Bug 1538865

Summary: [abrt] [composer-autosave] Use-after-free during snapshot save to file
Product: [Fedora] Fedora
Reporter: Matt McAdoo <fedorabugs>
Component: evolution
Assignee: Milan Crha <mcrha>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: alexl, caillon+fedoraproject, fedora, jappleii, jwilliams, lucilanga, mcrha, rhughes, rstrode
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/7bd649eb6a98de514fc97ecc65600616fee7aeb3
Whiteboard: abrt_hash:480c8bcc95aaeee5b47fed2d3c8609a784be33fe;VARIANT_ID=workstation;
Fixed In Version: evolution-3.28.3
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-05-29 11:24:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments (flags: none): backtrace, cgroup, core_backtrace, cpuinfo, dso_list, environ, exploitable, limits, maps, open_fds, proc_pid_status, var_log_messages

Description Matt McAdoo 2018-01-26 00:55:19 UTC
Description of problem:
Office 365 email account.  Sending email with 15 individual attachments, not zipped.  Crash seems to occur right after sending.  Message shows up in the Sent Items folder.

Version-Release number of selected component:
evolution-3.24.6-1.fc26

Additional info:
reporter:       libreport-2.9.1
backtrace_rating: 4
cmdline:        /usr/bin/evolution
crash_function: e_attachment_store_get_num_attachments
executable:     /usr/bin/evolution
journald_cursor: s=48d44bcb09e3459289cb018456d15da4;i=2c21e;b=cb95d257295744dab35eeaba5712f84b;m=193171cf38;t=563a31903f578;x=93221f5f218a332f
kernel:         4.14.13-200.fc26.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (7 frames)
 #0 e_attachment_store_get_num_attachments at /usr/src/debug/evolution-3.24.6/src/e-util/e-attachment-store.c:542
 #1 composer_build_message at /usr/src/debug/evolution-3.24.6/src/composer/e-msg-composer.c:1451
 #2 e_msg_composer_get_message_draft at /usr/src/debug/evolution-3.24.6/src/composer/e-msg-composer.c:5076
 #3 save_snapshot_replace_cb at /usr/src/debug/evolution-3.24.6/src/modules/composer-autosave/e-autosave-utils.c:329
 #4 g_task_return_now at gtask.c:1145
 #5 complete_in_idle_cb at gtask.c:1159
 #11 gtk_main at gtkmain.c:1322

Comment 1 Matt McAdoo 2018-01-26 00:55:24 UTC
Created attachment 1386390 [details]
File: backtrace

Comment 2 Matt McAdoo 2018-01-26 00:55:25 UTC
Created attachment 1386391 [details]
File: cgroup

Comment 3 Matt McAdoo 2018-01-26 00:55:26 UTC
Created attachment 1386392 [details]
File: core_backtrace

Comment 4 Matt McAdoo 2018-01-26 00:55:27 UTC
Created attachment 1386393 [details]
File: cpuinfo

Comment 5 Matt McAdoo 2018-01-26 00:55:28 UTC
Created attachment 1386394 [details]
File: dso_list

Comment 6 Matt McAdoo 2018-01-26 00:55:29 UTC
Created attachment 1386395 [details]
File: environ

Comment 7 Matt McAdoo 2018-01-26 00:55:30 UTC
Created attachment 1386396 [details]
File: exploitable

Comment 8 Matt McAdoo 2018-01-26 00:55:31 UTC
Created attachment 1386397 [details]
File: limits

Comment 9 Matt McAdoo 2018-01-26 00:55:32 UTC
Created attachment 1386398 [details]
File: maps

Comment 10 Matt McAdoo 2018-01-26 00:55:33 UTC
Created attachment 1386399 [details]
File: open_fds

Comment 11 Matt McAdoo 2018-01-26 00:55:34 UTC
Created attachment 1386400 [details]
File: proc_pid_status

Comment 12 Matt McAdoo 2018-01-26 00:55:35 UTC
Created attachment 1386401 [details]
File: var_log_messages

Comment 13 Milan Crha 2018-01-26 08:14:13 UTC
Thanks for the bug report. It looks like a coincidence: when you finished the message and sent it, an autosave of it was also triggered, which had been accessing already freed memory or something like that.

Comment 14 Milan Crha 2018-01-29 15:03:06 UTC
I've been able to reproduce this by cheating in the code, to have time to close the composer while it was saving the content. It's fixed for the next release with:

Created commit 79dd568d6d in evo master (3.27.90+) [1]
Created commit 963e2b721a in evo gnome-3-26 (3.26.5+)

[1] https://git.gnome.org/browse/evolution/commit/?id=79dd568d6d

Comment 15 Milan Crha 2018-01-31 18:15:53 UTC
It looks like I didn't fix it completely, I just noticed something odd. I'll investigate it further and then update this bug report.

Comment 16 Milan Crha 2018-02-01 10:17:38 UTC
Hrm, while it seemed like I was able to reproduce this just by sending the message yesterday, I'm not able to reproduce it today. I'll keep watching for this issue and update the bug if I find anything.

Comment 17 Matt McAdoo 2018-02-08 22:33:50 UTC
*** Bug 1543644 has been marked as a duplicate of this bug. ***

Comment 18 Christian Stadelmann 2018-03-11 21:27:40 UTC
*** Bug 1554144 has been marked as a duplicate of this bug. ***

Comment 19 Milan Crha 2018-03-13 09:58:55 UTC
*** Bug 1554146 has been marked as a duplicate of this bug. ***

Comment 20 Milan Crha 2018-03-13 10:00:36 UTC
I'm reopening this bug report, both due to comment #15 and due to the duplicates.

Comment 21 Milan Crha 2018-03-29 08:17:23 UTC
I'm still not able to reproduce this reliably. It looks like one of the prerequisites is to close the composer while it is auto-saving the message, thus when the auto-save is done the composer window is gone.
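
Added illustration (not Evolution's code and not the fix in the commits referenced in this report): a plain-C model of the race described in comments 13 and 21. A pending autosave holds a reference to its source object, as a GTask does, but closing the window disposes the window's children regardless of that reference, so a completion callback that only trusts the reference still reaches freed memory. The model shows the check a completion callback needs before touching its owner's children. All names (Composer, AttachmentStore, snapshot_task_*) and the 15-attachment sample are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the attachment store the callback reads. */
typedef struct {
    int num_attachments;
} AttachmentStore;

/* Constructed stand-in for the composer window. Like a GTK widget it is
 * reference counted, but closing it disposes its children immediately,
 * even while another holder (the pending autosave) still has a reference. */
typedef struct {
    int refcount;
    int disposed;           /* set when the window is closed */
    AttachmentStore *store; /* released (NULL) once disposed */
} Composer;

static int freed_composers = 0; /* instrumentation for the scenarios below */

static Composer *composer_new(int num_attachments)
{
    Composer *c = calloc(1, sizeof *c);
    c->store = calloc(1, sizeof *c->store);
    c->store->num_attachments = num_attachments;
    c->refcount = 1;        /* the window's own reference */
    return c;
}

static Composer *composer_ref(Composer *c)
{
    c->refcount++;
    return c;
}

static void composer_unref(Composer *c)
{
    if (--c->refcount > 0)
        return;
    free(c->store);         /* already NULL if the window was disposed */
    free(c);
    freed_composers++;
}

/* Closing the window: dispose children and drop the window's own reference.
 * The struct itself survives only as long as someone else still holds a ref. */
static void composer_close(Composer *c)
{
    c->disposed = 1;
    free(c->store);
    c->store = NULL;
    composer_unref(c);
}

/* A pending autosave, standing in for the task behind save_snapshot_replace_cb
 * in the backtrace: it keeps its source object referenced until the callback ran. */
typedef struct {
    Composer *composer;
} SnapshotTask;

static SnapshotTask *snapshot_task_start(Composer *c)
{
    SnapshotTask *t = calloc(1, sizeof *t);
    t->composer = composer_ref(c);
    return t;
}

/* Completion callback. Returns the attachment count it read, or -1 if the
 * composer was closed in the meantime. The reference keeps the Composer
 * struct valid, not its children, so the disposed state must be checked
 * before any child is touched. */
static int snapshot_task_complete(SnapshotTask *t)
{
    Composer *c = t->composer;
    int result;

    if (c->disposed || c->store == NULL)
        result = -1;                        /* nothing left to snapshot */
    else
        result = c->store->num_attachments; /* window still open */

    composer_unref(c);                      /* drop the task's reference */
    free(t);
    return result;
}

/* Scenario from comment 21: the window is closed while the autosave is in flight. */
static int scenario_close_during_autosave(void)
{
    freed_composers = 0;
    Composer *c = composer_new(15);         /* 15 attachments, as in the report */
    SnapshotTask *t = snapshot_task_start(c);
    composer_close(c);                      /* user closes the composer after sending */
    return snapshot_task_complete(t);       /* -1; the composer is freed here, once */
}

/* Control scenario: the autosave finishes before the window is closed. */
static int scenario_autosave_completes_first(void)
{
    freed_composers = 0;
    Composer *c = composer_new(15);
    SnapshotTask *t = snapshot_task_start(c);
    int result = snapshot_task_complete(t); /* 15 */
    composer_close(c);
    return result;
}

static int composer_freed_count(void)
{
    return freed_composers;
}

int main(void)
{
    printf("close during autosave: %d (freed=%d)\n",
           scenario_close_during_autosave(), composer_freed_count());
    printf("autosave completes first: %d (freed=%d)\n",
           scenario_autosave_completes_first(), composer_freed_count());
    return 0;
}
```

In the first scenario the callback runs against a window that has already been disposed; it sees the disposed flag, skips the snapshot and releases the last reference, so the composer is freed exactly once and nothing reads through a dangling child pointer. Without that check the callback would dereference the released store, which is the shape of the crash in frame #0 of the backtrace.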

Comment 22 Milan Crha 2018-05-28 07:23:59 UTC
*** Bug 1583000 has been marked as a duplicate of this bug. ***

Comment 23 Milan Crha 2018-05-29 11:24:49 UTC
I made some enhancements in the previous change which might help with this. I hope.

Created commit 2179125d83 in evo master (3.29.3+) [1]
Created commit f5f57a0f05 in evo gnome-3-28 (3.28.3+)

[1] https://gitlab.gnome.org/GNOME/evolution/commit/2179125d83