Bug 1585302

Summary:	NMNetworkMenuItem: Invalid free() / delete / delete[] / realloc()
Product:	[Fedora] Fedora	Reporter:	Lukas Slebodnik <lslebodn>
Component:	network-manager-applet	Assignee:	Lubomir Rintel <lkundrak>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	blueowl, dcbw, lkundrak, thaller
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	network-manager-applet-1.8.12-4.fc29	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-06-04 15:21:21 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2018-06-01 19:05:36 UTC

Description of problem:
nma-applet crashed for me few times. So I tried to run it with valgrind and there is use after free bug.

Version-Release number of selected component (if applicable):

sh$ rpm -q glib2 network-manager-applet gtk3
glib2-2.56.1-3.fc29.x86_64
network-manager-applet-1.8.12-2.fc29.x86_64
gtk3-3.22.30-1.fc29.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. click to nm-applet in panel (NOTE: I use xfce)
2. hit key "ESC"
3. // there are errors reported by valgrind.

Actual results:
==3527== 15 errors in context 1 of 2:
==3527== Invalid free() / delete / delete[] / realloc()
==3527==    at 0x4C2EDAC: free (vg_replace_malloc.c:530)
==3527==    by 0x6EA24D1: g_free (gmem.c:194)
==3527==    by 0x6EBAC71: g_slice_free_chain_with_offset (gslice.c:1232)
==3527==    by 0x118C2A: finalize (ap-menu-item.c:330)
==3527==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==3527==    by 0x52DBA4C: gtk_menu_shell_forall (gtkmenushell.c:1154)
==3527==    by 0x51F3F99: gtk_container_destroy (gtkcontainer.c:1700)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C21299: signal_emit_unlocked_R (gsignal.c:3751)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416D9F: gtk_widget_dispose (gtkwidget.c:12098)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==3527==    by 0x5416CC7: gtk_widget_dispose (gtkwidget.c:12087)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x11B25C: destroy_old_menu (applet.c:1644)
==3527==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==3527==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==3527==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==3527==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==3527==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==3527==    by 0x6900684: g_application_run (gapplication.c:2470)
==3527==    by 0x1187DA: main (main.c:81)
==3527==  Address 0x22ff4f60 is 0 bytes inside a block of size 16 free'd
==3527==    at 0x4C2EDAC: free (vg_replace_malloc.c:530)
==3527==    by 0x6EA24D1: g_free (gmem.c:194)
==3527==    by 0x6EBAC71: g_slice_free_chain_with_offset (gslice.c:1232)
==3527==    by 0x118C21: finalize (ap-menu-item.c:329)
==3527==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==3527==    by 0x52DBA4C: gtk_menu_shell_forall (gtkmenushell.c:1154)
==3527==    by 0x51F3F99: gtk_container_destroy (gtkcontainer.c:1700)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C21299: signal_emit_unlocked_R (gsignal.c:3751)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416D9F: gtk_widget_dispose (gtkwidget.c:12098)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==3527==    by 0x5416CC7: gtk_widget_dispose (gtkwidget.c:12087)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x11B25C: destroy_old_menu (applet.c:1644)
==3527==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==3527==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==3527==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==3527==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==3527==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==3527==    by 0x6900684: g_application_run (gapplication.c:2470)
==3527==    by 0x1187DA: main (main.c:81)
==3527==  Block was alloc'd at
==3527==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==3527==    by 0x6EA23C5: g_malloc (gmem.c:99)
==3527==    by 0x6EB9FF6: g_slice_alloc (gslice.c:1025)
==3527==    by 0x6EBB0C9: g_slist_prepend (gslist.c:259)
==3527==    by 0x11929F: nm_network_menu_item_add_dupe (ap-menu-item.c:213)
==3527==    by 0x126F45: get_menu_item_for_ap (applet-device-wifi.c:718)
==3527==    by 0x127110: wifi_add_menu_item (applet-device-wifi.c:887)
==3527==    by 0x11F016: add_device_items (applet.c:1376)
==3527==    by 0x11F277: nma_menu_add_devices (applet.c:1401)
==3527==    by 0x11F277: nma_menu_show_cb (applet.c:1627)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416975: gtk_widget_show (gtkwidget.c:4800)
==3527==    by 0x52D15EE: gtk_menu_popup_internal (gtkmenu.c:1976)
==3527==    by 0x52D1B62: gtk_menu_popup (gtkmenu.c:2140)
==3527==    by 0x11C322: status_icon_activate_cb (applet.c:3158)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5152DE0: emit_activate_signal (gtkstatusicon.c:1331)
==3527==    by 0x5152DE0: gtk_status_icon_button_press (gtkstatusicon.c:1659)
==3527==    by 0x52BFCEA: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:83)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C296E2: g_signal_emit_valist (gsignal.c:3401)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x540DAA3: gtk_widget_event_internal (gtkwidget.c:7744)
==3527==    by 0x52BCC15: propagate_event_up (gtkmain.c:2582)
==3527==    by 0x52BCC15: propagate_event (gtkmain.c:2685)
==3527==    by 0x52BEDD2: gtk_main_do_event (gtkmain.c:1915)
==3527==    by 0x59D6638: _gdk_event_emit (gdkevents.c:73)
==3527==    by 0x5A07E75: gdk_event_source_dispatch (gdkeventsource.c:367)
==3527== 
==3527== 
==3527== 15 errors in context 2 of 2:
==3527== Invalid read of size 8
==3527==    at 0x6EBAC32: g_slice_free_chain_with_offset (gslice.c:1226)
==3527==    by 0x118C2A: finalize (ap-menu-item.c:330)
==3527==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==3527==    by 0x52DBA4C: gtk_menu_shell_forall (gtkmenushell.c:1154)
==3527==    by 0x51F3F99: gtk_container_destroy (gtkcontainer.c:1700)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C21299: signal_emit_unlocked_R (gsignal.c:3751)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416D9F: gtk_widget_dispose (gtkwidget.c:12098)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==3527==    by 0x5416CC7: gtk_widget_dispose (gtkwidget.c:12087)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x11B25C: destroy_old_menu (applet.c:1644)
==3527==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==3527==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==3527==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==3527==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==3527==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==3527==    by 0x6900684: g_application_run (gapplication.c:2470)
==3527==    by 0x1187DA: main (main.c:81)
==3527==  Address 0x22ff4f68 is 8 bytes inside a block of size 16 free'd
==3527==    at 0x4C2EDAC: free (vg_replace_malloc.c:530)
==3527==    by 0x6EA24D1: g_free (gmem.c:194)
==3527==    by 0x6EBAC71: g_slice_free_chain_with_offset (gslice.c:1232)
==3527==    by 0x118C21: finalize (ap-menu-item.c:329)
==3527==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==3527==    by 0x52DBA4C: gtk_menu_shell_forall (gtkmenushell.c:1154)
==3527==    by 0x51F3F99: gtk_container_destroy (gtkcontainer.c:1700)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C21299: signal_emit_unlocked_R (gsignal.c:3751)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416D9F: gtk_widget_dispose (gtkwidget.c:12098)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==3527==    by 0x5416CC7: gtk_widget_dispose (gtkwidget.c:12087)
==3527==    by 0x6C12F37: g_object_unref (gobject.c:3303)
==3527==    by 0x11B25C: destroy_old_menu (applet.c:1644)
==3527==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==3527==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==3527==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==3527==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==3527==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==3527==    by 0x6900684: g_application_run (gapplication.c:2470)
==3527==    by 0x1187DA: main (main.c:81)
==3527==  Block was alloc'd at
==3527==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==3527==    by 0x6EA23C5: g_malloc (gmem.c:99)
==3527==    by 0x6EB9FF6: g_slice_alloc (gslice.c:1025)
==3527==    by 0x6EBB0C9: g_slist_prepend (gslist.c:259)
==3527==    by 0x11929F: nm_network_menu_item_add_dupe (ap-menu-item.c:213)
==3527==    by 0x126F45: get_menu_item_for_ap (applet-device-wifi.c:718)
==3527==    by 0x127110: wifi_add_menu_item (applet-device-wifi.c:887)
==3527==    by 0x11F016: add_device_items (applet.c:1376)
==3527==    by 0x11F277: nma_menu_add_devices (applet.c:1401)
==3527==    by 0x11F277: nma_menu_show_cb (applet.c:1627)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5416975: gtk_widget_show (gtkwidget.c:4800)
==3527==    by 0x52D15EE: gtk_menu_popup_internal (gtkmenu.c:1976)
==3527==    by 0x52D1B62: gtk_menu_popup (gtkmenu.c:2140)
==3527==    by 0x11C322: status_icon_activate_cb (applet.c:3158)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x5152DE0: emit_activate_signal (gtkstatusicon.c:1331)
==3527==    by 0x5152DE0: gtk_status_icon_button_press (gtkstatusicon.c:1659)
==3527==    by 0x52BFCEA: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:83)
==3527==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==3527==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==3527==    by 0x6C296E2: g_signal_emit_valist (gsignal.c:3401)
==3527==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==3527==    by 0x540DAA3: gtk_widget_event_internal (gtkwidget.c:7744)
==3527==    by 0x52BCC15: propagate_event_up (gtkmain.c:2582)
==3527==    by 0x52BCC15: propagate_event (gtkmain.c:2685)
==3527==    by 0x52BEDD2: gtk_main_do_event (gtkmain.c:1915)
==3527==    by 0x59D6638: _gdk_event_emit (gdkevents.c:73)
==3527==    by 0x5A07E75: gdk_event_source_dispatch (gdkeventsource.c:367)

Expected results:
No errors

Additional info:

nm-applet probably crashed for different reason. So I will run applet with valgrind for longer time and I'll add comment later.

Comment 1 Lukas Slebodnik 2018-06-01 19:09:05 UTC

Another use after free

==5097== Invalid read of size 8
==5097==    at 0x6EBAC32: g_slice_free_chain_with_offset (gslice.c:1226)
==5097==    by 0x118C2A: finalize (ap-menu-item.c:330)
==5097==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==5097==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==5097==    by 0x11F8B8: applet_update_menu (applet.c:2032)
==5097==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==5097==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==5097==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==5097==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==5097==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==5097==    by 0x6900684: g_application_run (gapplication.c:2470)
==5097==    by 0x1187DA: main (main.c:81)
==5097==  Address 0x2386f5c8 is 8 bytes inside a block of size 16 free'd
==5097==    at 0x4C2EDAC: free (vg_replace_malloc.c:530)
==5097==    by 0x6EA24D1: g_free (gmem.c:194)
==5097==    by 0x6EBAC71: g_slice_free_chain_with_offset (gslice.c:1232)
==5097==    by 0x118C21: finalize (ap-menu-item.c:329)
==5097==    by 0x6C12FB8: g_object_unref (gobject.c:3340)
==5097==    by 0x51F24CC: gtk_container_remove (gtkcontainer.c:1909)
==5097==    by 0x11F8B8: applet_update_menu (applet.c:2032)
==5097==    by 0x6E991CA: g_idle_dispatch (gmain.c:5535)
==5097==    by 0x6E9C8AC: g_main_dispatch (gmain.c:3177)
==5097==    by 0x6E9C8AC: g_main_context_dispatch (gmain.c:3830)
==5097==    by 0x6E9CC77: g_main_context_iterate.isra.21 (gmain.c:3903)
==5097==    by 0x6E9CD0F: g_main_context_iteration (gmain.c:3964)
==5097==    by 0x6900684: g_application_run (gapplication.c:2470)
==5097==    by 0x1187DA: main (main.c:81)
==5097==  Block was alloc'd at
==5097==    at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==5097==    by 0x6EA23C5: g_malloc (gmem.c:99)
==5097==    by 0x6EB9FF6: g_slice_alloc (gslice.c:1025)
==5097==    by 0x6EBB0C9: g_slist_prepend (gslist.c:259)
==5097==    by 0x11929F: nm_network_menu_item_add_dupe (ap-menu-item.c:213)
==5097==    by 0x1194BB: nm_network_menu_item_new (ap-menu-item.c:259)
==5097==    by 0x126CDC: create_new_ap_item (applet-device-wifi.c:625)
==5097==    by 0x126CDC: get_menu_item_for_ap (applet-device-wifi.c:722)
==5097==    by 0x127110: wifi_add_menu_item (applet-device-wifi.c:887)
==5097==    by 0x11F016: add_device_items (applet.c:1376)
==5097==    by 0x11F277: nma_menu_add_devices (applet.c:1401)
==5097==    by 0x11F277: nma_menu_show_cb (applet.c:1627)
==5097==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==5097==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==5097==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==5097==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==5097==    by 0x5416975: gtk_widget_show (gtkwidget.c:4800)
==5097==    by 0x52D15EE: gtk_menu_popup_internal (gtkmenu.c:1976)
==5097==    by 0x52D1B62: gtk_menu_popup (gtkmenu.c:2140)
==5097==    by 0x11C322: status_icon_activate_cb (applet.c:3158)
==5097==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==5097==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==5097==    by 0x6C2A069: g_signal_emit_valist (gsignal.c:3391)
==5097==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==5097==    by 0x5152DE0: emit_activate_signal (gtkstatusicon.c:1331)
==5097==    by 0x5152DE0: gtk_status_icon_button_press (gtkstatusicon.c:1659)
==5097==    by 0x52BFCEA: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:83)
==5097==    by 0x6C0DADC: g_closure_invoke (gclosure.c:804)
==5097==    by 0x6C20F42: signal_emit_unlocked_R (gsignal.c:3635)
==5097==    by 0x6C296E2: g_signal_emit_valist (gsignal.c:3401)
==5097==    by 0x6C2A662: g_signal_emit (gsignal.c:3447)
==5097==    by 0x540DAA3: gtk_widget_event_internal (gtkwidget.c:7744)
==5097==    by 0x52BCC15: propagate_event_up (gtkmain.c:2582)
==5097==    by 0x52BCC15: propagate_event (gtkmain.c:2685)
==5097==    by 0x52BEDD2: gtk_main_do_event (gtkmain.c:1915)
==5097==    by 0x59D6638: _gdk_event_emit (gdkevents.c:73)

Comment 2 Thomas Haller 2018-06-01 21:35:03 UTC

fixed upstream:

https://gitlab.gnome.org/GNOME/network-manager-applet/commit/40a6dd2f22c32ec668287d019ef6667c297d17ec