Bug 1158669 - use-after-free crash in Node::remove*Callback
Summary: use-after-free crash in Node::remove*Callback
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: OpenSceneGraph
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ralf Corsepius
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-29 20:17 UTC by Fabrice Bellet
Modified: 2014-11-03 07:39 UTC (History)
Fixed In Version: OpenSceneGraph-3.2.1-3.fc21
Clone Of:
Environment:
Last Closed: 2014-11-03 05:24:39 UTC
Type: Bug
Embargoed:
Description Fabrice Bellet 2014-10-29 20:17:56 UTC
Hi!

Please apply this upstream patch to osg. It fixes a crash very early when starting FlightGear 3.2.0:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000bf8464 in handle_geode_callbacks (geode=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:94
94	            if (callback) (*callback)(&geode,this);
Missing separate debuginfos, use: debuginfo-install OpenThreads-3.2.1-2.1.fc21.x86_64 alsa-lib-1.0.28-2.fc21.x86_64 elfutils-libelf-0.160-1.fc21.x86_64 elfutils-libs-0.160-1.fc21.x86_64 flac-libs-1.3.0-5.fc21.x86_64 freetype-freeworld-2.5.3-2.fc21.x86_64 gsm-1.0.13-12.fc21.x86_64 jack-audio-connection-kit-1.9.9.5-8.fc21.x86_64 json-c-0.12-5.fc21.x86_64 libXau-1.0.8-4.fc21.x86_64 libXcursor-1.1.14-4.fc21.x86_64 libXdamage-1.1.4-6.fc21.x86_64 libXfixes-5.0.1-4.fc21.x86_64 libXrender-0.9.8-4.fc21.x86_64 libXtst-1.2.2-4.fc21.x86_64 libXxf86vm-1.1.3-4.fc21.x86_64 libasyncns-0.8-8.fc21.x86_64 libattr-2.4.47-9.fc21.x86_64 libcap-2.24-7.fc21.x86_64 libdrm-2.4.58-1.fc21.x86_64 libedit-3.1-8.20140213cvs.fc21.x86_64 libffi-3.1-6.fc21.x86_64 libgcrypt-1.6.1-7.fc21.x86_64 libgpg-error-1.13-3.fc21.x86_64 libogg-1.3.0-8.fc21.x86_64 libselinux-2.3-5.fc21.x86_64 libsndfile-1.0.25-12.fc21.x86_64 libtheora-1.1.1-12.fc21.x86_64 libtxc_dxtn-1.0.0-4.fc21.x86_64 libuuid-2.25.2-1.fc21.x86_64 libvidcap-0.2.1-12.fc21.x86_64 libvorbis-1.3.4-3.fc21.x86_64 libxcb-1.11-2.fc21.x86_64 libxshmfence-1.1-3.fc21.x86_64 llvm-libs-3.5-0.fc21.x86_64 ncurses-libs-5.9-16.20140323.fc21.x86_64 opus-1.1-5.fc21.x86_64 pcre-8.35-6.fc21.1.x86_64 portaudio-19-20.fc21.x86_64 pulseaudio-libs-5.0-10.fc21.x86_64 speex-1.2-0.21.rc1.fc21.x86_64 tcp_wrappers-libs-7.6-79.fc21.x86_64 xz-libs-5.1.2-14alpha.fc21.x86_64
(gdb) bt
#0  0x0000000000bf8464 in handle_geode_callbacks (geode=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:94
#1  osgUtil::UpdateVisitor::apply (this=0x1254f50, node=...) at /usr/include/osgUtil/UpdateVisitor:51
#2  0x00007ffff6837a40 in simgear::EffectGeode::accept (this=0x7fff8ce30890, nv=...)
    at /usr/src/debug/simgear-3.2.0/simgear/scene/material/EffectGeode.hxx:32
#3  0x00007ffff49875a3 in osg::Sequence::accept (this=0x7fff8cf23240, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/include/osg/Sequence:34
#4  0x00007ffff491fa23 in osg::Group::traverse (this=0x7fffa158eeb0, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/Group.cpp:62
#5  0x00007ffff5606860 in osg::Group::accept (this=0x7fffa158eeb0, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/include/osg/Group:38
#6  0x00007ffff491fa23 in osg::Group::traverse (this=0x7fffbc9f9a00, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/Group.cpp:62
#7  0x0000000000bfa31d in traverse (node=..., this=0x1254f50) at /usr/include/osg/NodeVisitor:193
#8  handle_callbacks_and_traverse (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:86
#9  apply (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:57
#10 SGUpdateVisitor::apply (this=0x1254f50, transform=...) at /usr/include/simgear/scene/util/SGUpdateVisitor.hxx:162
#11 0x00007ffff68a0ad3 in SGOffsetTransform::accept (this=0x7fffbc9f9a00, nv=...)
    at /usr/src/debug/simgear-3.2.0/simgear/scene/model/SGOffsetTransform.hxx:33
#12 0x00007ffff495154a in osg::LOD::traverse (this=0x7fff8ce50750, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/LOD.cpp:77
#13 0x00007ffff4951bf3 in osg::LOD::accept (this=0x7fff8ce50750, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/include/osg/LOD:44
#14 0x00007ffff491fa23 in osg::Group::traverse (this=0x7fffa1266100, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/Group.cpp:62
#15 0x00007ffff5606860 in osg::Group::accept (this=0x7fffa1266100, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/include/osg/Group:38
#16 0x00007ffff496e59e in osg::PagedLOD::traverse (this=0x7fffbc8da630, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/PagedLOD.cpp:183
#17 0x0000000000bfa929 in traverse (node=..., this=0x1254f50) at /usr/include/osg/NodeVisitor:193
#18 handle_callbacks_and_traverse (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:86
#19 apply (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:60
#20 SGUpdateVisitor::apply (this=0x1254f50, pagedLOD=...) at /usr/include/simgear/scene/util/SGUpdateVisitor.hxx:152
#21 0x00007ffff496f363 in osg::PagedLOD::accept (this=0x7fffbc8da630, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/include/osg/PagedLOD:32
#22 0x00007ffff491fa23 in osg::Group::traverse (this=0x7fffbcb34490, nv=...)
    at /usr/src/debug/OpenSceneGraph-3.2.1/OpenSceneGraph-3.2.1/src/osg/Group.cpp:62
#23 0x0000000000bfa31d in traverse (node=..., this=0x1254f50) at /usr/include/osg/NodeVisitor:193
#24 handle_callbacks_and_traverse (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:86
#25 apply (node=..., this=0x1254f50) at /usr/include/osgUtil/UpdateVisitor:57
#26 SGUpdateVisitor::apply (this=0x1254f50, transform=...) at /usr/include/simgear/scene/util/SGUpdateVisitor.hxx:162
#27 0x00007ffff6909743 in osg::MatrixTransform::accept (this=0x7fffbcb34490, nv=...) at /usr/include/osg/MatrixTransform:37
[...]

Patch:
https://github.com/openscenegraph/osg/commit/49d560f4d9d0641c98df67264b7ace4733c6b9a9

Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765855
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1271802.html
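The crash site in the backtrace is the call through a stale update-callback pointer. The following is an added illustration, not OSG's code and not the linked upstream commit; it assumes the classic cause of crashes of this kind, a remove routine that drops the last reference to a callback and then keeps touching it, and uses hypothetical names (Callback, Ref, Node) modelled on OSG's intrusive ref-counting idiom. It shows the hardened ordering: hold the successor, detach it from the doomed callback, and only then swap the head.

```cpp
// Illustrative intrusive ref-counted callback chain (hypothetical names).
struct Callback {
    static int live;                 // live instances, checked by the test
    int refs = 0;
    Callback* nested = nullptr;      // next callback in the chain (owning ref)
    Callback() { ++live; }
    ~Callback() { --live; if (nested) nested->unref(); }
    void ref() { ++refs; }
    void unref() { if (--refs == 0) delete this; }
    void setNested(Callback* c) {
        if (c) c->ref();
        if (nested) nested->unref();
        nested = c;
    }
};
int Callback::live = 0;

// Minimal RAII holder, in the spirit of osg::ref_ptr.
struct Ref {
    Callback* p;
    explicit Ref(Callback* c) : p(c) { if (p) p->ref(); }
    ~Ref() { if (p) p->unref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
};

struct Node {
    Callback* updateCallback = nullptr;
    ~Node() { setUpdateCallback(nullptr); }
    void setUpdateCallback(Callback* c) {
        if (c) c->ref();
        if (updateCallback) updateCallback->unref();
        updateCallback = c;
    }
    // Hardened removal of the head of the chain (only the head case is shown).
    // The unsafe ordering, setUpdateCallback(nc->nested) followed by
    // nc->setNested(nullptr), may free nc on the first call (last reference
    // dropped) and then write to freed memory; nc's destructor also releases
    // the successor, so the head would point at freed memory on the next update.
    void removeUpdateCallback(Callback* nc) {
        if (!nc || updateCallback != nc) return;
        Ref keepNested(nc->nested);      // successor stays alive across the swap
        nc->setNested(nullptr);          // detach while nc is definitely alive
        setUpdateCallback(keepNested.p); // now nc may be freed safely
    }
};

// Constructed scenario: node -> A -> B, then remove A. Returns true if B became
// the head with exactly one owner, A was destroyed, and nothing leaks afterwards.
bool removeHeadKeepsChainValid() {
    Callback::live = 0;
    Node n;
    Callback* a = new Callback;
    Callback* b = new Callback;
    n.setUpdateCallback(a);
    a->setNested(b);
    n.removeUpdateCallback(a);
    bool ok = n.updateCallback == b && b->refs == 1 && Callback::live == 1;
    n.setUpdateCallback(nullptr);
    return ok && Callback::live == 0;
}
```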

Comment 1 Ralf Corsepius 2014-10-30 06:33:14 UTC
Thanks for the report.

I am going to apply the patch and rebuild for f21 and rawhide, ASAP.

Unfortunately, thanks to RH/Fedora's freeze policy, propagating this fix into the f21 repos will likely take a long time and f21 will be released with this bug (and many others) unfixed.

AFAIU, SimGear would require a rebuild? Are you going to take care of this or shall I do so?

Comment 2 Fedora Update System 2014-10-30 08:44:24 UTC
OpenSceneGraph-3.2.1-3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/OpenSceneGraph-3.2.1-3.fc21

Comment 3 Fabrice Bellet 2014-10-30 09:18:15 UTC
Thanks for the update! Would it be possible to create a buildroot override for f-21 with this one, so I can update SimGear too? (Yes, it needs a rebuild.)

Comment 4 Fedora Update System 2014-10-31 01:24:47 UTC
Package OpenSceneGraph-3.2.1-3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing OpenSceneGraph-3.2.1-3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13898/OpenSceneGraph-3.2.1-3.fc21
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-11-03 05:24:39 UTC
OpenSceneGraph-3.2.1-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Ralf Corsepius 2014-11-03 07:39:29 UTC
I rebuilt SimGear for f21 and rawhide to inherit this change.
