Bug 903241

Summary: Double-free on message copy/move
Product: Red Hat Enterprise Linux 6
Reporter: Jiri Koten <jkoten>
Component: evolution-mapi
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Priority: high
Version: 6.4
CC: cschalle, mcrha, pvine, tlavigne, tpelka
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: evolution-mapi-0.28.3-12.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 10:21:01 UTC
Type: Bug
Bug Blocks: 905536
Attachments:
evolution-mapi-0.28.3-copymove-doublefree.patch (flags: none)

Description Jiri Koten 2013-01-23 14:46:02 UTC
Description of problem:
After a msg is deleted, evolution fails to refresh the Inbox and crashes.
It keeps crashing when I start it again.

Tested with MS Exchange 2010.   

Version-Release number of selected component (if applicable):
evolution-2.28.3-30.el6
evolution-mapi-0.28.3-11.el6
openchange-1.0-4.el6
samba4-libs-4.0.0-53.el6.rc4

How reproducible:
100%

Steps to Reproduce:
1. Delete a msg
2. Click Send/Receive
3. Open Evolution again

Actual results:
crash

Expected results:
no crash

Additional info:

Comment 2 Milan Crha 2013-01-23 16:52:21 UTC
From the log:
talloc: access after free error - first free may be at exchange-mapi-connection.c:2508
Bad talloc magic value - access after free

And backtrace:
Thread 1 (Thread 0x7ffa8bfff700 (LWP 23725)):
#0  0x0000003e6f6328a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003e6f634085 in abort () at abort.c:92
#2  0x00007ffa9321dc3c in talloc_abort (reason=0x7ffa93223348 "Bad talloc magic value - access after free") at ../talloc.c:317
#3  0x00007ffa9321db20 in talloc_abort_access_after_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:336
#4  talloc_chunk_from_ptr (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:357
#5  _talloc_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:1348
#6  0x00007ffa938b85c5 in mapi_id_array_release (id=<value optimized out>) at libmapi/mapi_id_array.c:84
#7  0x00007ffa93bdb005 in mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mid_list=<value optimized out>, do_copy=0)
    at exchange-mapi-connection.c:2509
#8  0x00007ffa93bdb0a8 in exchange_mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mids=0x171c130 = {...})
    at exchange-mapi-connection.c:2544
#9  0x00007ffa93df45d3 in mapi_sync (folder=0x16b7600, expunge=<value optimized out>, ex=0x7ffa8bffeb40) at camel-mapi-folder.c:910
#10 0x000000357dc300e1 in camel_folder_sync (folder=0x16b7600, expunge=0, ex=0x7ffa8bffeb40) at camel-folder.c:321
#11 0x00007ffab0855e7d in refresh_folders_exec (m=0x7ffa84001400) at mail-send-recv.c:829
#12 0x00007ffab085431f in mail_msg_proxy (msg=0x7ffa84001400) at mail-mt.c:522
#13 0x0000003e7066359b in g_thread_pool_thread_proxy (data=<value optimized out>) at gthreadpool.c:265
#14 0x0000003e70662004 in g_thread_create_proxy (data=0x179c5c0) at gthread.c:635
#15 0x0000003e6fa07851 in start_thread (arg=0x7ffa8bfff700) at pthread_create.c:301
#16 0x0000003e6f6e890d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Fix is underway. The problem here is that the talloc mem_ctx which was used to allocate the array of ids was freed just before the id array itself, which caused the use-after-free.
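As an added illustration (not code from this bug, the attached patch or evolution-mapi), a simplified model of talloc's ownership tree showing why releasing the mem_ctx before the id array allocated from it trips the magic-value check, next to an order that does not; the arena layout, chunk struct and the shape of fixed_order are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Minimal model of talloc ownership (illustrative, not libtalloc): freeing a
 * context frees every chunk allocated from it. Chunks live in a static arena
 * so a freed header can still be inspected, which is how talloc spots a bad
 * magic value and reports "access after free". Payload storage is omitted. */
#define MAGIC_LIVE  0x7A110C00u
#define MAGIC_FREED 0xDEADBEEFu
#define MAX_CHUNKS  16
struct chunk { uint32_t magic; struct chunk *parent; };
static struct chunk arena[MAX_CHUNKS];
static int n_chunks;

/* Allocate a chunk owned by parent (NULL = top-level context). */
void *ctx_alloc(void *parent) {
    if (n_chunks >= MAX_CHUNKS) return NULL;
    struct chunk *c = &arena[n_chunks++];
    c->magic = MAGIC_LIVE;
    c->parent = parent;
    return c;
}

/* Free a chunk and, recursively, everything it owns. Returns 0 on success,
 * -1 on a bad magic value (the point where real talloc aborts). */
int ctx_free(void *ptr) {
    struct chunk *c = ptr;
    if (c->magic != MAGIC_LIVE) return -1;
    for (int i = 0; i < n_chunks; i++)
        if (arena[i].parent == c && arena[i].magic == MAGIC_LIVE)
            ctx_free(&arena[i]);
    c->magic = MAGIC_FREED;
    return 0;
}

/* The order from the bug: mem_ctx goes first and takes the id array with it,
 * so the explicit release of the array afterwards is a double free. */
int buggy_order(void) {
    n_chunks = 0;
    void *mem_ctx = ctx_alloc(NULL);
    void *id_array = ctx_alloc(mem_ctx);
    ctx_free(mem_ctx);
    return ctx_free(id_array);   /* -1: already freed by its parent */
}
/* A valid order: release the array while its context is still live, then the
 * context (assumed shape of the fix, not the attached patch). */
int fixed_order(void) {
    n_chunks = 0;
    void *mem_ctx = ctx_alloc(NULL);
    void *id_array = ctx_alloc(mem_ctx);
    return (ctx_free(id_array) == 0 && ctx_free(mem_ctx) == 0) ? 0 : -1;
}
```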

Comment 3 RHEL Program Management 2013-01-23 17:00:20 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 4 Milan Crha 2013-01-23 17:05:33 UTC
It caused a double-free, actually. If you want a bit more background here: deleting a message in a folder other than Deleted Items causes a message move from that folder to Deleted Items, and at the end of this the double-free happened. Internal data doesn't know that the message was already moved on the server, and tries it again on the next start.

Comment 5 Milan Crha 2013-01-23 17:07:10 UTC
Created attachment 686082 [details]
evolution-mapi-0.28.3-copymove-doublefree.patch

for evolution-mapi;

Here's the two-liner which fixes it. The upstream code is unaffected, same as the RHEL7 code. A test package with the patch included is currently being built here [1].

[1] http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5311828

Comment 6 Milan Crha 2013-01-23 18:15:06 UTC
The patch is included in evolution-mapi-0.28.3-12.el6.

Comment 10 errata-xmlrpc 2013-02-21 10:21:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0515.html