Bug 1338561

Summary: [abrt] Avoid NULL dereference in mail-send-recv.c:free_send_data() function
Product: [Fedora] Fedora
Reporter: Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc>
Component: evolution
Assignee: Milan Crha <mcrha>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 24
CC: lucilanga, mbarnes, mcrha, tpopela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/b807c0fb731b7bcebefeb61bc27730f1c7a8dc43
Whiteboard: abrt_hash:1f6209622c61c3fc9dd93ce96868e669dfb46c6b;VARIANT_ID=workstation;
Fixed In Version: evolution-3.20.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-23 11:29:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description, Flags):
File: backtrace none
File: cgroup none
File: core_backtrace none
File: dso_list none
File: environ none
File: exploitable none
File: limits none
File: maps none
File: mountinfo none
File: namespaces none
File: open_fds none
File: proc_pid_status none
File: var_log_messages none

Description Michael Catanzaro 2016-05-22 21:35:18 UTC
Description of problem:
I think it happened when the network turned on (or maybe off).

Version-Release number of selected component:
evolution-3.20.2-1.fc24

Additional info:
reporter:       libreport-2.7.0
backtrace_rating: 4
cmdline:        evolution
crash_function: free_send_data
executable:     /usr/bin/evolution
global_pid:     2344
kernel:         4.5.4-300.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
reproducible:   Not sure how to reproduce the problem
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 free_send_data at mail-send-recv.c:203
 #1 send_receive at mail-send-recv.c:1632
 #6 _gtk_action_emit_activate at deprecated/gtkaction.c:909
 #11 _g_closure_invoke_va at gclosure.c:867
 #13 g_signal_emit_by_name at gsignal.c:3481
 #14 _g_closure_invoke_va at gclosure.c:867
 #17 gtk_button_do_release at gtkbutton.c:1843
 #18 gtk_real_button_released at gtkbutton.c:1961
 #23 multipress_released_cb at gtkbutton.c:666
 #24 ffi_call_unix64 at ../src/x86/unix64.S:76

Comment 1 Michael Catanzaro 2016-05-22 21:35:23 UTC
Created attachment 1160404 [details]
File: backtrace

Comment 2 Michael Catanzaro 2016-05-22 21:35:24 UTC
Created attachment 1160405 [details]
File: cgroup

Comment 3 Michael Catanzaro 2016-05-22 21:35:25 UTC
Created attachment 1160406 [details]
File: core_backtrace

Comment 4 Michael Catanzaro 2016-05-22 21:35:26 UTC
Created attachment 1160407 [details]
File: dso_list

Comment 5 Michael Catanzaro 2016-05-22 21:35:27 UTC
Created attachment 1160408 [details]
File: environ

Comment 6 Michael Catanzaro 2016-05-22 21:35:28 UTC
Created attachment 1160409 [details]
File: exploitable

Comment 7 Michael Catanzaro 2016-05-22 21:35:29 UTC
Created attachment 1160410 [details]
File: limits

Comment 8 Michael Catanzaro 2016-05-22 21:35:31 UTC
Created attachment 1160411 [details]
File: maps

Comment 9 Michael Catanzaro 2016-05-22 21:35:32 UTC
Created attachment 1160412 [details]
File: mountinfo

Comment 10 Michael Catanzaro 2016-05-22 21:35:33 UTC
Created attachment 1160413 [details]
File: namespaces

Comment 11 Michael Catanzaro 2016-05-22 21:35:34 UTC
Created attachment 1160414 [details]
File: open_fds

Comment 12 Michael Catanzaro 2016-05-22 21:35:35 UTC
Created attachment 1160415 [details]
File: proc_pid_status

Comment 13 Michael Catanzaro 2016-05-22 21:35:36 UTC
Created attachment 1160416 [details]
File: var_log_messages

Comment 14 Milan Crha 2016-05-23 11:29:38 UTC
Thanks for a bug report. I see from the backtrace where the crash happened and from the code why it happened (a check for "data is not NULL" is missing), but I do not see from it why it happened (aka what caused the crash). The var_log_messages shows that there was some quick connection change, the network got offline and immediately after that online. That's the most I see from the given data by the ABRT.

As the "data is not NULL" check is missing there, I will add it. It will fix this particular crash, but not the root cause (which is unknown). Everything is supposed to be done in the main thread, thus it shouldn't be about thread interleaving. It's probably more like the connection change caused a sudden operation cancel, which caused the operation not to be finished in the next main loop idle round, but rather immediately, thus it could free the global 'send_data' variable before this particular main thread operation finished. It seems unlikely to me, but I can be wrong.

Created commit 362d39a in evo master (3.21.3+) [1]
Created commit 303442f in evo gnome-3-20 (3.20.3+)

[1] https://git.gnome.org/browse/evolution/commit/?id=362d39a
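
The failure mode discussed in Comment 14, as an added C model that is not Evolution's code and not part of the original report: a single global state object is torn down twice on one thread, once by a cancel that completes immediately and once by the caller, and the NULL guard makes the second teardown a no-op. The names `send_state`, `g_state`, `free_state` and `run_send_receive` are hypothetical.

```c
/* Added illustration: a simplified model, not Evolution's source.
 * Every type and function name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct send_state {
    char *status;               /* buffer owned by the state */
};

/* One global state object shared by the whole send/receive run. */
static struct send_state *g_state;

/* Teardown with the NULL guard. Returns 1 if it freed the state,
 * 0 if an earlier call already did. Without the guard, the second
 * call would read data->status through a NULL pointer. */
static int free_state(void)
{
    struct send_state *data = g_state;

    if (data == NULL)
        return 0;
    g_state = NULL;             /* clear first: re-entrant calls see NULL */
    free(data->status);
    free(data);
    return 1;
}

/* Caller path: create the state, start work, then clean up.
 * cancelled_early models a cancel whose completion handler runs at
 * once (not in a later idle round) and tears the state down itself.
 * Returns how many teardown calls really freed memory, or -1. */
static int run_send_receive(int cancelled_early)
{
    int freed = 0;

    g_state = calloc(1, sizeof *g_state);
    if (g_state == NULL)
        return -1;
    g_state->status = malloc(16);
    if (cancelled_early)
        freed += free_state();  /* completion handler's teardown */
    freed += free_state();      /* caller's own teardown */
    return freed;
}

int main(void)
{
    printf("normal=%d flap=%d\n", run_send_receive(0), run_send_receive(1));
    return 0;
}
```

Both paths free the state exactly once; as the comment notes, a guard of this kind stops the crash without explaining why the early teardown happened.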