! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
libxfconf crashes with a double free when cancelling a pending call in xfconf...
Status:
RESOLVED: FIXED
Product:
Xfconf
Component:
Libxfconf

Comments

Description Kevin Fenzi 2011-11-17 22:59:32 CET
Downstream bug: 
https://bugzilla.redhat.com/show_bug.cgi?id=752781

From the report: 

Clicked "Reset to Default"
Clicked "Clear"
Clicked "Reset to Default"
Crashed

First part of the stack trace:

Thread 1 (Thread 0x7fe8abbee980 (LWP 2518)):
#0  0x00000033be8362a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <optimized out>
        selftid = 2518
#1  0x00000033be837bbb in __GI_abort () at abort.c:91
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {5, 140734667134752, 14, 222240909771, 3, 140734667120842, 6, 222240909775, 2, 140734667120862, 2, 222240900938, 1, 222240909771, 3, 140734667120838}}, sa_flags = 10, sa_restorer = 0x33be9729cf}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00000033be875ffe in __libc_message (do_abort=2, fmt=0x33be9744f8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff57d76a40, reg_save_area = 0x7fff57d76950}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff57d76a40, reg_save_area = 0x7fff57d76950}}
        fd = 2
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00000033be87c606 in malloc_printerr (action=3, str=0x33be9746e8 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:5007
        buf = "000000000272f470"
        cp = <optimized out>
#4  0x00000033c581e435 in _dbus_pending_call_last_unref (pending=0x272f470) at dbus-pending-call.c:412
        connection = 0x2522e00
#5  0x00000033c740741e in xfconf_cache_set (cache=0x25b3d80, property=0x28f0250 "/xfwm4/custom/<Control><Alt>d", value=0x7fff57d76b80, error=<optimized out>) at xfconf-cache.c:782
        proxy = 0x2516b40
        item = <optimized out>
        old_item = 0x25a76e0
Comment 1 Olivier Fourdan editbugs 2011-11-18 15:01:09 CET
This is a bug (double free) in either xfconf or dbus-glib, not in xfwm4 settings dialog.

Same error occurs with general shortcut dialog.

Crash occurs when calling dbus_g_proxy_cancel_call() in xfconf-cache.c
Comment 2 Olivier Fourdan editbugs 2011-11-18 18:32:11 CET
Created attachment 3974 
Proposed patch

I think I have identified the problem.

Using debug, we see a lot of:

  xfconf-DEBUG: Couldn't find current cache item based on pending call (libxfconf bug?)

And that is precisely what causes the crash later on.

In xfconf_cache_set_property_reply_handler(), if the item is not found in cache->properties, the function exits (goto out;) without removing the old_property from cache->old_properties or the call from cache->pending_calls.

Then, when xfconf_cache_set() is called, the old_item is still found in the hash (as it wasn't removed previously), and therefore dbus_g_proxy_cancel_call() is called on a call which was already completed, thus leading to the double free and the crash.

Please apply ASAP, this is a fairly serious bug imho.
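A constructed C model of the bookkeeping failure described in this comment, added here for illustration; it is not libxfconf's code nor the attached patch. The PendingCall refcount, the fixed pool, and the in_properties flag are assumptions standing in for dbus-glib's pending call and cache->properties.

```c
#include <string.h>

/* Hypothetical model (assumed, not libxfconf's code): a pending call with a
 * refcount, and a cache that keeps a per-property pending_calls entry plus a
 * flag saying whether the item is still in cache->properties. */
#define NPROPS 4
typedef struct { int refs; } PendingCall;
typedef struct {
    PendingCall  pool[NPROPS * 2];      /* fixed pool so stale pointers stay readable */
    int          used;
    PendingCall *pending[NPROPS];       /* models cache->pending_calls */
    int          in_properties[NPROPS]; /* 1 while the item is in cache->properties */
    int          double_unrefs;         /* unref of a released call: the reported crash */
} Cache;

static void call_unref(Cache *c, PendingCall *p) {
    if (p->refs <= 0) { c->double_unrefs++; return; } /* "double free or corruption" */
    p->refs--;                                         /* real code frees at zero */
}

/* Models xfconf_cache_set(): cancel a still-pending call for the property, then issue a new one. */
static void cache_set(Cache *c, int prop) {
    if (c->pending[prop]) {               /* old_item found in the hash */
        call_unref(c, c->pending[prop]);  /* dbus_g_proxy_cancel_call() drops its ref */
        c->pending[prop] = NULL;
    }
    c->pending[prop] = &c->pool[c->used++];
    c->pending[prop]->refs = 1;
}

/* Models the reply handler: the call completed, so its reference is released. */
static void reply_handler(Cache *c, int prop, int fixed) {
    call_unref(c, c->pending[prop]);
    if (!c->in_properties[prop] && !fixed)
        return;               /* buggy "goto out": pending_calls entry is left behind */
    c->pending[prop] = NULL;  /* fixed: always drop the bookkeeping entry */
}

/* Replay the reported clicks; returns how many times a released call was unreffed. */
int replay(int fixed) {
    Cache c; memset(&c, 0, sizeof c);
    c.in_properties[0] = 1;
    cache_set(&c, 0);            /* "Reset to Default": async Set in flight */
    c.in_properties[0] = 0;      /* "Clear": item no longer in cache->properties */
    reply_handler(&c, 0, fixed); /* reply arrives: "Couldn't find current cache item" */
    cache_set(&c, 0);            /* "Reset to Default" again: cancels the old call */
    return c.double_unrefs;      /* 1 with the bug, 0 with the fix */
}
```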
Comment 3 Nick Schermer editbugs 2011-11-21 11:52:40 CET
I'll run the patch for a couple of days; if there are no issues I'll push it and make a release.
Comment 4 Nick Schermer editbugs 2011-12-20 10:59:03 CET
Applied.

Bug #8169

Reported by:
Kevin Fenzi
Reported on: 2011-11-17
Last modified on: 2011-12-20

People

Assignee:
Brian J. Tarricone (not reading bugmail)
CC List:
1 user

Attachments

Proposed patch (1012 bytes, patch)
2011-11-18 18:32 CET , Olivier Fourdan
no flags