use-after-free in mimeapps test causes intermittent segfault during testing
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941550
gio/tests/mimeapps.c in GLib 2.62.0 intermittently segfaults, with a stack trace that suggests use-after-free of a DesktopFileDir. I've been able to reproduce this with unmodified GLib git master.
This is easily reproduced by configuring GLib with AddressSanitizer and running:
ASAN_OPTIONS=detect_leaks=0 meson test -C ~/tmp/build/glib/asan -v mimeapps
resulting in:
# GLib-GIO-DEBUG: ensure_dir: Ensuring /tmp/test_mimeapps_BHH28Z/appinfo/mime/default/.dirs/config
# GLib-GIO-DEBUG: desktop_file_dirs_lock: Resetting desktop app info dirs from /tmp/test_mimeapps_BHH28Z/appinfo/mime/api/.dirs/config to /tmp/test_mimeapps_BHH28Z/appinfo/mime/default/.dirs/config
=================================================================
==25713==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000002948 at pc 0x7fa6516764c9 bp 0x7fa64d0590d0 sp 0x7fa64d0590c8
READ of size 8 at 0x615000002948 thread T1 (gmain)
#0 0x7fa6516764c8 in desktop_file_dir_changed ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:237
#1 0x7fa651563379 in _g_cclosure_marshal_VOID__OBJECT_OBJECT_ENUMv ../../../../../../home/smcv/src/glib/gio/gmarshal-internal.c:1380
#2 0x7fa6522a042a in _g_closure_invoke_va ../../../../../../home/smcv/src/glib/gobject/gclosure.c:873
#3 0x7fa65230896f in g_signal_emit_valist ../../../../../../home/smcv/src/glib/gobject/gsignal.c:3310
#4 0x7fa65230c5f5 in g_signal_emit ../../../../../../home/smcv/src/glib/gobject/gsignal.c:3457
#5 0x7fa6515274a7 in g_file_monitor_emit_event ../../../../../../home/smcv/src/glib/gio/gfilemonitor.c:294
#6 0x7fa6518797a1 in g_file_monitor_source_dispatch ../../../../../../home/smcv/src/glib/gio/glocalfilemonitor.c:560
#7 0x7fa65294f3c5 in g_main_dispatch ../../../../../../home/smcv/src/glib/glib/gmain.c:3180
#8 0x7fa652955821 in g_main_context_dispatch ../../../../../../home/smcv/src/glib/glib/gmain.c:3845
#9 0x7fa65295622d in g_main_context_iterate ../../../../../../home/smcv/src/glib/glib/gmain.c:3918
#10 0x7fa6529563e5 in g_main_context_iteration ../../../../../../home/smcv/src/glib/glib/gmain.c:3979
#11 0x7fa65295dfc7 in glib_worker_main ../../../../../../home/smcv/src/glib/glib/gmain.c:5859
#12 0x7fa652a13180 in g_thread_proxy ../../../../../../home/smcv/src/glib/glib/gthread.c:805
#13 0x7fa6502e7fb6 in start_thread /build/glibc-sPWrSm/glibc-2.29/nptl/pthread_create.c:486
#14 0x7fa65040a2ee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa2ee)
0x615000002948 is located 200 bytes inside of 512-byte region [0x615000002880,0x615000002a80)
freed by thread T0 here:
#0 0x7fa6530b7187 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107187)
#1 0x7fa652977e78 in g_free ../../../../../../home/smcv/src/glib/glib/gmem.c:195
#2 0x7fa65167e226 in desktop_file_dirs_lock ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1497
#3 0x7fa65168233d in g_desktop_app_info_new ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1951
#4 0x55f3be85807c in test_mime_default ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:428
#5 0x7fa652a0971c in test_case_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2633
#6 0x7fa652a0a310 in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2721
#7 0x7fa652a0a51b in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2733
#8 0x7fa652a0a51b in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2733
#9 0x7fa652a0ac42 in g_test_run_suite ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2808
#10 0x7fa652a0744c in g_test_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2043
#11 0x55f3be85a8fb in main ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:647
#12 0x7fa650336bba in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7fa6530b793e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10793e)
#1 0x7fa652977e0f in g_realloc ../../../../../../home/smcv/src/glib/glib/gmem.c:167
#2 0x7fa65286ccbb in g_array_maybe_expand ../../../../../../home/smcv/src/glib/glib/garray.c:911
#3 0x7fa652868372 in g_array_append_vals ../../../../../../home/smcv/src/glib/glib/garray.c:428
#4 0x7fa65167cee1 in desktop_file_dir_create ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1269
#5 0x7fa65167e53c in desktop_file_dirs_lock ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1525
#6 0x7fa65168233d in g_desktop_app_info_new ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1951
#7 0x55f3be856362 in test_mime_api ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:217
#8 0x7fa652a0971c in test_case_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2633
#9 0x7fa652a0a310 in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2721
#10 0x7fa652a0a51b in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2733
#11 0x7fa652a0a51b in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2733
#12 0x7fa652a0ac42 in g_test_run_suite ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2808
#13 0x7fa652a0744c in g_test_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2043
#14 0x55f3be85a8fb in main ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:647
#15 0x7fa650336bba in __libc_start_main ../csu/libc-start.c:308
Thread T1 (gmain) created by T0 here:
#0 0x7fa652fe99b2 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x399b2)
#1 0x7fa652ab94d5 in g_system_thread_new ../../../../../../home/smcv/src/glib/glib/gthread-posix.c:1193
#2 0x7fa652a1349d in g_thread_new_internal ../../../../../../home/smcv/src/glib/glib/gthread.c:892
#3 0x7fa652a132dd in g_thread_new ../../../../../../home/smcv/src/glib/glib/gthread.c:848
#4 0x7fa65295e192 in g_get_worker_context ../../../../../../home/smcv/src/glib/glib/gmain.c:5886
#5 0x7fa6518b0f81 in ik_source_new ../../../../../../home/smcv/src/glib/gio/inotify/inotify-kernel.c:404
#6 0x7fa6518b10bb in _ik_startup ../../../../../../home/smcv/src/glib/gio/inotify/inotify-kernel.c:413
#7 0x7fa6518b1d17 in _ip_startup ../../../../../../home/smcv/src/glib/gio/inotify/inotify-path.c:117
#8 0x7fa6518b680a in _ih_startup ../../../../../../home/smcv/src/glib/gio/inotify/inotify-helper.c:82
#9 0x7fa6518b819e in g_inotify_file_monitor_is_supported ../../../../../../home/smcv/src/glib/gio/inotify/ginotifyfilemonitor.c:47
#10 0x7fa65154fcde in try_class ../../../../../../home/smcv/src/glib/gio/giomodule.c:700
#11 0x7fa6515503a3 in _g_io_module_get_default_type ../../../../../../home/smcv/src/glib/gio/giomodule.c:829
#12 0x7fa65187c26a in g_local_file_monitor_new ../../../../../../home/smcv/src/glib/gio/glocalfilemonitor.c:851
#13 0x7fa65187c381 in g_local_file_monitor_new_in_worker ../../../../../../home/smcv/src/glib/gio/glocalfilemonitor.c:897
#14 0x7fa65167dded in desktop_file_dir_init ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1370
#15 0x7fa65167e818 in desktop_file_dirs_lock ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:1538
#16 0x7fa6516923f4 in g_app_info_get_all ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:4544
#17 0x55f3be85a454 in test_all ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:620
#18 0x7fa652a0971c in test_case_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2633
#19 0x7fa652a0a310 in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2721
#20 0x7fa652a0a51b in g_test_run_suite_internal ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2733
#21 0x7fa652a0ac42 in g_test_run_suite ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2808
#22 0x7fa652a0744c in g_test_run ../../../../../../home/smcv/src/glib/glib/gtestutils.c:2043
#23 0x55f3be85a8fb in main ../../../../../../home/smcv/src/glib/gio/tests/mimeapps.c:647
#24 0x7fa650336bba in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../../../home/smcv/src/glib/gio/gdesktopappinfo.c:237 in desktop_file_dir_changed
Shadow bytes around the buggy address:
0x0c2a7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a7fff8520: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c2a7fff8530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff8540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff8570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==25713==ABORTING
1/1 glib:gio / mimeapps FAIL 0.22 s (exit status 1)
Ok: 0
Expected Fail: 0
Fail: 1
Unexpected Pass: 0
Skipped: 0
Timeout: 0
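The traces above show the lifetime problem: the main thread (T0) frees the directory records inside desktop_file_dirs_lock() when it resets the desktop app info dirs, while the worker thread (T1) later runs a queued file-monitor event in desktop_file_dir_changed() that still points at one of the freed records. The following is an added example, not code from the bug report or from GLib, modelling that interleaving with one standard mitigation: heap-allocated, reference-counted records held through a pointer array, so that a late callback owns its own reference and reads live memory even after the set has been rebuilt. Whether GLib's eventual fix took this exact shape is not stated in the report; all identifiers (DirEntry, DirSet, PendingEvent, the sample paths) are invented for the example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model (not GLib's code) of the report's race: the main
 * thread rebuilds the set of desktop-file directories while a monitor
 * callback queued on the worker thread still refers to an old record.
 * In the report the records live inline in a GArray that is freed on
 * reset, so the callback reads freed memory. Here every record is
 * reference-counted, so the callback's pointer stays valid until the
 * callback itself drops its reference. Invented identifiers throughout.
 */

typedef struct {
    int  refcount;
    int  active;       /* 1 while the record belongs to the current set */
    char path[128];
} DirEntry;

DirEntry *dir_entry_new(const char *path)
{
    DirEntry *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refcount = 1;
    d->active = 1;
    strncpy(d->path, path, sizeof d->path - 1);
    return d;
}

DirEntry *dir_entry_ref(DirEntry *d) { d->refcount++; return d; }

void dir_entry_unref(DirEntry *d)
{
    if (--d->refcount == 0)
        free(d);
}

/* The current set holds pointers, not inline structs: dropping the set
 * releases only the set's reference, so other holders are unaffected. */
typedef struct {
    DirEntry **items;
    size_t     len;
} DirSet;

void dir_set_add(DirSet *s, const char *path)
{
    DirEntry **grown = realloc(s->items, (s->len + 1) * sizeof *grown);
    if (!grown)
        abort();
    s->items = grown;
    s->items[s->len++] = dir_entry_new(path);
}

/* Counterpart of "Resetting desktop app info dirs" in the report's log. */
void dir_set_reset(DirSet *s)
{
    for (size_t i = 0; i < s->len; i++) {
        s->items[i]->active = 0;      /* mark stale for late callbacks */
        dir_entry_unref(s->items[i]);
    }
    free(s->items);
    s->items = NULL;
    s->len = 0;
}

/* A queued monitor event: the worker thread's handle on one directory.
 * It takes its own reference at queue time. */
typedef struct { DirEntry *dir; } PendingEvent;

PendingEvent pending_event_new(DirEntry *d)
{
    PendingEvent e = { dir_entry_ref(d) };
    return e;
}

/* Returns 1 if the directory is still current and the change is applied,
 * 0 if the record went stale before the event ran. The read of e->dir is
 * on live memory either way, because the event owns a reference. */
int pending_event_dispatch(PendingEvent *e)
{
    int applied = e->dir->active;
    dir_entry_unref(e->dir);
    e->dir = NULL;
    return applied;
}

/* The interleaving from the report: event queued, set reset and rebuilt,
 * event dispatched afterwards. Expected: 0 (stale event safely ignored). */
int scenario_reset_before_dispatch(void)
{
    DirSet set = { NULL, 0 };
    dir_set_add(&set, "/tmp/test_mimeapps_XXXXXX/appinfo/mime/api");      /* constructed path */
    PendingEvent ev = pending_event_new(set.items[0]);
    dir_set_reset(&set);
    dir_set_add(&set, "/tmp/test_mimeapps_XXXXXX/appinfo/mime/default");  /* constructed path */
    int applied = pending_event_dispatch(&ev);
    dir_set_reset(&set);
    return applied;
}

/* Control case: no reset between queueing and dispatch. Expected: 1. */
int scenario_dispatch_before_reset(void)
{
    DirSet set = { NULL, 0 };
    dir_set_add(&set, "/tmp/test_mimeapps_XXXXXX/appinfo/mime/api");      /* constructed path */
    PendingEvent ev = pending_event_new(set.items[0]);
    int applied = pending_event_dispatch(&ev);
    dir_set_reset(&set);
    return applied;
}
```

The model is single-threaded on purpose: it isolates the lifetime question (who may free the record, and when) from the locking question. In the real code the set is guarded by the lock taken in desktop_file_dirs_lock(), but a lock only serialises access to the set; it does nothing for a pointer that was handed to another thread before the reset, which is exactly what the reference count covers. Running a build under AddressSanitizer, as the report does, remains the quickest way to catch the inline-struct version of this pattern.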