GNOME Bugzilla – Bug 773854
Use after free when deleting a completed task
Last modified: 2020-11-25 16:20:59 UTC
Created attachment 338980: gdb log from being attached to gnome-todo running in valgrind

Steps to reproduce:
1. Add a new task
2. mark it as completed
3. un-hide (uncollapse) completed tasks
4. select any completed task
5. delete task

What happens:

Valgrind:
==1488== Invalid read of size 8
==1488==    at 0x639C31E: gtk_widget_destroy (gtkwidget.c:4712)
==1488==    by 0x12E628: gtd_task_row__destroy_cb (gtd-task-row.c:352)
==1488==    by 0x9A6D88C: g_timeout_dispatch (gmain.c:4674)
==1488==    by 0x9A6CE41: g_main_dispatch (gmain.c:3203)
==1488==    by 0x9A6CE41: g_main_context_dispatch (gmain.c:3856)
==1488==    by 0x9A6D1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
==1488==    by 0x9A6D26B: g_main_context_iteration (gmain.c:3990)
==1488==    by 0x92A7BBC: g_application_run (gapplication.c:2381)
==1488==    by 0x117CDD: main (main.c:41)
==1488==  Address 0x29aa9e40 is 352 bytes inside a block of size 560 free'd
==1488==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==1488==    by 0x9A726BD: g_free (gmem.c:189)
==1488==    by 0x9A8B20F: g_slice_free1 (gslice.c:1136)
==1488==    by 0x9803B01: g_type_free_instance (gtype.c:1937)
==1488==    by 0x12CA96: gtd_task_list_view__remove_row_for_task (gtd-task-list-view.c:966)
==1488==    by 0x12CAFD: remove_task_from_list (gtd-task-list-view.c:264)
==1488==    by 0x12B883: iterate_subtasks.constprop.8 (gtd-task-list-view.c:189)
==1488==    by 0x12CEB7: gtd_task_list_view__remove_task_cb (gtd-task-list-view.c:635)
==1488==    by 0x97E346F: g_cclosure_marshal_VOID__OBJECTv (gmarshal.c:2102)
==1488==    by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488==    by 0x97FADD8: g_signal_emit_valist (gsignal.c:3300)
==1488==    by 0x97FB43E: g_signal_emit (gsignal.c:3447)
==1488==  Block was alloc'd at
==1488==    at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
==1488==    by 0x9A725A8: g_malloc (gmem.c:94)
==1488==    by 0x9A8AB02: g_slice_alloc (gslice.c:1025)
==1488==    by 0x9A8B12D: g_slice_alloc0 (gslice.c:1051)
==1488==    by 0x9803839: g_type_create_instance (gtype.c:1839)
==1488==    by 0x97E569A: g_object_new_internal (gobject.c:1783)
==1488==    by 0x97E75AD: g_object_new_valist (gobject.c:2042)
==1488==    by 0x97E7850: g_object_new (gobject.c:1626)
==1488==    by 0x12B638: insert_task (gtd-task-list-view.c:834)
==1488==    by 0x12DE27: gtd_task_list_view_set_show_completed (gtd-task-list-view.c:1939)
==1488==    by 0x12DEE5: gtd_task_list_view__done_button_clicked (gtd-task-list-view.c:773)
==1488==    by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488==

gdb: Trace 236810

Full gdb log is attached.

Affected versions:
gnome-todo-3.22.0-1.fc25.x86_64
gtk3-3.22.2-1.fc25.x86_64
glib2-2.50.1-1.fc25.x86_64
Created attachment 339168: gtd-task-row: avoid destroying widget twice

With the early return for destroy_row_timeout_id, we avoid a subsequent call to gtk_widget_destroy().

---

Although this fixes the issue for me, it could possibly be a workaround, as we should not be using the GtdTaskRow widget after gtk_widget_destroy() is called... So, I'm still testing whether any other regressions are found with this patch, but likely Georges can tell for sure ;)
Review of attachment 339168:

Yes, we can still crash with this patch. Not with the steps in comment #0, but playing with possibilities there such as editing, priority, etc.
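The trace in comment #0 and the patch discussed in comments #1 and #2 describe one sequence: the row schedules its own gtk_widget_destroy() through a timeout (gtd_task_row__destroy_cb), the list view then finalizes the row synchronously (g_type_free_instance under gtd_task_list_view__remove_row_for_task), and the timeout later fires against the freed instance. The C program below is an added example written for this page, not code from gnome-todo or from any commenter. It models that sequence with a toy timer queue so it builds without GLib, and contrasts the buggy teardown with one whose dispose cancels the pending source before the instance goes away. Every identifier in it (TaskRow, timer_add, run_scenario and so on) is a hypothetical stand-in for the GtdTaskRow and GLib calls named in the trace.

```c
/* Added example, not gnome-todo code: a dependency-free model of the deferred-destroy
 * race in the valgrind trace.  A toy timer queue stands in for g_timeout_add() and
 * g_source_remove(), TaskRow for GtdTaskRow; every name here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>

#define MAX_SOURCES 16
typedef void (*timer_cb)(void *user_data);
typedef struct { unsigned id; timer_cb cb; void *user_data; } Source; /* id 0: cancelled */
static Source sources[MAX_SOURCES];
static int nsources;                 /* append-only; reset when the loop drains it */
static unsigned next_source_id = 1;

/* Queue a callback and return its non-zero id (stand-in for g_timeout_add). */
static unsigned timer_add(timer_cb cb, void *user_data)
{
    if (nsources == MAX_SOURCES)
        abort();
    sources[nsources] = (Source){ next_source_id++, cb, user_data };
    return sources[nsources++].id;
}

/* Cancel a queued callback by id (stand-in for g_source_remove). */
static void timer_remove(unsigned id)
{
    for (int i = 0; i < nsources; i++)
        if (sources[i].id == id)
            sources[i].id = 0;
}

/* Cancel every queued callback still aimed at `addr` and return how many there were.
 * The address is compared as an integer so a freed pointer is never dereferenced. */
static int timer_drop_for(uintptr_t addr)
{
    int n = 0;
    for (int i = 0; i < nsources; i++) {
        if (sources[i].id != 0 && (uintptr_t)sources[i].user_data == addr) {
            sources[i].id = 0;
            n++;
        }
    }
    return n;
}

/* One main-loop iteration: run every callback that was not cancelled, then drain. */
static void timer_dispatch_all(void)
{
    for (int i = 0; i < nsources; i++)
        if (sources[i].id != 0)
            sources[i].cb(sources[i].user_data);
    nsources = 0;
}

typedef struct { unsigned destroy_timeout_id; } TaskRow;
static int widget_destroy_calls; /* how often the deferred destroy actually ran */

/* Timeout handler: stand-in for gtd_task_row__destroy_cb calling gtk_widget_destroy(),
 * which on the intended path is what finally frees the row. */
static void row_destroy_cb(void *user_data)
{
    TaskRow *row = user_data;
    row->destroy_timeout_id = 0;
    widget_destroy_calls++;
    free(row);
}

/* The row asks to be destroyed on a later loop iteration (e.g. after a fade-out). */
static void row_destroy_later(TaskRow *row)
{
    if (row->destroy_timeout_id == 0)
        row->destroy_timeout_id = timer_add(row_destroy_cb, row);
}

enum teardown { TEARDOWN_NONE, TEARDOWN_BUGGY, TEARDOWN_FIXED };

/* Replay the bug: queue the deferred destroy, then (unless NONE) free the row at once
 * as remove_row_for_task did.  Returns how many queued callbacks were left aimed at
 * freed memory; they are dropped, not dispatched, since running one is the UAF. */
static int run_scenario(enum teardown mode)
{
    TaskRow *row = calloc(1, sizeof *row);
    uintptr_t addr = (uintptr_t)row;
    int freed = (mode != TEARDOWN_NONE);
    row_destroy_later(row);
    if (mode == TEARDOWN_FIXED) {
        /* dispose cancels the source it owns before the instance goes away; in GLib
         * that is g_source_remove(), or g_clear_handle_id(&id, g_source_remove) */
        timer_remove(row->destroy_timeout_id);
        row->destroy_timeout_id = 0;
    }
    if (freed)
        free(row);                   /* the g_type_free_instance of the trace */
    int dangling = freed ? timer_drop_for(addr) : 0;
    timer_dispatch_all();            /* safe now: only live rows remain queued */
    return dangling;
}
```

run_scenario() is the entry point: TEARDOWN_NONE is the intended path (the timeout runs and frees the row), TEARDOWN_BUGGY leaves one source pointing at freed memory, and TEARDOWN_FIXED leaves none. The early return in the attachment 339168 patch guards the callback side; cancelling the source in dispose removes the dangling reference instead, which is why the model counts pending sources rather than guarding the callback.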
I am able to delete a completed task in a list. But when I delete a task list, the app exits.
I tried to recreate this bug, but I couldn't. This blog post has a proof: http://theyodacode.blogspot.com/2017/03/bug-773854.html
(In reply to Christian Stadelmann from comment #0)

Hi Christian Stadelmann, well, I tested the possible error that you have found in this application ("gnome-todo"). Following the steps that you pointed out, I have reproduced it and apparently there are no mistakes. Could you please see my post and tell me if you have further observations: https://sites.google.com/view/aprendiendofedora25/bugs
I can still reproduce the bug following the exact same steps as in comment #0, if running from a restricted environment such as flatpak or valgrind. Without these restrictions, the bug will cause a memory corruption which will make gnome-todo break at random situations later on.
(In reply to BRESNER NURALI REVOLLAR MALDONADO from comment #5)
> (In reply to Christian Stadelmann from comment #0)
> Hi Christian Stadelman, well I tested the possible error that you have found
> in this application("gnome-todo"). Following the steps that you pointed out,
> I have reproduce it and apparently there are no mistakes. Could you please
> see my post and tell me if you have further observations:
> https://sites.google.com/view/aprendiendofedora25/bugs

I can't reproduce it either. Nice page!

(In reply to Christian Stadelmann from comment #6)
> I can still reproduce the bug following the exact same steps as in comment
> #0, if running from a restricted environment such as flatpak or valgrind.
> Without these restrictions, the bug will cause a memory corruption which
> will make gnome-todo break at random situations later on.

Are you testing against master, or a point release (3.22)?
(In reply to Georges Basile Stavracas Neto from comment #7)
> Are you testing against master, or a point release (3.22)?

I can still reproduce it, even on flatpak master branch as of today.

Steps to reproduce:
1. Add a new task
2. mark it as completed
3. un-hide (uncollapse) completed tasks
4. from menu, click "clear completed tasks"

Also, I cannot see the patch from comment #1 applied in git: https://git.gnome.org/browse/gnome-todo/log/?ofs=100
Unable to reproduce. Followed each step carefully.
With gnome-todo 3.24.1, I get a similar crasher: https://bugzilla.redhat.com/show_bug.cgi?id=1450622
bugzilla.gnome.org is being replaced by gitlab.gnome.org. We are closing all older bug reports and feature requests in GNOME Bugzilla which have not seen updates for a while. If you still use gnome-todo and if you still see this bug / want this feature in a recent and currently supported version, then please feel free to report it at https://gitlab.gnome.org/GNOME/gnome-todo/-/issues/ by following the guidelines at https://wiki.gnome.org/Community/GettingInTouch/BugReportingGuidelines Thank you for creating this report and we are sorry it could not be implemented so far (volunteer workforce and time is limited).