1338561 – [abrt] Avoid NULL dereference in mail-send-recv.c:free_send_data() function

Bug 1338561 - [abrt] Avoid NULL dereference in mail-send-recv.c:free_send_data() function

Summary: [abrt] Avoid NULL dereference in mail-send-recv.c:free_send_data() function

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	evolution
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Milan Crha
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://retrace.fedoraproject.org/faf...
Whiteboard:	abrt_hash:1f6209622c61c3fc9dd93ce9686...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-22 21:35 UTC by Michael Catanzaro
Modified:	2016-05-23 11:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:	evolution-3.20.3
Clone Of:
Environment:
Last Closed:	2016-05-23 11:29:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: backtrace (77.60 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: cgroup (242 bytes, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: core_backtrace (16.84 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: dso_list (24.37 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: environ (2.00 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: exploitable (82 bytes, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: limits (1.29 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: maps (119.81 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: mountinfo (3.76 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: namespaces (85 bytes, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: open_fds (3.61 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: proc_pid_status (1.10 KB, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
File: var_log_messages (536 bytes, text/plain) 2016-05-22 21:35 UTC, Michael Catanzaro	no flags	Details
View All

Description Michael Catanzaro 2016-05-22 21:35:18 UTC

Description of problem:
I think it happened when the network turned on (or maybe off).

Version-Release number of selected component:
evolution-3.20.2-1.fc24

Additional info:
reporter:       libreport-2.7.0
backtrace_rating: 4
cmdline:        evolution
crash_function: free_send_data
executable:     /usr/bin/evolution
global_pid:     2344
kernel:         4.5.4-300.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
reproducible:   Not sure how to reproduce the problem
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 free_send_data at mail-send-recv.c:203
 #1 send_receive at mail-send-recv.c:1632
 #6 _gtk_action_emit_activate at deprecated/gtkaction.c:909
 #11 _g_closure_invoke_va at gclosure.c:867
 #13 g_signal_emit_by_name at gsignal.c:3481
 #14 _g_closure_invoke_va at gclosure.c:867
 #17 gtk_button_do_release at gtkbutton.c:1843
 #18 gtk_real_button_released at gtkbutton.c:1961
 #23 multipress_released_cb at gtkbutton.c:666
 #24 ffi_call_unix64 at ../src/x86/unix64.S:76

Comment 1 Michael Catanzaro 2016-05-22 21:35:23 UTC

Created attachment 1160404 [details]
File: backtrace

Comment 2 Michael Catanzaro 2016-05-22 21:35:24 UTC

Created attachment 1160405 [details]
File: cgroup

Comment 3 Michael Catanzaro 2016-05-22 21:35:25 UTC

Created attachment 1160406 [details]
File: core_backtrace

Comment 4 Michael Catanzaro 2016-05-22 21:35:26 UTC

Created attachment 1160407 [details]
File: dso_list

Comment 5 Michael Catanzaro 2016-05-22 21:35:27 UTC

Created attachment 1160408 [details]
File: environ

Comment 6 Michael Catanzaro 2016-05-22 21:35:28 UTC

Created attachment 1160409 [details]
File: exploitable

Comment 7 Michael Catanzaro 2016-05-22 21:35:29 UTC

Created attachment 1160410 [details]
File: limits

Comment 8 Michael Catanzaro 2016-05-22 21:35:31 UTC

Created attachment 1160411 [details]
File: maps

Comment 9 Michael Catanzaro 2016-05-22 21:35:32 UTC

Created attachment 1160412 [details]
File: mountinfo

Comment 10 Michael Catanzaro 2016-05-22 21:35:33 UTC

Created attachment 1160413 [details]
File: namespaces

Comment 11 Michael Catanzaro 2016-05-22 21:35:34 UTC

Created attachment 1160414 [details]
File: open_fds

Comment 12 Michael Catanzaro 2016-05-22 21:35:35 UTC

Created attachment 1160415 [details]
File: proc_pid_status

Comment 13 Michael Catanzaro 2016-05-22 21:35:36 UTC

Created attachment 1160416 [details]
File: var_log_messages

Comment 14 Milan Crha 2016-05-23 11:29:38 UTC

Thanks for a bug report. I see from the bactrace where the crash happened and from the code why it happened (there is missing a check for "data is not NULL"), but I do not see from it why it happened (aka what caused the crash). The var_log_messages shows that there was some quick connection change, the network got offline and immediately after that online. That's the most I see from the given data by the ABRT.

As the "data is not NULL" check is missing there, I will add it. It will fix this particular crash, but not the root cause (which is unknown). There is supposed to be done everything in the main thread, thus it shouldn't be about thread interleaving. It's probably more like the connection change caused a sudden operation cancel, which caused the operation not being finished in the next main loop idle round, but rather immediately, thus it could free the global 'send_data' variable before this particular main thread operation finished. It seems unlikely to me, but I can be wrong.

Created commit 362d39a in evo master (3.21.3+) [1]
Created commit 303442f in evo gnome-3-20 (3.20.3+)

[1] https://git.gnome.org/browse/evolution/commit/?id=362d39a

Note You need to log in before you can comment on or make changes to this bug.