Bug 1251366 - dleyna-renderer: Crashes due to double-free when destroying the same dlr_upnp_t twice
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dleyna-renderer
Version: 24
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:dc3e1c78f8895ccc2a8bc57aa4b...
Duplicates: 1134358 1253007 1253072 1299104 1301249 1301746 1357281
Depends On:
Blocks:
 
Reported: 2015-08-07 06:24 UTC by Steven Newbury
Modified: 2016-10-03 20:19 UTC

Fixed In Version: dleyna-renderer-0.5.0-5.fc25 dleyna-renderer-0.5.0-5.fc24 dleyna-renderer-0.5.0-4.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-26 00:20:34 UTC
Type: ---
Embargoed:


Attachments (all added 2015-08-07 06:24 UTC by Steven Newbury):
File: backtrace (14.99 KB, text/plain)
File: cgroup (231 bytes, text/plain)
File: core_backtrace (3.70 KB, text/plain)
File: dso_list (2.86 KB, text/plain)
File: environ (710 bytes, text/plain)
File: limits (1.29 KB, text/plain)
File: maps (14.15 KB, text/plain)
File: mountinfo (3.65 KB, text/plain)
File: namespaces (85 bytes, text/plain)
File: open_fds (1.00 KB, text/plain)
File: proc_pid_status (1.13 KB, text/plain)
File: var_log_messages (28 bytes, text/plain)

Description Steven Newbury 2015-08-07 06:24:07 UTC
Version-Release number of selected component:
dleyna-renderer-0.5.0-2.fc23

Additional info:
reporter:       libreport-2.6.2
backtrace_rating: 3
cmdline:        /usr/libexec/dleyna-renderer-service
crash_function: dlr_upnp_delete
executable:     /usr/libexec/dleyna-renderer-service
global_pid:     3428
kernel:         4.2.0-0.rc4.git4.1.fc24.x86_64
runlevel:       N 5
type:           CCpp
uid:            1001

Truncated backtrace:
Thread no. 1 (5 frames)
 #7 dlr_upnp_delete at upnp.c:423
 #8 prv_control_point_stop_service at server.c:725
 #9 prv_context_quit_cb at libdleyna/core/main-loop.c:61
 #14 dleyna_main_loop_start at libdleyna/core/main-loop.c:155
 #16 _start

Potential duplicate: bug 1134358

Comment 1 Steven Newbury 2015-08-07 06:24:10 UTC
Created attachment 1060215 [details]
File: backtrace

Comment 2 Steven Newbury 2015-08-07 06:24:11 UTC
Created attachment 1060216 [details]
File: cgroup

Comment 3 Steven Newbury 2015-08-07 06:24:13 UTC
Created attachment 1060217 [details]
File: core_backtrace

Comment 4 Steven Newbury 2015-08-07 06:24:14 UTC
Created attachment 1060218 [details]
File: dso_list

Comment 5 Steven Newbury 2015-08-07 06:24:15 UTC
Created attachment 1060219 [details]
File: environ

Comment 6 Steven Newbury 2015-08-07 06:24:16 UTC
Created attachment 1060220 [details]
File: limits

Comment 7 Steven Newbury 2015-08-07 06:24:18 UTC
Created attachment 1060221 [details]
File: maps

Comment 8 Steven Newbury 2015-08-07 06:24:19 UTC
Created attachment 1060222 [details]
File: mountinfo

Comment 9 Steven Newbury 2015-08-07 06:24:20 UTC
Created attachment 1060223 [details]
File: namespaces

Comment 10 Steven Newbury 2015-08-07 06:24:21 UTC
Created attachment 1060224 [details]
File: open_fds

Comment 11 Steven Newbury 2015-08-07 06:24:23 UTC
Created attachment 1060225 [details]
File: proc_pid_status

Comment 12 Steven Newbury 2015-08-07 06:24:24 UTC
Created attachment 1060226 [details]
File: var_log_messages

Comment 13 Jan Kurik 2016-02-24 13:35:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 14 Debarshi Ray 2016-09-15 14:35:37 UTC
*** Bug 1134358 has been marked as a duplicate of this bug. ***

Comment 15 Debarshi Ray 2016-09-15 14:36:18 UTC
*** Bug 1299104 has been marked as a duplicate of this bug. ***

Comment 16 Debarshi Ray 2016-09-15 14:40:26 UTC
*** Bug 1357281 has been marked as a duplicate of this bug. ***

Comment 17 Debarshi Ray 2016-09-15 14:41:47 UTC
*** Bug 1253007 has been marked as a duplicate of this bug. ***

Comment 18 Debarshi Ray 2016-09-15 15:27:32 UTC
The problem here is two-fold.

First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double free. Filed as: https://github.com/01org/dleyna-renderer/pull/160

Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than once. The dleyna-renderer code is not ready for this (see above), and hits a double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed as: https://github.com/01org/dleyna-core/pull/48
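
Added example, not part of comment 18 and not code from dleyna-renderer or dleyna-core: a small model of the two fixes described above, showing that either clearing the pointer after destruction or scheduling the quit callback only once removes the second delete. All names (upnp_t, context_t, stop_service_*, schedule_quit) are hypothetical stand-ins, the object lives in a static pool so the repeated delete can be counted instead of corrupting the heap, and the delete function is assumed to ignore NULL.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct { int in_use; } upnp_t;                 /* stand-in for dlr_upnp_t */
typedef struct { upnp_t *upnp; int quit_pending; } context_t;

static upnp_t g_pool[1];      /* static pool: a stale pointer stays readable */
static int g_double_deletes;  /* deletes that hit an already-destroyed object */

static upnp_t *upnp_new(void) { g_pool[0].in_use = 1; return &g_pool[0]; }

/* With malloc/free, the counted branch is where free() would run twice. */
static void upnp_delete(upnp_t *u) {
    if (u == NULL) return;                  /* assumption: delete ignores NULL */
    if (!u->in_use) { g_double_deletes++; return; }
    u->in_use = 0;
}

/* Pattern described in the report: pointer left dangling after destroy. */
static void stop_service_unfixed(context_t *c) { upnp_delete(c->upnp); }

/* First fix: clear the pointer so a repeated call becomes a no-op. */
static void stop_service_fixed(context_t *c) {
    upnp_delete(c->upnp);
    c->upnp = NULL;
}

/* Second fix: the scheduler refuses to queue the quit callback twice. */
static int schedule_quit(context_t *c) {
    if (c->quit_pending) return 0;
    c->quit_pending = 1;
    return 1;
}

/* Request quit twice; return how many deletes hit a destroyed object. */
int run(void (*stop)(context_t *), int guard_scheduling) {
    context_t c = { upnp_new(), 0 };
    g_double_deletes = 0;
    for (int i = 0; i < 2; i++) {
        if (guard_scheduling && !schedule_quit(&c)) continue;
        stop(&c);
    }
    return g_double_deletes;
}

int main(void) {
    printf("unfixed, unguarded: %d\n", run(stop_service_unfixed, 0));
    printf("pointer cleared:    %d\n", run(stop_service_fixed, 0));
    printf("scheduled once:     %d\n", run(stop_service_unfixed, 1));
    return 0;
}
```

Applying both changes gives defence in depth: the callee tolerates a repeated call and the caller no longer issues one.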

Comment 19 Debarshi Ray 2016-09-15 15:29:29 UTC
*** Bug 1253072 has been marked as a duplicate of this bug. ***

Comment 20 Debarshi Ray 2016-09-15 15:29:45 UTC
*** Bug 1301746 has been marked as a duplicate of this bug. ***

Comment 21 Debarshi Ray 2016-09-15 15:32:13 UTC
*** Bug 1301249 has been marked as a duplicate of this bug. ***

Comment 22 Debarshi Ray 2016-09-15 15:49:53 UTC
(In reply to Debarshi Ray from comment #18)
> The problem here is two-fold.
> 
> First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the
> dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double
> free. Filed as: https://github.com/01org/dleyna-renderer/pull/160
> 
> Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than
> once. The dleyna-renderer code is not ready for this (see above), and hits a
> double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed
> as: https://github.com/01org/dleyna-core/pull/48

Let's wait for some upstream reviews before we add these to Fedora.

Comment 23 Fedora Update System 2016-09-22 09:55:38 UTC
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4cc484e18

Comment 24 Fedora Update System 2016-09-22 09:55:47 UTC
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8b47d28f07

Comment 25 Fedora Update System 2016-09-23 06:54:05 UTC
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c0573a805d

Comment 26 Fedora Update System 2016-09-23 06:54:17 UTC
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d3927e6a71

Comment 27 Fedora Update System 2016-09-23 08:01:23 UTC
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-83b2fee0aa

Comment 28 Fedora Update System 2016-09-23 08:01:32 UTC
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-603b9f4445

Comment 29 Fedora Update System 2016-09-26 00:20:34 UTC
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2016-09-27 00:34:25 UTC
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2016-09-27 00:34:34 UTC
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2016-10-03 17:22:29 UTC
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2016-10-03 20:19:46 UTC
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2016-10-03 20:19:54 UTC
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

