013b4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228013b4f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228013b500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228013b510: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c228013b520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29601==ABORTING
I’ve just taken a bit of a look at this, and I’m not sure where things can be going wrong. The problem is that one of the GTasks in map_method_serial_to_task in gdbusconnection.c is being double-unreffed. However, all the code paths I can find which unref the GTasks more than they are reffed check whether the task is in map_method_serial_to_task, and return early (without changing the refcount) if it’s not. I haven’t checked that all the paths are locked appropriately — it’s possible this is a race on access to map_method_serial_to_task. The g_task_attach_source() calls in gdbusconnection.c also look a bit suspicious, and I’d like to work through them more closely. I pushed commit 88ad0da adding some annotation comments to the code. (No functional changes.)
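The failure mode comment #1 is reasoning about (a task in map_method_serial_to_task unreffed by two completion paths, the second unref landing on freed memory, exactly what the ASan report above shows at gobject.c:3115) is easiest to see on a reduced model. The following is an added example, not GLib's code and not the fix for this bug, which the thread does not record; task_t, pending_map_t, lookup_unsafe, finish_unsafe, deliver_safe and simulate_race are hypothetical names. It contrasts a lookup-then-remove sequence that lets two paths both pass the "is it still in the map?" check with a steal-under-the-lock sequence where only the caller that actually removed the entry owns the map's reference and every other caller returns early, which is the early-return property comment #1 says the real code is supposed to have. The race is replayed deterministically on one thread rather than with real threads, so the result is reproducible; the object records a finalize instead of freeing, so the double unref is reported as a return value rather than as an invalid read.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a GTask kept in map_method_serial_to_task (not
 * GLib's type). Instead of freeing at refcount zero it records that it was
 * finalized, so a second unref is reported as -1 rather than becoming the
 * heap-use-after-free read in the ASan report above. */
typedef struct { atomic_int refcount; unsigned serial; int finalized; } task_t;

#define MAX_PENDING 16

/* Hypothetical pending-reply map: serial -> task, guarded by one mutex. */
typedef struct { pthread_mutex_t lock; task_t *slots[MAX_PENDING]; } pending_map_t;

typedef struct { int double_unrefs; int finalized; } race_result_t;

static task_t *task_new(unsigned serial) {
    task_t *t = calloc(1, sizeof *t);
    if (t == NULL) abort();
    atomic_init(&t->refcount, 1);
    t->serial = serial;
    return t;
}

/* Returns the remaining refcount, or -1 on a double unref. */
static int task_unref(task_t *t) {
    int old = atomic_fetch_sub(&t->refcount, 1);
    if (old <= 0) return -1;
    if (old == 1) t->finalized = 1;   /* real code would free() here */
    return old - 1;
}

/* The map takes over the caller's reference. */
static void map_insert(pending_map_t *m, task_t *t) {
    pthread_mutex_lock(&m->lock);
    m->slots[t->serial % MAX_PENDING] = t;
    pthread_mutex_unlock(&m->lock);
}

/* Unsafe pattern, split into the two halves another thread can interleave
 * with: look up under the lock, drop it, and only later remove the entry and
 * release the map's reference. Two completion paths can both pass the lookup. */
static task_t *lookup_unsafe(pending_map_t *m, unsigned serial) {
    pthread_mutex_lock(&m->lock);
    task_t *t = m->slots[serial % MAX_PENDING];
    pthread_mutex_unlock(&m->lock);
    return t;
}

static int finish_unsafe(pending_map_t *m, task_t *t) {
    pthread_mutex_lock(&m->lock);
    m->slots[t->serial % MAX_PENDING] = NULL;
    pthread_mutex_unlock(&m->lock);
    return task_unref(t);              /* -1 for the second caller */
}

/* Safe pattern: steal the entry in the same critical section as the lookup.
 * Exactly one caller gets a non-NULL task and owns the map's reference; any
 * other path returns early without touching the refcount (the early-return
 * check comment #1 describes). */
static int deliver_safe(pending_map_t *m, unsigned serial) {
    pthread_mutex_lock(&m->lock);
    task_t *t = m->slots[serial % MAX_PENDING];
    m->slots[serial % MAX_PENDING] = NULL;
    pthread_mutex_unlock(&m->lock);
    if (t == NULL) return 0;           /* already delivered elsewhere */
    return task_unref(t);
}

/* Replays on one thread, deterministically, two completion paths racing for
 * one serial (a reply on the gdbus worker thread versus a timeout elsewhere)
 * and reports how many double unrefs occurred and whether the task was
 * finalized at all. */
race_result_t simulate_race(int use_safe_pattern) {
    pending_map_t map = { PTHREAD_MUTEX_INITIALIZER, { 0 } };
    task_t *t = task_new(42);
    race_result_t r = { 0, 0 };
    map_insert(&map, t);               /* map owns the only reference */
    if (use_safe_pattern) {
        if (deliver_safe(&map, 42) < 0) r.double_unrefs++;   /* path A finalizes */
        if (deliver_safe(&map, 42) < 0) r.double_unrefs++;   /* path B: no-op    */
    } else {
        task_t *a = lookup_unsafe(&map, 42);                 /* both paths pass  */
        task_t *b = lookup_unsafe(&map, 42);                 /* the lookup ...   */
        if (finish_unsafe(&map, a) < 0) r.double_unrefs++;   /* A finalizes      */
        if (finish_unsafe(&map, b) < 0) r.double_unrefs++;   /* B unrefs again   */
    }
    r.finalized = t->finalized;
    free(t);                           /* the diagnostic object itself */
    return r;
}

int main(void) {
    race_result_t u = simulate_race(0), s = simulate_race(1);
    printf("unsafe: double unrefs=%d finalized=%d\n", u.double_unrefs, u.finalized);
    printf("safe:   double unrefs=%d finalized=%d\n", s.double_unrefs, s.finalized);
    return u.double_unrefs == 1 && s.double_unrefs == 0 ? 0 : 1;
}
```

The diagnostic worth keeping from this model is the one task_unref applies: an unref that finds the count already at zero is the same event ASan reports as a use-after-free, so a refcount implementation that checks for it (GObject's g_object_unref warns on it when the object memory is still intact) is the cheapest detector short of running the whole daemon under a sanitizer.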
I do not receive this one consistently, it was a matter of (bad) luck, from my point of view. What I do receive consistently, also under valgrind, is bug #748263, but it seems that nobody cares for years, which is understandable when it's hard to reproduce.
(In reply to Milan Crha from comment #2)
> I do not receive this one consistently, it was a matter of (bad) luck, from
> my point of view. What I do receive consistently, also under valgrind, is
> bug #748263, but it seems that nobody cares for years, which is
> understandable when it's hard to reproduce.

OK. I’ll see if I can find time to take a look at the other bugs too.

Is there any observable D-Bus behaviour when this happens? For example, do you know if an error reply is being sent, or a timeout is occurring, or a peer is unexpectedly leaving the bus?
I'm not aware of any D-Bus changes, nor do I know how to track them. I noticed some misbehaviour and crashes caused, possibly, by memory corruption or ref/unref imbalance, while these issues struck first. Valgrind says "invalid read", which is not as problematic as "invalid write" (speaking about the other bug report, not this one).
(In reply to Milan Crha from comment #4)
> I'm not aware of any D-Bus changes, nor do I know how to track them.

I guess I was wondering if you happened to have `dbus-monitor --session` running at the same time. Don’t worry if not.
(In reply to Philip Withnall from comment #5)
> I guess I was wondering if you happened to have `dbus-monitor --session`
> running at the same time. Don’t worry if not.

Ah, I see. I didn't.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib/issues/1264.