1754321 – [abrt] alarm-notify: Double-free with certain types of the reminder

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1754321 - [abrt] alarm-notify: Double-free with certain types of the reminder

Summary: [abrt] alarm-notify: Double-free with certain types of the reminder

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	evolution-data-server
Sub Component:
Version:	31
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Milan Crha
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://retrace.fedoraproject.org/faf...
Whiteboard:	abrt_hash:7bc92b5897237abcfdd4dad53c5...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-22 18:28 UTC by Andre Klapper
Modified:	2020-03-02 21:52 UTC (History)
CC List:	20 users (show)
Fixed In Version:	evolution-data-server-3.35.3-2.fc32 evolution-data-server-3.34.3-2.fc31
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-01-13 02:19:34 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: backtrace (77.38 KB, text/plain) 2019-09-22 18:28 UTC, Andre Klapper	no flags	Details
File: core_backtrace (24.39 KB, text/plain) 2019-09-22 18:28 UTC, Andre Klapper	no flags	Details
File: exploitable (82 bytes, text/plain) 2019-09-22 18:28 UTC, Andre Klapper	no flags	Details
File: maps (117.01 KB, text/plain) 2019-09-22 18:28 UTC, Andre Klapper	no flags	Details
View All

Description Andre Klapper 2019-09-22 18:28:15 UTC

Version-Release number of selected component:
evolution-data-server-3.34.0-1.fc31

Additional info:
reporter:       libreport-2.10.1
backtrace_rating: 4
cmdline:        /usr/libexec/evolution-data-server/evolution-alarm-notify
crash_function: magazine_chain_pop_head
executable:     /usr/libexec/evolution-data-server/evolution-alarm-notify
kernel:         5.3.0-1.fc31.x86_64
type:           CCpp

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 magazine_chain_pop_head at ../glib/gslice.c:538
 #1 thread_memory_magazine1_alloc at ../glib/gslice.c:841
 #2 g_slice_alloc at ../glib/gslice.c:1015
 #3 g_slist_prepend at ../glib/gslist.c:259
 #4 g_object_notify_queue_add at ../gobject/gobject.c:333
 #5 object_set_property at ../gobject/gobject.c:1478
 #6 g_object_new_internal at ../gobject/gobject.c:1861
 #7 g_object_new_with_properties at ../gobject/gobject.c:1995
 #9 i_cal_object_construct at /usr/src/debug/libical-3.0.6-1.fc31.x86_64/x86_64-redhat-linux-gnu/src/libical-glib/i-cal-object.c:351
 #10 i_cal_property_new_full at /usr/src/debug/libical-3.0.6-1.fc31.x86_64/x86_64-redhat-linux-gnu/src/libical-glib/i-cal-property.c:60

Potential duplicate: bug 769523

Comment 1 Andre Klapper 2019-09-22 18:28:19 UTC

Created attachment 1617921 [details]
File: backtrace

Comment 2 Andre Klapper 2019-09-22 18:28:22 UTC

Created attachment 1617922 [details]
File: core_backtrace

Comment 3 Andre Klapper 2019-09-22 18:28:23 UTC

Created attachment 1617923 [details]
File: exploitable

Comment 4 Andre Klapper 2019-09-22 18:28:27 UTC

Created attachment 1617924 [details]
File: maps

Comment 5 Milan Crha 2019-09-23 07:56:09 UTC

Thanks for a bug report. If I read the backtrace properly, then you clicked "Dismiss", after which the Reminders window, aka evolution-alarm-notify process, crashed. I use it few times too and I didn't see this crash yet. Do you run X.org or Wayland? There had been some weird X.org-reported issues in the alarm notify in the past, which I've not been able to reproduce too. Maybe they are related even when running under Wayland. I guess you are not able to reproduce this, are you? It should not dismiss the reminder on which it crashed, but I'm afraid the issue happened sooner than on the dismiss itself.

Comment 6 Andre Klapper 2019-09-23 08:57:53 UTC

I have no idea which steps I performed or not. I'm on Wayland, not X.org.

Comment 7 Gwendal 2019-09-26 14:06:32 UTC

I observed the same crash with Gnome+Wayland on fedora 31 beta, and I am not able to reproduce it. I don't even remember seeing any "Reminders window" when the notification of the crash popped up?

Comment 8 Andre Klapper 2019-09-26 14:37:09 UTC

I'm also pretty sure that I did not interact with any Reminders window, as I do not actively use the Evolution Calendar UI. e-d-s and g-o-a might automatically include and remind me of events I have in remote calendars, but my only interaction would be closing stuff about events in the GNOME 3 notification area, not in some Evolution dialog.

Comment 9 Milan Crha 2019-09-30 12:01:55 UTC

Maybe I'm wrong, but could you try what is referenced below, please? (Andre is already on that bug)
https://bugzilla.redhat.com/show_bug.cgi?id=1756271#c8

Comment 10 Gwendal 2019-10-02 09:06:14 UTC

Just installed the new glib build from the link you gave, I'll try to let you know whether the crash still pops in abrt.

Comment 11 Nils Philippsen 2019-10-14 13:33:32 UTC

Similar problem has been detected:

Logged into GNOME

reporter:       libreport-2.11.0
backtrace_rating: 4
cgroup:         0::/user.slice/user-1000.slice/user/gnome\x2dsession\x2dmanager.slice/gnome-session-manager
cmdline:        /usr/libexec/evolution-data-server/evolution-alarm-notify
crash_function: magazine_chain_pop_head
executable:     /usr/libexec/evolution-data-server/evolution-alarm-notify
journald_cursor: s=5d447bb8a9984231ae694daf20a06bee;i=2c64e6;b=31413b395e724a5297d90f2bce8ad80a;m=285fa8dbc;t=594a0c8321469;x=8b79c88b8f57e7dd
kernel:         5.3.5-300.fc31.x86_64
package:        evolution-data-server-3.34.1-1.fc31
reason:         evolution-alarm-notify killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000
xsession_errors: (evolution-alarm-notify:1835): Gdk-WARNING **: evolution-alarm-notify: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.

Comment 12 Nils Philippsen 2019-10-21 09:27:35 UTC

Similar problem has been detected:

Logged into GNOME desktop.

reporter:       libreport-2.11.1
backtrace_rating: 4
cgroup:         0::/user.slice/user-1000.slice/user/gnome\x2dsession\x2dmanager.slice/gnome-session-manager
cmdline:        /usr/libexec/evolution-data-server/evolution-alarm-notify
crash_function: magazine_chain_pop_head
executable:     /usr/libexec/evolution-data-server/evolution-alarm-notify
journald_cursor: s=5d447bb8a9984231ae694daf20a06bee;i=3c5f44;b=a065e7e035144ec7a8da2cc4411d1261;m=44202e3;t=595684012a9bf;x=74770d4953edd0d3
kernel:         5.3.7-300.fc31.x86_64
package:        evolution-data-server-3.34.1-1.fc31
reason:         evolution-alarm-notify killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000
xsession_errors: (evolution-alarm-notify:1835): Gdk-WARNING **: evolution-alarm-notify: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.

Comment 13 Marty Wesley 2019-11-06 13:51:26 UTC

*** Bug 1769378 has been marked as a duplicate of this bug. ***

Comment 14 vincent 2019-11-21 09:11:41 UTC

*** Bug 1774901 has been marked as a duplicate of this bug. ***

Comment 15 Doug Maxey 2019-11-27 12:27:00 UTC

*** Bug 1777326 has been marked as a duplicate of this bug. ***

Comment 16 Ben Cotton 2019-11-27 14:17:30 UTC

Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 17 Ben Cotton 2019-11-27 15:01:15 UTC

This bug was accidentally closed due to a query error. Reopening.

Comment 18 tj.kaufmann 2019-12-14 07:25:37 UTC

*** Bug 1783630 has been marked as a duplicate of this bug. ***

Comment 19 Evgeniy 2019-12-16 15:04:28 UTC

The bug still reproduces on Fedora 31. The crash occur as soon as I log in to the Gnome. I can provide a core dump or anything that could help fixing that.

Comment 20 alex.hart658 2019-12-30 13:43:38 UTC

*** Bug 1787031 has been marked as a duplicate of this bug. ***

Comment 21 mbroberg 2020-01-02 21:18:09 UTC

*** Bug 1787446 has been marked as a duplicate of this bug. ***

Comment 22 Milan Crha 2020-01-06 14:19:27 UTC

(In reply to Evgeniy from comment #19)
> The bug still reproduces on Fedora 31. The crash occur as soon as I log in
> to the Gnome. I can provide a core dump or anything that could help fixing
> that.

That would be great. There's surely happening something odd with evolution-alarm-notify, but I do not see what it is, neither I see it crashing here. Could you follow the steps from bug #1782541 comment #12 and upload the log here, please?

Comment 23 Evgeniy 2020-01-06 16:28:51 UTC

(In reply to Milan Crha from comment #22)
> (In reply to Evgeniy from comment #19)
> > The bug still reproduces on Fedora 31. The crash occur as soon as I log in
> > to the Gnome. I can provide a core dump or anything that could help fixing
> > that.
> 
> That would be great. There's surely happening something odd with
> evolution-alarm-notify, but I do not see what it is, neither I see it
> crashing here. Could you follow the steps from bug #1782541 comment #12 and
> upload the log here, please?

Sure thing, I’ll do that as soon as I get access to my laptop.

Comment 24 mbroberg 2020-01-06 22:42:30 UTC

Hey all, I'm new to bugzilla so a little confused. In case you were asking me for the same, here it is:

```
$ /usr/libexec/evolution-data-server/evolution-alarm-notify 

(evolution-alarm-notify:13385): evolution-alarm-notify-WARNING **: 12:10:01.655: e_alarm_notify_audio: Failed to convert URI to filename: The URI “Chord” is not an absolute URI using the “file” scheme

(evolution-alarm-notify:13385): GLib-GObject-CRITICAL **: 12:10:01.656: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Segmentation fault (core dumped)
$ rpm -qa evolution-data-server\* glib2\* gtk3\* | sort
evolution-data-server-3.34.2-1.fc31.x86_64
evolution-data-server-debuginfo-3.34.2-1.fc31.x86_64
evolution-data-server-debugsource-3.34.2-1.fc31.x86_64
evolution-data-server-langpacks-3.34.2-1.fc31.noarch
glib2-2.62.3-1.fc31.x86_64
gtk3-3.24.13-1.fc31.x86_64
gtk3-debuginfo-3.24.13-1.fc31.x86_64
gtk3-debugsource-3.24.13-1.fc31.x86_64
$ export GIGACAGE_ENABLED=0
$ G_SLICE=always-malloc valgrind --num-callers=30 --aspace-minaddr=0x100000000 \
>         /usr/libexec/evolution-data-server/evolution-alarm-notify &>~/log.txt
```

The resulting log.txt is available here: https://gist.github.com/mbbroberg/6652deb4326f8f79fd926950d9924bc8

Comment 25 Milan Crha 2020-01-07 10:58:12 UTC

Thanks a lot. It helped. The problem is that when there is a reminder with an 'audio' or 'procedure' type, then the attachments of such reminder are freed twice - obviously in error. My fault, I'm sorry.

I fixed it upstream with [1] for 3.35.90+ and 3.34.4+. I'll backport the change to Fedora for the time being.

[1] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/09f81bbeb

Comment 26 Fedora Update System 2020-01-07 11:28:37 UTC

FEDORA-2020-a20255dba8 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a20255dba8

Comment 27 Fedora Update System 2020-01-08 14:15:40 UTC

evolution-3.34.3-1.fc31, evolution-data-server-3.34.3-2.fc31, evolution-ews-3.34.3-1.fc31, evolution-mapi-3.34.3-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a20255dba8

Comment 28 jose.miguel.perez.hernandez 2020-01-11 00:04:23 UTC

Similar problem has been detected:

it happens regularly

reporter:       libreport-2.11.3
backtrace_rating: 4
cgroup:         0::/user.slice/user-1002.slice/user/gnome-launched-org.gnome.Evolution-alarm-notify.desktop-6127.scope
cmdline:        /usr/libexec/evolution-data-server/evolution-alarm-notify
crash_function: magazine_chain_pop_head
executable:     /usr/libexec/evolution-data-server/evolution-alarm-notify
journald_cursor: s=1835e6306a614ac7afc03f7b32d3a580;i=18f2e;b=564add5964704e6689eb904108d07ab9;m=9a5a4c8;t=59bcbfdf61ad7;x=2039fccfd94615e4
kernel:         5.4.8-200.fc31.x86_64
package:        evolution-data-server-3.34.2-1.fc31
reason:         evolution-alarm-notify killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1002

Comment 29 Fedora Update System 2020-01-13 02:19:34 UTC

evolution-3.34.3-1.fc31, evolution-data-server-3.34.3-2.fc31, evolution-ews-3.34.3-1.fc31, evolution-mapi-3.34.3-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Monika Hristova 2020-02-28 15:00:26 UTC

*** Bug 1808455 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

alex.hart658
bz
caillon+fedoraproject
daniel
ezwen-redhatbugzilla
john.j5live
jose.miguel.perez.hernandez
mbroberg
mcatanza
mcrha
mnencheva
morozov.evgeniy.95
mwesley
nphilipp
pajak92
rhughes
rstrode
sandmann
tj.kaufmann
vincent