Bug 1538865 - [abrt] [composer-autosave] Use-after-free during snapshot save to file
Summary: [abrt] [composer-autosave] Use-after-free during snapshot save to file
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution
Version: 28
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Milan Crha
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:480c8bcc95aaeee5b47fed2d3c8...
Duplicates: 1543644 1554144 1554146 1583000
Depends On:
Blocks:
Reported: 2018-01-26 00:55 UTC by Matt McAdoo
Modified: 2018-05-29 11:24 UTC
CC List: 9 users

Fixed In Version: evolution-3.28.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-29 11:24:49 UTC
Type: ---
Embargoed:


Attachments (all added 2018-01-26 00:55 UTC by Matt McAdoo)
backtrace (74.53 KB, text/plain)
cgroup (289 bytes, text/plain)
core_backtrace (8.83 KB, text/plain)
cpuinfo (1.39 KB, text/plain)
dso_list (27.92 KB, text/plain)
environ (1.75 KB, text/plain)
exploitable (82 bytes, text/plain)
limits (1.29 KB, text/plain)
maps (137.78 KB, text/plain)
open_fds (5.48 KB, text/plain)
proc_pid_status (1.27 KB, text/plain)
var_log_messages (314 bytes, text/plain)

Description Matt McAdoo 2018-01-26 00:55:19 UTC
Description of problem:
Office 365 email account. Sending email with 15 individual attachments, not zipped. Crash seems to occur right after sending. Message shows up in the Sent Items folder.

Version-Release number of selected component:
evolution-3.24.6-1.fc26

Additional info:
reporter:       libreport-2.9.1
backtrace_rating: 4
cmdline:        /usr/bin/evolution
crash_function: e_attachment_store_get_num_attachments
executable:     /usr/bin/evolution
journald_cursor: s=48d44bcb09e3459289cb018456d15da4;i=2c21e;b=cb95d257295744dab35eeaba5712f84b;m=193171cf38;t=563a31903f578;x=93221f5f218a332f
kernel:         4.14.13-200.fc26.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (7 frames)
 #0 e_attachment_store_get_num_attachments at /usr/src/debug/evolution-3.24.6/src/e-util/e-attachment-store.c:542
 #1 composer_build_message at /usr/src/debug/evolution-3.24.6/src/composer/e-msg-composer.c:1451
 #2 e_msg_composer_get_message_draft at /usr/src/debug/evolution-3.24.6/src/composer/e-msg-composer.c:5076
 #3 save_snapshot_replace_cb at /usr/src/debug/evolution-3.24.6/src/modules/composer-autosave/e-autosave-utils.c:329
 #4 g_task_return_now at gtask.c:1145
 #5 complete_in_idle_cb at gtask.c:1159
 #11 gtk_main at gtkmain.c:1322

Comment 1 Matt McAdoo 2018-01-26 00:55:24 UTC
Created attachment 1386390
File: backtrace

Comment 2 Matt McAdoo 2018-01-26 00:55:25 UTC
Created attachment 1386391
File: cgroup

Comment 3 Matt McAdoo 2018-01-26 00:55:26 UTC
Created attachment 1386392
File: core_backtrace

Comment 4 Matt McAdoo 2018-01-26 00:55:27 UTC
Created attachment 1386393
File: cpuinfo

Comment 5 Matt McAdoo 2018-01-26 00:55:28 UTC
Created attachment 1386394
File: dso_list

Comment 6 Matt McAdoo 2018-01-26 00:55:29 UTC
Created attachment 1386395
File: environ

Comment 7 Matt McAdoo 2018-01-26 00:55:30 UTC
Created attachment 1386396
File: exploitable

Comment 8 Matt McAdoo 2018-01-26 00:55:31 UTC
Created attachment 1386397
File: limits

Comment 9 Matt McAdoo 2018-01-26 00:55:32 UTC
Created attachment 1386398
File: maps

Comment 10 Matt McAdoo 2018-01-26 00:55:33 UTC
Created attachment 1386399
File: open_fds

Comment 11 Matt McAdoo 2018-01-26 00:55:34 UTC
Created attachment 1386400
File: proc_pid_status

Comment 12 Matt McAdoo 2018-01-26 00:55:35 UTC
Created attachment 1386401
File: var_log_messages

Comment 13 Milan Crha 2018-01-26 08:14:13 UTC
Thanks for the bug report. It looks like a coincidence: when you finished the message and sent it, an autosave of it was also triggered, which had been accessing already freed memory or something like that.

Comment 14 Milan Crha 2018-01-29 15:03:06 UTC
I've been able to reproduce this by cheating in the code, to have time to close the composer while it was saving the content. It's fixed for the next release with:

Created commit 79dd568d6d in evo master (3.27.90+) [1]
Created commit 963e2b721a in evo gnome-3-26 (3.26.5+)

[1] https://git.gnome.org/browse/evolution/commit/?id=79dd568d6d

Comment 15 Milan Crha 2018-01-31 18:15:53 UTC
It looks like I didn't fix it completely, I just noticed something odd. I'll investigate it further and then update this bug report.

Comment 16 Milan Crha 2018-02-01 10:17:38 UTC
Hrm, while it seemed like I'm able to reproduce this just by sending the message yesterday, I'm not able to reproduce it today. I'll keep watching for this issue and update the bug if I find anything.

Comment 17 Matt McAdoo 2018-02-08 22:33:50 UTC
*** Bug 1543644 has been marked as a duplicate of this bug. ***

Comment 18 Christian Stadelmann 2018-03-11 21:27:40 UTC
*** Bug 1554144 has been marked as a duplicate of this bug. ***

Comment 19 Milan Crha 2018-03-13 09:58:55 UTC
*** Bug 1554146 has been marked as a duplicate of this bug. ***

Comment 20 Milan Crha 2018-03-13 10:00:36 UTC
I'm reopening this bug report, both due to comment #15 and due to the duplicates.

Comment 21 Milan Crha 2018-03-29 08:17:23 UTC
I'm still not able to reproduce this reliably. It looks like one of the prerequisites is to close the composer while it is auto-saving the message, thus when the auto-save is done the composer window is gone.
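The race described in comment 21, as an added C illustration that is not Evolution's code: an autosave completion that can outlive the composer window, with a weak back-pointer the owner clears on destroy so a late callback detects the missing object instead of dereferencing freed memory. The types and functions (Composer, AutosaveTask, autosave_begin, composer_destroy, autosave_complete, run_scenario) are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical simulation, not Evolution's code: one composer, one in-flight
 * autosave whose completion callback may run after the window is closed. */
typedef struct Composer {
    int num_attachments;           /* state the completion callback reads */
    struct AutosaveTask *pending;  /* in-flight autosave to disarm on destroy */
} Composer;

typedef struct AutosaveTask {
    Composer *composer;  /* weak back-pointer, cleared by composer_destroy() */
} AutosaveTask;

/* Start an autosave and register it so the owner can disarm it later. */
AutosaveTask *autosave_begin(Composer *c) {
    AutosaveTask *t = calloc(1, sizeof *t);
    t->composer = c;
    c->pending = t;
    return t;
}

/* Closing the composer: clear the weak pointer before freeing the object. */
void composer_destroy(Composer *c) {
    if (c->pending) c->pending->composer = NULL;
    free(c);
}

/* Completion callback. Without the NULL check this is the report's frame #0:
 * attachment state read through a composer that no longer exists. -1 = skipped. */
int autosave_complete(AutosaveTask *t) {
    Composer *c = t->composer;
    free(t);
    if (!c) return -1;          /* owner already gone: skip, do not dereference */
    c->pending = NULL;          /* unregister the task we just freed */
    return c->num_attachments;
}

/* Both orders of the race: save completes first (15), or the window closes
 * first and the stale completion is detected and skipped (-1). */
int run_scenario(bool close_before_complete) {
    Composer *c = calloc(1, sizeof *c);
    c->num_attachments = 15;  /* constructed: the report's 15 attachments */
    AutosaveTask *t = autosave_begin(c);
    if (close_before_complete) composer_destroy(c);
    int n = autosave_complete(t);
    if (!close_before_complete) composer_destroy(c);
    return n;
}
```

Running the close-first order under AddressSanitizer with the NULL check removed reproduces the crash class in the backtrace; with the check in place both orders run clean.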

Comment 22 Milan Crha 2018-05-28 07:23:59 UTC
*** Bug 1583000 has been marked as a duplicate of this bug. ***

Comment 23 Milan Crha 2018-05-29 11:24:49 UTC
I made some enhancements in the previous change which might help with this. I hope.

Created commit 2179125d83 in evo master (3.29.3+) [1]
Created commit f5f57a0f05 in evo gnome-3-28 (3.28.3+)

[1] https://gitlab.gnome.org/GNOME/evolution/commit/2179125d83