974296 – [abrt] GError instance use-after-free in collection_backend_load_resources()

Bug 974296 - [abrt] GError instance use-after-free in collection_backend_load_resources()

Summary: [abrt] GError instance use-after-free in collection_backend_load_resources()

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	evolution-data-server
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthew Barnes
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:95a396940772422bb50fd422d9b...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-13 21:53 UTC by Wayne Stidolph
Modified:	2013-07-10 09:43 UTC (History)
CC List:	3 users (show)
Fixed In Version:	evolution-data-server-3.8.4
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-01 10:08:00 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: backtrace (25.93 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: cgroup (140 bytes, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: core_backtrace (2.52 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: dso_list (14.87 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: environ (1.00 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: limits (1.29 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: maps (69.40 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: open_fds (614 bytes, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: proc_pid_status (924 bytes, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
File: var_log_messages (6.18 KB, text/plain) 2013-06-13 21:53 UTC, Wayne Stidolph	no flags	Details
evolution sources file, is dated 5/16/2013 (wasn't it re-created?) (337 bytes, text/plain) 2013-06-20 15:57 UTC, Wayne Stidolph	no flags	Details
files as of 6/18 (best response to comment #19) (1.58 KB, application/x-compressed-tar) 2013-06-29 22:42 UTC, Wayne Stidolph	no flags	Details
View All

Description Wayne Stidolph 2013-06-13 21:53:10 UTC

Description of problem:
Boot F19 x86_64 in Oracle VirtualBox 4.2.12 r84980, running over Win8 Pro 64bit i7 16GB RAM (was running OK until updates starting approx 11 June

Version-Release number of selected component:
evolution-data-server-3.8.3-1.fc19

Additional info:
reporter:       libreport-2.1.4
backtrace_rating: 3
cmdline:        /usr/libexec/evolution-source-registry
executable:     /usr/libexec/evolution-source-registry
kernel:         3.9.5-301.fc19.x86_64
runlevel:       N 5
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 ??
 #1 g_param_value_validate at gparam.c:649
 #2 object_set_property at gobject.c:1343
 #3 g_object_set_property at gobject.c:2155
 #4 source_set_property_from_key_file at e-source.c:531
 #5 source_load_from_key_file at e-source.c:555
 #6 source_parse_dbus_data at e-source.c:639
 #7 source_notify_dbus_data_cb at e-source.c:661
 #13 g_object_notify_queue_thaw at gobject.c:292
 #14 g_object_set_valist at gobject.c:1959

Comment 1 Wayne Stidolph 2013-06-13 21:53:13 UTC

Created attachment 760979 [details]
File: backtrace

Comment 2 Wayne Stidolph 2013-06-13 21:53:16 UTC

Created attachment 760980 [details]
File: cgroup

Comment 3 Wayne Stidolph 2013-06-13 21:53:18 UTC

Created attachment 760981 [details]
File: core_backtrace

Comment 4 Wayne Stidolph 2013-06-13 21:53:21 UTC

Created attachment 760982 [details]
File: dso_list

Comment 5 Wayne Stidolph 2013-06-13 21:53:24 UTC

Created attachment 760983 [details]
File: environ

Comment 6 Wayne Stidolph 2013-06-13 21:53:26 UTC

Created attachment 760984 [details]
File: limits

Comment 7 Wayne Stidolph 2013-06-13 21:53:30 UTC

Created attachment 760985 [details]
File: maps

Comment 8 Wayne Stidolph 2013-06-13 21:53:33 UTC

Created attachment 760986 [details]
File: open_fds

Comment 9 Wayne Stidolph 2013-06-13 21:53:35 UTC

Created attachment 760987 [details]
File: proc_pid_status

Comment 10 Wayne Stidolph 2013-06-13 21:53:38 UTC

Created attachment 760988 [details]
File: var_log_messages

Comment 11 Milan Crha 2013-06-18 06:09:19 UTC

Thanks for a bug report. It seems that one of the .source files in your /home/wstidolph/.config/evolution/sources is corrupted in some way, causing evolution crash. Could you backup content of
   /home/wstidolph/.config/goa-1.0
   /home/wstidolph/.config/evolution/sources
   /home/wstidolph/.cache/evolution/sources
and then reconfigure your GMail account in GNOME Online Accounts, please? I suppose from the backtrace that the account configure in Online Accounts is causing this trouble. When you open the Online Accounts, does it claim anything there?

Comment 12 Wayne Stidolph 2013-06-18 17:07:09 UTC

I did the backup, then deleted and re-created the Gmail account, then rebooted. Online Accounts shows the account (both immediately after I created it, and still there after the reboot) However, I am stil getting errors - here is the summary from /var/log/messages:

Jun 18 09:30:04 f19-localdomain kernel: [   13.166554] traps: evolution-sourc[1504] general protection ip:3244a634b7 sp:7fffb55a4e70 error:0 in libglib-2.0.so.0.3600.3[
3244a00000+12a000]
Jun 18 09:30:05 f19-localdomain abrt[1516]: Saved core dump of pid 1504 (/usr/libexec/evolution-source-registry) to /var/tmp/abrt/ccpp-2013-06-18-09:30:04-1504 (2336358
4 bytes)
Jun 18 09:30:05 f19-localdomain abrtd: Directory 'ccpp-2013-06-18-09:30:04-1504' creation detected
Jun 18 09:30:05 f19-localdomain kernel: [   13.525808] traps: gnome-shell-cal[1498] trap int3 ip:3244a4ee0d sp:7fff00b78ed0 error:0
Jun 18 09:30:05 f19-localdomain abrt[1536]: Saved core dump of pid 1498 (/usr/libexec/gnome-shell-calendar-server) to /var/tmp/abrt/ccpp-2013-06-18-09:30:05-1498 (35905
536 bytes)
Jun 18 09:30:05 f19-localdomain abrtd: Directory 'ccpp-2013-06-18-09:30:05-1498' creation detected
Jun 18 09:30:05 f19-localdomain abrtd: Generating core_backtrace
Jun 18 09:30:05 f19-localdomain abrtd: Generating backtrace
Jun 18 09:30:06 f19-localdomain kernel: [   15.358303] traps: evolution-sourc[1714] general protection ip:3244a634b7 sp:7fff1f26ea80 error:0 in libglib-2.0.so.0.3600.3[
3244a00000+12a000]
Jun 18 09:30:07 f19-localdomain abrt[1719]: Saved core dump of pid 1714 (/usr/libexec/evolution-source-registry) to /var/tmp/abrt/ccpp-2013-06-18-09:30:06-1714 (2336358
4 bytes)
Jun 18 09:30:07 f19-localdomain abrtd: Directory 'ccpp-2013-06-18-09:30:06-1714' creation detected
Jun 18 09:30:09 f19-localdomain abrtd: Backtrace is generated, 37003 bytes
Jun 18 09:30:09 f19-localdomain udisksd[1371]: Mounted /dev/sr0 at /run/media/wstidolph/VBOXADDITIONS_4.2.12_84980 on behalf of uid 1000
Jun 18 09:30:09 f19-localdomain abrtd: Core backtrace is generated and saved, 3102 bytes
Jun 18 09:30:09 f19-localdomain kernel: [   18.343043] traps: evolution-sourc[1797] general protection ip:3244a634b7 sp:7fffcc8a1370 error:0 in libglib-2.0.so.0.3600.3[
3244a00000+12a000]
Jun 18 09:30:09 f19-localdomain abrt[1816]: Not saving repeating crash in '/usr/libexec/evolution-source-registry'


There's also a crash in gnome-contacts, I don't know if it's related but they both started happening about the same time, they both still happen with the new gmail account created; it looks like this in /var/log/messages:
Jun 18 09:30:09 f19-localdomain kernel: [   18.358354] traps: gnome-contacts-[1778] trap int3 ip:3244a4ee0d sp:7fff4839d5d0 error:0
Jun 18 09:30:10 f19-localdomain abrt[1817]: Saved core dump of pid 1778 (/usr/libexec/gnome-contacts-search-provider) to /var/tmp/abrt/ccpp-2013-06-18-09:30:09-1778 (28
655616 bytes)
Jun 18 09:30:10 f19-localdomain abrtd: Directory 'ccpp-2013-06-18-09:30:09-1778' creation detected
Jun 18 09:30:10 f19-localdomain abrtd: Duplicate: core backtrace
Jun 18 09:30:10 f19-localdomain abrtd: DUP_OF_DIR: /var/tmp/abrt/ccpp-2013-06-11-17:51:45-3430
Jun 18 09:30:10 f19-localdomain abrtd: Deleting problem directory ccpp-2013-06-18-09:30:04-1504 (dup of ccpp-2013-06-11-17:51:45-3430)
Jun 18 09:30:10 f19-localdomain abrtd: Duplicate: core backtrace
Jun 18 09:30:10 f19-localdomain abrtd: DUP_OF_DIR: /var/tmp/abrt/ccpp-2013-06-13-16:50:10-1571
Jun 18 09:30:10 f19-localdomain abrtd: Deleting problem directory ccpp-2013-06-18-09:30:05-1498 (dup of ccpp-2013-06-13-16:50:10-1571)
Jun 18 09:30:11 f19-localdomain abrtd: BDB2053 Freeing read locks for locker 0x289: 1860/140608066312192
Jun 18 09:30:11 f19-localdomain abrtd: BDB2053 Freeing read locks for locker 0x28a: 1860/140608066312192
Jun 18 09:30:11 f19-localdomain abrtd: BDB2053 Freeing read locks for locker 0x28b: 1860/140608066312192
Jun 18 09:30:11 f19-localdomain abrtd: BDB2053 Freeing read locks for locker 0x28c: 1860/140608066312192
Jun 18 09:30:11 f19-localdomain abrtd: Lock file '/var/tmp/abrt/ccpp-2013-06-13-16:50:10-1571/.lock' is locked by process 1874
Jun 18 09:30:11 f19-localdomain abrtd: Generating core_backtrace
Jun 18 09:30:11 f19-localdomain abrtd: Generating backtrace
Jun 18 09:30:12 f19-localdomain abrtd: Backtrace is generated, 38031 bytes
Jun 18 09:30:12 f19-localdomain abrtd: Core backtrace is generated and saved, 4299 bytes
Jun 18 09:30:13 f19-localdomain abrtd: Duplicate: core backtrace
Jun 18 09:30:13 f19-localdomain abrtd: DUP_OF_DIR: /var/tmp/abrt/ccpp-2013-06-16-09:31:21-1514
Jun 18 09:30:13 f19-localdomain abrtd: Deleting problem directory ccpp-2013-06-18-09:30:06-1714 (dup of ccpp-2013-06-16-09:31:21-1514)
Jun 18 09:30:13 f19-localdomain abrtd: Lock file '/var/tmp/abrt/ccpp-2013-06-16-09:31:21-1514/.lock' is locked by process 1957
Jun 18 09:30:13 f19-localdomain abrtd: Generating core_backtrace
Jun 18 09:30:13 f19-localdomain abrtd: Generating backtrace
Jun 18 09:30:14 f19-localdomain abrtd: Backtrace is generated, 24882 bytes
Jun 18 09:30:14 f19-localdomain abrtd: Core backtrace is generated and saved, 1724 bytes
Jun 18 09:30:14 f19-localdomain abrtd: Duplicate: core backtrace
Jun 18 09:30:14 f19-localdomain abrtd: DUP_OF_DIR: /var/tmp/abrt/ccpp-2013-06-11-17:26:07-1850
Jun 18 09:30:14 f19-localdomain abrtd: Deleting problem directory ccpp-2013-06-18-09:30:09-1778 (dup of ccpp-2013-06-11-17:26:07-1850)

Comment 13 Milan Crha 2013-06-19 06:53:13 UTC

Weird. The first part of the log suggests that the gnome-calendar-server crashed, and two seconds later also evolution-source-registry. These seem to be related. Could you run from a console the /usr/libexec/evolution-source-registry, to check its output, please? It prints quite much information, I hope some of it will be related to the crash itself.

Comment 14 Wayne Stidolph 2013-06-19 17:12:07 UTC

[wstidolph@f19-localdomain ~]$ /usr/libexec/evolution-source-registry > esr_out.txt

(process:2207): libebackend-WARNING **: collection_backend_load_resources: Data source is missing a [Data Source] group

(process:2207): libebackend-WARNING **: (e-collection-backend.c:247):collection_backend_load_resources: runtime check failed: (source == NULL)

(process:2207): libebackend-WARNING **: collection_backend_load_resources: (null)
Segmentation fault (core dumped)

[wstidolph@f19-localdomain ~]$ cat esr_out.txt 
Migrating mail accounts from GConf...
Migrating addressbook sources from GConf...
Migrating calendar sources from GConf...
Migrating task list sources from GConf...
Migrating memo list sources from GConf...
Registering EGoogleBackendFactory ('google')
Registering EEwsBackendFactory ('ews')
Registering EYahooBackendFactory ('yahoo')
Registering EOwncloudBackendFactory ('owncloud')
Registering ECollectionBackendFactory ('none')
Adding 1368752369.4969.0 ('Source')

Comment 15 Milan Crha 2013-06-20 06:05:55 UTC

Thanks for the update. Could you attach (sanitized, without any private information) the affected file, please? I'd like to see in what way the file is broken. Thanks in advance.

If I'm not mistaken, then the file might be:
  ~/.config/evolution/sources/1368752369.4969.0.source

Comment 16 Wayne Stidolph 2013-06-20 15:57:50 UTC

Created attachment 763498 [details]
evolution sources file, is dated 5/16/2013 (wasn't it re-created?)

Attaching as requested, but puzzled. I assumed that when I deleted then recreated the Online Account (the only one) that any files like this would be re-created as well ... but this file is dated on disk from *before* that account change. Also, there are four files in that folder, all with that sae date:
[wstidolph@f19-localdomain ~]$ ls -l ~/.config/evolution/sources
total 16
-rw-r--r--. 1 wstidolph root 337 May 16 17:59 1368752369.4969.0.source
-rw-r--r--. 1 wstidolph root 812 May 16 17:59 1368752369.4969.1.source
-rw-r--r--. 1 wstidolph root 322 May 16 17:59 1368752369.4969.2.source
-rw-r--r--. 1 wstidolph root 293 May 16 17:59 1368752369.4969.3.source

The.1 file has much more setup info in it, all the IMAP stuff which I don't see in the .0 file; the .2 and .3 files have some authentication control, but nothing IMAP specific. Do you need the other three files?

Comment 17 Milan Crha 2013-06-24 12:01:13 UTC

Thanks for the update. I see the file is pretty much the same as one of mine GOA account .source files, and despite the error:
> libebackend-WARNING **: collection_backend_load_resources: Data source
> is missing a [Data Source] group
this particular file has it there and looks correct as well.

That makes me wonder, do you still face the crash?

You are right with the account removal too, once you remove the GOA account, all its fallouts in evolution's sources directory should be removed as well. If this doesn't work for some reason, then I'd remove them by hand (but make a backup of them, for testing purposes). If you do not have configured any other accounts/calendars/books/... in evolution and you use GOA exclusively, then I'd say you can safely move away from
   ~/.config/evolution/sources/
and
   ~/.cache/evolution/sources/
all files or directories which have the name of the similar form as the attached one. The best if you do that from a text terminal (like Ctrl+Alt+F2), when you are not logged in a desktop session, thus the files will not be used by underlying processes, and the next desktop session login they will be regenerated as expected, and any leftovers will be gone as well.

Comment 18 Wayne Stidolph 2013-06-24 17:59:12 UTC

I was still facing the crash; I took your suggestion and removed the files from ~/.config/evolution/sources and ~/.cache/evolution/sources and then I rebooted - no more evolution server crash.

So then I opened the Online Accounts control panel, and I see the Google account is still there. Remove it, recreate it (allowing permissions for all uses - Mail, Calendar, Contacts, Chat, Documents). Log out, log in. No crash.

At this point, the Evolution email client is seeing mail properly, there's no crashes, and the dirs have these files:

[wstidolph@f19-localdomain ~]$ ls .cache/evolution/sources/
1372096240.1513.6@f19-localdomain/
1372096240.1513.10
1372096240.1513.11

[wstidolph@f19-localdomain ~]$ ls .config/evolution/sources/
1372096240.1513.6
1372096240.1513.9
1372096240.1513.8
1372096240.1513.7
local.source
vfolder.source                          
node_modules/

So I don't know what the corruption was or how it occurred, but dumping the existing files manually cleared it up - thanks! From my point of view you could close this bug, then.

Comment 19 Milan Crha 2013-06-25 06:31:13 UTC

I'm happy it works for you again. To make a wild guess from the all above information, I guess there was some crash, or unexpected interruption, of the source registry process, right during managing the older GOA account, which left the stale outdated files in the sources folder, with some of the file(s) left broken. The "start from fresh" made the cleanup work done, which is what was the source registry process supposed to do on its own.

If you still have the old files dated May 16 (from comment #16), I'll appreciate if you could send them all to me, I would try to reproduce the crash here, just in case. If there were similar files/folders also in the ~/.cache, then them too. I promise to use the files for testing only, but feel free to replace any sensitive information in the files with 'x' letters. Once I'd be able to reproduce this here I might come with a real fix in the code.

Comment 20 Wayne Stidolph 2013-06-29 22:42:36 UTC

Created attachment 766949 [details]
files as of 6/18 (best response to comment #19)

Files as backed up 6/18 still crashing) hope that's close enough to the 6/16 files requested in comment #19 (note there is a 6/16 sources file previously attached to this bug report)

Comment 21 Milan Crha 2013-07-01 09:36:30 UTC

Thanks for the files, I can reproduce the crash with them. The magic is that one of the files at ~/.config/evolution/sources is 0-byte long.

Comment 22 Milan Crha 2013-07-01 10:06:49 UTC

Since I was able to reproduce this and debug it locally, then I see it's crashing due to use-after-free of a GError instance. The console output of the source registry just before the crash was:
> Adding 1359973097.29736.13@zyxPad ('Source_150')
>
> (evolution-source-registry:31683): libebackend-WARNING **:
> collection_backend_load_resources: Data source is missing a [Data Source]
> group
>
> (evolution-source-registry:31683): libebackend-WARNING **: (e-collection-
> backend.c:247):collection_backend_load_resources: runtime check failed:
> (source == NULL)
>
> (evolution-source-registry:31683): libebackend-WARNING **:
> collection_backend_load_resources: (null)
> GSlice: MemChecker: attempt to release non-allocated block: 0xa820b0 size=16
>
> Program received signal SIGABRT, Aborted.

Comment 23 Milan Crha 2013-07-01 10:08:00 UTC

Created commit 91ca0f in eds master (3.9.4+)
Created commit 8aa6114 in eds gnome-3-8 (3.8.4+)

Comment 24 Milan Crha 2013-07-10 09:43:14 UTC

I'm building an update for this within bug #982737.

Note You need to log in before you can comment on or make changes to this bug.