| Summary: | read-after-free in packagekit-glib2 library | | |
|---|---|---|---|
| Product: | PackageKit | Reporter: | Christian Persch (GNOME) <chpe> |
| Component: | client-library | Assignee: | Richard Hughes <richard> |
| Status: | RESOLVED NOTABUG | QA Contact: | |
| Severity: | critical | | |
| Priority: | medium | | |
| Version: | unspecified | | |
| Hardware: | Other | | |
| OS: | All | | |
| Whiteboard: | | | |
We moved the upstream bugtracker to GitHub a long time ago. If this issue still affects you please re-create the issue here: https://github.com/hughsie/PackageKit/issues Sorry for the impersonal message, and fingers crossed your issue no longer happens. Thanks.
PackageKit 0.6.19-3.fc16.i686

(I suspect this to be the cause of crashes in gnome-settings-daemon.)

```
==24355== Invalid read of size 4
==24355==    at 0xF1C8C64: pk_control_call_destroy_cb (pk-control.c:250)
==24355==    by 0x47C6509: d_pending_call_free (dbus-gproxy.c:1780)
==24355==    by 0x4806F51: _dbus_data_slot_list_clear (dbus-dataslot.c:335)
==24355==    by 0x4806FA2: _dbus_data_slot_list_free (dbus-dataslot.c:352)
==24355==    by 0x47FE0FA: _dbus_pending_call_last_unref (dbus-pending-call.c:394)
==24355==    by 0x47E922F: complete_pending_call_and_unlock (dbus-connection.c:2309)
==24355==    by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593)
==24355==    by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101)
==24355==    by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425)
==24355==    by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073)
==24355==    by 0x4A5D336: g_main_loop_run (gmain.c:3281)
==24355==    by 0x41B2064: gtk_main (gtkmain.c:1362)
==24355==    by 0x4B546B2: (below main) (libc-start.c:226)
==24355==  Address 0x93dba30 is 24 bytes inside a block of size 48 free'd
==24355==    at 0x4029EED: free (vg_replace_malloc.c:366)
==24355==    by 0x4A6305B: standard_free (gmem.c:101)
==24355==    by 0x4A63356: g_free (gmem.c:263)
==24355==    by 0x4A797D6: g_slice_free1 (gslice.c:907)
==24355==    by 0xF1C9760: pk_control_get_tid_state_finish (pk-control.c:206)
==24355==    by 0xF1CD04B: pk_control_get_tid_cb (pk-control.c:239)
==24355==    by 0x47C64CD: d_pending_call_notify (dbus-gproxy.c:1771)
==24355==    by 0x47FE551: _dbus_pending_call_complete (dbus-pending-call.c:197)
==24355==    by 0x47E9227: complete_pending_call_and_unlock (dbus-connection.c:2308)
==24355==    by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593)
==24355==    by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101)
==24355==    by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425)
==24355==    by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073)
==24355==    by 0x4A5D336: g_main_loop_run (gmain.c:3281)
==24355==    by 0x41B2064: gtk_main (gtkmain.c:1362)
==24355==    by 0x4B546B2: (below main) (libc-start.c:226)
```

The problematic code starts in pk_control_get_tid_async():

```c
	/* call D-Bus method async */
	state->call = dbus_g_proxy_begin_call (control->priv->proxy, "GetTid",
					       (DBusGProxyCallNotify) pk_control_get_tid_cb, state,
					       (GDestroyNotify) pk_control_call_destroy_cb,
					       G_TYPE_INVALID);
```

The GDestroyNotify callback accesses @state:

```c
static void
pk_control_call_destroy_cb (PkControlState *state)
{
	if (state->call != NULL)
		g_warning ("%p was destroyed before it was cleared", state->call);
}
```

but the DBusGProxyCallNotify callback already destroys @state:

```c
static void
pk_control_get_tid_cb (DBusGProxy *proxy, DBusGProxyCall *call, PkControlState *state)
{
	GError *error = NULL;
	gchar *tid = NULL;
	gboolean ret;

	/* finished this call */
	state->call = NULL;

	/* get the result */
	ret = dbus_g_proxy_end_call (proxy, call, &error,
				     G_TYPE_STRING, &tid,
				     G_TYPE_INVALID);
	if (!ret) {
		/* fix up the D-Bus error */
		pk_control_fixup_dbus_error (error);
		g_warning ("failed: %s", error->message);
====>		pk_control_get_tid_state_finish (state, error);
		g_error_free (error);
		goto out;
	}

	/* save results */
	state->tid = g_strdup (tid);

	/* we're done */
====>	pk_control_get_tid_state_finish (state, NULL);
out:
	g_free (tid);
}
```

because

```c
static void
pk_control_get_tid_state_finish (PkControlState *state, const GError *error)
{
	[...]
	g_slice_free (PkControlState, state);
}
```

NOTE: the same pattern of problem may exist for the other dbus calls; but I have checked only this one.
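The ordering the valgrind trace shows (d_pending_call_notify runs the DBusGProxyCallNotify, then d_pending_call_free runs the GDestroyNotify on the same user data) is the whole bug, so here is a self-contained model of that lifecycle with the reporter's pattern beside a fixed one. This is an added example, not PackageKit or dbus-glib code: PendingCall, State, begin_call and pending_call_complete are stand-ins for the real API, and the slot allocator that records whether a State is live is a constructed replacement for g_slice so the read-after-free is detected instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the dbus-glib pending-call lifecycle behind this report: on
 * completion the DBusGProxyCallNotify runs first, then the pending call is
 * freed and the GDestroyNotify runs on the same user data. All names are
 * this example's own stand-ins, not dbus-glib or PackageKit API. */
typedef struct PendingCall PendingCall;
typedef void (*CallNotify)(PendingCall *call, void *user_data);
typedef void (*DestroyNotify)(void *user_data);
struct PendingCall {
    CallNotify    notify;    /* the DBusGProxyCallNotify argument */
    void         *user_data;
    DestroyNotify destroy;   /* the GDestroyNotify argument */
};
typedef struct { PendingCall *call; } State;   /* stands in for PkControlState */

/* Slot allocator standing in for g_slice_new/g_slice_free that records
 * whether each State is live, so the ordering bug is detected instead of
 * being undefined behaviour as it is on real heap memory. */
#define NSLOTS 4
static State pool[NSLOTS];
static int   pool_live[NSLOTS];
static State *state_new(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!pool_live[i]) { memset(&pool[i], 0, sizeof pool[i]); pool_live[i] = 1; return &pool[i]; }
    return NULL;
}
static void state_free(State *s) { pool_live[s - pool] = 0; }
static int  state_is_live(State *s) { return pool_live[s - pool]; }

/* Times the destroy notify was about to run on already-freed user data:
 * the condition valgrind reported as an invalid read. */
static int destroy_on_freed_data;
static PendingCall *begin_call(CallNotify notify, void *user_data, DestroyNotify destroy)
{
    PendingCall *call = calloc(1, sizeof *call);
    call->notify = notify;
    call->user_data = user_data;
    call->destroy = destroy;
    return call;
}
/* d_pending_call_notify() followed by d_pending_call_free(), in that order. */
static void pending_call_complete(PendingCall *call)
{
    call->notify(call, call->user_data);
    if (state_is_live(call->user_data))
        call->destroy(call->user_data);
    else
        destroy_on_freed_data++;     /* destroy would dereference freed memory */
    free(call);
}

/* Buggy pattern from the report: the notify frees the state, as
 * pk_control_get_tid_state_finish() does, and the destroy then reads it. */
static void buggy_notify_cb(PendingCall *call, void *data)
{
    State *state = data;
    (void)call;
    state->call = NULL;                  /* "finished this call" */
    state_free(state);                   /* result delivered, state is gone */
}
static void buggy_destroy_cb(void *data)
{
    State *state = data;                 /* already freed by the notify */
    if (state->call != NULL)
        fprintf(stderr, "%p was destroyed before it was cleared\n", (void *)state->call);
}
int run_buggy(void)                      /* returns how often the bug fired */
{
    destroy_on_freed_data = 0;
    State *state = state_new();
    state->call = begin_call(buggy_notify_cb, state, buggy_destroy_cb);
    pending_call_complete(state->call);
    return destroy_on_freed_data;
}

/* Fixed pattern: the pending call owns the state, so the notify only clears
 * state->call and delivers the result; the destroy notify alone frees it. */
static void fixed_notify_cb(PendingCall *call, void *data)
{
    State *state = data;
    (void)call;
    state->call = NULL;
}
static void fixed_destroy_cb(void *data)
{
    State *state = data;                 /* still live, freed exactly once here */
    if (state->call != NULL)             /* notify never ran, e.g. cancelled call */
        fprintf(stderr, "%p was destroyed before it was cleared\n", (void *)state->call);
    state_free(state);
}
int run_fixed(void)                      /* 1 = no read-after-free and no leak */
{
    destroy_on_freed_data = 0;
    State *state = state_new();
    state->call = begin_call(fixed_notify_cb, state, fixed_destroy_cb);
    pending_call_complete(state->call);
    return destroy_on_freed_data == 0 && !state_is_live(state);
}
```

The design point is single ownership: once a user-data pointer is handed to dbus_g_proxy_begin_call with a GDestroyNotify, the pending call owns it and the destroy notify is the one place it may be freed. Moving the g_slice_free out of the finish path and into the destroy callback keeps the existing "destroyed before it was cleared" warning meaningful (it now fires only when the notify never ran) and also covers the cancelled-call case without a second free.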