Bug 1536856 - [abrt] atril: ev_page_cache_schedule_job_if_needed(): atril killed by SIGSEGV
Summary: [abrt] atril: ev_page_cache_schedule_job_if_needed(): atril killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: atril
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Wolfgang Ulbrich
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:008cb9f2e107858487e96f970cb...
Depends On:
Blocks:
 
Reported: 2018-01-21 18:23 UTC by Kyle Marek
Modified: 2018-03-30 13:55 UTC
CC List: 3 users

Fixed In Version: atril-1.19.6-4.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-30 13:55:13 UTC
Type: ---
Embargoed:


Attachments
File: backtrace (52.53 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: cgroup (289 bytes, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: core_backtrace (40.57 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: cpuinfo (1.25 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: dso_list (14.44 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: environ (1.51 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: exploitable (82 bytes, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: limits (1.29 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: maps (68.91 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: mountinfo (4.04 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: open_fds (2.04 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
File: proc_pid_status (1.27 KB, text/plain), 2018-01-21 18:23 UTC, Kyle Marek, no flags
test pdf (100.00 KB, application/pdf), 2018-03-15 23:59 UTC, Sam Tygier, no flags

Description Kyle Marek 2018-01-21 18:23:40 UTC
Description of problem:
Opened a corrupt PDF (about first 3.9 M of https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf)

Version-Release number of selected component:
atril-1.19.4-1.fc27

Additional info:
reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        atril /home/kmarek/Downloads/tails/325462-sdm-vol-1-2abcd-3abcd.pdf
crash_function: ev_page_cache_schedule_job_if_needed
executable:     /usr/bin/atril
journald_cursor: s=232da011bd4c418e8e541df2095e8361;i=d1c26;b=2f1c7b137b794e0bb17f7e1d47ea034d;m=f2ae6ffa75;t=5634cf152ea05;x=72309f5376a9265e
kernel:         4.13.13-300.fc27.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (9 frames)
 #0 ev_page_cache_schedule_job_if_needed at ev-page-cache.c:329
 #1 ev_page_cache_set_page_range at ev-page-cache.c:361
 #2 setup_caches at ev-view.c:6686
 #3 ev_view_document_changed_cb at ev-view.c:6841
 #9 g_object_notify_by_spec_internal at gobject.c:1173
 #11 ev_document_model_set_document at ev-document-model.c:338
 #12 ev_window_load_job_cb at ev-window.c:1865
 #17 emit_finished at ev-jobs.c:189
 #23 gtk_main at gtkmain.c:1322

Comment 1 Kyle Marek 2018-01-21 18:23:44 UTC
Created attachment 1384101 [details]
File: backtrace

Comment 2 Kyle Marek 2018-01-21 18:23:45 UTC
Created attachment 1384102 [details]
File: cgroup

Comment 3 Kyle Marek 2018-01-21 18:23:46 UTC
Created attachment 1384103 [details]
File: core_backtrace

Comment 4 Kyle Marek 2018-01-21 18:23:47 UTC
Created attachment 1384104 [details]
File: cpuinfo

Comment 5 Kyle Marek 2018-01-21 18:23:48 UTC
Created attachment 1384105 [details]
File: dso_list

Comment 6 Kyle Marek 2018-01-21 18:23:49 UTC
Created attachment 1384106 [details]
File: environ

Comment 7 Kyle Marek 2018-01-21 18:23:50 UTC
Created attachment 1384107 [details]
File: exploitable

Comment 8 Kyle Marek 2018-01-21 18:23:51 UTC
Created attachment 1384108 [details]
File: limits

Comment 9 Kyle Marek 2018-01-21 18:23:53 UTC
Created attachment 1384109 [details]
File: maps

Comment 10 Kyle Marek 2018-01-21 18:23:54 UTC
Created attachment 1384110 [details]
File: mountinfo

Comment 11 Kyle Marek 2018-01-21 18:23:55 UTC
Created attachment 1384111 [details]
File: open_fds

Comment 12 Kyle Marek 2018-01-21 18:23:56 UTC
Created attachment 1384112 [details]
File: proc_pid_status

Comment 13 Kyle Marek 2018-01-21 18:32:13 UTC
Seems like it is 100% reproducible when opening the resulting file of `truncate --size=4M /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf`. In this example, /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf was the completed download of https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf

evince, which has a lot of deviations but shares a codebase ancestor with atril, is unaffected. Might be worth investigating if they have a fix?
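The reproduction step from the comment above, turned into a small regression harness: it writes truncated copies of a PDF at several sizes, opens each copy in the viewer under `timeout`, and reports whether the viewer exited cleanly, was still running when the limit expired, or died from a signal. This is an added example, not code from the bug report, from abrt or from the atril project. It assumes GNU coreutils `truncate` and `timeout` are installed, and the variable names VIEWER and TIMEOUT_SECS are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the atril project): check a
# viewer build against several truncations of one PDF in a single run.
# Assumes GNU coreutils `truncate` and `timeout`. The viewer command comes
# from $VIEWER (default: atril) and the per-file limit from $TIMEOUT_SECS
# (default: 10); both variable names are assumptions of this example.

# make_truncated SRC DESTDIR SIZE...
# Copies SRC into DESTDIR once per SIZE, truncates each copy to that size
# (any syntax `truncate --size` accepts, e.g. 4M or 4000000) and prints the
# path of every copy, one per line.
make_truncated() {
    src=$1
    dest=$2
    shift 2
    base=$(basename "$src" .pdf)
    for size in "$@"; do
        out="$dest/$base.$size.pdf"
        cp "$src" "$out"
        truncate --size="$size" "$out"
        printf '%s\n' "$out"
    done
}

# classify_exit STATUS
# Turns the exit status of `timeout VIEWER FILE` into a verdict. 124 means
# the viewer was still running when the limit expired, i.e. the document
# opened without crashing; 128+N means the viewer died from signal N
# (139 is SIGSEGV, the signal in this report).
classify_exit() {
    case $1 in
        0)   echo "exited cleanly" ;;
        124) echo "no crash (still running at timeout)" ;;
        139) echo "crash: SIGSEGV" ;;
        134) echo "crash: SIGABRT" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash: signal $(( $1 - 128 ))"
            else
                echo "exit status $1"
            fi
            ;;
    esac
}

# check_file SECONDS FILE VIEWER [VIEWER-ARGS...]
# Runs the viewer on FILE for at most SECONDS seconds and prints the verdict.
# The `|| status=$?` form keeps a non-zero status from aborting under `set -e`.
check_file() {
    secs=$1
    file=$2
    shift 2
    status=0
    timeout "$secs" "$@" "$file" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Driver, e.g.: sh truncated-pdf-check.sh original.pdf 1M 4M 8M
# Runs only when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    src=$1
    shift
    workdir=$(mktemp -d)
    make_truncated "$src" "$workdir" "$@" | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(check_file "${TIMEOUT_SECS:-10}" "$f" "${VIEWER:-atril}")"
    done
fi
```

For a GUI viewer the expected verdict on a fixed build is "no crash (still running at timeout)", since the document stays open until `timeout` kills it; any "crash: ..." line for a truncation size is a regression of the kind this report describes.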

Comment 14 Sam Tygier 2018-03-13 21:32:32 UTC
Similar problem has been detected:

rewriting a pdf that is open in atril

reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        atril test.pdf
crash_function: ev_page_cache_schedule_job_if_needed
executable:     /usr/bin/atril
journald_cursor: s=b0fd28a48c3e497fb4bb0da91df759c4;i=5c3fa;b=749775ad35a64145a901671015b402e6;m=4d5138a57f;t=56751d2993385;x=537b374017e5a6c0
kernel:         4.15.6-300.fc27.x86_64
package:        atril-1.19.6-1.fc27
reason:         atril killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 15 Wolfgang Ulbrich 2018-03-14 08:19:38 UTC
I opened your pdf from the given link with that fixed scratch build
and the document doesn't crash.
Can you please try this scratch build?
https://koji.fedoraproject.org/koji/taskinfo?taskID=25681394

Comment 16 Kyle Marek 2018-03-14 18:22:59 UTC
I think you forgot to truncate the PDF after downloading.

Issue applies to the scratch build when reading the same PDF truncated to 4M.

Comment 17 Wolfgang Ulbrich 2018-03-14 19:51:23 UTC
How should that work?
And why?

Comment 18 Kyle Marek 2018-03-14 20:17:41 UTC
No, it should not "work" [1], but it should not crash Atril. This indicates there is a bug in Atril, and is potentially exploitable (jump to an invalid address). See: https://bugzilla.redhat.com/attachment.cgi?id=1384107

While it is true that there is such a thing as "untrusted data", it is a bug for a program to consciously handle input data as such; it means missing error-handling. It makes relatively harmless formats like plain images capable of inducing the execution of native code. Example: https://www.kb.cert.org/vuls/id/189754


[1]: Or maybe it could work. See: https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-Questions/e81e9207c1d6a90d9e89f517ce3bf25f3d8d8f90#corrupted-pdf

Comment 19 Kyle Marek 2018-03-14 20:18:54 UTC
Whoops!

Correction: it is a bug for a program to *not* consciously handle input data as such

Comment 20 Sam Tygier 2018-03-15 23:59:08 UTC
Created attachment 1408605 [details]
test pdf

I can still reproduce with the koji build atril-1.19.6-2.fc27.x86_64.

I have attached a truncated version of the pdf from Intel, which triggers the crash.

Comment 21 Wolfgang Ulbrich 2018-03-20 19:09:15 UTC
Can you please test this new scratch build?
This fixes the problem with a truncated pdf for me.
https://koji.fedoraproject.org/koji/taskinfo?taskID=25840846

Comment 22 Kyle Marek 2018-03-20 19:27:05 UTC
That build works as expected with various truncations of this PDF.

Comment 23 Fedora Update System 2018-03-20 20:33:24 UTC
atril-1.19.6-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b

Comment 24 Fedora Update System 2018-03-21 15:57:34 UTC
atril-1.19.6-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b

Comment 25 Fedora Update System 2018-03-22 09:22:43 UTC
atril-1.19.6-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b

Comment 26 Fedora Update System 2018-03-22 17:38:44 UTC
atril-1.19.6-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b

Comment 27 Fedora Update System 2018-03-30 13:55:13 UTC
atril-1.19.6-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

