Bug 781777 - Use-after-free in soup_connection_connect_async():soup-connection.c:396
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: HTTP Transport
Version: 2.58.x
Platform: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
Depends on:
Blocks:
Reported: 2017-04-26 16:09 UTC by Milan Crha
Modified: 2018-09-13 08:56 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Milan Crha 2017-04-26 16:09:02 UTC
This is git master of libsoup at commit 2f103bc, built with address sanitizer, while trying to reproduce a claim from bug #781590 comment #10.

This happens when running evolution with an EWS account enabled, opening the message composer and starting a search for an existing contact in the Global Address List (GAL) address book from EWS.

Backtrace is below the ASAN report, but I do not know how it'll be parsed by the backtrace parser, thus eventually expand the backtrace to see the whole story.

==12235==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000295170 at pc 0x7fde8c2e25d0 bp 0x7fde54bf04b0 sp 0x7fde54bf04a0
WRITE of size 8 at 0x60b000295170 thread T44
    #0 0x7fde8c2e25cf in soup_connection_connect_async .../libsoup/soup-connection.c:396
    #1 0x7fde8c35efe6 in get_connection .../libsoup/soup-session.c:1938
    #2 0x7fde8c35f2ee in soup_session_process_queue_item .../libsoup/soup-session.c:1965
    #3 0x7fde8c3601a3 in async_run_queue .../libsoup/soup-session.c:2065
    #4 0x7fde8c360308 in idle_run_queue .../libsoup/soup-session.c:2092
    #5 0x7fde93f39048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
    #6 0x7fde93f2fabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
    #7 0x7fde93f33f4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
    #8 0x7fde93f34522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
    #9 0x7fde93f35074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
    #10 0x7fde747d3e4e in e_ews_soup_thread .../evolutionews/src/server/e-ews-connection.c:1734
    #11 0x7fde93fb5049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #12 0x7fde95ec66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #13 0x7fde929d1f7e in clone (/lib64/libc.so.6+0x107f7e)

0x60b000295170 is located 0 bytes inside of 104-byte region [0x60b000295170,0x60b0002951d8)
freed by thread T58 here:
    #0 0x7fde96ebbb00 in free (/usr/lib64/libasan.so.3+0xc6b00)
    #1 0x7fde93f4a47c in g_free .../glib-2.50.2/glib/gmem.c:189
    #2 0x7fde93f95eff in g_slice_free1 .../glib-2.50.2/glib/gslice.c:1136
    #3 0x7fde9463b94f in g_type_free_instance .../glib-2.50.2/gobject/gtype.c:1943
    #4 0x7fde945ff841 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3215
    #5 0x7fde8c358d1f in soup_session_set_item_connection .../libsoup/soup-session.c:1226
    #6 0x7fde8c35acbb in soup_session_unqueue_item .../libsoup/soup-session.c:1479
    #7 0x7fde8c35fae8 in soup_session_process_queue_item .../libsoup/soup-session.c:2023
    #8 0x7fde8c36c14c in soup_session_async_cancel_message .../libsoup/soup-session-async.c:132
    #9 0x7fde8c362384 in soup_session_cancel_message .../libsoup/soup-session.c:2451
    #10 0x7fde8c36266d in soup_session_real_flush_queue .../libsoup/soup-session.c:2476
    #11 0x7fde8c362bee in soup_session_abort .../libsoup/soup-session.c:2532
    #12 0x7fde8c353906 in set_proxy_resolver .../libsoup/soup-session.c:627
    #13 0x7fde8c353a4a in soup_session_set_property .../libsoup/soup-session.c:652
    #14 0x7fde945f4bdd in object_set_property .../glib-2.50.2/gobject/gobject.c:1423
    #15 0x7fde945fbd6d in g_object_set_property .../glib-2.50.2/gobject/gobject.c:2371
    #16 0x7fde945cf62b in on_source_notify .../glib-2.50.2/gobject/gbinding.c:327
    #17 0x7fde945eb6e7 in g_cclosure_marshal_VOID__PARAM .../glib-2.50.2/gobject/gmarshal.c:1832
    #18 0x7fde945deb48 in g_closure_invoke .../glib-2.50.2/gobject/gclosure.c:804
    #19 0x7fde9462b658 in signal_emit_unlocked_R .../glib-2.50.2/gobject/gsignal.c:3635
    #20 0x7fde9462941b in g_signal_emit_valist .../glib-2.50.2/gobject/gsignal.c:3391
    #21 0x7fde9462a217 in g_signal_emit .../glib-2.50.2/gobject/gsignal.c:3447
    #22 0x7fde945f354f in g_object_dispatch_properties_changed .../glib-2.50.2/gobject/gobject.c:1064
    #23 0x7fde945ef9ab in g_object_notify_queue_thaw .../glib-2.50.2/gobject/gobject.c:296
    #24 0x7fde945fbd80 in g_object_set_property .../glib-2.50.2/gobject/gobject.c:2374
    #25 0x7fde945cf62b in on_source_notify .../glib-2.50.2/gobject/gbinding.c:327
    #26 0x7fde945d3129 in g_object_bind_property_full .../glib-2.50.2/gobject/gbinding.c:956
    #27 0x7fde945d317d in g_object_bind_property .../glib-2.50.2/gobject/gbinding.c:1007
    #28 0x7fde8d486a2b in camel_binding_bind_property .../evolution-data-server/src/camel/camel.c:296
    #29 0x7fde9142a165 in e_binding_bind_property .../evolution-data-server/src/libedataserver/e-data-server-util.c:1432

previously allocated by thread T44 here:
    #0 0x7fde96ebbe60 in malloc (/usr/lib64/libasan.so.3+0xc6e60)
    #1 0x7fde93f4a313 in g_malloc .../glib-2.50.2/glib/gmem.c:94
    #2 0x7fde93f95c0c in g_slice_alloc .../glib-2.50.2/glib/gslice.c:1025
    #3 0x7fde93f95c4c in g_slice_alloc0 .../glib-2.50.2/glib/gslice.c:1051
    #4 0x7fde9463a3ac in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1848
    #5 0x7fde945f6dc3 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1783
    #6 0x7fde945f8c6c in g_object_new_valist .../glib-2.50.2/gobject/gobject.c:2042
    #7 0x7fde945f63d3 in g_object_new .../glib-2.50.2/gobject/gobject.c:1626
    #8 0x7fde8c35db6f in get_connection_for_host .../libsoup/soup-session.c:1841
    #9 0x7fde8c35ea5e in get_connection .../libsoup/soup-session.c:1898
    #10 0x7fde8c35f2ee in soup_session_process_queue_item .../libsoup/soup-session.c:1965
    #11 0x7fde8c3601a3 in async_run_queue .../libsoup/soup-session.c:2065
    #12 0x7fde8c360308 in idle_run_queue .../libsoup/soup-session.c:2092
    #13 0x7fde93f39048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
    #14 0x7fde93f2fabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
    #15 0x7fde93f33f4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
    #16 0x7fde93f34522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
    #17 0x7fde93f35074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
    #18 0x7fde747d3e4e in e_ews_soup_thread .../evolutionews/src/server/e-ews-connection.c:1734
    #19 0x7fde93fb5049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #20 0x7fde95ec66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T44 created by T43 here:
    #0 0x7fde96e26488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7fde9402262b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7fde93fb531f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7fde93fb5179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7fde747d442f in e_ews_connection_init .../evolutionews/src/server/e-ews-connection.c:1801
    #5 0x7fde9463a8ad in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1866
    #6 0x7fde945f8e3d in g_object_constructor .../glib-2.50.2/gobject/gobject.c:2068
    #7 0x7fde747d3845 in ews_connection_constructor .../evolutionews/src/server/e-ews-connection.c:1641
    #8 0x7fde945f68b8 in g_object_new_with_custom_constructor .../glib-2.50.2/gobject/gobject.c:1701
    #9 0x7fde945f6d70 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1781
    #10 0x7fde945f8c6c in g_object_new_valist .../glib-2.50.2/gobject/gobject.c:2042
    #11 0x7fde945f63d3 in g_object_new .../glib-2.50.2/gobject/gobject.c:1626
    #12 0x7fde747d6648 in e_ews_connection_new_full .../evolutionews/src/server/e-ews-connection.c:2173
    #13 0x7fde747d6d4c in e_ews_connection_new .../evolutionews/src/server/e-ews-connection.c:2217
    #14 0x7fde5f0482d2 in e_book_backend_ews_authenticate_sync .../evolutionews/src/addressbook/e-book-backend-ews.c:4256
    #15 0x7fde930991ee in e_backend_authenticate_sync .../evolution-data-server/src/libebackend/e-backend.c:254
    #16 0x7fde930998d9 in backend_source_authenticate_thread .../evolution-data-server/src/libebackend/e-backend.c:315
    #17 0x7fde93fb5049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
    #18 0x7fde95ec66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T43 created by T5 here:
    #0 0x7fde96e26488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7fde9402262b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7fde93fb531f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7fde93fb5179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7fde9309f5db in e_backend_schedule_authenticate .../evolution-data-server/src/libebackend/e-backend.c:1224
    #5 0x7fde9309a099 in backend_source_authenticate_cb .../evolution-data-server/src/libebackend/e-backend.c:403
    #6 0x7fde945ebd33 in g_cclosure_marshal_VOID__BOXED .../glib-2.50.2/gobject/gmarshal.c:1910
    #7 0x7fde945deb48 in g_closure_invoke .../glib-2.50.2/gobject/gclosure.c:804
    #8 0x7fde9462b658 in signal_emit_unlocked_R .../glib-2.50.2/gobject/gsignal.c:3635
    #9 0x7fde9462941b in g_signal_emit_valist .../glib-2.50.2/gobject/gsignal.c:3391
    #10 0x7fde9462a217 in g_signal_emit .../glib-2.50.2/gobject/gsignal.c:3447
    #11 0x7fde91384b31 in source_dbus_authenticate_cb .../evolution-data-server/src/libedataserver/e-source.c:1021
    #12 0x7fde90fc6c57 in ffi_call_unix64 (/lib64/libffi.so.6+0x5c57)
    #13 0x7fde76bf81ff  (<unknown module>)

Thread T5 created by T0 here:
    #0 0x7fde96e26488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7fde9402262b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7fde93fb531f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7fde93fb5179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7fde913e4706 in source_registry_initable_init .../evolution-data-server/src/libedataserver/e-source-registry.c:1385
    #5 0x7fde94db7473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #6 0x7fde913e5ab2 in e_source_registry_new_sync .../evolution-data-server/src/libedataserver/e-source-registry.c:1767
    #7 0x7fde930e8240 in subprocess_factory_initable_init .../evolution-data-server/src/libebackend/e-subprocess-factory.c:160
    #8 0x7fde9595a563 in subprocess_book_factory_initable_init .../evolution-data-server/src/addressbook/libedata-book/e-subprocess-book-factory.c:394
    #9 0x7fde94db7473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
    #10 0x7fde94db7732 in g_initable_new_valist .../glib-2.50.2/gio/ginitable.c:228
    #11 0x7fde94db75a4 in g_initable_new .../glib-2.50.2/gio/ginitable.c:146
    #12 0x7fde9595a68c in e_subprocess_book_factory_new .../evolution-data-server/src/addressbook/libedata-book/e-subprocess-book-factory.c:415
    #13 0x40238b in main .../evolution-data-server/src/addressbook/libedata-book/evolution-addressbook-factory-subprocess.c:191
    #14 0x7fde928ea400 in __libc_start_main (/lib64/libc.so.6+0x20400)

Thread T58 created by T5 here:
    #0 0x7fde96e26488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
    #1 0x7fde9402262b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
    #2 0x7fde93fb531f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
    #3 0x7fde93fb5179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
    #4 0x7fde9309f5db in e_backend_schedule_authenticate .../evolution-data-server/src/libebackend/e-backend.c:1224
    #5 0x7fde9309a099 in backend_source_authenticate_cb .../evolution-data-server/src/libebackend/e-backend.c:403
    #6 0x7fde945ebd33 in g_cclosure_marshal_VOID__BOXED .../glib-2.50.2/gobject/gmarshal.c:1910
    #7 0x7fde945deb48 in g_closure_invoke .../glib-2.50.2/gobject/gclosure.c:804
    #8 0x7fde9462b658 in signal_emit_unlocked_R .../glib-2.50.2/gobject/gsignal.c:3635
    #9 0x7fde9462941b in g_signal_emit_valist .../glib-2.50.2/gobject/gsignal.c:3391
    #10 0x7fde9462a217 in g_signal_emit .../glib-2.50.2/gobject/gsignal.c:3447
    #11 0x7fde91384b31 in source_dbus_authenticate_cb .../evolution-data-server/src/libedataserver/e-source.c:1021
    #12 0x7fde90fc6c57 in ffi_call_unix64 (/lib64/libffi.so.6+0x5c57)
    #13 0x7fde76bf81ff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free .../libsoup/soup-connection.c:396 in soup_connection_connect_async
Shadow bytes around the buggy address:
==12235==ABORTING

Backtrace:

Thread 8 (Thread 0x7fde54bf1700 (LWP 12411))

  • #0 waitpid
    from /lib64/libpthread.so.0
  • #1 waitpid
    from /usr/lib64/libasan.so.3
  • #2 g_spawn_sync
    at gspawn.c line 410
  • #3 g_spawn_command_line_sync
    at gspawn.c line 727
  • #4 run_bug_buddy
    at gnome-segvhanlder.c line 245
  • #5 bugbuddy_segv_handle
    at gnome-segvhanlder.c line 196
  • #6 <signal handler called>
  • #7 raise
    from /lib64/libc.so.6
  • #8 abort
    from /lib64/libc.so.6
  • #9 ??
    from /usr/lib64/libasan.so.3
  • #10 ??
    from /usr/lib64/libasan.so.3
  • #11 ??
    from /usr/lib64/libasan.so.3
  • #12 __asan_report_store8
    from /usr/lib64/libasan.so.3
  • #13 soup_connection_connect_async
    at soup-connection.c line 396
  • #14 get_connection
    at soup-session.c line 1938
  • #15 soup_session_process_queue_item
    at soup-session.c line 1965
  • #16 async_run_queue
    at soup-session.c line 2065
  • #17 idle_run_queue
    at soup-session.c line 2092
  • #18 g_idle_dispatch
    at gmain.c line 5545
  • #19 g_main_dispatch
    at gmain.c line 3203
  • #20 g_main_context_dispatch
    at gmain.c line 3856
  • #21 g_main_context_iterate
    at gmain.c line 3929
  • #22 g_main_loop_run
    at gmain.c line 4125
  • #23 e_ews_soup_thread
    at .../evolutionews/src/server/e-ews-connection.c line 1734
  • #24 g_thread_proxy
    at gthread.c line 784
  • #25 start_thread
    from /lib64/libpthread.so.0
  • #26 clone
    from /lib64/libc.so.6

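The ASan report above already names the three threads involved (the write on T44, the free on T58, the allocation on T44). The script below is an added triage helper, not part of this bug report or of libsoup: it pulls the use, free and allocation sites out of a heap-use-after-free report and flags a free that happened on a different thread than the use, which is the signature of the lifetime race seen here rather than a plain logic bug. The embedded report is a constructed excerpt of the one above, and the RUNTIME skip list (sanitizer runtime and GLib frames) is an assumption about which frames are not the object owner's code.

```python
import re
# Constructed excerpt of the AddressSanitizer report above (frames trimmed, frame numbers kept).
SAMPLE_REPORT = """\
==12235==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000295170 at pc 0x7fde8c2e25d0
WRITE of size 8 at 0x60b000295170 thread T44
    #0 0x7fde8c2e25cf in soup_connection_connect_async .../libsoup/soup-connection.c:396
0x60b000295170 is located 0 bytes inside of 104-byte region [0x60b000295170,0x60b0002951d8)
freed by thread T58 here:
    #0 0x7fde96ebbb00 in free (/usr/lib64/libasan.so.3+0xc6b00)
    #4 0x7fde945ff841 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3215
    #5 0x7fde8c358d1f in soup_session_set_item_connection .../libsoup/soup-session.c:1226
previously allocated by thread T44 here:
    #8 0x7fde8c35db6f in get_connection_for_host .../libsoup/soup-session.c:1841
"""

# Lines that open one of the three frame lists; the last capture group is always the thread id.
SECTION = {
    "access": re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)"),
    "free": re.compile(r"^freed by thread (T\d+) here:"),
    "alloc": re.compile(r"^previously allocated by thread (T\d+) here:"),
}
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (.*)$")
RUNTIME = ("libasan", "glib-")  # assumed: sanitizer runtime and GLib frames are not the owner's code

def parse(text):
    """Return (bug kind, {section: {"thread": id, "frames": [(function, location), ...]}})."""
    kind = re.search(r"AddressSanitizer: (\S+) on address", text)
    sections, current = {}, None
    for line in text.splitlines():
        for name, pat in SECTION.items():
            m = pat.match(line)
            if m:
                current = name
                sections[name] = {"thread": m.groups()[-1], "frames": []}
        m = FRAME.match(line)
        if m and current:
            sections[current]["frames"].append(m.groups())
    return (kind.group(1) if kind else None), sections

def owner_frame(frames):
    """First frame outside the sanitizer runtime and GLib: where project code touched the object."""
    return next((f for f in frames if not any(r in f[1] for r in RUNTIME)), None)

def triage(text):
    """Who used, freed and allocated the object; a free on another thread than the use is a lifetime race."""
    kind, s = parse(text)
    threads = {name: s[name]["thread"] for name in s}
    return {"kind": kind, "threads": threads, "cross_thread_free": threads.get("access") != threads.get("free"),
            "use_site": owner_frame(s["access"]["frames"]), "free_site": owner_frame(s["free"]["frames"])}
```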
Comment 1 Claudio Saavedra 2018-09-12 14:55:37 UTC
After commit 8d337030b, I think this shouldn't be reproducible. Can you confirm this? I don't see the soup_session_abort() call there anymore so this shouldn't be happening ...
Comment 2 Milan Crha 2018-09-13 08:18:48 UTC
I see, that change was made 5 days after the commit mentioned in comment #0. I'll try to reproduce it here.
Comment 3 Milan Crha 2018-09-13 08:56:42 UTC
Okay, I cannot reproduce with git gnome-3-28 at commit 578f7d80452976 (which denotes 2.62.3).