10:20 p.m.
http://bugzilla.moblin.org/show_bug.cgi?id=4919
Summary: GTK-UI: memory use-after-free when server cannot be
started
Classification: Moblin Projects
Product: SyncEvolution
Version: upstream
Platform: Netbook
OS/Version: Moblin Linux
Status: ASSIGNED
Severity: normal
Priority: P2
Component: * Feature Request
AssignedTo: jku(a)linux.intel.com
ReportedBy: patrick.ohly(a)intel.com
CC: syncevolution(a)lists.intel.com
If the syncevo-dbus-server cannot be started, then sync-ui runs into a
use-after-free error and may crash.
The chain of events is like this:
* syncevo_service_get_server_config_async(): create data
* get_server_config_async_error(): called, frees data
* get_server_config_async_error(): called again with same data pointer, now
invalid
Here's the valgrind report (only appears when running with
G_SLICE=always-malloc G_DEBUG=gc-friendly):
==18845== Invalid read of size 8
==18845== at 0x411F4B: get_server_config_async_error (syncevo-dbus.c:664)
==18845== by 0x66A5209: g_main_context_dispatch (gmain.c:1814)
==18845== by 0x66A88DF: g_main_context_iterate (gmain.c:2448)
==18845== by 0x66A8DAC: g_main_loop_run (gmain.c:2656)
==18845== by 0x4F61BC6: gtk_main (gtkmain.c:1205)
==18845== by 0x405E8E: main (main.c:113)
==18845== Address 0xde31a40 is 8 bytes inside a block of size 24 free'd
==18845== at 0x4C265AF: free (vg_replace_malloc.c:323)
==18845== by 0x411F7A: get_server_config_async_error (syncevo-dbus.c:668)
==18845== by 0x66A5209: g_main_context_dispatch (gmain.c:1814)
==18845== by 0x66A88DF: g_main_context_iterate (gmain.c:2448)
==18845== by 0x66A8DAC: g_main_loop_run (gmain.c:2656)
==18845== by 0x4F61BC6: gtk_main (gtkmain.c:1205)
==18845== by 0x405E8E: main (main.c:113)
{
<insert a suppression name here>
Memcheck:Addr8
fun:get_server_config_async_error
fun:g_main_context_dispatch
fun:g_main_context_iterate
....
I'm not sure what the right memory handling for data is. As a workaround I have
removed the g_slice_delete(). Better leak some memory instead of crashing...
Jussi, please check this.
--
Configure bugmail: http://bugzilla.moblin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
6:16 a.m.
New subject: [Bug 4919] GTK-UI: memory use-after-free when server cannot be started
http://bugzilla.moblin.org/show_bug.cgi?id=4919
--- Comment #1 from jku <jku(a)linux.intel.com> 2009-08-11 13:16:27 ---
Thanks for the stop gap fix. The memory handling is actually fine, but the
error handler is a GSourceFunc which needs to return FALSE or it gets called
again and again. I'm actually making the same stupidity in every
error-return-function.
Fixing...
--
Configure bugmail: http://bugzilla.moblin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
7:22 p.m.
New subject: [Bug 4919] GTK-UI: memory use-after-free when server cannot be started
http://bugzilla.moblin.org/show_bug.cgi?id=4919
pohly <patrick.ohly(a)intel.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
--- Comment #2 from pohly <patrick.ohly(a)intel.com> 2009-08-12 02:22:02 ---
commit 30335df90792108691c4017fb5510f7670a6c2f1
Author: Jussi Kukkonen <jku(a)linux.intel.com>
Date: Tue Aug 11 23:15:02 2009 +0300
dbus client lib: fix error functions
The async-return-functions for error situations were broken:
need to return FALSE to remove the GSource and stop the function
from getting called again.
Merged into master, will be in 0.9.
--
Configure bugmail: http://bugzilla.moblin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
7:23 p.m.
New subject: [Bug 4919] GTK-UI: memory use-after-free when server cannot be started
http://bugzilla.moblin.org/show_bug.cgi?id=4919
pohly <patrick.ohly(a)intel.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--- Comment #3 from pohly <patrick.ohly(a)intel.com> 2009-08-12 02:23:08 ---
I verified that it no longer crashes.
--
Configure bugmail: http://bugzilla.moblin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
10:15 p.m.
New subject: [Bug 4919] GTK-UI: memory use-after-free when server cannot be started
http://bugzilla.moblin.org/show_bug.cgi?id=4919
pohly <patrick.ohly(a)intel.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |INTEGRATED
--- Comment #4 from pohly <patrick.ohly(a)intel.com> 2009-08-25 05:15:30 ---
These fixes were all in SyncEvolution 0.9, which was integrated into Moblin
Trunk and the 2.1 branch. They are not integrated into Moblin 2.0 yet.
--
Configure bugmail: http://bugzilla.moblin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
4772
days inactive
4798
days old
syncevolution-issues@syncevolution.org
4 comments
1 participants
participants (1)
-
bugzilla@moblin.org