[Pkg-utopia-maintainers] Bug#743296: realmd: segfault due to glib max allowed issue with private data before 2.39.1

Alban Browaeys prahal at yahoo.com
Tue Apr 1 14:23:27 UTC 2014


Package: realmd
Version: 0.15.0-1
Severity: important


Dear Maintainer,
To sum up: a rebuild I tested vs 2.38.2-5 from sid (via pdebuild), and above 2.39.1 (from the commit log of the fix), and a rebuild vs glib git master (native build in a mix of sid, experimental and jhbuild) fixes the issue.

To sum up:
# realmd --replace

via gdb with -d:

(realmd:26801): DEBUG: holding daemon: startup
(realmd:26801): DEBUG: starting service
[New Thread 0x7ffff31f3700 (LWP 26808)]
[New Thread 0x7ffff29f2700 (LWP 26809)]
[New Thread 0x7ffff21f1700 (LWP 26810)]
(realmd:26801): DEBUG: connected to bus

Program received signal SIGSEGV, Segmentation fault.
magazine_chain_pop_head (magazine_chunks=0x64b680) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gslice.c:539
539	/build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gslice.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  magazine_chain_pop_head (magazine_chunks=0x64b680) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gslice.c:539
#1  thread_memory_magazine1_alloc (tmem=<optimized out>, ix=5) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gslice.c:842
#2  g_slice_alloc (mem_size=mem_size at entry=88) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gslice.c:998
#3  0x00007ffff73a317e in g_hash_table_new_full (hash_func=hash_func at entry=0x4096e0 <g_str_hash at plt>, key_equal_func=key_equal_func at entry=0x40b240 <g_str_equal at plt>, 
    key_destroy_func=key_destroy_func at entry=0x0, value_destroy_func=value_destroy_func at entry=0x0) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/ghash.c:656
#4  0x00007ffff73a3219 in g_hash_table_new (hash_func=hash_func at entry=0x4096e0 <g_str_hash at plt>, key_equal_func=key_equal_func at entry=0x40b240 <g_str_equal at plt>)
    at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/ghash.c:626
#5  0x00007ffff6eb7bda in g_dbus_interface_info_cache_build (info=0x438160) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gdbusintrospection.c:2105
#6  0x00007ffff6ea726c in g_dbus_connection_register_object (connection=connection at entry=0x65d070, object_path=<optimized out>, interface_info=0x438160, vtable=0x663db0, 
    user_data=user_data at entry=0x660ad0, user_data_free_func=user_data_free_func at entry=0x0, error=error at entry=0x7fffffffe858)
    at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gdbusconnection.c:5203
#7  0x00007ffff6ebbac0 in add_connection_locked (error=0x7fffffffe858, connection=0x65d070, interface_=0x660ad0) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gdbusinterfaceskeleton.c:703
#8  g_dbus_interface_skeleton_export (interface_=0x660ad0, connection=0x65d070, object_path=<optimized out>, error=0x7fffffffe858)
    at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gdbusinterfaceskeleton.c:932
#9  0x000000000040cb2b in ?? ()
#10 0x000000000040e843 in ?? ()
#11 0x000000000040eb1e in ?? ()
#12 0x00007ffff6e4cef7 in g_simple_async_result_complete (simple=0x659440) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gsimpleasyncresult.c:763
#13 0x00007ffff6e4cf59 in complete_in_idle_cb (data=<optimized out>) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./gio/gsimpleasyncresult.c:775
#14 0x00007ffff73b3ce5 in g_main_dispatch (context=0x654f00) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gmain.c:3064
#15 g_main_context_dispatch (context=context at entry=0x654f00) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gmain.c:3663
#16 0x00007ffff73b4048 in g_main_context_iterate (context=0x654f00, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>)
    at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gmain.c:3734
#17 0x00007ffff73b430a in g_main_loop_run (loop=0x65e490) at /build/glib2.0-V5GbKs/glib2.0-2.39.92/./glib/gmain.c:3928
#18 0x000000000040b6fc in ?? ()
#19 0x00007ffff569cb45 in __libc_start_main (main=0x40b3a0, argc=1, argv=0x7fffffffec38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffec28)
    at libc-start.c:287
#20 0x000000000040b8ef in ?? ()

It turns out that when the glib max version is 2.36 in configure.ac, as realmd has, the build complains but does not error out. But the binary ends up not allocating the parent_instance private structure. Valgrind complains, at least, and switching from GLIB_MAX=GLIB_VERSION_2_36 to GLIB_MAX=GLIB_VERSION_2_38 in configure.ac makes it quiet and also phases out the various segfaults and SIGILLs I had (on x86, x86_64 and armhf).

Below follow the relevant part of the build log, the first valgrind lines of output and an extract of the gdb session that shows the parent_instance GDBusInterfaceSkeleton GMutex internal field __kind at the same address as the object's own (RealmDbusServiceSkeleton) context field. Then, in realm_dbus_service_skeleton_init, when context is assigned, the value of the parent_instance lock is corrupted (it equals the address of the context instead of 3).


Build:

make[2] : on entre dans le répertoire « /home/prahal/Projects/Devel/Gnome/jhbuild/build/realmd/dbus »
  CC     librealm_dbus_a-realm-dbus-generated.o
realm-dbus-generated.c: In function ‘realm_dbus_provider_proxy_get_type’:
realm-dbus-generated.c:732:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusProviderProxy, realm_dbus_provider_proxy, G_TYPE_DBUS_PROXY,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_provider_skeleton_get_type’:
realm-dbus-generated.c:1363:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusProviderSkeleton, realm_dbus_provider_skeleton, G_TYPE_DBUS_INTERFACE_SKELETON,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_service_proxy_get_type’:
realm-dbus-generated.c:2292:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusServiceProxy, realm_dbus_service_proxy, G_TYPE_DBUS_PROXY,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_service_skeleton_get_type’:
realm-dbus-generated.c:2838:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusServiceSkeleton, realm_dbus_service_skeleton, G_TYPE_DBUS_INTERFACE_SKELETON,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_realm_proxy_get_type’:
realm-dbus-generated.c:4134:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusRealmProxy, realm_dbus_realm_proxy, G_TYPE_DBUS_PROXY,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_realm_skeleton_get_type’:
realm-dbus-generated.c:4879:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusRealmSkeleton, realm_dbus_realm_skeleton, G_TYPE_DBUS_INTERFACE_SKELETON,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_kerberos_proxy_get_type’:
realm-dbus-generated.c:5464:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusKerberosProxy, realm_dbus_kerberos_proxy, G_TYPE_DBUS_PROXY,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_kerberos_skeleton_get_type’:
realm-dbus-generated.c:6079:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusKerberosSkeleton, realm_dbus_kerberos_skeleton, G_TYPE_DBUS_INTERFACE_SKELETON,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_kerberos_membership_proxy_get_type’:
realm-dbus-generated.c:7035:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusKerberosMembershipProxy, realm_dbus_kerberos_membership_proxy, G_TYPE_DBUS_PROXY,
 ^
realm-dbus-generated.c: In function ‘realm_dbus_kerberos_membership_skeleton_get_type’:
realm-dbus-generated.c:7662:1: attention : ‘g_type_add_instance_private’ is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
 G_DEFINE_TYPE_WITH_CODE (RealmDbusKerberosMembershipSkeleton, realm_dbus_kerberos_membership_skeleton, G_TYPE_DBUS_INTERFACE_SKELETON,
 ^
  AR     librealm-dbus.a

valgrind:
==29821== Invalid write of size 8
==29821==    at 0x564FA6F: g_mutex_init (gthread-posix.c:168)
==29821==    by 0x432D2F: realm_dbus_service_skeleton_init (realm-dbus-generated.c:2878)
==29821==    by 0x50C7C0A: g_type_create_instance (gtype.c:1868)
==29821==    by 0x50AD5DD: g_object_new_internal (gobject.c:1724)
==29821==    by 0x50ADAB7: g_object_newv (gobject.c:1868)
==29821==    by 0x50AD1BC: g_object_new (gobject.c:1568)
==29821==    by 0x432FE0: realm_dbus_service_skeleton_new (realm-dbus-generated.c:2928)
==29821==    by 0x41A60C: realm_invocation_initialize (realm-invocation.c:401)
==29821==    by 0x40F647: initialize_service (realm-daemon.c:174)
==29821==    by 0x40F930: on_bus_get_connection (realm-daemon.c:243)
==29821==    by 0x5BAAF83: g_simple_async_result_complete (gsimpleasyncresult.c:763)
==29821==    by 0x5BAAFCF: complete_in_idle_cb (gsimpleasyncresult.c:775)
==29821==  Address 0x9b2aa48 is not stack'd, malloc'd or (recently) free'd

realm-dbus-generated.c:
I added:
GDBusInterfaceSkeleton *interface = &skeleton->parent_instance;
in
static void
realm_dbus_service_skeleton_init (RealmDbusServiceSkeleton *skeleton)
for ease of debugging. In this function the context assignment overwrites
parent_instance->priv->lock->p->__data->__kind (i.e. the pthread_mutex_t items that make up the GMutex).

(gdb) p &((pthread_mutex_t*)interface->priv->lock->p)->__data->__kind
$10 = (int *) 0x666800
(gdb) p skeleton->priv->context
$11 = (GMainContext *) 0x3
(gdb) p &skeleton->priv->context
$12 = (GMainContext **) 0x666800

Later on various issues appear, mostly SIGILLs and segfaults, as seen in my upstream report against realmd at
https://bugs.freedesktop.org/show_bug.cgi?id=76799

which turns out to be a duplicate of the other upstream report against glib:
https://bugzilla.gnome.org/show_bug.cgi?id=710133
Fixed before 2.39.1, according to the glib git log.

Thanks
Alban
-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages realmd depends on:
ii  libc6                   2.18-4
ii  libcomerr2              1.42.9-3
ii  libglib2.0-0            2.39.92-2
ii  libk5crypto3            1.12.1+dfsg-1
ii  libkrb5-3               1.12.1+dfsg-1
ii  libldap-2.4-2           2.4.39-1
ii  libpackagekit-glib2-16  0.8.17-1
ii  libpolkit-gobject-1-0   0.112-2
ii  libsqlite3-0            3.8.4.1-1
ii  libsystemd-id128-0      204-8
ii  libsystemd-journal0     204-8

realmd recommends no packages.

realmd suggests no packages.

-- no debconf information
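The report's core observation is that the build only warned ("Not available before 2.38") while GLIB_VERSION_MAX_ALLOWED was set to 2.36, and the mismatch surfaced later as memory corruption at runtime. The script below is an added example, not part of the bug report or of the realmd or glib projects: it parses a build log for those version-gated deprecation warnings and fails when the declared maximum version does not cover them, so a packager catches the mismatch at build time rather than in valgrind or gdb. The log lines it reads are constructed from the warnings quoted above; the function names and the 2.36/2.38 comparison are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): turn GLib's "Not available before X.Y"
# deprecation warnings into a build-time check against GLIB_VERSION_MAX_ALLOWED.

# Constructed sample build log, modelled on the warnings quoted in the report.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
realm-dbus-generated.c:732:1: attention : 'g_type_add_instance_private' is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
realm-dbus-generated.c:1363:1: attention : 'g_type_add_instance_private' is deprecated (declared at /opt/gnome/include/glib-2.0/gobject/gtype.h:1286): Not available before 2.38 [-Wdeprecated-declarations]
  AR     librealm-dbus.a
EOF

# highest_required_glib LOG
# Prints the highest "Not available before MAJOR.MINOR" version found in LOG,
# or nothing when the log carries no such warning.
highest_required_glib() {
    sed -n 's/.*Not available before \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' "$1" \
        | sort -t. -k1,1n -k2,2n | tail -n 1
}

# version_ge A B
# Succeeds when MAJOR.MINOR version A is greater than or equal to B.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] || \
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# check_glib_max_allowed LOG MAX
# Succeeds when MAX (the GLIB_VERSION_MAX_ALLOWED the build declared) covers
# every version-gated API the compiler warned about; fails otherwise.
check_glib_max_allowed() {
    log=$1; max=$2
    need=$(highest_required_glib "$log")
    if [ -z "$need" ]; then
        echo "ok: no version-gated GLib API warnings in $log"
        return 0
    fi
    if version_ge "$max" "$need"; then
        echo "ok: GLIB_VERSION_MAX_ALLOWED=$max covers API gated at $need"
        return 0
    fi
    echo "error: build uses GLib API gated at $need but GLIB_VERSION_MAX_ALLOWED is $max" >&2
    return 1
}

# Usage: the setting realmd shipped with (2.36) fails the check, the
# corrected one (2.38) passes.
check_glib_max_allowed "$SAMPLE_LOG" 2.36 || echo "-> raise GLIB_VERSION_MAX_ALLOWED in configure.ac"
check_glib_max_allowed "$SAMPLE_LOG" 2.38
```

The check keys only on the warning text the compiler already emits, so it needs no knowledge of which GLib symbols are gated; in a packaging rule it would be run over the captured build log after `make`. Passing `-Werror=deprecated-declarations` to GCC would stop the build at the first such warning instead, at the cost of also failing on unrelated deprecations.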