Bug 4840 - core dump unsubscribing from newsgroups
Summary: core dump unsubscribing from newsgroups
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail
Classification: Unclassified
Component: NNTP
Version: GIT
Hardware: PC Linux
Importance: P3 normal
Assignee: users
URL:
Depends on:
Blocks:
 
Reported: 2024-11-12 07:33 UTC by Nigel Reed
Modified: 2024-11-13 17:31 UTC

See Also:


Attachments
Start up & bt (74.74 KB, text/plain)
2024-11-12 07:33 UTC, Nigel Reed
Fix free of free()ed pointer (625 bytes, text/plain)
2024-11-12 19:49 UTC, claws-mail@sjh.sh
As previous patch, but Coverity friendly (802 bytes, patch)
2024-11-12 20:00 UTC, claws-mail@sjh.sh

Description Nigel Reed 2024-11-12 07:33:54 UTC
Created attachment 2524
Start up & bt

When I click on a newsgroup to unsubscribe or when I click to subscribe and then click again to unsubscribe I get a core dump.

This is also a confirmed issue on Windows.
Comment 1 claws-mail@sjh.sh 2024-11-12 08:29:36 UTC
This appears to be a use-after-free, so if you don't have some malloc() validation, it can be hard to reproduce.  On FreeBSD, if I set MALLOC_CONF=junk:true,utrace:true in the environment and run it, I can reproduce this trivially with the following backtrace:

Thread 1 received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000802503450 in ?? () from /lib/libc.so.7
(gdb) bt
#0  0x0000000802503450 in ?? () from /lib/libc.so.7
#1  0x000000000038dc38 in button_press_cb (ctree=0x80718f310, button=<optimized out>, data=<optimized out>)
    at grouplistdialog.c:606
#2  0x0000000800a14ca9 in ?? () from /usr/local/lib/libgtk-3.so.0
#3  0x00000008021e888f in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.0
#4  0x0000000802201f76 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#5  0x0000000802200b08 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#6  0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#7  0x0000000800cebd01 in ?? () from /usr/local/lib/libgtk-3.so.0
#8  0x0000000800b8c12f in gtk_propagate_event () from /usr/local/lib/libgtk-3.so.0
#9  0x0000000800b8bc36 in gtk_main_do_event () from /usr/local/lib/libgtk-3.so.0
#10 0x0000000800e59071 in ?? () from /usr/local/lib/libgdk-3.so.0
#11 0x0000000800eaedf7 in ?? () from /usr/local/lib/libgdk-3.so.0
#12 0x000000080210da91 in ?? () from /usr/local/lib/libglib-2.0.so.0
#13 0x000000080210de29 in ?? () from /usr/local/lib/libglib-2.0.so.0
#14 0x000000080210e159 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.0
#15 0x0000000800b8b59a in gtk_main () from /usr/local/lib/libgtk-3.so.0
#16 0x000000000038d425 in grouplist_dialog (folder=folder@entry=0x8055658e0) at grouplistdialog.c:122
#17 0x00000000003d0003 in subscribe_newsgroup_cb (action=<optimized out>, data=0x803d73440) at news_gtk.c:174
#18 0x00000008021e888f in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.0
#19 0x0000000802201f76 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#20 0x0000000802200a9d in ?? () from /usr/local/lib/libgobject-2.0.so.0
#21 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#22 0x0000000800d33644 in ?? () from /usr/local/lib/libgtk-3.so.0
#23 0x00000008021e8b0e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#24 0x0000000802200e4e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#25 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#26 0x0000000800cec497 in gtk_widget_activate () from /usr/local/lib/libgtk-3.so.0
#27 0x0000000800ba07ca in gtk_menu_shell_activate_item () from /usr/local/lib/libgtk-3.so.0
#28 0x0000000800ba2150 in ?? () from /usr/local/lib/libgtk-3.so.0
#29 0x0000000800a14daa in ?? () from /usr/local/lib/libgtk-3.so.0
#30 0x00000008021e8b0e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#31 0x0000000802200802 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#32 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#33 0x0000000800cebd01 in ?? () from /usr/local/lib/libgtk-3.so.0
#34 0x0000000800b8c12f in gtk_propagate_event () from /usr/local/lib/libgtk-3.so.0
#35 0x0000000800b8bc36 in gtk_main_do_event () from /usr/local/lib/libgtk-3.so.0
#36 0x0000000800e59071 in ?? () from /usr/local/lib/libgdk-3.so.0
#37 0x0000000800eaedf7 in ?? () from /usr/local/lib/libgdk-3.so.0
#38 0x000000080210da91 in ?? () from /usr/local/lib/libglib-2.0.so.0
#39 0x000000080210de29 in ?? () from /usr/local/lib/libglib-2.0.so.0
#40 0x000000080210e159 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.0
#41 0x0000000800b8b59a in gtk_main () from /usr/local/lib/libgtk-3.so.0
#42 0x00000000003a33e6 in main (argc=1, argv=0x7fffffffe710) at main.c:1574
Comment 2 claws-mail@sjh.sh 2024-11-12 08:38:06 UTC
Looking at it, it appears that list has been free()ed at this point:

(gdb) up
#1  0x000000000038dcf2 in button_press_cb (ctree=0x80718f610, button=<optimized out>, data=<optimized out>)
    at grouplistdialog.c:612
612                     g_free(list->data);
(gdb) print list
$1 = (GSList *) 0x803c60410
(gdb) print *list
$2 = {data = 0x5a5a5a5a5a5a5a5a, next = 0x5a5a5a5a5a5a5a5a}
(gdb) 

Filling free()ed allocations with 0x5a is one of the things the debugging malloc() does.
Comment 3 claws-mail@sjh.sh 2024-11-12 08:47:18 UTC
Valgrind turns up this:

==23789== Invalid read of size 8
==23789==    at 0x38DCE6: button_press_cb (grouplistdialog.c:611)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==  Address 0x8720120 is 0 bytes inside a block of size 16 free'd
==23789==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==23789==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38DCD7: button_press_cb (grouplistdialog.c:610)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==  Block was alloc'd at
==23789==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==23789==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38D416: grouplist_dialog (grouplistdialog.c:115)
==23789==    by 0x3D0102: subscribe_newsgroup_cb (news_gtk.c:174)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789== 
==23789== Invalid read of size 8
==23789==    at 0x38DCFE: button_press_cb (grouplistdialog.c:612)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==  Address 0x8720120 is 0 bytes inside a block of size 16 free'd
==23789==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==23789==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38DCD7: button_press_cb (grouplistdialog.c:610)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==  Block was alloc'd at
==23789==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==23789==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38D416: grouplist_dialog (grouplistdialog.c:115)
==23789==    by 0x3D0102: subscribe_newsgroup_cb (news_gtk.c:174)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
Comment 4 claws-mail@sjh.sh 2024-11-12 08:49:20 UTC
Note, the line numbers in Valgrind are a bit off (too high) as I had some debug output in there.
Comment 5 claws-mail@sjh.sh 2024-11-12 09:02:46 UTC
Here's the Valgrind output with the correct code at 2b61e4b2c:

==24409== Invalid read of size 8
==24409==    at 0x38DC2F: button_press_cb (grouplistdialog.c:606)
==24409==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==  Address 0xc43b5c0 is 0 bytes inside a block of size 16 free'd
==24409==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==24409==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x38DC27: button_press_cb (grouplistdialog.c:605)
==24409==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==  Block was alloc'd at
==24409==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==24409==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x38D3E6: grouplist_dialog (grouplistdialog.c:115)
==24409==    by 0x3D0002: subscribe_newsgroup_cb (news_gtk.c:174)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
Comment 6 claws-mail@sjh.sh 2024-11-12 19:49:30 UTC
Created attachment 2525
Fix free of free()ed pointer

list->data needs to be free()ed before calling g_slist_remove() because g_slist_remove() free()s list.
Comment 7 claws-mail@sjh.sh 2024-11-12 19:56:21 UTC
It looks like this was introduced by de1fd9b0e2 to fix a use-after-free issue report from Coverity (list->data is passed to g_slist_remove()).

I can whip up another patch that takes a copy of the pointer and calls g_free() on the copy in case you prefer clean scan results.
Comment 8 claws-mail@sjh.sh 2024-11-12 20:00:51 UTC
Created attachment 2526
As previous patch, but Coverity friendly

This patch prevents a harmless issue from being found by Coverity.
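The ordering bug from comment 6 and the pointer-copy fix from attachment 2526 (comments 7 and 8), as an added example that is not code from the bug report or from Claws Mail: the Node list type, the list_remove() stand-in for g_slist_remove(), and the two group names are constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not Claws Mail code: a constructed stand-in for GLib's GSList.
 * Like g_slist_remove(), list_remove() frees the unlinked node, never its data. */
typedef struct Node { void *data; struct Node *next; } Node;

static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

static Node *list_append(Node *head, void *data) {
    Node *n = malloc(sizeof *n), **pp = &head;
    n->data = data; n->next = NULL;
    while (*pp) pp = &(*pp)->next;
    *pp = n; return head;
}

/* Unlink and free the first node whose data pointer equals `data`. */
static Node *list_remove(Node *head, const void *data) {
    for (Node **pp = &head; *pp; pp = &(*pp)->next)
        if ((*pp)->data == data) {
            Node *dead = *pp; *pp = dead->next;
            free(dead);             /* the node is invalid from here on */
            break;
        }
    return head;
}

static Node *list_find(Node *head, const char *name) {
    for (; head; head = head->next)
        if (strcmp(head->data, name) == 0) return head;
    return NULL;
}

/* Crashing order (comment 6): list_remove(head, node->data) frees `node`, then
 * free(node->data) reads it. Attachment 2526's fix: copy the pointer, unlink, free. */
static Node *unsubscribe(Node *head, Node *node) {
    char *name = node->data;            /* copy taken while node is still live */
    head = list_remove(head, name);     /* frees node; `name` is still valid */
    free(name);
    return head;
}

/* Constructed sample: two subscribed groups, unsubscribe one, check what is left. */
static int demo_unsubscribe(void) {
    Node *subscribed = NULL;
    subscribed = list_append(subscribed, dup_str("comp.lang.c"));
    subscribed = list_append(subscribed, dup_str("alt.test"));
    subscribed = unsubscribe(subscribed, list_find(subscribed, "alt.test"));
    int ok = list_find(subscribed, "comp.lang.c") && !list_find(subscribed, "alt.test");
    while (subscribed) subscribed = unsubscribe(subscribed, subscribed);
    return ok;                          /* 1 when the fix behaves as intended */
}
```

Running the same demo under Valgrind or a junk-filling malloc (as in comments 1 and 2) with the crashing order swapped back in reproduces the "invalid read ... inside a block free'd by g_slist_remove" report shown above.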
Comment 9 claws-mail@sjh.sh 2024-11-12 20:02:24 UTC
It looks like there's at least one more instance in the same patch that introduced the same bug...
mainwindow.c ~ 3853
Comment 10 claws-mail@sjh.sh 2024-11-12 20:05:07 UTC
Actually, that one isn't as clear-cut... maybe it's a double-free?
Comment 11 Nigel Reed 2024-11-12 20:43:05 UTC
I can confirm that the patch provided in attachment 2526 appears to have fixed my issue. Thank you.
Comment 12 Ricardo Mones 2024-11-13 17:31:32 UTC
Pushed to master, thanks for the patch!