[Bug 44692] New: Use of finalised TpContact in contacts_context_remove_common_features() when fuzzing
bugzilla-daemon at freedesktop.org
Wed Jan 11 18:57:27 CET 2012
https://bugs.freedesktop.org/show_bug.cgi?id=44692
Bug #: 44692
Summary: Use of finalised TpContact in
contacts_context_remove_common_features() when fuzzing
Classification: Unclassified
Product: Telepathy
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: medium
Component: tp-glib
AssignedTo: telepathy-bugs at lists.freedesktop.org
ReportedBy: bugzilla at tecnocode.co.uk
QAContact: telepathy-bugs at lists.freedesktop.org
With git e88ba20da99e8ebd323dfb09e5c99171d5f17bb5 of tp-glib, my fuzzer's
managed to cause tp-glib to access the ->priv data in a TpContact which has
previously been finalised.
I have a core dump for the crash, which I can send to anyone who needs it.
(It's too big to attach here.)
Backtrace:
Core was generated by `/opt/gnome3/build/bin/empathy'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007ffff5d9cd24 in contacts_context_remove_common_features (
context=0xa9c0c0) at contact.c:4108
4108 minimal_feature_flags &= contact->priv->has_features;
(gdb) t a a bt
Thread 3 (Thread 0x7fffed1eb700 (LWP 8442)):
#0 0x0000003f41ee6af3 in poll () from /lib64/libc.so.6
#1 0x00007ffff26df68b in g_poll (fds=0x7fffe80010e0, nfds=3, timeout=-1)
at gpoll.c:132
#2 0x00007ffff26ceea5 in g_main_context_poll (context=0x8bbde0, timeout=-1,
priority=2147483647, fds=0x7fffe80010e0, n_fds=3) at gmain.c:3415
#3 0x00007ffff26ce835 in g_main_context_iterate (context=0x8bbde0, block=1,
dispatch=1, self=0x8bcd90) at gmain.c:3116
#4 0x00007ffff26cec86 in g_main_loop_run (loop=0x8bbd90) at gmain.c:3315
#5 0x00007ffff310d9e8 in gdbus_shared_thread_func (user_data=0x8bbdb0)
at gdbusprivate.c:276
#6 0x00007ffff26f97e8 in g_thread_proxy (data=0x8bcd90) at gthread.c:801
#7 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#8 0x0000003f41eef48d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7fffe339d700 (LWP 8443)):
#0 0x0000003f4260be4f in pthread_cond_timedwait@@GLIBC_2.3.2 ()
from /lib64/libpthread.so.0
#1 0x00007ffff271b9a9 in g_cond_wait_until (cond=0xa21318, mutex=0xa21310,
end_time=314656236873) at gthread-posix.c:870
#2 0x00007ffff26999e0 in g_cond_timed_wait (cond=0xa21318, mutex=0xa21310,
abs_time=0x7fffe339cb80) at deprecated/gthread-deprecated.c:1585
#3 0x00007ffff269bc8f in g_async_queue_pop_intern_unlocked (queue=0xa21310,
wait=1, end_time=0x7fffe339cb80) at gasyncqueue.c:418
#4 0x00007ffff269bed9 in g_async_queue_timed_pop (queue=0xa21310,
end_time=0x7fffe339cb80) at gasyncqueue.c:542
#5 0x00007ffff26f9bdd in g_thread_pool_wait_for_new_pool ()
at gthreadpool.c:174
#6 0x00007ffff26f9ec4 in g_thread_pool_thread_proxy (data=0xa211c0)
at gthreadpool.c:374
#7 0x00007ffff26f97e8 in g_thread_proxy (data=0xa1dd40) at gthread.c:801
#8 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#9 0x0000003f41eef48d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7fffee73c9c0 (LWP 8441)):
#0 0x00007ffff5d9cd24 in contacts_context_remove_common_features (
context=0xa9c0c0) at contact.c:4108
#1 0x00007ffff5d9cf67 in tp_connection_get_contacts_by_handle (self=0x8f9580,
n_handles=1, handles=0xb47290, n_features=7, features=0xad1ca0,
callback=0x7ffff74d7664 <get_contacts_by_handle_cb>, user_data=0xb3f4c0,
destroy=0, weak_object=0x8f9580) at contact.c:4193
#2 0x00007ffff74d78c2 in
folks_tp_lowlevel_connection_get_contacts_by_handle_async (conn=0x8f9580,
contact_handles=0xb47290, contact_handles_length=1,
features=0xad1ca0, features_length=7,
callback=0x7ffff74b6f34
<_tpf_persona_store_create_personas_from_channel_handles_async_ready>, user_data=0x8471c0) at tp-lowlevel.c:266
#3 0x00007ffff74b770b in
_tpf_persona_store_create_personas_from_channel_handles_async_co
(_data_=0x8471c0) at tpf-persona-store.c:6426
#4 0x00007ffff74b6dd0 in
_tpf_persona_store_create_personas_from_channel_handles_async (self=0xa131b0,
channel=0x96a6b0, channel_handles=0xb56720,
_callback_=0x7ffff74b393c
<_tpf_persona_store_channel_group_pend_incoming_adds_ready>,
_user_data_=0x80d3f0) at tpf-persona-store.c:6302
#5 0x00007ffff74b3b42 in
_tpf_persona_store_channel_group_pend_incoming_adds_co (_data_=0x80d3f0) at
tpf-persona-store.c:5700
#6 0x00007ffff74b38b0 in _tpf_persona_store_channel_group_pend_incoming_adds (
self=0xa131b0, channel=0x96a6b0, adds=0xb56720, create_personas=1,
_callback_=0, _user_data_=0x0) at tpf-persona-store.c:5654
#7 0x00007ffff74aff25 in
_tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb
(self=0xa131b0, channel=0x96a6b0, added=0xb56720,
removed=0xb565a0, local_pending=0xb35580, remote_pending=0xb43180,
details=0xb3f700) at tpf-persona-store.c:4881
#8 0x00007ffff74add89 in
__tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed
(_sender=0x96a6b0,
added=0xb56720, removed=0xb565a0, local_pending=0xb35580,
remote_pending=0xb43180, details=0xb3f700, self=0xa131b0)
at tpf-persona-store.c:4422
#9 0x00007ffff5e06404 in _tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED (
closure=0xb31f60, return_value=0x0, n_param_values=6,
param_values=0xa9c4b0, invocation_hint=0x7fffffffe460, marshal_data=0x0)
at _gen/signals-marshal.c:360
#10 0x00007ffff2bd0e30 in g_closure_invoke (closure=0xb31f60,
return_value=0x0, n_param_values=6, param_values=0xa9c4b0,
invocation_hint=0x7fffffffe460) at gclosure.c:774
#11 0x00007ffff2bea38f in signal_emit_unlocked_R (node=0xabab60, detail=0,
instance=0x96a6b0, emission_return=0x0, instance_and_params=0xa9c4b0)
at gsignal.c:3302
#12 0x00007ffff2be959d in g_signal_emit_valist (instance=0x96a6b0,
signal_id=367, detail=0, var_args=0x7fffffffe6e0) at gsignal.c:3033
#13 0x00007ffff2be9c59 in g_signal_emit_by_name (instance=0x96a6b0,
detailed_signal=0x7ffff5e33688 "group-members-changed-detailed")
at gsignal.c:3127
#14 0x00007ffff5d51953 in handle_members_changed (self=0x96a6b0,
message=0x7ffff5e32f20 "", added=0xb56260, removed=0xb564c0,
local_pending=0xb56880, remote_pending=0xb566a0, actor=0, reason=0,
details=0xb3f760) at channel-group.c:1130
#15 0x00007ffff5d51c02 in tp_channel_group_members_changed_detailed_cb (
self=0x96a6b0, added=0xb56260, removed=0xb564c0, local_pending=0xb56880,
remote_pending=0xb566a0, details=0xb3f760, unused=0x0, weak_obj=0x0)
at channel-group.c:1208
#16 0x00007ffff5d26097 in
_tp_cli_channel_interface_group_invoke_callback_for_members_changed_detailed
(tpproxy=0x96a6b0, error=0x0, args=0xb42e40,
generic_callback=0x7ffff5d51afa
<tp_channel_group_members_changed_detailed_cb>, user_data=0x0, weak_object=0x0)
at _gen/tp-cli-channel-body.h:3173
#17 0x00007ffff5df5a55 in tp_proxy_signal_invocation_run (p=0xb56360)
at proxy-signals.c:266
#18 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb3fec0,
callback=0x7ffff5df59ad <tp_proxy_signal_invocation_run>,
user_data=0xb56360) at gmain.c:4632
#19 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
#20 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0)
at gmain.c:3050
#21 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1,
dispatch=1, self=0x8a6f80) at gmain.c:3121
#22 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0,
may_block=1) at gmain.c:3182
#23 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1,
argv=0x7fffffffeca8) at gapplication.c:1599
#24 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
(gdb) bt full
#0 0x00007ffff5d9cd24 in contacts_context_remove_common_features (
context=0xa9c0c0) at contact.c:4108
contact = 0xb3d9b0
minimal_feature_flags = 4294967295
i = 0
#1 0x00007ffff5d9cf67 in tp_connection_get_contacts_by_handle (self=0x8f9580,
n_handles=1, handles=0xb47290, n_features=7, features=0xad1ca0,
callback=0x7ffff74d7664 <get_contacts_by_handle_cb>, user_data=0xb3f4c0,
destroy=0, weak_object=0x8f9580) at contact.c:4193
feature_flags = 247
context = 0xa9c0c0
contacts = 0xb56480
__PRETTY_FUNCTION__ = "tp_connection_get_contacts_by_handle"
#2 0x00007ffff74d78c2 in
folks_tp_lowlevel_connection_get_contacts_by_handle_async (conn=0x8f9580,
contact_handles=0xb47290, contact_handles_length=1,
features=0xad1ca0, features_length=7,
callback=0x7ffff74b6f34
<_tpf_persona_store_create_personas_from_channel_handles_async_ready>,
user_data=0x8471c0) at tp-lowlevel.c:266
result = 0xb3f4c0
#3 0x00007ffff74b770b in
_tpf_persona_store_create_personas_from_channel_handles_async_co
(_data_=0x8471c0) at tpf-persona-store.c:6426
__PRETTY_FUNCTION__ =
"_tpf_persona_store_create_personas_from_channel_handles_async_co"
#4 0x00007ffff74b6dd0 in
_tpf_persona_store_create_personas_from_channel_handles_async (self=0xa131b0,
channel=0x96a6b0, channel_handles=0xb56720,
_callback_=0x7ffff74b393c
<_tpf_persona_store_channel_group_pend_incoming_adds_ready>,
_user_data_=0x80d3f0) at tpf-persona-store.c:6302
_data_ = 0x8471c0
_tmp0_ = 0xa131b0
_tmp1_ = 0x96a6b0
_tmp2_ = 0x96a6b0
_tmp3_ = 0xb56720
_tmp4_ = 0xb56720
#5 0x00007ffff74b3b42 in
_tpf_persona_store_channel_group_pend_incoming_adds_co (_data_=0x80d3f0) at
tpf-persona-store.c:5700
__PRETTY_FUNCTION__ =
"_tpf_persona_store_channel_group_pend_incoming_adds_co"
#6 0x00007ffff74b38b0 in _tpf_persona_store_channel_group_pend_incoming_adds (
self=0xa131b0, channel=0x96a6b0, adds=0xb56720, create_personas=1,
_callback_=0, _user_data_=0x0) at tpf-persona-store.c:5654
_data_ = 0x80d3f0
_tmp0_ = 0xa131b0
_tmp1_ = 0x96a6b0
_tmp2_ = 0x96a6b0
_tmp3_ = 0xb56720
_tmp4_ = 0xb56720
_tmp5_ = 1
#7 0x00007ffff74aff25 in
_tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb
(self=0xa131b0, channel=0x96a6b0, added=0xb56720,
removed=0xb565a0, local_pending=0xb35580, remote_pending=0xb43180,
details=0xb3f700) at tpf-persona-store.c:4881
_tmp2_ = 0x96a6b0
_tmp3_ = 0xb56720
_tmp4_ = 0x7fffffffe270
_tmp0_ = 0xb56720
_tmp1_ = 1
__PRETTY_FUNCTION__ =
"_tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb"
#8 0x00007ffff74add89 in
__tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed
(_sender=0x96a6b0,
added=0xb56720, removed=0xb565a0, local_pending=0xb35580,
remote_pending=0xb43180, details=0xb3f700, self=0xa131b0)
at tpf-persona-store.c:4422
No locals.
#9 0x00007ffff5e06404 in _tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED (
closure=0xb31f60, return_value=0x0, n_param_values=6,
param_values=0xa9c4b0, invocation_hint=0x7fffffffe460, marshal_data=0x0)
at _gen/signals-marshal.c:360
callback = 0x7ffff74add2a
<__tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed>
cc = 0x7ffff74add2a
data1 = 0x96a6b0
data2 = 0xa131b0
__PRETTY_FUNCTION__ = "_tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED"
#10 0x00007ffff2bd0e30 in g_closure_invoke (closure=0xb31f60,
return_value=0x0, n_param_values=6, param_values=0xa9c4b0,
invocation_hint=0x7fffffffe460) at gclosure.c:774
marshal = 0x7ffff5e06313
<_tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED>
marshal_data = 0x0
in_marshal = 0
__PRETTY_FUNCTION__ = "g_closure_invoke"
#11 0x00007ffff2bea38f in signal_emit_unlocked_R (node=0xabab60, detail=0,
instance=0x96a6b0, emission_return=0x0, instance_and_params=0xa9c4b0)
at gsignal.c:3302
tmp = 0x7fffffffe520
handler = 0xb3ea70
accumulator = 0x0
emission = {next = 0x0, instance = 0x96a6b0, ihint = {signal_id = 367,
detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN,
chain_type = 4}
class_closure = 0x0
hlist = 0xb3d4f8
handler_list = 0xb3ea70
return_accu = 0x0
accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0,
v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0,
v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0,
v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0,
v_double = 0, v_pointer = 0x0}}}
signal_id = 367
max_sequential_handler_number = 1215
return_value_altered = 0
#12 0x00007ffff2be959d in g_signal_emit_valist (instance=0x96a6b0,
signal_id=367, detail=0, var_args=0x7fffffffe6e0) at gsignal.c:3033
instance_and_params = 0xa9c4b0
signal_return_type = 4
param_values = 0xa9c4c8
node = 0xabab60
i = 5
n_params = 5
__PRETTY_FUNCTION__ = "g_signal_emit_valist"
#13 0x00007ffff2be9c59 in g_signal_emit_by_name (instance=0x96a6b0,
detailed_signal=0x7ffff5e33688 "group-members-changed-detailed")
at gsignal.c:3127
var_args = {{gp_offset = 48, fp_offset = 48,
overflow_arg_area = 0x7fffffffe7c8,
reg_save_area = 0x7fffffffe700}}
detail = 0
signal_id = 367
__PRETTY_FUNCTION__ = "g_signal_emit_by_name"
#14 0x00007ffff5d51953 in handle_members_changed (self=0x96a6b0,
message=0x7ffff5e32f20 "", added=0xb56260, removed=0xb564c0,
local_pending=0xb56880, remote_pending=0xb566a0, actor=0, reason=0,
details=0xb3f760) at channel-group.c:1130
i = 0
__PRETTY_FUNCTION__ = "handle_members_changed"
#15 0x00007ffff5d51c02 in tp_channel_group_members_changed_detailed_cb (
self=0x96a6b0, added=0xb56260, removed=0xb564c0, local_pending=0xb56880,
remote_pending=0xb566a0, details=0xb3f760, unused=0x0, weak_obj=0x0)
at channel-group.c:1208
message = 0x7ffff5e32f20 ""
actor = 0
reason = 0
__PRETTY_FUNCTION__ = "tp_channel_group_members_changed_detailed_cb"
#16 0x00007ffff5d26097 in
_tp_cli_channel_interface_group_invoke_callback_for_members_changed_detailed
(tpproxy=0x96a6b0, error=0x0, args=0xb42e40,
generic_callback=0x7ffff5d51afa
<tp_channel_group_members_changed_detailed_cb>, user_data=0x0, weak_object=0x0) at _gen/tp-cli-channel-body.h:3173
callback = 0x7ffff5d51afa
<tp_channel_group_members_changed_detailed_cb>
#17 0x00007ffff5df5a55 in tp_proxy_signal_invocation_run (p=0xb56360)
at proxy-signals.c:266
invocation = 0xb56360
popped = 0xb56360
__PRETTY_FUNCTION__ = "tp_proxy_signal_invocation_run"
#18 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb3fec0,
callback=0x7ffff5df59ad <tp_proxy_signal_invocation_run>,
user_data=0xb56360) at gmain.c:4632
No locals.
#19 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
dispatch = 0x7ffff26d0097 <g_idle_dispatch>
was_in_call = 0
user_data = 0xb56360
callback = 0x7ffff5df59ad <tp_proxy_signal_invocation_run>
cb_funcs = 0x7ffff29bdfe0
cb_data = 0xb5a550
need_destroy = 7827920
current_source_link = {data = 0xb3fec0, next = 0x0}
source = 0xb3fec0
current = 0x8b9fa0
i = 0
__PRETTY_FUNCTION__ = "g_main_dispatch"
#20 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0)
at gmain.c:3050
No locals.
#21 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1,
dispatch=1, self=0x8a6f80) at gmain.c:3121
max_priority = -100
timeout = 0
some_ready = 1
nfds = 0
allocated_nfds = 7
fds = 0xa8eef0
#22 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0,
may_block=1) at gmain.c:3182
retval = 1
#23 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1,
argv=0x7fffffffeca8) at gapplication.c:1599
arguments = 0x8a4d90
status = 0
i = 1
__PRETTY_FUNCTION__ = "g_application_run"
#24 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
app = 0x7bb360
retval = 0
(gdb) frame 0
#0 0x00007ffff5d9cd24 in contacts_context_remove_common_features (
context=0xa9c0c0) at contact.c:4108
4108 minimal_feature_flags &= contact->priv->has_features;
(gdb) print *contact
$1 = {parent = {g_type_instance = {g_class = 0xb3d8f0}, ref_count = 0,
qdata = 0xaaaaaaaaaaaaaaaa}, priv = 0xaaaaaaaaaaaaaaaa}
(gdb) print *context
$2 = {refcount = 1, connection = 0x8f9580, contacts = 0xb56420,
handles = 0xb566e0, invalid = 0xb494c0, request_ids = 0x0,
request_errors = 0x0, wanted = 247, signature = CB_BY_HANDLE, callback = {
by_handle = 0x7ffff74d7664 <get_contacts_by_handle_cb>,
by_id = 0x7ffff74d7664 <get_contacts_by_handle_cb>,
upgrade = 0x7ffff74d7664 <get_contacts_by_handle_cb>},
user_data = 0xb3f4c0, destroy = 0, weak_object = 0x8f9580,
no_purpose_in_life = 0, todo = {head = 0x0, tail = 0x0, length = 0},
next_index = 0, contacts_have_ids = 1}
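Added example, not code from the bug report or from tp-glib. The `print *contact` above shows `ref_count = 0` and a 0xaa fill where `qdata` and `priv` used to be, so the instance has been finalised and its memory overwritten before contacts_context_remove_common_features() read `contact->priv->has_features`. The report does not say why the contact was finalised while the context still pointed at it; the model below assumes the usual cause of this crash class, a pending context that stored a borrowed pointer without taking its own reference, and contrasts it with a context that refs what it stores. All names (Contact, ContactsContext, simulate, the 4-entry arena) are assumptions; the AND-over-has_features loop mirrors the crashing line. To keep the demonstration free of undefined behaviour, finalisation frees `priv` and poisons the pointer fields but keeps the instance struct in a static arena, so the liveness check can read `ref_count` safely; a real finalise frees the struct too, which is why the page's read of `contact->priv` faults.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted instance; not tp-glib's real layout. */
typedef struct {
    unsigned has_features;   /* bitmask of features this contact has */
} ContactPrivate;

typedef struct {
    unsigned ref_count;      /* 0 once finalised */
    void *qdata;
    ContactPrivate *priv;
} Contact;

/* Instances live in a small static arena so a finalised one can still be
 * inspected safely in this demo (a real finalise frees the struct). */
static Contact instances[4];
static size_t n_instances;

static Contact *contact_new(unsigned features)
{
    assert(n_instances < sizeof instances / sizeof instances[0]);
    Contact *c = &instances[n_instances++];
    c->ref_count = 1;
    c->qdata = NULL;
    c->priv = calloc(1, sizeof *c->priv);
    assert(c->priv != NULL);
    c->priv->has_features = features;
    return c;
}

static Contact *contact_ref(Contact *c)
{
    assert(c->ref_count > 0);
    c->ref_count++;
    return c;
}

/* On the last unref: free priv and poison the pointer fields with 0xaa,
 * the pattern visible in the bug's `print *contact`. */
static void contact_unref(Contact *c)
{
    assert(c->ref_count > 0);
    if (--c->ref_count == 0) {
        free(c->priv);
        memset(&c->qdata, 0xaa, sizeof c->qdata);
        memset(&c->priv, 0xaa, sizeof c->priv);
    }
}

typedef struct {
    Contact *contacts[4];
    size_t n_contacts;
    int owns_refs;   /* 1: the context holds its own reference on each contact */
} ContactsContext;

static void context_init(ContactsContext *ctx, Contact **contacts, size_t n, int take_refs)
{
    ctx->n_contacts = n;
    ctx->owns_refs = take_refs;
    for (size_t i = 0; i < n; i++)
        ctx->contacts[i] = take_refs ? contact_ref(contacts[i]) : contacts[i];
}

static void context_clear(ContactsContext *ctx)
{
    if (ctx->owns_refs)
        for (size_t i = 0; i < ctx->n_contacts; i++)
            contact_unref(ctx->contacts[i]);
    ctx->n_contacts = 0;
}

/* Mirror of the crashing loop: AND has_features over the contacts.
 * Returns 0 on success, -1 if a contact is already finalised; the real code
 * has no such check and dereferences the poisoned priv pointer instead. */
static int context_remove_common_features(const ContactsContext *ctx, unsigned *out)
{
    unsigned minimal = ~0u;   /* 4294967295, as in the bt full output */
    for (size_t i = 0; i < ctx->n_contacts; i++) {
        const Contact *c = ctx->contacts[i];
        if (c->ref_count == 0)
            return -1;
        minimal &= c->priv->has_features;
    }
    *out = minimal;
    return 0;
}

/* Caller hands two contacts to a pending context, then drops its own
 * references before the context runs. Returns the loop's result code. */
static int simulate(int context_takes_refs, unsigned *out)
{
    n_instances = 0;
    Contact *a = contact_new(0xf7);   /* 247, the `wanted` value on the page */
    Contact *b = contact_new(0x0f);
    Contact *both[] = { a, b };
    ContactsContext ctx;
    context_init(&ctx, both, 2, context_takes_refs);

    contact_unref(a);   /* with borrowed pointers this finalises a and b */
    contact_unref(b);

    int rc = context_remove_common_features(&ctx, out);
    context_clear(&ctx);
    return rc;
}

int main(void)
{
    unsigned flags = 0;
    printf("borrowed pointers: rc=%d\n", simulate(0, &flags));
    printf("owned references:  rc=%d flags=0x%x\n", simulate(1, &flags), flags);
    return 0;
}
```

The borrowed-pointer run returns -1 because both contacts reach `ref_count == 0` before the loop; the owned-reference run survives the caller's unrefs, computes 0xf7 & 0x0f = 0x07, and only finalises the contacts when the context itself is cleared. The practical check for a report like this one is therefore whether the object that owns `contacts` (here `context->contacts`, with `refcount = 1` still on the context) takes a reference on each TpContact for as long as the context is pending.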