Bug 1338561 - [abrt] Avoid NULL dereference in mail-send-recv.c:free_send_data() function
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution
Version: 24
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Milan Crha
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:1f6209622c61c3fc9dd93ce9686...
Depends On:
Blocks:
 
Reported: 2016-05-22 21:35 UTC by Michael Catanzaro
Modified: 2016-05-23 11:29 UTC (History)

Fixed In Version: evolution-3.20.3
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-23 11:29:38 UTC
Type: ---


Attachments (all uploaded 2016-05-22 21:35 UTC by Michael Catanzaro)
File: backtrace (77.60 KB, text/plain)
File: cgroup (242 bytes, text/plain)
File: core_backtrace (16.84 KB, text/plain)
File: dso_list (24.37 KB, text/plain)
File: environ (2.00 KB, text/plain)
File: exploitable (82 bytes, text/plain)
File: limits (1.29 KB, text/plain)
File: maps (119.81 KB, text/plain)
File: mountinfo (3.76 KB, text/plain)
File: namespaces (85 bytes, text/plain)
File: open_fds (3.61 KB, text/plain)
File: proc_pid_status (1.10 KB, text/plain)
File: var_log_messages (536 bytes, text/plain)

Description Michael Catanzaro 2016-05-22 21:35:18 UTC
Description of problem:
I think it happened when the network turned on (or maybe off).

Version-Release number of selected component:
evolution-3.20.2-1.fc24

Additional info:
reporter:       libreport-2.7.0
backtrace_rating: 4
cmdline:        evolution
crash_function: free_send_data
executable:     /usr/bin/evolution
global_pid:     2344
kernel:         4.5.4-300.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
reproducible:   Not sure how to reproduce the problem
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 free_send_data at mail-send-recv.c:203
 #1 send_receive at mail-send-recv.c:1632
 #6 _gtk_action_emit_activate at deprecated/gtkaction.c:909
 #11 _g_closure_invoke_va at gclosure.c:867
 #13 g_signal_emit_by_name at gsignal.c:3481
 #14 _g_closure_invoke_va at gclosure.c:867
 #17 gtk_button_do_release at gtkbutton.c:1843
 #18 gtk_real_button_released at gtkbutton.c:1961
 #23 multipress_released_cb at gtkbutton.c:666
 #24 ffi_call_unix64 at ../src/x86/unix64.S:76

Comment 1 Michael Catanzaro 2016-05-22 21:35:23 UTC
Created attachment 1160404
File: backtrace

Comment 2 Michael Catanzaro 2016-05-22 21:35:24 UTC
Created attachment 1160405
File: cgroup

Comment 3 Michael Catanzaro 2016-05-22 21:35:25 UTC
Created attachment 1160406
File: core_backtrace

Comment 4 Michael Catanzaro 2016-05-22 21:35:26 UTC
Created attachment 1160407
File: dso_list

Comment 5 Michael Catanzaro 2016-05-22 21:35:27 UTC
Created attachment 1160408
File: environ

Comment 6 Michael Catanzaro 2016-05-22 21:35:28 UTC
Created attachment 1160409
File: exploitable

Comment 7 Michael Catanzaro 2016-05-22 21:35:29 UTC
Created attachment 1160410
File: limits

Comment 8 Michael Catanzaro 2016-05-22 21:35:31 UTC
Created attachment 1160411
File: maps

Comment 9 Michael Catanzaro 2016-05-22 21:35:32 UTC
Created attachment 1160412
File: mountinfo

Comment 10 Michael Catanzaro 2016-05-22 21:35:33 UTC
Created attachment 1160413
File: namespaces

Comment 11 Michael Catanzaro 2016-05-22 21:35:34 UTC
Created attachment 1160414
File: open_fds

Comment 12 Michael Catanzaro 2016-05-22 21:35:35 UTC
Created attachment 1160415
File: proc_pid_status

Comment 13 Michael Catanzaro 2016-05-22 21:35:36 UTC
Created attachment 1160416
File: var_log_messages

Comment 14 Milan Crha 2016-05-23 11:29:38 UTC
Thanks for a bug report. I see from the backtrace where the crash happened and from the code why it happened (a check for "data is not NULL" is missing), but I do not see from it why it happened (aka what caused the crash). The var_log_messages shows that there was some quick connection change, the network got offline and immediately after that online. That's the most I see from the data given by ABRT.

As the "data is not NULL" check is missing there, I will add it. It will fix this particular crash, but not the root cause (which is unknown). Everything is supposed to be done in the main thread, thus it shouldn't be about thread interleaving. It's probably more like the connection change caused a sudden operation cancel, which caused the operation to be finished not in the next main loop idle round, but rather immediately, thus it could free the global 'send_data' variable before this particular main thread operation finished. It seems unlikely to me, but I can be wrong.

Created commit 362d39a in evo master (3.21.3+) [1]
Created commit 303442f in evo gnome-3-20 (3.20.3+)

[1] https://git.gnome.org/browse/evolution/commit/?id=362d39a
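
A minimal C model of the scenario hypothesized in comment 14, added here as an illustration; it is not Evolution's code and not the content of commit 362d39a. Only the names `send_data`, `free_send_data` and `send_receive` come from the report; the struct layout, the idle flag, `operation_done`, `start_operation` and the `null_hits` counter are assumptions. When a cancel makes the operation complete immediately instead of in the next idle round, the caller's own teardown finds the global already freed, and the NULL check is what keeps that from being a dereference.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical single-threaded model; not Evolution's code. */
struct send_data_s { int active; };     /* operations still running */
static struct send_data_s *send_data;   /* global, main thread only */
static int idle_pending;                /* completion queued for next idle round */
static int null_hits;                   /* times teardown saw a NULL global */

static void free_send_data(void)
{
    struct send_data_s *data = send_data;
    if (data == NULL) { null_hits++; return; }  /* guard: data->active would fault */
    if (data->active != 0) return;              /* an operation still uses it */
    send_data = NULL;                           /* clear so later calls see NULL */
    free(data);
}

static void operation_done(void)
{
    if (send_data != NULL) send_data->active--;
    free_send_data();
}

static void start_operation(int cancelled)
{
    send_data->active++;
    if (cancelled) operation_done();    /* cancel: completes immediately */
    else idle_pending = 1;              /* normal: completes in next idle round */
}

/* Returns how many times teardown found the global already freed. */
static int send_receive(int cancelled)
{
    null_hits = 0;
    send_data = calloc(1, sizeof *send_data);
    if (send_data == NULL) return -1;
    start_operation(cancelled);
    free_send_data();                   /* caller's own teardown */
    if (idle_pending) {                 /* simulate the next idle round */
        idle_pending = 0;
        operation_done();
    }
    return null_hits;
}

int main(void)
{
    printf("normal=%d cancelled=%d\n", send_receive(0), send_receive(1));
    return 0;
}
```

As comment 14 says of the real fix, the guard removes the crash but not the underlying ordering problem: the global's lifetime still depends on which path completes first.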

