FS#20136 - [synce-odccm] odccm crash in libdbus

Attached to Project: Community Packages
Opened by Sergej Pupykin (sergej) - Saturday, 10 July 2010, 12:48 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 12 July 2010, 11:15 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

It seems there is a bug in the dbus sanity checks; a workaround is to rebuild dbus-core with the --disable-checks key.

Actually it aborts in _dbus_warn_check_failed, which should just print a warning about incorrect function usage.

In this example the incorrect usage is in the hal libhal_device_get_property_string() function.

Here is the gdb log:

# gdb odccm
GNU gdb (GDB) 7.1
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/sergej/community-my.svn/synce-odccm/trunk/src/odccm-0.13/src/odccm...done.

(gdb) r -f -l 3 --local-ip 192.168.222.1
Starting program: /home/sergej/community-my.svn/synce-odccm/trunk/src/odccm-0.13/src/odccm -f -l 3 --local-ip 192.168.222.1
[Thread debugging using libthread_db enabled]
** (odccm:21852): DEBUG: _odccm_interface_address: waiting for IP address on ppp0
** (odccm:21852): DEBUG: _odccm_interface_address: found matching interface
** (odccm:21852): DEBUG: PDA network interface discovered! udi='/devices/virtual/net/ppp0'
process 21852: arguments to dbus_move_error() were incorrect, assertion "(dest) == NULL || !dbus_error_is_set ((dest))" failed in file dbus-errors.c line 278.
This is normally a bug in some application using the D-Bus library.
D-Bus not built with -rdynamic so unable to print a backtrace

Program received signal SIGABRT, Aborted.
0x00007ffff64b3565 in raise () from /lib/libc.so.6

(gdb) bt
#0 0x00007ffff64b3565 in raise () from /lib/libc.so.6
#1 0x00007ffff64b49e6 in abort () from /lib/libc.so.6
#2 0x00007ffff6c34775 in _dbus_abort () from /usr/lib/libdbus-1.so.3
#3 0x00007ffff6c3067a in _dbus_warn_check_failed () from /usr/lib/libdbus-1.so.3
#4 0x00007ffff67e35a0 in libhal_device_get_property_string () from /usr/lib/libhal.so.1
#5 0x000000000040799e in hal_device_is_pda (ctx=0x645600, udi=0x6457e4 "/org/freedesktop/Hal/devices/net_computer_0") at odccm-device-manager.c:512
#6 hal_device_added_cb (ctx=0x645600, udi=0x6457e4 "/org/freedesktop/Hal/devices/net_computer_0") at odccm-device-manager.c:536
#7 0x00007ffff67e23f0 in filter_func () from /usr/lib/libhal.so.1
#8 0x00007ffff6c1a936 in dbus_connection_dispatch () from /usr/lib/libdbus-1.so.3
#9 0x00007ffff6e52975 in message_queue_dispatch () from /usr/lib/libdbus-glib-1.so.2
#10 0x00007ffff72ceb33 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#11 0x00007ffff72cf310 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#12 0x00007ffff72cf982 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#13 0x0000000000408b28 in main (argc=1, argv=0x7fffffffe2e8) at odccm.c:207
This task depends upon

Closed by  Sergej Pupykin (sergej)
Monday, 12 July 2010, 11:15 GMT
Reason for closing:  Fixed
Comment by Sergej Pupykin (sergej) - Saturday, 10 July 2010, 13:06 GMT
You should start synce-serial-start with a Windows PDA to reproduce this problem,

or write a small test application which calls dbus_move_error and misses the condition "(dest) == NULL || !dbus_error_is_set ((dest))".
Comment by Sergej Pupykin (sergej) - Monday, 12 July 2010, 09:21 GMT
Compile with:
gcc -o dbus-crash dbus-crash.c `pkg-config dbus-1 --cflags --libs`
Comment by Jan de Groot (JGC) - Monday, 12 July 2010, 09:25 GMT
Your testcase is a bug in the testcase itself:

http://dbus.freedesktop.org/doc/api/html/group__DBusErrors.html#g8bf93a2cbd05f95d6309ffaec567c6b1

Both src and dest must be initialized. src is reinitialized to an empty error. dest may not contain an existing error. If the destination is NULL, just frees and reinits the source error.
Comment by Sergej Pupykin (sergej) - Monday, 12 July 2010, 09:37 GMT
I see. I am debugging it now. But odccm passes initialized error structure. It is strange...

static int
hal_device_is_pda (LibHalContext *ctx, const char *udi, gchar **ret_ifname)
{
    int result = 0;

    DBusError error;
    dbus_error_init (&error);

    /* Be sure it is a network interface */
    gchar *ifname = libhal_device_get_property_string (ctx, udi, "net.interface",
                                                       &error);

then in hal

    dbus_error_init (&_error);
    reply = dbus_connection_send_with_reply_and_block (ctx->connection,
                                                       message, -1,
                                                       &_error);

    dbus_message_unref (message);

    dbus_move_error (&_error, error);
Comment by Jan de Groot (JGC) - Monday, 12 July 2010, 09:46 GMT
I checked synce-odccm: in the hal_device_is_pda function the DBusError object is re-used multiple times without ever checking it. From the documentation:

"There are some rules. An error passed to a D-Bus function must always be unset; you can't pass in an error that's already set."
and
"An error only needs to be freed if it's been set, not if it's merely been initialized."

Synce-odccm just passes the same error object to the hal functions without checking or unsetting it. Instead of passing an error object without checking, it should just pass NULL everywhere.
Comment by Sergej Pupykin (sergej) - Monday, 12 July 2010, 09:53 GMT
I'll try to fix and check odccm today.
I did not catch that libhal_device_get_property_string is called multiple times.
Thanks.
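The pattern discussed in this thread, as an added example that is not code from synce-odccm, hal or libdbus: a small constructed stand-in for DBusError models only the contract quoted above (an error passed to a D-Bus function must be unset; an error only needs freeing once it has been set; dbus_move_error requires dest to be NULL or unset). Every mock_* function, the PropStatus enum, the property keys "pda.vendor" and "net.interface", the value "ppp0" and the lookup order are assumptions made for this example, not hal's or odccm's real behaviour. Where real libdbus built with checks aborts in _dbus_warn_check_failed, the stand-in returns PROP_CHECK_FAILED so the outcome can be observed, and the caller that reuses a set error is shown next to one that checks and frees it before every reuse.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for DBusError; it is NOT libdbus, it only models the
 * contract quoted in this thread. */
typedef struct {
    const char *name;     /* NULL while the error is unset */
    const char *message;
} MockError;

static void mock_error_init(MockError *e)
{
    e->name = NULL;
    e->message = NULL;
}

static bool mock_error_is_set(const MockError *e)
{
    return e != NULL && e->name != NULL;
}

/* Only static strings are stored, so "freeing" just returns the error to the
 * initialized state, which is the observable effect of dbus_error_free(). */
static void mock_error_free(MockError *e)
{
    mock_error_init(e);
}

/* Stand-in for dbus_move_error(): src must be initialized, dest NULL or unset.
 * Real libdbus built with checks aborts via _dbus_warn_check_failed here; the
 * stand-in returns false instead so the caller can observe it. */
static bool mock_move_error(MockError *src, MockError *dest)
{
    if (!(dest == NULL || !mock_error_is_set(dest)))
        return false;             /* the assertion from the gdb log above */
    if (dest != NULL)
        *dest = *src;
    mock_error_init(src);         /* src is reinitialized to an empty error */
    return true;
}

typedef enum { PROP_OK, PROP_MISSING, PROP_CHECK_FAILED } PropStatus;

/* Stand-in for libhal_device_get_property_string(): resolves only the
 * constructed key "net.interface" and, like the hal snippet in the thread,
 * moves its local error into the caller's error on the way out. */
static PropStatus mock_get_property(const char *key, MockError *error,
                                    const char **value)
{
    MockError local;
    mock_error_init(&local);
    *value = NULL;
    if (strcmp(key, "net.interface") == 0) {
        *value = "ppp0";                                     /* constructed */
    } else {
        local.name = "org.freedesktop.Hal.NoSuchProperty";   /* constructed */
        local.message = key;
    }
    if (!mock_move_error(&local, error)) {
        *value = NULL;
        return PROP_CHECK_FAILED;
    }
    return *value != NULL ? PROP_OK : PROP_MISSING;
}

/* Hypothetical caller in the shape of odccm's hal_device_is_pda(): it asks
 * for an optional property first and the interface name second. */
static PropStatus is_pda_reusing_error(const char **ifname)
{
    MockError error;
    const char *vendor;
    mock_error_init(&error);

    /* The first lookup fails and leaves `error` set ... */
    (void)mock_get_property("pda.vendor", &error, &vendor);
    /* ... and the set error is handed straight to the next call: this is the
     * reuse the thread identifies, and where checks-enabled libdbus aborts. */
    return mock_get_property("net.interface", &error, ifname);
}

/* Same flow, with the error checked and freed before every reuse. */
static PropStatus is_pda_checking_error(const char **ifname)
{
    MockError error;
    const char *vendor;
    PropStatus status;
    mock_error_init(&error);

    (void)mock_get_property("pda.vendor", &error, &vendor);
    if (mock_error_is_set(&error))
        mock_error_free(&error);      /* back to unset before the next call */

    status = mock_get_property("net.interface", &error, ifname);
    if (mock_error_is_set(&error))
        mock_error_free(&error);      /* free only if set, as the docs say */
    return status;
}
```

The other fix proposed in the thread, passing NULL as the error everywhere, also satisfies the contract: mock_move_error accepts a NULL dest, so mock_get_property("pda.vendor", NULL, &value) simply reports PROP_MISSING without any error object to keep in an unset state.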