Bug 903241 - Double-free on message copy/move
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: evolution-mapi
Version: 6.4
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Matthew Barnes
QA Contact: Desktop QE
Keywords: Patch
Blocks: 905536
Reported: 2013-01-23 09:46 EST by Jiri Koten
Modified: 2013-03-21 04:49 EDT
Fixed In Version: evolution-mapi-0.28.3-12.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 05:21:01 EST
Type: Bug

Attachments
evolution-mapi-0.28.3-copymove-doublefree.patch (726 bytes, patch), 2013-01-23 12:07 EST, Milan Crha

Description Jiri Koten 2013-01-23 09:46:02 EST
Description of problem:
After a msg is deleted, evolution fails to refresh the Inbox and crashes.
It keeps crashing when I start it again.

Tested with MS Exchange 2010.   

Version-Release number of selected component (if applicable):
evolution-2.28.3-30.el6
evolution-mapi-0.28.3-11.el6
openchange-1.0-4.el6
samba4-libs-4.0.0-53.el6.rc4

How reproducible:
100%

Steps to Reproduce:
1. Delete a msg
2. Click Send/Receive
3. Open the Evolution again
Actual results:
crash

Expected results:
no crash

Additional info:
Comment 2 Milan Crha 2013-01-23 11:52:21 EST
From the log:
talloc: access after free error - first free may be at exchange-mapi-connection.c:2508
Bad talloc magic value - access after free

And backtrace:
Thread 1 (Thread 0x7ffa8bfff700 (LWP 23725)):
#0  0x0000003e6f6328a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003e6f634085 in abort () at abort.c:92
#2  0x00007ffa9321dc3c in talloc_abort (reason=0x7ffa93223348 "Bad talloc magic value - access after free") at ../talloc.c:317
#3  0x00007ffa9321db20 in talloc_abort_access_after_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:336
#4  talloc_chunk_from_ptr (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:357
#5  _talloc_free (ptr=0x7ffa74014400, location=0x7ffa93967d88 "libmapi/mapi_id_array.c:84") at ../talloc.c:1348
#6  0x00007ffa938b85c5 in mapi_id_array_release (id=<value optimized out>) at libmapi/mapi_id_array.c:84
#7  0x00007ffa93bdb005 in mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mid_list=<value optimized out>, do_copy=0)
    at exchange-mapi-connection.c:2509
#8  0x00007ffa93bdb0a8 in exchange_mapi_move_items (src_fid=6481818957832524355, dest_fid=6697991739946308163, mids=0x171c130 = {...})
    at exchange-mapi-connection.c:2544
#9  0x00007ffa93df45d3 in mapi_sync (folder=0x16b7600, expunge=<value optimized out>, ex=0x7ffa8bffeb40) at camel-mapi-folder.c:910
#10 0x000000357dc300e1 in camel_folder_sync (folder=0x16b7600, expunge=0, ex=0x7ffa8bffeb40) at camel-folder.c:321
#11 0x00007ffab0855e7d in refresh_folders_exec (m=0x7ffa84001400) at mail-send-recv.c:829
#12 0x00007ffab085431f in mail_msg_proxy (msg=0x7ffa84001400) at mail-mt.c:522
#13 0x0000003e7066359b in g_thread_pool_thread_proxy (data=<value optimized out>) at gthreadpool.c:265
#14 0x0000003e70662004 in g_thread_create_proxy (data=0x179c5c0) at gthread.c:635
#15 0x0000003e6fa07851 in start_thread (arg=0x7ffa8bfff700) at pthread_create.c:301
#16 0x0000003e6f6e890d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

A fix is underway. The problem here is that the talloc mem_ctx, which was used to allocate the array of ids, was freed just before the id array itself, which caused the use-after-free.
Comment 3 RHEL Product and Program Management 2013-01-23 12:00:20 EST
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 4 Milan Crha 2013-01-23 12:05:33 EST
It caused a double-free, actually. If you want a bit more background here: deleting a message in a folder other than Deleted Items causes a message move from that folder to Deleted Items, and at the end of this the double-free happened. Internal data doesn't know that the message was already moved on the server, and tries again at the next start.
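The ownership mistake described in comments 2 and 4 (the owning talloc context freed first, then the id array it owns released again) can be modelled without libtalloc. The block below is an added example, not code from evolution-mapi or from the attached patch: it is a toy model of talloc's parent/child ownership with a magic-value check, where chunks live in a static pool so a stale header can be inspected safely; the "fixed" ordering (release the child, then its context) is an assumption, since the patch body is not on this page.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of talloc-style hierarchical ownership (not the real libtalloc API).
 * Chunks live in a static pool so reading a freed chunk's header is well defined,
 * which lets us observe the "bad magic value" condition instead of crashing. */
#define MAGIC_LIVE  0xe814ec70u
#define MAGIC_FREED 0x7faebef3u
#define POOL_CHUNKS 8

struct chunk { uint32_t magic; int parent; /* pool index of owner, -1 = top level */ };
static struct chunk pool[POOL_CHUNKS];
static int next_chunk;

static void pool_reset(void) { memset(pool, 0, sizeof pool); next_chunk = 0; }

/* Allocate a chunk owned by `parent`; returns its pool index, or -1 if the pool is full. */
static int ctx_alloc(int parent) {
    if (next_chunk >= POOL_CHUNKS) return -1;
    int i = next_chunk++;
    pool[i].magic = MAGIC_LIVE;
    pool[i].parent = parent;
    return i;
}

/* Free a chunk and, as talloc_free() does, every live chunk it owns.
 * Returns 0 on success, -1 when the magic is stale: the "access after free"
 * condition on which the real talloc aborts (see the backtrace above). */
static int ctx_free(int idx) {
    if (idx < 0 || pool[idx].magic != MAGIC_LIVE) return -1;
    for (int c = 0; c < next_chunk; c++)
        if (pool[c].parent == idx && pool[c].magic == MAGIC_LIVE) ctx_free(c);
    pool[idx].magic = MAGIC_FREED;
    return 0;
}

/* Order from the report: mem_ctx freed first, then the id array it owns is released. */
int move_items_buggy(void) {
    pool_reset();
    int mem_ctx = ctx_alloc(-1);
    int id_array = ctx_alloc(mem_ctx);
    ctx_free(mem_ctx);          /* implicitly frees id_array as well */
    return ctx_free(id_array);  /* second free: stale magic, -1 */
}

/* Assumed corrected order: release the child before its owning context. */
int move_items_fixed(void) {
    pool_reset();
    int mem_ctx = ctx_alloc(-1);
    int id_array = ctx_alloc(mem_ctx);
    int rc = ctx_free(id_array);
    return rc | ctx_free(mem_ctx);  /* 0: each chunk freed exactly once */
}
```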
Comment 5 Milan Crha 2013-01-23 12:07:10 EST
Created attachment 686082 [details]
evolution-mapi-0.28.3-copymove-doublefree.patch

for evolution-mapi;

Here's the two-liner, which fixes it. The upstream code is unaffected, same as RHEL7 code. Here [1] is currently building a test package with the patch included.

[1] http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5311828
Comment 6 Milan Crha 2013-01-23 13:15:06 EST
The patch is included in evolution-mapi-0.28.3-12.el6.
Comment 10 errata-xmlrpc 2013-02-21 05:21:01 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0515.html
