Bug 44692 - Use of finalised TpContact in contacts_context_remove_common_features() when fuzzing
Summary: Use of finalised TpContact in contacts_context_remove_common_features() when ...
Status: RESOLVED MOVED
Alias: None
Product: Telepathy
Classification: Unclassified
Component: tp-glib (show other bugs)
Version: unspecified
Hardware: All All
Importance: medium major
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-11 09:57 UTC by Philip Withnall
Modified: 2019-12-03 20:39 UTC (History)

See Also:


Attachments
Empathy/folks/tp-glib log (38.17 KB, text/plain)
2012-01-11 09:59 UTC, Philip Withnall
Details
Simulator log (100.93 KB, text/plain)
2012-01-11 09:59 UTC, Philip Withnall
Details

Description Philip Withnall 2012-01-11 09:57:27 UTC
With git e88ba20da99e8ebd323dfb09e5c99171d5f17bb5 of tp-glib, my fuzzer's managed to cause tp-glib to access the ->priv data in a TpContact which has previously been finalised.

I have a core dump for the crash, which I can send to anyone who needs it. (It's too big to attach here.)

Backtrace:

Core was generated by `/opt/gnome3/build/bin/empathy'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007ffff5d9cd24 in contacts_context_remove_common_features (
    context=0xa9c0c0) at contact.c:4108
4108	      minimal_feature_flags &= contact->priv->has_features;
(gdb) t a a bt

Thread 3 (Thread 0x7fffed1eb700 (LWP 8442)):
#0  0x0000003f41ee6af3 in poll () from /lib64/libc.so.6
#1  0x00007ffff26df68b in g_poll (fds=0x7fffe80010e0, nfds=3, timeout=-1)
    at gpoll.c:132
#2  0x00007ffff26ceea5 in g_main_context_poll (context=0x8bbde0, timeout=-1, 
    priority=2147483647, fds=0x7fffe80010e0, n_fds=3) at gmain.c:3415
#3  0x00007ffff26ce835 in g_main_context_iterate (context=0x8bbde0, block=1, 
    dispatch=1, self=0x8bcd90) at gmain.c:3116
#4  0x00007ffff26cec86 in g_main_loop_run (loop=0x8bbd90) at gmain.c:3315
#5  0x00007ffff310d9e8 in gdbus_shared_thread_func (user_data=0x8bbdb0)
    at gdbusprivate.c:276
#6  0x00007ffff26f97e8 in g_thread_proxy (data=0x8bcd90) at gthread.c:801
#7  0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#8  0x0000003f41eef48d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7fffe339d700 (LWP 8443)):
#0  0x0000003f4260be4f in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib64/libpthread.so.0
#1  0x00007ffff271b9a9 in g_cond_wait_until (cond=0xa21318, mutex=0xa21310, 
    end_time=314656236873) at gthread-posix.c:870
#2  0x00007ffff26999e0 in g_cond_timed_wait (cond=0xa21318, mutex=0xa21310, 
    abs_time=0x7fffe339cb80) at deprecated/gthread-deprecated.c:1585
#3  0x00007ffff269bc8f in g_async_queue_pop_intern_unlocked (queue=0xa21310, 
    wait=1, end_time=0x7fffe339cb80) at gasyncqueue.c:418
#4  0x00007ffff269bed9 in g_async_queue_timed_pop (queue=0xa21310, 
    end_time=0x7fffe339cb80) at gasyncqueue.c:542
#5  0x00007ffff26f9bdd in g_thread_pool_wait_for_new_pool ()
    at gthreadpool.c:174
#6  0x00007ffff26f9ec4 in g_thread_pool_thread_proxy (data=0xa211c0)
    at gthreadpool.c:374
#7  0x00007ffff26f97e8 in g_thread_proxy (data=0xa1dd40) at gthread.c:801
#8  0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#9  0x0000003f41eef48d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fffee73c9c0 (LWP 8441)):
#0  0x00007ffff5d9cd24 in contacts_context_remove_common_features (
    context=0xa9c0c0) at contact.c:4108
#1  0x00007ffff5d9cf67 in tp_connection_get_contacts_by_handle (self=0x8f9580, 
    n_handles=1, handles=0xb47290, n_features=7, features=0xad1ca0, 
    callback=0x7ffff74d7664 <get_contacts_by_handle_cb>, user_data=0xb3f4c0, 
    destroy=0, weak_object=0x8f9580) at contact.c:4193
#2  0x00007ffff74d78c2 in folks_tp_lowlevel_connection_get_contacts_by_handle_async (conn=0x8f9580, contact_handles=0xb47290, contact_handles_length=1, 
    features=0xad1ca0, features_length=7, 
    callback=0x7ffff74b6f34 <_tpf_persona_store_create_personas_from_channel_handles_async_ready>, user_data=0x8471c0) at tp-lowlevel.c:266
#3  0x00007ffff74b770b in _tpf_persona_store_create_personas_from_channel_handles_async_co (_data_=0x8471c0) at tpf-persona-store.c:6426
#4  0x00007ffff74b6dd0 in _tpf_persona_store_create_personas_from_channel_handles_async (self=0xa131b0, channel=0x96a6b0, channel_handles=0xb56720, 
    _callback_=0x7ffff74b393c <_tpf_persona_store_channel_group_pend_incoming_adds_ready>, _user_data_=0x80d3f0) at tpf-persona-store.c:6302
#5  0x00007ffff74b3b42 in _tpf_persona_store_channel_group_pend_incoming_adds_co (_data_=0x80d3f0) at tpf-persona-store.c:5700
#6  0x00007ffff74b38b0 in _tpf_persona_store_channel_group_pend_incoming_adds (
    self=0xa131b0, channel=0x96a6b0, adds=0xb56720, create_personas=1, 
    _callback_=0, _user_data_=0x0) at tpf-persona-store.c:5654
#7  0x00007ffff74aff25 in _tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb (self=0xa131b0, channel=0x96a6b0, added=0xb56720, 
    removed=0xb565a0, local_pending=0xb35580, remote_pending=0xb43180, 
    details=0xb3f700) at tpf-persona-store.c:4881
#8  0x00007ffff74add89 in __tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed (_sender=0x96a6b0, 
    added=0xb56720, removed=0xb565a0, local_pending=0xb35580, 
    remote_pending=0xb43180, details=0xb3f700, self=0xa131b0)
    at tpf-persona-store.c:4422
#9  0x00007ffff5e06404 in _tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED (
    closure=0xb31f60, return_value=0x0, n_param_values=6, 
    param_values=0xa9c4b0, invocation_hint=0x7fffffffe460, marshal_data=0x0)
    at _gen/signals-marshal.c:360
#10 0x00007ffff2bd0e30 in g_closure_invoke (closure=0xb31f60, 
    return_value=0x0, n_param_values=6, param_values=0xa9c4b0, 
    invocation_hint=0x7fffffffe460) at gclosure.c:774
#11 0x00007ffff2bea38f in signal_emit_unlocked_R (node=0xabab60, detail=0, 
    instance=0x96a6b0, emission_return=0x0, instance_and_params=0xa9c4b0)
    at gsignal.c:3302
#12 0x00007ffff2be959d in g_signal_emit_valist (instance=0x96a6b0, 
    signal_id=367, detail=0, var_args=0x7fffffffe6e0) at gsignal.c:3033
#13 0x00007ffff2be9c59 in g_signal_emit_by_name (instance=0x96a6b0, 
    detailed_signal=0x7ffff5e33688 "group-members-changed-detailed")
    at gsignal.c:3127
#14 0x00007ffff5d51953 in handle_members_changed (self=0x96a6b0, 
    message=0x7ffff5e32f20 "", added=0xb56260, removed=0xb564c0, 
    local_pending=0xb56880, remote_pending=0xb566a0, actor=0, reason=0, 
    details=0xb3f760) at channel-group.c:1130
#15 0x00007ffff5d51c02 in tp_channel_group_members_changed_detailed_cb (
    self=0x96a6b0, added=0xb56260, removed=0xb564c0, local_pending=0xb56880, 
    remote_pending=0xb566a0, details=0xb3f760, unused=0x0, weak_obj=0x0)
    at channel-group.c:1208
#16 0x00007ffff5d26097 in _tp_cli_channel_interface_group_invoke_callback_for_members_changed_detailed (tpproxy=0x96a6b0, error=0x0, args=0xb42e40, 
    generic_callback=0x7ffff5d51afa <tp_channel_group_members_changed_detailed_cb>, user_data=0x0, weak_object=0x0) at _gen/tp-cli-channel-body.h:3173
#17 0x00007ffff5df5a55 in tp_proxy_signal_invocation_run (p=0xb56360)
    at proxy-signals.c:266
#18 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb3fec0, 
    callback=0x7ffff5df59ad <tp_proxy_signal_invocation_run>, 
    user_data=0xb56360) at gmain.c:4632
#19 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
#20 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0)
    at gmain.c:3050
#21 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, 
    dispatch=1, self=0x8a6f80) at gmain.c:3121
#22 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, 
    may_block=1) at gmain.c:3182
#23 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, 
    argv=0x7fffffffeca8) at gapplication.c:1599
#24 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
(gdb) bt full
#0  0x00007ffff5d9cd24 in contacts_context_remove_common_features (
    context=0xa9c0c0) at contact.c:4108
        contact = 0xb3d9b0
        minimal_feature_flags = 4294967295
        i = 0
#1  0x00007ffff5d9cf67 in tp_connection_get_contacts_by_handle (self=0x8f9580, 
    n_handles=1, handles=0xb47290, n_features=7, features=0xad1ca0, 
    callback=0x7ffff74d7664 <get_contacts_by_handle_cb>, user_data=0xb3f4c0, 
    destroy=0, weak_object=0x8f9580) at contact.c:4193
        feature_flags = 247
        context = 0xa9c0c0
        contacts = 0xb56480
        __PRETTY_FUNCTION__ = "tp_connection_get_contacts_by_handle"
#2  0x00007ffff74d78c2 in folks_tp_lowlevel_connection_get_contacts_by_handle_async (conn=0x8f9580, contact_handles=0xb47290, contact_handles_length=1, 
    features=0xad1ca0, features_length=7, 
    callback=0x7ffff74b6f34 <_tpf_persona_store_create_personas_from_channel_handles_async_ready>, user_data=0x8471c0) at tp-lowlevel.c:266
        result = 0xb3f4c0
#3  0x00007ffff74b770b in _tpf_persona_store_create_personas_from_channel_handles_async_co (_data_=0x8471c0) at tpf-persona-store.c:6426
        __PRETTY_FUNCTION__ = "_tpf_persona_store_create_personas_from_channel_handles_async_co"
#4  0x00007ffff74b6dd0 in _tpf_persona_store_create_personas_from_channel_handles_async (self=0xa131b0, channel=0x96a6b0, channel_handles=0xb56720, 
    _callback_=0x7ffff74b393c <_tpf_persona_store_channel_group_pend_incoming_adds_ready>, _user_data_=0x80d3f0) at tpf-persona-store.c:6302
        _data_ = 0x8471c0
        _tmp0_ = 0xa131b0
        _tmp1_ = 0x96a6b0
        _tmp2_ = 0x96a6b0
        _tmp3_ = 0xb56720
        _tmp4_ = 0xb56720
#5  0x00007ffff74b3b42 in _tpf_persona_store_channel_group_pend_incoming_adds_co (_data_=0x80d3f0) at tpf-persona-store.c:5700
        __PRETTY_FUNCTION__ = "_tpf_persona_store_channel_group_pend_incoming_adds_co"
#6  0x00007ffff74b38b0 in _tpf_persona_store_channel_group_pend_incoming_adds (
    self=0xa131b0, channel=0x96a6b0, adds=0xb56720, create_personas=1, 
    _callback_=0, _user_data_=0x0) at tpf-persona-store.c:5654
        _data_ = 0x80d3f0
        _tmp0_ = 0xa131b0
        _tmp1_ = 0x96a6b0
        _tmp2_ = 0x96a6b0
        _tmp3_ = 0xb56720
        _tmp4_ = 0xb56720
        _tmp5_ = 1
#7  0x00007ffff74aff25 in _tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb (self=0xa131b0, channel=0x96a6b0, added=0xb56720, 
    removed=0xb565a0, local_pending=0xb35580, remote_pending=0xb43180, 
    details=0xb3f700) at tpf-persona-store.c:4881
        _tmp2_ = 0x96a6b0
        _tmp3_ = 0xb56720
        _tmp4_ = 0x7fffffffe270
        _tmp0_ = 0xb56720
        _tmp1_ = 1
        __PRETTY_FUNCTION__ = "_tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb"
#8  0x00007ffff74add89 in __tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed (_sender=0x96a6b0, 
    added=0xb56720, removed=0xb565a0, local_pending=0xb35580, 
    remote_pending=0xb43180, details=0xb3f700, self=0xa131b0)
    at tpf-persona-store.c:4422
No locals.
#9  0x00007ffff5e06404 in _tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED (
    closure=0xb31f60, return_value=0x0, n_param_values=6, 
    param_values=0xa9c4b0, invocation_hint=0x7fffffffe460, marshal_data=0x0)
    at _gen/signals-marshal.c:360
        callback = 0x7ffff74add2a <__tpf_persona_store_subscribe_channel_group_members_changed_detailed_cb_tp_channel_group_members_changed_detailed>
        cc = 0x7ffff74add2a
        data1 = 0x96a6b0
        data2 = 0xa131b0
        __PRETTY_FUNCTION__ = "_tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED"
#10 0x00007ffff2bd0e30 in g_closure_invoke (closure=0xb31f60, 
    return_value=0x0, n_param_values=6, param_values=0xa9c4b0, 
    invocation_hint=0x7fffffffe460) at gclosure.c:774
        marshal = 0x7ffff5e06313 <_tp_marshal_VOID__BOXED_BOXED_BOXED_BOXED_BOXED>
        marshal_data = 0x0
        in_marshal = 0
        __PRETTY_FUNCTION__ = "g_closure_invoke"
#11 0x00007ffff2bea38f in signal_emit_unlocked_R (node=0xabab60, detail=0, 
    instance=0x96a6b0, emission_return=0x0, instance_and_params=0xa9c4b0)
    at gsignal.c:3302
        tmp = 0x7fffffffe520
        handler = 0xb3ea70
        accumulator = 0x0
        emission = {next = 0x0, instance = 0x96a6b0, ihint = {signal_id = 367, 
            detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, 
          chain_type = 4}
        class_closure = 0x0
        hlist = 0xb3d4f8
        handler_list = 0xb3ea70
        return_accu = 0x0
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, 
              v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, 
              v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}}}
        signal_id = 367
        max_sequential_handler_number = 1215
        return_value_altered = 0
#12 0x00007ffff2be959d in g_signal_emit_valist (instance=0x96a6b0, 
    signal_id=367, detail=0, var_args=0x7fffffffe6e0) at gsignal.c:3033
        instance_and_params = 0xa9c4b0
        signal_return_type = 4
        param_values = 0xa9c4c8
        node = 0xabab60
        i = 5
        n_params = 5
        __PRETTY_FUNCTION__ = "g_signal_emit_valist"
#13 0x00007ffff2be9c59 in g_signal_emit_by_name (instance=0x96a6b0, 
    detailed_signal=0x7ffff5e33688 "group-members-changed-detailed")
    at gsignal.c:3127
        var_args = {{gp_offset = 48, fp_offset = 48, 
            overflow_arg_area = 0x7fffffffe7c8, 
            reg_save_area = 0x7fffffffe700}}
        detail = 0
        signal_id = 367
        __PRETTY_FUNCTION__ = "g_signal_emit_by_name"
#14 0x00007ffff5d51953 in handle_members_changed (self=0x96a6b0, 
    message=0x7ffff5e32f20 "", added=0xb56260, removed=0xb564c0, 
    local_pending=0xb56880, remote_pending=0xb566a0, actor=0, reason=0, 
    details=0xb3f760) at channel-group.c:1130
        i = 0
        __PRETTY_FUNCTION__ = "handle_members_changed"
#15 0x00007ffff5d51c02 in tp_channel_group_members_changed_detailed_cb (
    self=0x96a6b0, added=0xb56260, removed=0xb564c0, local_pending=0xb56880, 
    remote_pending=0xb566a0, details=0xb3f760, unused=0x0, weak_obj=0x0)
    at channel-group.c:1208
        message = 0x7ffff5e32f20 ""
        actor = 0
        reason = 0
        __PRETTY_FUNCTION__ = "tp_channel_group_members_changed_detailed_cb"
#16 0x00007ffff5d26097 in _tp_cli_channel_interface_group_invoke_callback_for_members_changed_detailed (tpproxy=0x96a6b0, error=0x0, args=0xb42e40, 
    generic_callback=0x7ffff5d51afa <tp_channel_group_members_changed_detailed_cb>, user_data=0x0, weak_object=0x0) at _gen/tp-cli-channel-body.h:3173
        callback = 0x7ffff5d51afa <tp_channel_group_members_changed_detailed_cb>
#17 0x00007ffff5df5a55 in tp_proxy_signal_invocation_run (p=0xb56360)
    at proxy-signals.c:266
        invocation = 0xb56360
        popped = 0xb56360
        __PRETTY_FUNCTION__ = "tp_proxy_signal_invocation_run"
#18 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb3fec0, 
    callback=0x7ffff5df59ad <tp_proxy_signal_invocation_run>, 
    user_data=0xb56360) at gmain.c:4632
No locals.
#19 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
        dispatch = 0x7ffff26d0097 <g_idle_dispatch>
        was_in_call = 0
        user_data = 0xb56360
        callback = 0x7ffff5df59ad <tp_proxy_signal_invocation_run>
        cb_funcs = 0x7ffff29bdfe0
        cb_data = 0xb5a550
        need_destroy = 7827920
        current_source_link = {data = 0xb3fec0, next = 0x0}
        source = 0xb3fec0
        current = 0x8b9fa0
        i = 0
        __PRETTY_FUNCTION__ = "g_main_dispatch"
#20 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0)
    at gmain.c:3050
No locals.
#21 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, 
    dispatch=1, self=0x8a6f80) at gmain.c:3121
        max_priority = -100
        timeout = 0
        some_ready = 1
        nfds = 0
        allocated_nfds = 7
        fds = 0xa8eef0
#22 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, 
    may_block=1) at gmain.c:3182
        retval = 1
#23 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, 
    argv=0x7fffffffeca8) at gapplication.c:1599
        arguments = 0x8a4d90
        status = 0
        i = 1
        __PRETTY_FUNCTION__ = "g_application_run"
#24 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
        app = 0x7bb360
        retval = 0
(gdb) frame 0
#0  0x00007ffff5d9cd24 in contacts_context_remove_common_features (
    context=0xa9c0c0) at contact.c:4108
4108	      minimal_feature_flags &= contact->priv->has_features;
(gdb) print *contact
$1 = {parent = {g_type_instance = {g_class = 0xb3d8f0}, ref_count = 0, 
    qdata = 0xaaaaaaaaaaaaaaaa}, priv = 0xaaaaaaaaaaaaaaaa}
(gdb) print *context
$2 = {refcount = 1, connection = 0x8f9580, contacts = 0xb56420, 
  handles = 0xb566e0, invalid = 0xb494c0, request_ids = 0x0, 
  request_errors = 0x0, wanted = 247, signature = CB_BY_HANDLE, callback = {
    by_handle = 0x7ffff74d7664 <get_contacts_by_handle_cb>, 
    by_id = 0x7ffff74d7664 <get_contacts_by_handle_cb>, 
    upgrade = 0x7ffff74d7664 <get_contacts_by_handle_cb>}, 
  user_data = 0xb3f4c0, destroy = 0, weak_object = 0x8f9580, 
  no_purpose_in_life = 0, todo = {head = 0x0, tail = 0x0, length = 0}, 
  next_index = 0, contacts_have_ids = 1}
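Added example, not tp-glib code and not part of this report: a constructed refcounted Contact/Context pair that reproduces the shape of the crash (a context that only borrows contact pointers, then runs the has_features intersection of contact.c:4108 after the contacts have been finalised) next to the owning shape where the context takes its own reference. The liveness check on ref_count/priv, the 0xF7 and 0x3F feature masks and the fact that a finalised contact keeps its shell allocated are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted TpContact (not tp-glib code). A finalised
 * instance keeps its shell so ref_count can be inspected as gdb did above
 * ("ref_count = 0"), but its priv data is freed and the pointer cleared. */
typedef struct { uint32_t has_features; } ContactPriv;
typedef struct { unsigned ref_count; ContactPriv *priv; } Contact;
static Contact *contact_new(uint32_t features) {
    Contact *c = calloc(1, sizeof *c);
    c->priv = calloc(1, sizeof *c->priv);
    c->priv->has_features = features; c->ref_count = 1;
    return c;
}
static Contact *contact_ref(Contact *c) { c->ref_count++; return c; }
static void contact_unref(Contact *c) {       /* finalise on the last unref */
    if (c->ref_count > 0 && --c->ref_count == 0) { free(c->priv); c->priv = NULL; }
}
/* owns_refs == 0: the context only borrows pointers and can outlive its contacts.
 * owns_refs == 1: the context holds its own reference for as long as it lives. */
typedef struct { Contact *contacts[4]; size_t n; int owns_refs; } Context;
static Context *context_new(Contact **cs, size_t n, int owns_refs) {
    Context *ctx = calloc(1, sizeof *ctx);
    ctx->owns_refs = owns_refs;
    for (size_t i = 0; i < n && i < 4; i++)
        ctx->contacts[ctx->n++] = owns_refs ? contact_ref(cs[i]) : cs[i];
    return ctx;
}
static void context_free(Context *ctx) {
    if (ctx->owns_refs)
        for (size_t i = 0; i < ctx->n; i++) contact_unref(ctx->contacts[i]);
    free(ctx);
}

/* The feature intersection of contact.c:4108 with a liveness check before the
 * priv dereference. Returns 0 on success, -1 if a finalised contact is found. */
static int remove_common_features(const Context *ctx, uint32_t *minimal) {
    uint32_t flags = UINT32_MAX;
    for (size_t i = 0; i < ctx->n; i++) {
        const Contact *c = ctx->contacts[i];
        if (c->ref_count == 0 || c->priv == NULL) return -1;
        flags &= c->priv->has_features;
    }
    *minimal = flags;
    return 0;
}

/* Replays the shape of the report: callers drop their contacts before the context
 * runs. Borrowed pointers: the check fires and -1 is returned. Owning context:
 * returns 0 and *out is 0xF7 & 0x3F == 0x37 (247 is the "wanted" value above). */
static int run_scenario(int owns_refs, uint32_t *out) {
    Contact *cs[2] = { contact_new(0xF7), contact_new(0x3F) };
    Context *ctx = context_new(cs, 2, owns_refs);
    contact_unref(cs[0]); contact_unref(cs[1]);   /* callers' references gone */
    int rc = remove_common_features(ctx, out);
    context_free(ctx);                            /* an owning context finalises them here */
    free(cs[0]); free(cs[1]);                     /* drop the shells (demo cleanup only) */
    return rc;
}
```

In the real library the shell is freed as well, so the borrowed case is a read of freed memory rather than a clean -1; the check only illustrates where the ownership boundary has to sit.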
Comment 1 Philip Withnall 2012-01-11 09:59:20 UTC
Created attachment 55454 [details]
Empathy/folks/tp-glib log

Log file made using FOLKS_DEBUG=telepathy EMPATHY_DEBUG=all.
Comment 2 Philip Withnall 2012-01-11 09:59:55 UTC
Created attachment 55455 [details]
Simulator log

Fake CM simulation log, which (if read carefully enough) gives the D-Bus
messages which were thrown around.
Comment 3 GitLab Migration User 2019-12-03 20:39:22 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/telepathy/telepathy-glib/issues/81.

