[Pkg-rust-maintainers] Bug#1084084: Reproducers for the evolution crash
Justus Winter
justus at sequoia-pgp.org
Thu Jan 23 17:10:50 GMT 2025
reassign 1084084 src:evolution
affects 1084084 gpg-sq
thx
I played around with Evolution. I found two ways of crashing Evolution
when using the Chameleon. Both seem to involve a memory corruption of
some kind, and I strongly suspect the status-fd parsing implemented in
libcamel, which contains custom code interfacing with GnuPG.
To reproduce, install gpg-from-sq and follow either recipe:
### Crash verifying a signed message
I suspect this is similar to the original bug report. To reproduce, I
rapidly selected and de-selected a signed message:
```
double free or corruption (out)
Thread 106 "pool-org.gnome." received signal SIGABRT, Aborted.
[Switching to Thread 0x7fff397fa6c0 (LWP 1009800)]
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo at entry=6, no_tid=no_tid at entry=0) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo at entry=6, no_tid=no_tid at entry=0) at ./nptl/pthread_kill.c:44
#1 0x00007ffff189ddef in __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:78
#2 0x00007ffff1849d02 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff18324f0 in __GI_abort () at ./stdlib/abort.c:79
#4 0x00007ffff183332d in __libc_message_impl (fmt=fmt at entry=0x7ffff19b5303 "%s\n") at ../sysdeps/posix/libc_fatal.c:132
#5 0x00007ffff18a7925 in malloc_printerr (str=str at entry=0x7ffff19b85a0 "double free or corruption (out)") at ./malloc/malloc.c:5772
#6 0x00007ffff18a9960 in _int_free_merge_chunk (av=av at entry=0x7ffff19f1ac0 <main_arena>, p=0x7fff1800a800, size=2319407822428712992) at ./malloc/malloc.c:4676
#7 0x00007ffff18a9c79 in _int_free (av=0x7ffff19f1ac0 <main_arena>, p=<optimized out>, have_lock=<optimized out>, have_lock at entry=0) at ./malloc/malloc.c:4646
#8 0x00007ffff18ac3ff in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3398
#9 0x00007ffff7d06ca9 in g_free (mem=<optimized out>) at ../../../glib/gmem.c:208
#10 0x00007ffff7e63a3e in gpg_ctx_free (gpg=gpg at entry=0x7fff18014db0) at ./src/camel/camel-gpg-context.c:699
#11 0x00007ffff7e684f0 in gpg_verify_sync (context=0x7fff1801a9f0 [CamelGpgContext], ipart=<optimized out>, cancellable=<optimized out>, error=0x7fff397f9368) at ./src/camel/camel-gpg-context.c:2898
#12 0x00007ffff7e37682 in camel_cipher_context_verify_sync
(context=context at entry=0x7fff1801a9f0 [CamelGpgContext], ipart=ipart at entry=0x7fff180140d0 [CamelMimeMessage], cancellable=cancellable at entry=0x5555561f49a0 [CamelOperation], error=error at entry=0x7fff397f9368)
at ./src/camel/camel-cipher-context.c:489
#13 0x00007fffdb044dba in empe_mp_signed_parse
(extension=<optimized out>, parser=0x7fff18019260 [EMailParser], part=0x7fff180140d0 [CamelMimeMessage], part_id=0x7fff18016fe0, cancellable=0x5555561f49a0 [CamelOperation], out_mail_parts=0x7fff397f9420)
at ./src/em-format/e-mail-parser-multipart-signed.c:157
#14 0x00007fffdb03fc2c in e_mail_parser_parse_part_as
(parser=parser at entry=0x7fff18019260 [EMailParser], part=part at entry=0x7fff180140d0 [CamelMimeMessage], part_id=part_id at entry=0x7fff18016fe0, mime_type=mime_type at entry=0x7fff1800a380 "multipart/signed", cancellable=cancellable at entry=0x5555561f49a0 [CamelOperation], out_mail_parts=out_mail_parts at entry=0x7fff397f9420) at ./src/em-format/e-mail-parser.c:773
#15 0x00007fffdb041769 in empe_message_parse
(extension=<optimized out>, parser=0x7fff18019260 [EMailParser], part=0x7fff180140d0 [CamelMimeMessage], part_id=0x7fff18016fe0, cancellable=0x5555561f49a0 [CamelOperation], out_mail_parts=0x7fff397f9500)
at ./src/em-format/e-mail-parser-message.c:83
#16 0x00007fffdb03ef75 in mail_parser_run
(parser=parser at entry=0x7fff18019260 [EMailParser], part_list=part_list at entry=0x7fff18018540 [EMailPartList], cancellable=cancellable at entry=0x5555561f49a0 [CamelOperation])
at ./src/em-format/e-mail-parser.c:277
#17 0x00007fffdb03f5dd in e_mail_parser_parse_sync
(parser=parser at entry=0x7fff18019260 [EMailParser], folder=0x7fff18004980 [CamelIMAPXFolder], message_uid=0x555555d34d40 "1", message=0x7fff180140d0 [CamelMimeMessage], cancellable=cancellable at entry=0x5555561f49a0 [CamelOperation]) at ./src/em-format/e-mail-parser.c:525
#18 0x00007fffdadee49b in mail_reader_parse_message_run (simple=0x555555f51b80 [GSimpleAsyncResult], object=<optimized out>, cancellable=0x5555561f49a0 [CamelOperation]) at ./src/mail/e-mail-reader-utils.c:3542
#19 0x00007ffff71c3a88 in run_in_thread (job=<optimized out>, c=0x5555561f49a0 [CamelOperation], _data=0x55555621d6c0) at ../../../gio/gsimpleasyncresult.c:899
#20 0x00007ffff71a619a in io_job_thread (task=<optimized out>, source_object=<optimized out>, task_data=0x555556182bb0, cancellable=<optimized out>) at ../../../gio/gioscheduler.c:75
#21 0x00007ffff71d9211 in g_task_thread_pool_thread (thread_data=0x555556190d50, pool_data=<optimized out>) at ../../../gio/gtask.c:1583
#22 0x00007ffff7d308b2 in g_thread_pool_thread_proxy (data=<optimized out>) at ../../../glib/gthreadpool.c:336
#23 0x00007ffff7d302e1 in g_thread_proxy (data=0x7fffcc0029a0) at ../../../glib/gthread.c:892
#24 0x00007ffff189c043 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
#25 0x00007ffff191a778 in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
```
### Crash composing a signed+encrypted message
To reproduce, compose a signed+encrypted message to a recipient whose OpenPGP certificate cannot be authenticated ("is not trusted"). Click send; this will fail. Keep clicking send until it crashes:
```
#0 0x00007ffff18ac3f5 in arena_for_chunk (ptr=0x555555e5f7d0) at ./malloc/arena.c:153
#1 arena_for_chunk (ptr=0x555555e5f7d0) at ./malloc/arena.c:151
#2 __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3397
#3 0x00007ffff7d06ca9 in g_free (mem=<optimized out>) at ../../../glib/gmem.c:208
#4 0x00007ffff7e63a3e in gpg_ctx_free (gpg=gpg at entry=0x7ffef400c790) at ./src/camel/camel-gpg-context.c:699
#5 0x00007ffff7e67a10 in gpg_sign_sync
(context=<optimized out>, userid=<optimized out>, hash=<optimized out>, ipart=<optimized out>, opart=0x7ffef400c1e0 [CamelMimePart], cancellable=<optimized out>, error=0x7fff3d7f75f0)
at ./src/camel/camel-gpg-context.c:2680
#6 0x00007ffff7e372be in camel_cipher_context_sign_sync
(context=context at entry=0x7ffef400cbd0 [CamelGpgContext], userid=0x5555562cf9d0 "F8A2F8CF2957E34FDD4BAE33D08CFCD5986763ED", hash=CAMEL_CIPHER_HASH_DEFAULT, ipart=ipart at entry=0x7ffef400c120 [CamelMimePart], opart=opart at entry=0x7ffef400c1e0 [CamelMimePart], cancellable=cancellable at entry=0x555556f655d0 [CamelOperation], error=0x7fff3d7f75f0) at ./src/camel/camel-cipher-context.c:356
#7 0x00007fffdb08108e in composer_build_message_pgp (context=0x555556f1d620, cancellable=0x555556f655d0 [CamelOperation], error=0x7fff3d7f75f0) at ./src/composer/e-msg-composer.c:1072
#8 composer_build_message_thread (task=<optimized out>, source_object=<optimized out>, task_data=0x555556f1d620, cancellable=0x555556f655d0 [CamelOperation]) at ./src/composer/e-msg-composer.c:1346
#9 0x00007ffff71d9211 in g_task_thread_pool_thread (thread_data=0x555556eda690, pool_data=<optimized out>) at ../../../gio/gtask.c:1583
#10 0x00007ffff7d308b2 in g_thread_pool_thread_proxy (data=<optimized out>) at ../../../glib/gthreadpool.c:336
#11 0x00007ffff7d302e1 in g_thread_proxy (data=0x7fffcc0018d0) at ../../../glib/gthread.c:892
#12 0x00007ffff189c043 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
#13 0x00007ffff191a778 in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
```
You'll note the common line in the stack traces:
```
#4 0x00007ffff7e63a3e in gpg_ctx_free (gpg=gpg at entry=0x7ffef400c790) at ./src/camel/camel-gpg-context.c:699
```
Which is:
```c
g_free (gpg->statusbuf);
```
There is a lot of overly clever manual buffer management going on for
that buffer, e.g. `/* recycle our statusbuf by moving inptr to the
beginning of statusbuf */` and `status_backup`, and I strongly suspect
that there is a bug there somewhere.
I haven't been able to reproduce it with the stock GnuPG, but I'd
maintain that being able to cause this kind of corruption in Evolution
by simply emitting slightly different status messages is a bug in
Evolution rather than in the Chameleon.
Best,
Justus
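The status-fd handling the report points at, as an added example that is not Evolution's or libcamel's code: a hypothetical growable status buffer (`status_buf`, `status_buf_append`, `status_buf_next`, `count_status_lines` are all assumed names) that keeps `inptr` as an offset rather than a pointer, recycles consumed bytes, survives a moving `realloc()`, and is freed once by its single owner. The `gpg --status-fd` lines it parses are constructed, and it is fed in 7-byte chunks to exercise partial lines.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical status-fd reader, not libcamel's code. Positions are offsets, not
 * pointers, so a realloc() that moves the buffer leaves no stale inptr behind. */
typedef struct { char *buf; size_t len, cap, inptr; } status_buf;
static int status_buf_append(status_buf *sb, const char *data, size_t n) {
    if (sb->inptr > 0) {                     /* recycle consumed bytes */
        memmove(sb->buf, sb->buf + sb->inptr, sb->len - sb->inptr);
        sb->len -= sb->inptr; sb->inptr = 0;
    }
    if (sb->len + n > sb->cap) {             /* grow: buf may move here */
        size_t ncap = (sb->len + n) * 2;
        char *nb = realloc(sb->buf, ncap); if (!nb) return -1;
        sb->buf = nb; sb->cap = ncap;
    }
    memcpy(sb->buf + sb->len, data, n); sb->len += n;
    return 0;
}
/* Consume one line: 1 = status line (off/len cover the text after "[GNUPG:] "),
 * 0 = other gpg output, -1 = only a partial line buffered. Offsets are valid
 * until the next append, the only call that can move the buffer. */
static int status_buf_next(status_buf *sb, size_t *off, size_t *len) {
    char *start = sb->buf + sb->inptr;
    char *nl = memchr(start, '\n', sb->len - sb->inptr);
    if (!nl) return -1;
    *off = sb->inptr; *len = (size_t)(nl - start); sb->inptr += *len + 1;
    if (*len < 9 || memcmp(start, "[GNUPG:] ", 9) != 0) return 0;
    *off += 9; *len -= 9; return 1;
}
/* Constructed sample of gpg --status-fd output, fed in 7-byte chunks to hit
 * partial lines and regrowth; counts status lines whose keyword matches. */
static const char sample[] =
    "[GNUPG:] NEWSIG\n"
    "gpg: Signature made Thu Jan 23 2025\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n";
static int count_status_lines(const char *keyword) {
    status_buf sb = {0}; int n = 0, r;
    size_t klen = strlen(keyword), off, len, total = sizeof sample - 1;
    for (size_t pos = 0; pos < total; pos += 7) {
        size_t chunk = total - pos > 7 ? 7 : total - pos;
        if (status_buf_append(&sb, sample + pos, chunk) != 0) { free(sb.buf); return -1; }
        while ((r = status_buf_next(&sb, &off, &len)) >= 0)
            if (r == 1 && len >= klen && memcmp(sb.buf + off, keyword, klen) == 0
                && (len == klen || sb.buf[off + klen] == ' '))
                n++;
    }
    free(sb.buf);                            /* the single owner frees once */
    return n;
}
```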