Bug 740772 - Use-after-free when adding attachments to events
Status: RESOLVED FIXED
Product: evolution-ews
Classification: Other
Component: Calendar
Version: 3.12.x
Hardware: Other
OS: All
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: Evolution EWS maintainer(s)
QA Contact: Evolution EWS maintainer(s)
Depends on:
Blocks:
Reported: 2014-11-26 18:47 UTC by Daniel Sands
Modified: 2014-11-27 11:58 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Daniel Sands 2014-11-26 18:47:44 UTC
Spillover from another crash bug, I have created this one for an apparently different condition.

While using the option to convert a meeting to an appointment in the Outlook calendar, there are occasional crashes, strange meetings popping up that have unprintable characters for the title, etc. Running with Valgrind produced the traceback below.

Just a quick glance at the code looks like ews_create_attachments_cb calls ews_cal_modify_object with some callback data, then immediately and unconditionally frees that callback data before ews_cal_modify_object_cb has a chance to use it.


==10835== Invalid read of size 1
==10835==    at 0x4C2CB82: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCBAB012: g_strdup (gstrfuncs.c:355)
==10835==    by 0x24893FA4: ews_cal_modify_object_cb (e-cal-backend-ews.c:1813)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xC9029AB: g_cclosure_marshal_generic_va (gclosure.c:1541)
==10835==  Address 0x3cf20ee0 is 0 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835== 
==10835== Invalid read of size 1
==10835==    at 0x4C2CB94: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCBAB012: g_strdup (gstrfuncs.c:355)
==10835==    by 0x24893FA4: ews_cal_modify_object_cb (e-cal-backend-ews.c:1813)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xC9029AB: g_cclosure_marshal_generic_va (gclosure.c:1541)
==10835==  Address 0x3cf20ee1 is 1 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835== 
==10835== Invalid read of size 8
==10835==    at 0x4C2E320: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCBAB02C: UnknownInlinedFun (string3.h:51)
==10835==    by 0xCBAB02C: g_strdup (gstrfuncs.c:357)
==10835==    by 0x24893FA4: ews_cal_modify_object_cb (e-cal-backend-ews.c:1813)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xC9029AB: g_cclosure_marshal_generic_va (gclosure.c:1541)
==10835==  Address 0x3cf20ee0 is 0 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835== 
==10835== Invalid read of size 8
==10835==    at 0x4C2E32E: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCBAB02C: UnknownInlinedFun (string3.h:51)
==10835==    by 0xCBAB02C: g_strdup (gstrfuncs.c:357)
==10835==    by 0x24893FA4: ews_cal_modify_object_cb (e-cal-backend-ews.c:1813)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xC9029AB: g_cclosure_marshal_generic_va (gclosure.c:1541)
==10835==  Address 0x3cf20ef0 is 16 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835== 
==10835== Invalid read of size 1
==10835==    at 0x4C2E3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCBAB02C: UnknownInlinedFun (string3.h:51)
==10835==    by 0xCBAB02C: g_strdup (gstrfuncs.c:357)
==10835==    by 0x24893FA4: ews_cal_modify_object_cb (e-cal-backend-ews.c:1813)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xC9029AB: g_cclosure_marshal_generic_va (gclosure.c:1541)
==10835==  Address 0x3cf20f78 is 152 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835== 
==10835== Invalid free() / delete / delete[] / realloc()
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x24893E83: ews_cal_modify_object_cb (e-cal-backend-ews.c:1822)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==  Address 0x3cf20ee0 is 0 bytes inside a block of size 153 free'd
==10835==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10835==    by 0xCB927FE: g_free (gmem.c:190)
==10835==    by 0x2489131B: e_cal_backend_ews_async_data_free (e-cal-backend-ews.c:342)
==10835==    by 0x248976C0: ews_create_attachments_cb (e-cal-backend-ews.c:1395)
==10835==    by 0xC5ED806: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==10835==    by 0xC5ED868: complete_in_idle_cb (gsimpleasyncresult.c:775)
==10835==    by 0xCB8CAEA: g_main_dispatch (gmain.c:3111)
==10835==    by 0xCB8CAEA: g_main_context_dispatch (gmain.c:3710)
==10835==    by 0xCB8CE87: g_main_context_iterate.isra.29 (gmain.c:3781)
==10835==    by 0xCB8D1B1: g_main_loop_run (gmain.c:3975)
==10835==    by 0x52E95E1: dbus_server_run_server (e-dbus-server.c:230)
==10835==    by 0xDD9CD5F: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==10835==    by 0xDD9C7D0: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==10835==
Comment 1 Milan Crha 2014-11-27 06:57:55 UTC
Just for the record, the mentioned other bug is bug #701138.
Comment 2 Milan Crha 2014-11-27 11:58:49 UTC
I see what's going on here. An attachment was added and it was saved first. Then an actual modify on the item was initiated, but with an itemid which was freed right after it was invoked, later causing a use-after-free and even later a double-free. I also fixed one memory leak in the related code.

Created commit c5eb624 in ews master (3.13.9+) [1]
Created commit 278fe7e in ews evolution-ews-3-12 (3.12.9+)

[1] https://git.gnome.org/browse/evolution-ews/commit/?id=c5eb624
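As an added illustration of the ownership problem described in the report and the fix outlined in comment 2 (a constructed C model, not evolution-ews code): the caller queues an asynchronous completion that owns the callback data, then frees that data itself before the main loop has run the completion. The AsyncData struct, the one-slot main loop and run_scenario() are assumptions of this example; counters replace the real crash so the buggy path runs to completion.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug, not evolution-ews code. AsyncData stands in for
 * the callback data that e_cal_backend_ews_async_data_free() releases; itemid is
 * the string ews_cal_modify_object_cb later copies with g_strdup(). */
typedef struct {
    char *itemid;
    int released;   /* marked on free so misuse is counted instead of crashing */
} AsyncData;
typedef void (*Completion)(AsyncData *data);

/* One-slot stand-in for GLib's main loop: completions run later, never inline. */
static AsyncData *pending_data;
static Completion pending_cb;
static int uaf_count, double_free_count;

static void queue_completion(AsyncData *d, Completion cb) { pending_data = d; pending_cb = cb; }
static void run_main_loop(void) { Completion cb = pending_cb; pending_cb = NULL; if (cb) cb(pending_data); }

/* Frees only the payload; the container outlives the demo so it can be inspected. */
static void async_data_free(AsyncData *d)
{
    if (d->released) { double_free_count++; return; }
    free(d->itemid);
    d->itemid = NULL;
    d->released = 1;
}

/* The completion owns the data: it reads itemid, then frees it (trace line 1822). */
static void modify_object_cb(AsyncData *d)
{
    if (d->released) uaf_count++;          /* the strlen/memcpy reads at trace line 1813 */
    else (void)strlen(d->itemid);          /* what g_strdup() does on live data */
    async_data_free(d);                    /* double free when the caller already freed */
}

/* fixed == 0 mirrors ews_create_attachments_cb: queue the modify, then free
 * unconditionally. fixed == 1 transfers ownership to the completion instead. */
int run_scenario(int fixed)
{
    AsyncData d = { malloc(32), 0 };
    strcpy(d.itemid, "item-id-constructed");
    uaf_count = double_free_count = 0;
    queue_completion(&d, modify_object_cb);
    if (!fixed) async_data_free(&d);       /* the bug: the callback has not run yet */
    run_main_loop();
    return uaf_count * 10 + double_free_count;   /* 11 when buggy, 0 when fixed */
}
```

Under Valgrind the real code shows the same two-stage symptom: invalid reads from the completion first, then an invalid free when the completion releases data the caller already freed.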