Use-after-free under send_message_with_reply_cleanup():gdbusconnection.c:1792
Submitted by Milan Crha. Link to original bug (#781847)
Description
I just got this report when running under AddressSanitizer with glib 2.50.2 (the backtrace below shows the freed GTask being unreferenced again from the gdbus worker thread after the main thread already released it):
==29601==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000a1a6c0 at pc 0x7f7f6f369fe4 bp 0x7f7f526ec460 sp 0x7f7f526ec450
READ of size 8 at 0x611000a1a6c0 thread T4 (gdbus)
#0 0x7f7f6f369fe3 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3115
#1 0x7f7f6fc4c510 in send_message_with_reply_cleanup .../glib-2.50.2/gio/gdbusconnection.c:1792
#2 0x7f7f6fc4c5ca in send_message_data_deliver_reply_unlocked .../glib-2.50.2/gio/gdbusconnection.c:1809
#3 0x7f7f6fc4e477 in on_worker_message_received .../glib-2.50.2/gio/gdbusconnection.c:2287
#4 0x7f7f6fc8bd68 in _g_dbus_worker_emit_message_received .../glib-2.50.2/gio/gdbusprivate.c:457
#5 0x7f7f6fc8bfc3 in _g_dbus_worker_queue_or_deliver_received_message .../glib-2.50.2/gio/gdbusprivate.c:485
#6 0x7f7f6fc8db9a in _g_dbus_worker_do_read_cb .../glib-2.50.2/gio/gdbusprivate.c:770
#7 0x7f7f6fbb384b in g_task_return_now .../glib-2.50.2/gio/gtask.c:1121
#8 0x7f7f6fbb392f in complete_in_idle_cb .../glib-2.50.2/gio/gtask.c:1135
#9 0x7f7f6eca4048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
#10 0x7f7f6ec9aabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
#11 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
#12 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
#13 0x7f7f6eca0074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
#14 0x7f7f6fc8b3a8 in gdbus_shared_thread_func .../glib-2.50.2/gio/gdbusprivate.c:247
#15 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
#16 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
#17 0x7f7f6d0daf7e in clone (/lib64/libc.so.6+0x107f7e)
0x611000a1a6c0 is located 0 bytes inside of 208-byte region [0x611000a1a6c0,0x611000a1a790)
freed by thread T0 here:
#0 0x7f7f71b25b00 in free (/usr/lib64/libasan.so.3+0xc6b00)
#1 0x7f7f6ecb547c in g_free .../glib-2.50.2/glib/gmem.c:189
#2 0x7f7f6ed00eff in g_slice_free1 .../glib-2.50.2/glib/gslice.c:1136
#3 0x7f7f6f3a694f in g_type_free_instance .../glib-2.50.2/gobject/gtype.c:1943
#4 0x7f7f6f36a841 in g_object_unref .../glib-2.50.2/gobject/gobject.c:3215
#5 0x7f7f6ec95230 in g_source_callback_unref .../glib-2.50.2/glib/gmain.c:1547
#6 0x7f7f6ec936d2 in g_source_destroy_internal .../glib-2.50.2/glib/gmain.c:1236
#7 0x7f7f6ec9aeb9 in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3227
#8 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
#9 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
#10 0x7f7f6eca0074 in g_main_loop_run .../glib-2.50.2/glib/gmain.c:4125
#11 0x4043d0 in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:217
#12 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)
previously allocated by thread T1659 here:
#0 0x7f7f71b25e60 in malloc (/usr/lib64/libasan.so.3+0xc6e60)
#1 0x7f7f6ecb5313 in g_malloc .../glib-2.50.2/glib/gmem.c:94
#2 0x7f7f6ed00c0c in g_slice_alloc .../glib-2.50.2/glib/gslice.c:1025
#3 0x7f7f6ed00c4c in g_slice_alloc0 .../glib-2.50.2/glib/gslice.c:1051
#4 0x7f7f6f3a53ac in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1848
#5 0x7f7f6f361dc3 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1783
#6 0x7f7f6f362888 in g_object_newv .../glib-2.50.2/gobject/gobject.c:1930
#7 0x7f7f6f361391 in g_object_new .../glib-2.50.2/gobject/gobject.c:1623
#8 0x7f7f6fbb27f0 in g_task_new .../glib-2.50.2/gio/gtask.c:693
#9 0x7f7f6fc4c8ff in g_dbus_connection_send_message_with_reply_unlocked .../glib-2.50.2/gio/gdbusconnection.c:1908
#10 0x7f7f6fc4d060 in g_dbus_connection_send_message_with_reply .../glib-2.50.2/gio/gdbusconnection.c:2008
#11 0x7f7f6fc5eb28 in g_dbus_connection_call_internal .../glib-2.50.2/gio/gdbusconnection.c:5781
#12 0x7f7f6fc5f98c in g_dbus_connection_call_with_unix_fd_list .../glib-2.50.2/gio/gdbusconnection.c:6209
#13 0x7f7f6fc88edf in g_dbus_proxy_call_internal .../glib-2.50.2/gio/gdbusproxy.c:2724
#14 0x7f7f6fc89d87 in g_dbus_proxy_call .../glib-2.50.2/gio/gdbusproxy.c:2964
#15 0x7f7f6d419ce1 in e_dbus_source_proxy_set_property .../evolution-data-server/_build/src/private/e-dbus-source.c:1630
#16 0x7f7f6f35fbdd in object_set_property .../glib-2.50.2/gobject/gobject.c:1423
#17 0x7f7f6f36513c in g_object_set_valist .../glib-2.50.2/gobject/gobject.c:2167
#18 0x7f7f6f366625 in g_object_set .../glib-2.50.2/gobject/gobject.c:2277
#19 0x7f7f6d418988 in e_dbus_source_set_connection_status .../evolution-data-server/_build/src/private/e-dbus-source.c:936
#20 0x7f7f6d8e550c in e_source_set_connection_status .../evolution-data-server/src/libedataserver/e-source.c:3520
#21 0x7f7f39c3924d in ecb_caldav_connect_sync .../evolution-data-server/src/calendar/backends/caldav/e-cal-backend-caldav.c:211
#22 0x7f7f706253fe in e_cal_meta_backend_connect_sync .../evolution-data-server/src/calendar/libedata-cal/e-cal-meta-backend.c:3968
#23 0x7f7f7061cb81 in ecmb_authenticate_sync .../evolution-data-server/src/calendar/libedata-cal/e-cal-meta-backend.c:2847
#24 0x7f7f6de041ee in e_backend_authenticate_sync .../evolution-data-server/src/libebackend/e-backend.c:254
#25 0x7f7f6de048d9 in backend_source_authenticate_thread .../evolution-data-server/src/libebackend/e-backend.c:315
#26 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
#27 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
Thread T4 (gdbus) created by T1 (dconf worker) here:
#0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
#1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
#2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
#3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
#4 0x7f7f6fc8b59d in _g_dbus_shared_thread_ref .../glib-2.50.2/gio/gdbusprivate.c:275
#5 0x7f7f6fc9348d in _g_dbus_worker_new .../glib-2.50.2/gio/gdbusprivate.c:1651
#6 0x7f7f6fc4fb1b in initable_init .../glib-2.50.2/gio/gdbusconnection.c:2577
#7 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
#8 0x7f7f6fc64147 in g_bus_get_sync .../glib-2.50.2/gio/gdbusconnection.c:7257
#9 0x7f7f54007d08 in dconf_gdbus_get_bus_in_worker .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:185
#10 0x7f7f54008448 in dconf_gdbus_method_call .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:243
#11 0x7f7f6eca4048 in g_idle_dispatch .../glib-2.50.2/glib/gmain.c:5545
#12 0x7f7f6ec9aabc in g_main_dispatch .../glib-2.50.2/glib/gmain.c:3203
#13 0x7f7f6ec9ef4c in g_main_context_dispatch .../glib-2.50.2/glib/gmain.c:3856
#14 0x7f7f6ec9f522 in g_main_context_iterate .../glib-2.50.2/glib/gmain.c:3929
#15 0x7f7f6ec9f65a in g_main_context_iteration .../glib-2.50.2/glib/gmain.c:3990
#16 0x7f7f54007767 in dconf_gdbus_worker_thread .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:82
#17 0x7f7f6ed20049 in g_thread_proxy .../glib-2.50.2/glib/gthread.c:784
#18 0x7f7f70b306c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
Thread T1 (dconf worker) created by T0 here:
#0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
#1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
#2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
#3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
#4 0x7f7f540077c0 in dconf_gdbus_get_worker_context .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:98
#5 0x7f7f54008b1b in dconf_engine_dbus_call_async_func .../dconf-0.26.0/gdbus/dconf-gdbus-thread.c:284
#6 0x7f7f53fff11f in dconf_engine_watch_fast .../dconf-0.26.0/engine/dconf-engine.c:868
#7 0x7f7f53ffb4f2 in dconf_settings_backend_subscribe .../dconf-0.26.0/gsettings/dconfsettingsbackend.c:135
#8 0x7f7f6fd4d6c6 in g_settings_backend_subscribe .../glib-2.50.2/gio/gsettingsbackend.c:890
#9 0x7f7f6fd5ce4c in g_settings_constructed .../glib-2.50.2/gio/gsettings.c:682
#10 0x7f7f6f362100 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1823
#11 0x7f7f6f363c6c in g_object_new_valist .../glib-2.50.2/gobject/gobject.c:2042
#12 0x7f7f6f3613d3 in g_object_new .../glib-2.50.2/gobject/gobject.c:1626
#13 0x7f7f6fd5d8d6 in g_settings_new .../glib-2.50.2/gio/gsettings.c:965
#14 0x7f7f6d93a879 in e_source_registry_init .../evolution-data-server/src/libedataserver/e-source-registry.c:1729
#15 0x7f7f6f3a58ad in g_type_create_instance .../glib-2.50.2/gobject/gtype.c:1866
#16 0x7f7f6f361dc3 in g_object_new_internal .../glib-2.50.2/gobject/gobject.c:1783
#17 0x7f7f6f362888 in g_object_newv .../glib-2.50.2/gobject/gobject.c:1930
#18 0x7f7f6f361391 in g_object_new .../glib-2.50.2/gobject/gobject.c:1623
#19 0x7f7f6d93489c in source_registry_dup_uninitialized_singleton .../evolution-data-server/src/libedataserver/e-source-registry.c:301
#20 0x7f7f6d93aa7b in e_source_registry_new_sync .../evolution-data-server/src/libedataserver/e-source-registry.c:1765
#21 0x7f7f6de53268 in subprocess_factory_initable_init .../evolution-data-server/src/libebackend/e-subprocess-factory.c:160
#22 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
#23 0x7f7f6fb22732 in g_initable_new_valist .../glib-2.50.2/gio/ginitable.c:228
#24 0x7f7f6fb225a4 in g_initable_new .../glib-2.50.2/gio/ginitable.c:146
#25 0x7f7f706401e0 in e_subprocess_cal_factory_new .../evolution-data-server/src/calendar/libedata-cal/e-subprocess-cal-factory.c:174
#26 0x40431b in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:191
#27 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)
Thread T1659 created by T2 here:
#0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
#1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
#2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
#3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
#4 0x7f7f6de0a5db in e_backend_schedule_authenticate .../evolution-data-server/src/libebackend/e-backend.c:1224
#5 0x7f7f6de05099 in backend_source_authenticate_cb .../evolution-data-server/src/libebackend/e-backend.c:403
#6 0x7f7f6f356d33 in g_cclosure_marshal_VOID__BOXED .../glib-2.50.2/gobject/gmarshal.c:1910
#7 0x7f7f6f349b48 in g_closure_invoke .../glib-2.50.2/gobject/gclosure.c:804
#8 0x7f7f6f396658 in signal_emit_unlocked_R .../glib-2.50.2/gobject/gsignal.c:3635
#9 0x7f7f6f39441b in g_signal_emit_valist .../glib-2.50.2/gobject/gsignal.c:3391
#10 0x7f7f6f395217 in g_signal_emit .../glib-2.50.2/gobject/gsignal.c:3447
#11 0x7f7f6d8d9b31 in source_dbus_authenticate_cb .../evolution-data-server/src/libedataserver/e-source.c:1021
#12 0x7f7f6b086c57 in ffi_call_unix64 (/lib64/libffi.so.6+0x5c57)
#13 0x7f7f537951ff (`<unknown module>`)
Thread T2 created by T0 here:
#0 0x7f7f71a90488 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x31488)
#1 0x7f7f6ed8d62b in g_system_thread_new .../glib-2.50.2/glib/gthread-posix.c:1170
#2 0x7f7f6ed2031f in g_thread_new_internal .../glib-2.50.2/glib/gthread.c:874
#3 0x7f7f6ed20179 in g_thread_new .../glib-2.50.2/glib/gthread.c:827
#4 0x7f7f6d939706 in source_registry_initable_init .../evolution-data-server/src/libedataserver/e-source-registry.c:1385
#5 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
#6 0x7f7f6d93aab2 in e_source_registry_new_sync .../evolution-data-server/src/libedataserver/e-source-registry.c:1767
#7 0x7f7f6de53268 in subprocess_factory_initable_init .../evolution-data-server/src/libebackend/e-subprocess-factory.c:160
#8 0x7f7f6fb22473 in g_initable_init .../glib-2.50.2/gio/ginitable.c:112
#9 0x7f7f6fb22732 in g_initable_new_valist .../glib-2.50.2/gio/ginitable.c:228
#10 0x7f7f6fb225a4 in g_initable_new .../glib-2.50.2/gio/ginitable.c:146
#11 0x7f7f706401e0 in e_subprocess_cal_factory_new .../evolution-data-server/src/calendar/libedata-cal/e-subprocess-cal-factory.c:174
#12 0x40431b in main .../evolution-data-server/src/calendar/libedata-cal/evolution-calendar-factory-subprocess.c:191
#13 0x7f7f6cff3400 in __libc_start_main (/lib64/libc.so.6+0x20400)
SUMMARY: AddressSanitizer: heap-use-after-free .../glib-2.50.2/gobject/gobject.c:3115 in g_object_unref
Shadow bytes around the buggy address:
0x0c228013b480: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c228013b490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c228013b4a0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228013b4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c228013b4c0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c228013b4d0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c228013b4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228013b4f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228013b500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228013b510: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c228013b520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29601==ABORTING
Thread 5 (Thread 0x7f7f526ed700 (LWP 29612)):
#0 0x00007f7f6d09f5db in waitpid () from /lib64/libc.so.6
#1 0x00007f7f6d01842b in do_system () from /lib64/libc.so.6
#2 0x00007f7f54317549 in bugbuddy_segv_handle (signum=6) at gnome-segvhanlder.c:180
#3 <signal handler called>
#4 0x00007f7f6d00891f in raise () from /lib64/libc.so.6
#5 0x00007f7f6d00a51a in abort () from /lib64/libc.so.6
#6 0x00007f7f71b410e9 in ?? () from /usr/lib64/libasan.so.3
#7 0x00007f7f71b35ffb in ?? () from /usr/lib64/libasan.so.3
#8 0x00007f7f71b2f3f7 in ?? () from /usr/lib64/libasan.so.3
#9 0x00007f7f71b2fdb7 in __asan_report_load8 () from /usr/lib64/libasan.so.3
#10 0x00007f7f6f369fe4 in g_object_unref (_object=0x611000a1a6c0) at gobject.c:3115
#11 0x00007f7f6fc4c511 in send_message_with_reply_cleanup (task=0x611000a1a6c0, remove=1) at gdbusconnection.c:1792
#12 0x00007f7f6fc4c5cb in send_message_data_deliver_reply_unlocked (task=0x611000a1a6c0, reply=0x60700194a370) at gdbusconnection.c:1809
#13 0x00007f7f6fc4e478 in on_worker_message_received (worker=0x611000094380, message=0x60700194a370, user_data=0x6110000958c0) at gdbusconnection.c:2287
#14 0x00007f7f6fc8bd69 in _g_dbus_worker_emit_message_received (worker=0x611000094380, message=0x60700194a370) at gdbusprivate.c:457
#15 0x00007f7f6fc8bfc4 in _g_dbus_worker_queue_or_deliver_received_message (worker=0x611000094380, message=0x60700194a370) at gdbusprivate.c:485
#16 0x00007f7f6fc8db9b in _g_dbus_worker_do_read_cb (input_stream=0x613000029df0, res=0x611000cb0d80, user_data=0x611000094380) at gdbusprivate.c:770
#17 0x00007f7f6fbb384c in g_task_return_now (task=0x611000cb0d80) at gtask.c:1121
#18 0x00007f7f6fbb3930 in complete_in_idle_cb (task=0x611000cb0d80) at gtask.c:1135
#19 0x00007f7f6eca4049 in g_idle_dispatch (source=0x608000351020, callback=0x7f7f6fbb3918 <complete_in_idle_cb>, user_data=0x611000cb0d80) at gmain.c:5545
#20 0x00007f7f6ec9aabd in g_main_dispatch (context=0x60f00001dc80) at gmain.c:3203
#21 0x00007f7f6ec9ef4d in g_main_context_dispatch (context=0x60f00001dc80) at gmain.c:3856
#22 0x00007f7f6ec9f523 in g_main_context_iterate (context=0x60f00001dc80, block=1, dispatch=1, self=0x607000022060) at gmain.c:3929
#23 0x00007f7f6eca0075 in g_main_loop_run (loop=0x602000054650) at gmain.c:4125
#24 0x00007f7f6fc8b3a9 in gdbus_shared_thread_func (user_data=0x60300005c800) at gdbusprivate.c:247
#25 0x00007f7f6ed2004a in g_thread_proxy (data=0x607000022060) at gthread.c:784
#26 0x00007f7f70b306ca in start_thread () from /lib64/libpthread.so.0
#27 0x00007f7f6d0daf7f in clone () from /lib64/libc.so.6
Version: 2.50.x