Bug 1447

Summary: Accessing freed memory in libSM
Product: xorg Reporter: Mark McLoughlin <mark>
Component: Lib/otherAssignee: Adam Jackson <ajax>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: high CC: ajax, alan.coopersmith, eich, kmaraas, roland.mainz
Version: git   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
patch against lib/SM/sm_process.c none

Description Mark McLoughlin 2004-09-23 05:58:57 UTC 
Library: libSM

The docs for the RegisterClient callback says:

  Call free on the previous_id pointer when it is no longer needed.

However, if the callback returns zero, SmsProcessMessage() still tries to access
previousId even though the callback should have freed it.

Problem shown up by some valgrinding on gnome-session by Kjatan Maraas.

Attaching what I think looks like a reasonable patch.
Comment 1 Mark McLoughlin 2004-09-23 05:59:42 UTC 
Created attachment 962 [details] [review]
patch against lib/SM/sm_process.c
Comment 2 Roland Mainz 2004-09-28 20:38:05 UTC 
Who can review the patch ?
Comment 3 Kjartan Maraas 2005-02-09 01:33:53 UTC 
This is still causing reports of invalid reads in gnome-session, could someone
take a look at this patch in the not too distant future?
Comment 4 Adam Jackson 2005-03-26 19:18:14 UTC 
this looks good to me.  i'll commit in a day or so if no one complains.
Comment 5 Adam Jackson 2005-04-03 11:24:44 UTC 
applied to head, closing.  thanks!
Comment 6 Kjartan Maraas 2005-09-13 01:25:44 UTC 
Reopening since I'm still seeing this in gnome-session:

==4915== Invalid read of size 1
==4915==    at 0x1BA1F847: _SmsProcessMessage (in /usr/X11R6/lib/libSM.so.6.0)
==4915==    by 0x1BA2BC7F: IceProcessMessages (in /usr/X11R6/lib/libICE.so.6.3)
==4915==    by 0x1B9611B5: process_ice_messages (gnome-ice.c:57)
==4915==    by 0x1C67495A: g_io_unix_dispatch (giounix.c:162)
==4915==    by 0x1C64E7A1: g_main_context_dispatch (gmain.c:1934)
==4915==    by 0x1C651575: g_main_context_iterate (gmain.c:2565)
==4915==    by 0x1C651A76: g_main_loop_run (gmain.c:2769)
==4915==    by 0x1BB97834: gtk_main (gtkmain.c:976)
==4915==    by 0x805412C: main (main.c:464)
==4915==  Address 0x1CED3FF8 is 0 bytes inside a block of size 9 free'd
==4915==    at 0x1B90237F: free (vg_replace_malloc.c:235)
==4915==    by 0x8051DDD: register_client (manager.c:889)
==4915==    by 0x1BA1F82C: _SmsProcessMessage (in /usr/X11R6/lib/libSM.so.6.0)
==4915==    by 0x1BA2BC7F: IceProcessMessages (in /usr/X11R6/lib/libICE.so.6.3)
==4915==    by 0x1B9611B5: process_ice_messages (gnome-ice.c:57)
==4915==    by 0x1C67495A: g_io_unix_dispatch (giounix.c:162)
==4915==    by 0x1C64E7A1: g_main_context_dispatch (gmain.c:1934)
==4915==    by 0x1C651575: g_main_context_iterate (gmain.c:2565)
==4915==    by 0x1C651A76: g_main_loop_run (gmain.c:2769)
==4915==    by 0x1BB97834: gtk_main (gtkmain.c:976)
==4915==    by 0x805412C: main (main.c:464)
Comment 7 Kjartan Maraas 2005-09-13 01:41:52 UTC 
Btw, this is current Fedora rawhide with gnome 2.12 built from CVS
Comment 8 Mark McLoughlin 2005-09-30 02:08:51 UTC 
Kjartan: no-one said anything about this being fixed in rawhide. The fix went
into CVS after 6.8.2

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.