Bug 42510 - read-after-free in packagekit-glib2 library
Summary: read-after-free in packagekit-glib2 library
Status: RESOLVED NOTABUG
Alias: None
Product: PackageKit
Classification: Unclassified
Component: client-library (show other bugs)
Version: unspecified
Hardware: Other All
: medium critical
Assignee: Richard Hughes
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-02 05:57 UTC by Christian Persch (GNOME)
Modified: 2018-08-21 15:53 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Persch (GNOME) 2011-11-02 05:57:19 UTC
PackageKit 0.6.19-3.fc16.i686

(I suspect this to be the cause of crashes in gnome-settings-daemon.)

==24355== Invalid read of size 4
==24355==    at 0xF1C8C64: pk_control_call_destroy_cb (pk-control.c:250)
==24355==    by 0x47C6509: d_pending_call_free (dbus-gproxy.c:1780)
==24355==    by 0x4806F51: _dbus_data_slot_list_clear (dbus-dataslot.c:335)
==24355==    by 0x4806FA2: _dbus_data_slot_list_free (dbus-dataslot.c:352)
==24355==    by 0x47FE0FA: _dbus_pending_call_last_unref (dbus-pending-call.c:394)
==24355==    by 0x47E922F: complete_pending_call_and_unlock (dbus-connection.c:2309)
==24355==    by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593)
==24355==    by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101)
==24355==    by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425)
==24355==    by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073)
==24355==    by 0x4A5D336: g_main_loop_run (gmain.c:3281)
==24355==    by 0x41B2064: gtk_main (gtkmain.c:1362)
==24355==    by 0x4B546B2: (below main) (libc-start.c:226)
==24355==  Address 0x93dba30 is 24 bytes inside a block of size 48 free'd
==24355==    at 0x4029EED: free (vg_replace_malloc.c:366)
==24355==    by 0x4A6305B: standard_free (gmem.c:101)
==24355==    by 0x4A63356: g_free (gmem.c:263)
==24355==    by 0x4A797D6: g_slice_free1 (gslice.c:907)
==24355==    by 0xF1C9760: pk_control_get_tid_state_finish (pk-control.c:206)
==24355==    by 0xF1CD04B: pk_control_get_tid_cb (pk-control.c:239)
==24355==    by 0x47C64CD: d_pending_call_notify (dbus-gproxy.c:1771)
==24355==    by 0x47FE551: _dbus_pending_call_complete (dbus-pending-call.c:197)
==24355==    by 0x47E9227: complete_pending_call_and_unlock (dbus-connection.c:2308)
==24355==    by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593)
==24355==    by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101)
==24355==    by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425)
==24355==    by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073)
==24355==    by 0x4A5D336: g_main_loop_run (gmain.c:3281)
==24355==    by 0x41B2064: gtk_main (gtkmain.c:1362)
==24355==    by 0x4B546B2: (below main) (libc-start.c:226)

The problematic code starts in pk_control_get_tid_async():

        /* call D-Bus method async */
        state->call = dbus_g_proxy_begin_call (control->priv->proxy, "GetTid",
                                               (DBusGProxyCallNotify) pk_control_get_tid_cb, state,
                                               (GDestroyNotify) pk_control_call_destroy_cb, G_TYPE_INVALID);


The GDestroyNotify callback accesses @state:
static void
pk_control_call_destroy_cb (PkControlState *state)
{
        if (state->call != NULL)
                g_warning ("%p was destroyed before it was cleared", state->call);
}

but the DBusGProxyCallNotify callback already destroys @state:
static void
pk_control_get_tid_cb (DBusGProxy *proxy, DBusGProxyCall *call, PkControlState *state)
{
        GError *error = NULL;
        gchar *tid = NULL;
        gboolean ret;

        /* finished this call */
        state->call = NULL;

        /* get the result */
        ret = dbus_g_proxy_end_call (proxy, call, &error,
                                     G_TYPE_STRING, &tid,
                                     G_TYPE_INVALID);
        if (!ret) {
                /* fix up the D-Bus error */
                pk_control_fixup_dbus_error (error);
                g_warning ("failed: %s", error->message);
====>           pk_control_get_tid_state_finish (state, error);
                g_error_free (error);
                goto out;
        }

        /* save results */
        state->tid = g_strdup (tid);

        /* we're done */
====>   pk_control_get_tid_state_finish (state, NULL);
out:
        g_free (tid);
}

because
static void
pk_control_get_tid_state_finish (PkControlState *state, const GError *error)
{
[...]
        g_slice_free (PkControlState, state);
}

NOTE: the same pattern of problem may exist for the other dbus calls; but I have checked only this one.
Comment 1 Richard Hughes 2018-08-21 15:53:03 UTC
We moved the upstream bugtracker to GitHub a long time ago. If this issue still affects you please re-create the issue here: https://github.com/hughsie/PackageKit/issues
 
Sorry for the impersonal message, and fingers crossed your issue no longer happens. Thanks.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.