Bug 903241
| Summary: | Double-free on message copy/move | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jiri Koten <jkoten> |
| Component: | evolution-mapi | Assignee: | Matthew Barnes <mbarnes> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.4 | CC: | cschalle, mcrha, pvine, tlavigne, tpelka |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | evolution-mapi-0.28.3-12.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 10:21:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 905536 | | |
| Attachments: | | | |

Description
Jiri Koten
2013-01-23 14:46:02 UTC
From the log:

```
talloc: access after free error - first free may be at exchange-mapi-connection.c:2508
Bad talloc magic value - access after free
```

And backtrace:

```
Thread 1 (Thread 0x7ffa8bfff700 (LWP 23725)):
#0  0x0000003e6f6328a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003e6f634085 in abort () at abort.c:92
#2  0x00007ffa9321dc3c in talloc_abort (reason=0x7ffa93223348 "Bad talloc magic value - access after free") at ../talloc.c:317
#3  0x00007ffa9321db20 in talloc_abort_access_after_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:336
#4  talloc_chunk_from_ptr (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:357
#5  _talloc_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:1348
#6  0x00007ffa938b85c5 in mapi_id_array_release (id=<value optimized out>) at libmapi/mapi_id_array.c:84
#7  0x00007ffa93bdb005 in mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mid_list=<value optimized out>, do_copy=0) at exchange-mapi-connection.c:2509
#8  0x00007ffa93bdb0a8 in exchange_mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mids=0x171c130 = {...}) at exchange-mapi-connection.c:2544
#9  0x00007ffa93df45d3 in mapi_sync (folder=0x16b7600, expunge=<value optimized out>, ex=0x7ffa8bffeb40) at camel-mapi-folder.c:910
#10 0x000000357dc300e1 in camel_folder_sync (folder=0x16b7600, expunge=0, ex=0x7ffa8bffeb40) at camel-folder.c:321
#11 0x00007ffab0855e7d in refresh_folders_exec (m=0x7ffa84001400) at mail-send-recv.c:829
#12 0x00007ffab085431f in mail_msg_proxy (msg=0x7ffa84001400) at mail-mt.c:522
#13 0x0000003e7066359b in g_thread_pool_thread_proxy (data=<value optimized out>) at gthreadpool.c:265
#14 0x0000003e70662004 in g_thread_create_proxy (data=0x179c5c0) at gthread.c:635
#15 0x0000003e6fa07851 in start_thread (arg=0x7ffa8bfff700) at pthread_create.c:301
#16 0x0000003e6f6e890d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
```

Fix is under go, the problem here is that the talloc mem_ctx, which was used to allocate array of ids was freed just before the id array itself, which caused the use-after-free.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

It caused double-free, actually. If you want a bit more background here, then the message delete in other than Deleted Items causes message move from the folder to Deleted Items, and at the end of this the double-free happened. Internal data doesn't know that the message was already moved on the server, and tries the next start again.

Created attachment 686082: evolution-mapi-0.28.3-copymove-doublefree.patch for evolution-mapi

Here's the two-liner, which fixes it. The upstream code is unaffected, same as RHEL7 code. Here [1] is currently building a test package with the patch included.

[1] http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5311828

The patch is included in evolution-mapi-0.28.3-12.el6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0515.html
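
The ordering problem described in the thread (an allocation context released before the id array allocated from it), as an added example that is not evolution-mapi or talloc code: a toy pool models parent/child ownership, and every name in it (`toy_alloc`, `toy_free`, the two `release_*` functions, the magic values) is hypothetical. The array-then-context order is an assumed safe ordering; the page does not show the patch.

```c
#include <stdio.h>
/* Toy model of hierarchical allocation (NOT talloc itself): chunks live in a
 * fixed pool so a stale handle can be checked without undefined behaviour. */
enum { POOL = 16, NO_PARENT = -1, MAGIC_LIVE = 0x7a110c01, MAGIC_FREE = 0x0badf4ee };
static struct { int magic; int parent; } pool[POOL];

/* Allocate a chunk owned by `parent`; returns a handle, or -1 if the pool is full. */
static int toy_alloc(int parent) {
    for (int i = 0; i < POOL; i++)
        if (pool[i].magic != MAGIC_LIVE) {
            pool[i].magic = MAGIC_LIVE;
            pool[i].parent = parent;
            return i;
        }
    return -1;
}

/* Free a chunk and every chunk allocated from it. Returns -1 at the point
 * where talloc aborts with "Bad talloc magic value - access after free". */
static int toy_free(int id) {
    if (id < 0 || id >= POOL || pool[id].magic != MAGIC_LIVE)
        return -1;
    pool[id].magic = MAGIC_FREE;
    for (int i = 0; i < POOL; i++)
        if (pool[i].magic == MAGIC_LIVE && pool[i].parent == id)
            toy_free(i);
    return 0;
}

/* Order described in the report: context freed first, then the id array. */
int release_ctx_then_array(void) {
    int mem_ctx = toy_alloc(NO_PARENT);
    int ids = toy_alloc(mem_ctx);   /* id array allocated from mem_ctx */
    toy_free(mem_ctx);              /* frees ids as a child */
    return toy_free(ids);           /* second free of ids is detected */
}

/* Assumed safe order: release the array while its context is still alive. */
int release_array_then_ctx(void) {
    int mem_ctx = toy_alloc(NO_PARENT);
    int ids = toy_alloc(mem_ctx);
    int rc = toy_free(ids);
    return rc == 0 ? toy_free(mem_ctx) : rc;
}

int main(void) {
    printf("ctx,array: %d  array,ctx: %d\n", release_ctx_then_array(), release_array_then_ctx());
    return 0;
}
```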