Bug#1010282: gvfsd-dav: segfaults when mounting a share

Yves-Alexis Perez corsac at debian.org
Wed Apr 27 20:03:05 BST 2022


Package: gvfs-backends
Version: 1.50.0-1
Severity: important

Hi,

I'm currently experiencing a segfault in gvfs-dav when mounting a share
(using gio mount davs://<url>/remote.php/dav/corsac on a Nextcloud
instance).

I only started experiencing the issue now but it's been a while since I
tried to mount using gio so I'm unsure when it started appearing.

Running gvfsd from a terminal with GVFS_DEBUG=1 I get:

dav: Added new job source 0x64a7363fc080 (GVfsBackendDav)
dav: Queued new job 0x64a7363f4a70 (GVfsJobMount)
dav: + mount
dav: + soup_authenticate (interactive, first auth)
dav: - soup_authenticate
dav:  [/remote.php/dav/files/corsac] webdav: 1, collection 1 [res: 1]

Adding GVFS_HTTP_DEBUG=all I get at the end:

> PROPFIND /remote.php/dav/files/ HTTP/1.1
[...]
> <?xml version="1.0" encoding="utf-8" ?>
>  <D:propfind xmlns:D="DAV:">
>   <D:prop>
> <D:resourcetype/>
> <D:getcontentlength/>
>   </D:prop>
>  </D:propfind>

< HTTP/1.1 405 Method Not Allowed
< Soup-Debug-Timestamp: 1651085719
< Soup-Debug: SoupMessage 2 (0x784f50007210)
< Date: Wed, 27 Apr 2022 18:55:19 GMT
< Server: nginx/1.18.0
< Content-Type: application/xml; charset=utf-8
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'none';
< Vary: Brief,Prefer
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Keep-Alive: timeout=5, max=97
< Connection: Keep-Alive
< Transfer-Encoding: chunked
< Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
< DAV: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar
< Allow: OPTIONS, GET, HEAD, DELETE, PROPFIND, PUT, PROPPATCH, COPY, MOVE, REPORT
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
<
< <?xml version="1.0" encoding="utf-8"?>
< <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<   <s:exception>Sabre\DAV\Exception\MethodNotAllowed</s:exception>
<   <s:message>Listing members of this collection is disabled</s:message>
< </d:error>
dav:  [/remote.php/dav/files/] webdav: 1, collection 0 [res: 0]
dav: send_reply(0x57419e1afab0), failed=0 ()
malloc(): unsorted double linked list corrupted


I'm not sure why gvfs-dav tries to access /remote.php/dav/files/ but in
any case it should crash on receiving a 405 error. Also, I'm a bit
worried about the malloc error; memory corruption is bad.

I've installed some debugging symbols and tried to get a backtrace but I'm
unsure if it's really helpful:

corsac@scapa: gdb -p 874753
GNU gdb (Debian 10.1-2+b1) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 874753
[New LWP 874754]
[New LWP 874755]
[New LWP 874756]
[New LWP 874758]
[New LWP 874759]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x000071c244b9a87f in __GI___poll (fds=0x5f89614d0600, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
29	../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) c
Continuing.

Thread 5 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x71c23b7fe640 (LWP 874758)]
__strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
115	../sysdeps/x86_64/multiarch/strcmp-avx2.S: No such file or directory.
(gdb) bt
#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
#1  0x000071c244e9441e in soup_body_input_stream_read_chunked
    (error=0x71c23b7fda18, cancellable=0x0, blocking=1, count=4096, buffer=0x0, bistream=0x71c22835ec90 [SoupBodyInputStream])
    at ../libsoup/http1/soup-body-input-stream.c:234
#2  read_internal (stream=<optimized out>, buffer=0x0, count=4096, blocking=1, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/http1/soup-body-input-stream.c:267
#3  0x000071c24510a271 in g_input_stream_skip
    (stream=0x71c22835ec90 [SoupBodyInputStream], count=count@entry=4096, cancellable=cancellable@entry=0x0, error=error@entry=0x71c23b7fda18)
    at ../../../gio/ginputstream.c:391
#4  0x000071c244eae4ba in soup_filter_input_stream_skip (stream=<optimized out>, count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/soup-filter-input-stream.c:131
#5  0x000071c244eaa2af in soup_client_input_stream_skip (stream=0x71c2284c4f20 [SoupClientInputStream], count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/soup-client-input-stream.c:140
#6  0x000071c24510a271 in g_input_stream_skip (stream=0x71c2284c4f20 [SoupClientInputStream], count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../../../gio/ginputstream.c:391
#7  0x00005f895ff43818 in  ()
#8  0x000071c2452ea34a in g_vfs_job_run (job=0x5f89614de2b0 [GVfsJobMount]) at ../daemon/gvfsjob.c:195
#9  0x000071c2452e81df in job_handler_callback (data=<optimized out>, user_data=<optimized out>) at ../daemon/gvfsdaemon.c:203
#10 0x000071c244f72e94 in g_thread_pool_thread_proxy (data=<optimized out>) at ../../../glib/gthreadpool.c:354
#11 0x000071c244f7259d in g_thread_proxy (data=0x5f89614d4760) at ../../../glib/gthread.c:827
#12 0x000071c2446efd80 in start_thread (arg=0x71c23b7fe640) at pthread_create.c:481
#13 0x000071c244ba676f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) bt full
#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
#1  0x000071c244e9441e in soup_body_input_stream_read_chunked
    (error=0x71c23b7fda18, cancellable=0x0, blocking=1, count=4096, buffer=0x0, bistream=0x71c22835ec90 [SoupBodyInputStream])
    at ../libsoup/http1/soup-body-input-stream.c:234
        priv = 0x71c22835ec40
        fstream = 0x71c228046670 [SoupFilterInputStream]
        metabuf = "0\r\n\000\000\000\000\000\030\332\177;\302q\000\000\000\020", '\000' <repeats 14 times>, " OL(\302q\000\000\277\246\005E\302q\000\000\030\000\000\000\060\000\000\000\020\331\177;\302q\000\000P\330\177;\302q\000\000\000n\372\213\200Xn\370\020r\000(\302q\000\000\264)\263D\302q\000\000\020r\000(\302q\000\000\366", '\000' <repeats 15 times>, "\220\354\065(\302q\000"
        nread = 2
        got_line = 1
        bistream = 0x71c22835ec90 [SoupBodyInputStream]
        priv = 0x71c22835ec40
        nread = <optimized out>
        __func__ = "read_internal"
#2  read_internal (stream=<optimized out>, buffer=0x0, count=4096, blocking=1, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/http1/soup-body-input-stream.c:267
        bistream = 0x71c22835ec90 [SoupBodyInputStream]
        priv = 0x71c22835ec40
        nread = <optimized out>
        __func__ = "read_internal"
#3  0x000071c24510a271 in g_input_stream_skip
    (stream=0x71c22835ec90 [SoupBodyInputStream], count=count@entry=4096, cancellable=cancellable@entry=0x0, error=error@entry=0x71c23b7fda18)
    at ../../../gio/ginputstream.c:391
        class = 0x71c228360840
        res = <optimized out>
        __func__ = "g_input_stream_skip"
#4  0x000071c244eae4ba in soup_filter_input_stream_skip (stream=<optimized out>, count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/soup-filter-input-stream.c:131
        fstream = 0x71c2284c4f20 [SoupClientInputStream]
        priv = 0x71c2284c4ef0
        bytes_skipped = <optimized out>
#5  0x000071c244eaa2af in soup_client_input_stream_skip (stream=0x71c2284c4f20 [SoupClientInputStream], count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../libsoup/soup-client-input-stream.c:140
        priv = 0x71c2284c4ee0
        nread = <optimized out>
#6  0x000071c24510a271 in g_input_stream_skip (stream=0x71c2284c4f20 [SoupClientInputStream], count=4096, cancellable=0x0, error=0x71c23b7fda18)
    at ../../../gio/ginputstream.c:391
        class = 0x71c228361550
        res = <optimized out>
        __func__ = "g_input_stream_skip"
#7  0x00005f895ff43818 in  ()
--Type <RET> for more, q to quit, c to continue without paging--
#8  0x000071c2452ea34a in g_vfs_job_run (job=0x5f89614de2b0 [GVfsJobMount]) at ../daemon/gvfsjob.c:195
        class = 0x5f89614ee1c0
#9  0x000071c2452e81df in job_handler_callback (data=<optimized out>, user_data=<optimized out>) at ../daemon/gvfsdaemon.c:203
        job = 0x5f89614de2b0 [GVfsJobMount]
#10 0x000071c244f72e94 in g_thread_pool_thread_proxy (data=<optimized out>) at ../../../glib/gthreadpool.c:354
        task = 0x5f89614de2b0
        pool = <optimized out>
#11 0x000071c244f7259d in g_thread_proxy (data=0x5f89614d4760) at ../../../glib/gthread.c:827
        thread = 0x5f89614d4760
        __func__ = "g_thread_proxy"
#12 0x000071c2446efd80 in start_thread (arg=0x71c23b7fe640) at pthread_create.c:481
        ret = <optimized out>
        pd = 0x71c23b7fe640
        unwind_buf =
              {cancel_jmp_buf = {{jmp_buf = {125079035831872, -3908132707509501404, 140733515511774, 140733515511775, 0, 125079035831872, 3046668644706648612, 3046420027103740452}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#13 0x000071c244ba676f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-6-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gvfs-backends depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-3
ii  gvfs                                         1.50.0-1
ii  gvfs-common                                  1.50.0-1
ii  gvfs-daemons                                 1.50.0-1
ii  gvfs-libs                                    1.50.0-1
ii  libarchive13                                 3.6.0-1
ii  libavahi-client3                             0.8-5
ii  libavahi-common3                             0.8-5
ii  libavahi-glib1                               0.8-5
ii  libc6                                        2.33-7
ii  libcdio-cdda2                                10.2+2.0.0-1+b2
ii  libcdio-paranoia2                            10.2+2.0.0-1+b2
ii  libcdio19                                    2.1.0-3
ii  libgcrypt20                                  1.10.1-2
ii  libgdata22                                   0.18.1-2
ii  libglib2.0-0                                 2.72.1-1
ii  libgoa-1.0-0b                                3.44.0-1
ii  libgphoto2-6                                 2.5.27-1
ii  libgphoto2-port12                            2.5.27-1
ii  libgudev-1.0-0                               237-2
ii  libimobiledevice6                            1.3.0-6+b1
ii  libmtp9                                      1.1.19-1
ii  libnfs13                                     4.0.0-1
ii  libplist3                                    2.2.0-6+b1
ii  libpolkit-gobject-1-0                        0.120-6
ii  libsmbclient                                 2:4.16.0+dfsg-7
ii  libsoup-3.0-0                                3.0.6-1
ii  libusb-1.0-0                                 2:1.0.26-1
ii  libxml2                                      2.9.13+dfsg-1+b1
ii  psmisc                                       23.4-2

Versions of packages gvfs-backends recommends:
ii  gnome-keyring  40.0-3

Versions of packages gvfs-backends suggests:
ii  bluez-obexd   5.64-2
ii  samba-common  2:4.16.0+dfsg-7

-- no debconf information


