Bug 1291116 - [abrt] Possible use-after-free on factory subprocess close
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: evolution-data-server
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Milan Crha
QA Contact: Fedora Extras Quality Assurance
https://retrace.fedoraproject.org/faf...
abrt_hash:d37e3c2801ba65b95927a7e7c87...
Duplicates: 1331032
Reported: 2015-12-13 21:38 EST by 汪明衡
Modified: 2016-04-27 14:04 EDT
Fixed In Version: evolution-data-server-3.20.2-1.f24
Doc Type: Bug Fix
Last Closed: 2016-04-27 14:04:14 EDT

Attachments
File: backtrace (31.62 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: cgroup (190 bytes, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: core_backtrace (6.44 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: dso_list (17.58 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: environ (854 bytes, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: exploitable (82 bytes, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: limits (1.29 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: maps (81.95 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: mountinfo (3.75 KB, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: namespaces (85 bytes, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: open_fds (790 bytes, text/plain), 2015-12-13 21:39 EST, 汪明衡
File: proc_pid_status (1016 bytes, text/plain), 2015-12-13 21:40 EST, 汪明衡

Description 汪明衡 2015-12-13 21:38:51 EST
Version-Release number of selected component:
evolution-data-server-3.18.2-2.fc23

Additional info:
reporter:       libreport-2.6.3
backtrace_rating: 4
cmdline:        /usr/libexec/evolution-calendar-factory-subprocess --factory caldav --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx2967x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/2967/2
crash_function: g_mutex_lock
executable:     /usr/libexec/evolution-calendar-factory-subprocess
global_pid:     3000
kernel:         4.2.6-301.fc23.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 g_mutex_lock at gthread-posix.c:1338
 #1 g_main_loop_quit at gmain.c:4059
 #2 subprocess_backend_handle_close_cb at evolution-calendar-factory-subprocess.c:99
 #3 ffi_call_unix64 at ../src/x86/unix64.S:76
 #4 ffi_call at ../src/x86/ffi64.c:525
 #5 g_cclosure_marshal_generic at gclosure.c:1487
 #8 g_signal_emitv at gsignal.c:3122
 #9 _e_dbus_subprocess_backend_skeleton_handle_method_call at e-dbus-subprocess-backend.c:1164
 #10 g_dbus_interface_method_dispatch_helper at gdbusinterfaceskeleton.c:609
 #11 skeleton_intercept_handle_method_call at gdbusinterfaceskeleton.c:650
Comment 1 汪明衡 2015-12-13 21:39:10 EST
Created attachment 1105417
File: backtrace
Comment 2 汪明衡 2015-12-13 21:39:12 EST
Created attachment 1105418
File: cgroup
Comment 3 汪明衡 2015-12-13 21:39:16 EST
Created attachment 1105419
File: core_backtrace
Comment 4 汪明衡 2015-12-13 21:39:20 EST
Created attachment 1105420
File: dso_list
Comment 5 汪明衡 2015-12-13 21:39:25 EST
Created attachment 1105421
File: environ
Comment 6 汪明衡 2015-12-13 21:39:28 EST
Created attachment 1105422
File: exploitable
Comment 7 汪明衡 2015-12-13 21:39:41 EST
Created attachment 1105423
File: limits
Comment 8 汪明衡 2015-12-13 21:39:45 EST
Created attachment 1105424
File: maps
Comment 9 汪明衡 2015-12-13 21:39:48 EST
Created attachment 1105425
File: mountinfo
Comment 10 汪明衡 2015-12-13 21:39:51 EST
Created attachment 1105426
File: namespaces
Comment 11 汪明衡 2015-12-13 21:39:55 EST
Created attachment 1105427
File: open_fds
Comment 12 汪明衡 2015-12-13 21:40:02 EST
Created attachment 1105428
File: proc_pid_status
Comment 13 Milan Crha 2016-01-12 08:10:42 EST
Thanks for a bug report. I didn't find anything similar upstream and according to the FAF report this had been reported only once till now. Were you able to reproduce it, please? Maybe the things could change when you updated to the evolution-data-server 3.18.3? There will be a release of 3.18.4 the next week, though it's currently pretty much the same as 3.18.3 in this area, thus it's not needed to wait for the new version.

I see from the backtrace that the crash happened when one of your CalDAV calendars had been closing, but nothing more from it.
Comment 14 汪明衡 2016-01-12 09:07:47 EST
(In reply to Milan Crha from comment #13)
> Thanks for a bug report. I didn't find anything similar upstream and
> according to the FAF report this had been reported only once till now. Were
> you able to reproduce it, please? Maybe the things could change when you
> updated to the evolution-data-server 3.18.3? There will be a release of
> 3.18.4 the next week, though it's currently pretty much the same as 3.18.3
> in this area, thus it's not needed to wait for the new version.
> 
> I see from the backtrace that the crash happened when one of your CalDAV
> calendars had been closing, but nothing more from it.

Sorry I can't reproduce. The calendar doesn't really work on Yahoo account. Bugs like this happen during normal operation. Evolution does, Nautilus does, and gnome shell does, transmission does too. I've encountered tons of them, I just click report button as a habit.
Comment 15 Milan Crha 2016-01-19 09:38:19 EST
Thanks for the update. Regarding the Yahoo! calendar, I managed to figure out what the reason is and filed bug [1].

The rest depends on various occasions. It's definitely weird to see so many applications crashing.

I will keep this open, but I'd still need a reproducer to be able to properly identify the cause of the crash.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=760832
Comment 16 Milan Crha 2016-04-27 12:44:24 EDT
*** Bug 1331032 has been marked as a duplicate of this bug. ***
Comment 17 Milan Crha 2016-04-27 14:04:14 EDT
I figured that the issue could happen also when the main factory process had been replaced with some other, then a use-after-free on the GMainLoop variable could happen. I fixed this upstream:

Created commit 8568699 in eds master (3.21.2+) [1]
Created commit c23159f in eds gnome-3-20 (3.20.2+)

[1] https://git.gnome.org/browse/evolution-data-server/commit/?id=8568699
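
The failure mode described in comment 17, as an added example that is not part of the bug report and is not the upstream commit: two shutdown paths (the Close handler seen in the backtrace and a factory-went-away handler) may both try to quit the same main loop. The sketch is GLib-free; `Loop`, `QuitCtx` and `quit_once` are hypothetical names standing in for a ref-counted GMainLoop and its handlers.

```c
#include <stdlib.h>

/* Stand-in for a ref-counted GMainLoop (hypothetical type, not GLib code). */
typedef struct { int ref_count; int running; } Loop;

static int live_loops = 0;              /* Loop objects not yet freed */

static Loop *loop_new(void) {
    Loop *l = calloc(1, sizeof *l);
    if (l == NULL) abort();
    l->ref_count = 1;
    l->running = 1;
    live_loops++;
    return l;
}
static Loop *loop_ref(Loop *l) { l->ref_count++; return l; }
static void loop_unref(Loop *l) {
    if (--l->ref_count == 0) { live_loops--; free(l); }
}

/* Shared by every shutdown path; holds its own reference, or NULL.
 * A handler that kept only a borrowed Loop* would touch freed memory
 * if it ran after main() dropped the last reference. */
typedef struct { Loop *loop; } QuitCtx;

static void quit_ctx_init(QuitCtx *ctx, Loop *l) { ctx->loop = loop_ref(l); }

/* Callable from the Close handler and from the factory-vanished handler,
 * in any order. Returns 1 if this call stopped the loop, 0 if an earlier
 * call already did. Single-threaded model: with threads, the pointer
 * swap below needs a lock or an atomic exchange. */
static int quit_once(QuitCtx *ctx) {
    Loop *l = ctx->loop;
    if (l == NULL) return 0;
    ctx->loop = NULL;                   /* no dangling pointer left behind */
    l->running = 0;
    loop_unref(l);                      /* release the handlers' reference */
    return 1;
}

/* Constructed ordering: factory vanishes, main() tears down, late Close. */
static int demo(void) {
    QuitCtx ctx;
    Loop *loop = loop_new();
    quit_ctx_init(&ctx, loop);
    int first = quit_once(&ctx);        /* factory-vanished path */
    loop_unref(loop);                   /* main() teardown frees the loop */
    int second = quit_once(&ctx);       /* late Close call: must be a no-op */
    return first == 1 && second == 0 && live_loops == 0;
}
int main(void) { return demo() ? 0 : 1; }
```

In GLib terms the same ownership rule maps onto `g_main_loop_ref()` for the handler's reference and `g_main_loop_unref()` when the pointer is cleared.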
