[Pkg-utopia-maintainers] Bug#923015: udisks2: segfault in udisksd when unmounting usb stick
Bernhard Übelacker
bernhardu at mailbox.org
Sat Feb 23 00:02:18 GMT 2019
Package: udisks2
Version: 2.8.1-3
Severity: normal
Dear Maintainer,
I received a crash of udevd when unmounting an NTFS partition
of a USB stick via the Plasma systray icon.
As far as I can see, in this case the call to udisks_linux_block_object_get_device
in function udisks_linux_drive_object_get_block returned
a null pointer that gets unconditionally dereferenced.
This was just a one time crash and I could not reproduce
it with the same usb stick.
I have systemd-coredump installed but unfortunately
no crash dump was collected.
More details in the attached file.
Kind regards,
Bernhard
Feb 21 10:08:52 rechner udisksd[886]: g_object_ref: assertion 'object->ref_count > 0' failed
Feb 21 10:08:52 rechner kernel: pool[15388]: segfault at 18 ip 000055822b5966e2 sp 00007f458d8aa590 error 4 in udisksd[55822b579000+3c000]
Feb 21 10:08:52 rechner kernel: Code: c0 74 05 4c 39 20 74 0f 4c 89 e6 48 89 df e8 a5 49 fe ff 85 c0 74 c7 4c 89 e6 48 89 df e8 a6 4d fe ff 48 89 c7 e8 ce c7 fe ff <48> 8b 78 18 49 89 c7 e8 82 3b fe ff 4c 89 f6 48 89 c7 e8 47 31 fe
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages udisks2 depends on:
ii dbus 1.12.12-1
ii libacl1 2.2.52-3+b1
ii libatasmart4 0.19-5
ii libblockdev-fs2 2.20-6
ii libblockdev-loop2 2.20-6
ii libblockdev-part2 2.20-6
ii libblockdev-swap2 2.20-6
ii libblockdev-utils2 2.20-6
ii libblockdev2 2.20-6
ii libc6 2.28-7
ii libglib2.0-0 2.58.3-1
ii libgudev-1.0-0 232-2
ii libmount1 2.33.1-0.1
ii libpam-systemd 240-5
ii libpolkit-agent-1-0 0.105-25
ii libpolkit-gobject-1-0 0.105-25
ii libsystemd0 240-5
ii libudisks2-0 2.8.1-3
ii parted 3.2-24
ii udev 240-5
Versions of packages udisks2 recommends:
ii dosfstools 4.1-2
ii e2fsprogs 1.44.5-1
ii eject 2.1.5+deb1+cvs20081104-13.2
ii exfat-utils 1.3.0-1
pn libblockdev-crypto2 <none>
ii ntfs-3g 1:2017.3.23AR.3-2
ii policykit-1 0.105-25
Versions of packages udisks2 suggests:
ii btrfs-progs 4.20.1-2
ii f2fs-tools 1.11.0-1.1
pn libblockdev-mdraid2 <none>
ii mdadm 4.1-1
pn nilfs-tools <none>
ii reiserfsprogs 1:3.6.27-3
pn udftools <none>
pn udisks2-bcache <none>
pn udisks2-btrfs <none>
pn udisks2-lvm2 <none>
pn udisks2-vdo <none>
pn udisks2-zram <none>
ii xfsprogs 4.15.1-1
-- no debconf information
-------------- next part --------------
Feb 21 10:08:52 rechner udisksd[886]: Cleaning up mount point /media/bernhard/CCCOMA_X64FRE_DE-DE_DV9 (device 8:33 is not mounted)
Feb 21 10:08:52 rechner systemd[1138]: media-bernhard-CCCOMA_X64FRE_DE\x2dDE_DV9.mount: Succeeded.
Feb 21 10:08:52 rechner systemd[1]: media-bernhard-CCCOMA_X64FRE_DE\x2dDE_DV9.mount: Succeeded.
Feb 21 10:08:52 rechner systemd[1]: Stopping Clean the /media/bernhard/CCCOMA_X64FRE_DE-DE_DV9 mount point...
Feb 21 10:08:52 rechner systemd[1]: clean-mount-point at media-bernhard-CCCOMA_X64FRE_DE\x2dDE_DV9.service: Succeeded.
Feb 21 10:08:52 rechner systemd[1]: Stopped Clean the /media/bernhard/CCCOMA_X64FRE_DE-DE_DV9 mount point.
Feb 21 10:08:52 rechner ntfs-3g[15088]: Unmounting /dev/sdc1 (CCCOMA_X64FRE_DE-DE_DV9)
Feb 21 10:08:52 rechner udisksd[886]: Unmounted /dev/sdc1 on behalf of uid 1000
Feb 21 10:08:52 rechner udisksd[886]: g_object_ref: assertion 'object->ref_count > 0' failed
Feb 21 10:08:52 rechner kernel: pool[15388]: segfault at 18 ip 000055822b5966e2 sp 00007f458d8aa590 error 4 in udisksd[55822b579000+3c000]
Feb 21 10:08:52 rechner kernel: Code: c0 74 05 4c 39 20 74 0f 4c 89 e6 48 89 df e8 a5 49 fe ff 85 c0 74 c7 4c 89 e6 48 89 df e8 a6 4d fe ff 48 89 c7 e8 ce c7 fe ff <48> 8b 78 18 49 89 c7 e8 82 3b fe ff 4c 89 f6 48 89 c7 e8 47 31 fe
Feb 21 10:08:52 rechner systemd[1]: udisks2.service: Main process exited, code=killed, status=11/SEGV
Feb 21 10:08:52 rechner systemd[1]: udisks2.service: Failed with result 'signal'.
Feb 21 10:08:52 rechner dbus-daemon[852]: [system] Activating via systemd: service name='org.freedesktop.UDisks2' unit='udisks2.service' requested by ':1.79' (uid=1000 pid=1296 comm="/usr/bin/plasmashell ")
Feb 21 10:08:52 rechner systemd[1]: Starting Disk Manager...
Feb 21 10:08:52 rechner udisksd[15395]: udisks daemon version 2.8.1 starting
Feb 21 10:08:52 rechner udisksd[15395]: failed to load module crypto: libbd_crypto.so.2: cannot open shared object file: No such file or directory
Feb 21 10:08:52 rechner udisksd[15395]: failed to load module mdraid: libbd_mdraid.so.2: cannot open shared object file: No such file or directory
Feb 21 10:08:52 rechner udisksd[15395]: Failed to load the 'mdraid' libblockdev plugin
Feb 21 10:08:52 rechner udisksd[15395]: Failed to load the 'crypto' libblockdev plugin
Feb 21 10:08:52 rechner dbus-daemon[852]: [system] Successfully activated service 'org.freedesktop.UDisks2'
Feb 21 10:08:52 rechner systemd[1]: Started Disk Manager.
Feb 21 10:08:52 rechner udisksd[15395]: Acquired the name org.freedesktop.UDisks2 on the system message bus
Feb 21 10:08:59 rechner kernel: usb 6-4: USB disconnect, device number 2
- EFI bootable USB Stick with FAT32 and NTFS partition
- Cleanly unmounted via Plasma eject
# dpkg -S /usr/lib/udisks2/udisksd
udisks2: /usr/lib/udisks2/udisksd
export PKG="udisks2-dbgsym binutils"; apt install $PKG; apt-mark auto $PKG
# ip 000055822b5966e2
# - udisksd[55822b579000
# = 0x1D6E2
# addr2line -e /usr/lib/udisks2/udisksd 0x1D6E2
./src/udisksdaemon.c:1060
mkdir /tmp/source/udisks2/orig -p
cd /tmp/source/udisks2/orig
apt source udisks2
cd
----------
cd /tmp/source/udisks2/orig/udisks2-2.8.1
mc -e src/udisksdaemon.c:1060
./src/udisksdaemon.c-1047-gboolean
./src/udisksdaemon.c:1048:udisks_daemon_launch_spawned_job_sync (UDisksDaemon *daemon,
...
./src/udisksdaemon.c-1060-{
./src/udisksdaemon.c-1061- va_list var_args;
What ???
----------
root at rechner:~# objdump --disassemble /usr/lib/udisks2/udisksd | grep -E "6e2:.*48 8b 78" -A5 -B90
355a9: c3 retq
355aa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
355b0: 31 db xor %ebx,%ebx
355b2: 48 83 c4 08 add $0x8,%rsp
355b6: 48 89 d8 mov %rbx,%rax
355b9: 5b pop %rbx
355ba: 5d pop %rbp
355bb: c3 retq
355bc: 0f 1f 40 00 nopl 0x0(%rax)
00000000000355c0 <udisks_linux_drive_object_get_block@@Base>:
355c0: 41 57 push %r15
355c2: 41 56 push %r14
355c4: 41 55 push %r13
355c6: 41 54 push %r12
355c8: 55 push %rbp
355c9: 53 push %rbx
355ca: 48 83 ec 28 sub $0x28,%rsp
355ce: 48 89 7c 24 08 mov %rdi,0x8(%rsp)
355d3: 48 8b 7f 28 mov 0x28(%rdi),%rdi
355d7: 89 74 24 14 mov %esi,0x14(%rsp)
355db: e8 a0 76 fe ff callq 1cc80 <udisks_daemon_get_object_manager@@Base>
355e0: 48 89 c3 mov %rax,%rbx
355e3: e8 48 42 fe ff callq 19830 <g_dbus_object_manager_get_type at plt>
355e8: 48 89 df mov %rbx,%rdi
355eb: 48 89 c6 mov %rax,%rsi
355ee: e8 8d 4e fe ff callq 1a480 <g_type_check_instance_cast at plt>
355f3: 48 89 c7 mov %rax,%rdi
355f6: e8 35 56 fe ff callq 1ac30 <g_dbus_object_manager_get_objects at plt>
355fb: 48 89 44 24 18 mov %rax,0x18(%rsp)
35600: 48 85 c0 test %rax,%rax
35603: 0f 84 09 01 00 00 je 35712 <udisks_linux_drive_object_get_block@@Base+0x152>
35609: e8 12 2b fe ff callq 18120 <g_dbus_object_skeleton_get_type at plt>
3560e: 4c 8d 35 59 34 02 00 lea 0x23459(%rip),%r14 # 58a6e <_IO_stdin_used@@Base+0x4a6e>
35615: 49 89 c5 mov %rax,%r13
35618: e8 d3 be fe ff callq 214f0 <udisks_linux_block_object_get_type@@Base>
3561d: 48 8b 6c 24 18 mov 0x18(%rsp),%rbp
35622: 49 89 c4 mov %rax,%r12
35625: eb 78 jmp 3569f <udisks_linux_drive_object_get_block@@Base+0xdf>
35627: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
3562e: 00 00
35630: 8b 44 24 14 mov 0x14(%rsp),%eax
35634: 85 c0 test %eax,%eax
35636: 0f 85 04 01 00 00 jne 35740 <udisks_linux_drive_object_get_block@@Base+0x180>
3563c: e8 07 5f fe ff callq 1b548 <g_object_unref at plt>
35641: e8 2a 42 fe ff callq 19870 <udisks_object_get_type at plt>
35646: 48 89 df mov %rbx,%rdi
35649: 48 89 c6 mov %rax,%rsi
3564c: e8 2f 4e fe ff callq 1a480 <g_type_check_instance_cast at plt>
35651: 48 89 c7 mov %rax,%rdi
35654: e8 37 5d fe ff callq 1b390 <udisks_object_peek_block at plt>
35659: 49 89 c7 mov %rax,%r15
3565c: e8 9f 2d fe ff callq 18400 <g_dbus_object_get_type at plt>
35661: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
35666: 48 89 c6 mov %rax,%rsi
35669: e8 12 4e fe ff callq 1a480 <g_type_check_instance_cast at plt>
3566e: 48 89 c7 mov %rax,%rdi
35671: e8 4a 47 fe ff callq 19dc0 <g_dbus_object_get_object_path at plt>
35676: 4c 89 ff mov %r15,%rdi
35679: 48 89 04 24 mov %rax,(%rsp)
3567d: e8 5e 3e fe ff callq 194e0 <udisks_block_get_drive at plt>
35682: 48 8b 34 24 mov (%rsp),%rsi
35686: 48 89 c7 mov %rax,%rdi
35689: e8 b2 31 fe ff callq 18840 <g_strcmp0 at plt>
3568e: 85 c0 test %eax,%eax
35690: 0f 84 ca 00 00 00 je 35760 <udisks_linux_drive_object_get_block@@Base+0x1a0>
35696: 48 8b 6d 08 mov 0x8(%rbp),%rbp
3569a: 48 85 ed test %rbp,%rbp
3569d: 74 73 je 35712 <udisks_linux_drive_object_get_block@@Base+0x152>
3569f: 48 8b 7d 00 mov 0x0(%rbp),%rdi
356a3: 4c 89 ee mov %r13,%rsi
356a6: e8 d5 4d fe ff callq 1a480 <g_type_check_instance_cast at plt>
356ab: 48 89 c3 mov %rax,%rbx
356ae: 48 85 c0 test %rax,%rax
356b1: 74 e3 je 35696 <udisks_linux_drive_object_get_block@@Base+0xd6>
356b3: 48 8b 00 mov (%rax),%rax
356b6: 48 85 c0 test %rax,%rax
356b9: 74 05 je 356c0 <udisks_linux_drive_object_get_block@@Base+0x100>
356bb: 4c 39 20 cmp %r12,(%rax)
356be: 74 0f je 356cf <udisks_linux_drive_object_get_block@@Base+0x10f>
356c0: 4c 89 e6 mov %r12,%rsi
356c3: 48 89 df mov %rbx,%rdi
356c6: e8 a5 49 fe ff callq 1a070 <g_type_check_instance_is_a at plt>
356cb: 85 c0 test %eax,%eax
356cd: 74 c7 je 35696 <udisks_linux_drive_object_get_block@@Base+0xd6>
356cf: 4c 89 e6 mov %r12,%rsi
356d2: 48 89 df mov %rbx,%rdi
356d5: e8 a6 4d fe ff callq 1a480 <g_type_check_instance_cast at plt>
356da: 48 89 c7 mov %rax,%rdi
356dd: e8 ce c7 fe ff callq 21eb0 <udisks_linux_block_object_get_device@@Base>
356e2: 48 8b 78 18 mov 0x18(%rax),%rdi <<<<<<<<<<<<
356e6: 49 89 c7 mov %rax,%r15
356e9: e8 82 3b fe ff callq 19270 <g_udev_device_get_devtype at plt>
356ee: 4c 89 f6 mov %r14,%rsi
356f1: 48 89 c7 mov %rax,%rdi
356f4: e8 47 31 fe ff callq 18840 <g_strcmp0 at plt>
Code: c0
74 05
4c 39 20
74 0f
4c 89 e6
48 89 df
e8 a5 49 fe ff
85 c0
74 c7
4c 89 e6
48 89 df
e8 a6 4d fe ff
48 89 c7
e8 ce c7 fe ff
<48> 8b 78 18
49 89 c7
e8 82 3b fe ff
------------
bernhard at rechner:~$ gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'disassemble udisks_linux_drive_object_get_block' -ex quit /usr/lib/udisks2/udisksd
Reading symbols from /usr/lib/udisks2/udisksd...Reading symbols from /usr/lib/debug/.build-id/94/c214ab88acb075f247890534158563a2b07b56.debug...done.
done.
Dump of assembler code for function udisks_linux_drive_object_get_block:
0x00000000000355c0 <+0>: push %r15
0x00000000000355c2 <+2>: push %r14
0x00000000000355c4 <+4>: push %r13
0x00000000000355c6 <+6>: push %r12
0x00000000000355c8 <+8>: push %rbp
0x00000000000355c9 <+9>: push %rbx
0x00000000000355ca <+10>: sub $0x28,%rsp
0x00000000000355ce <+14>: mov %rdi,0x8(%rsp)
0x00000000000355d3 <+19>: mov 0x28(%rdi),%rdi
0x00000000000355d7 <+23>: mov %esi,0x14(%rsp)
0x00000000000355db <+27>: callq 0x1cc80 <udisks_daemon_get_object_manager>
0x00000000000355e0 <+32>: mov %rax,%rbx
0x00000000000355e3 <+35>: callq 0x19830 <g_dbus_object_manager_get_type at plt>
0x00000000000355e8 <+40>: mov %rbx,%rdi
0x00000000000355eb <+43>: mov %rax,%rsi
0x00000000000355ee <+46>: callq 0x1a480 <g_type_check_instance_cast at plt>
0x00000000000355f3 <+51>: mov %rax,%rdi
0x00000000000355f6 <+54>: callq 0x1ac30 <g_dbus_object_manager_get_objects at plt>
0x00000000000355fb <+59>: mov %rax,0x18(%rsp)
0x0000000000035600 <+64>: test %rax,%rax
0x0000000000035603 <+67>: je 0x35712 <udisks_linux_drive_object_get_block+338>
0x0000000000035609 <+73>: callq 0x18120 <g_dbus_object_skeleton_get_type at plt>
0x000000000003560e <+78>: lea 0x23459(%rip),%r14 # 0x58a6e
0x0000000000035615 <+85>: mov %rax,%r13
0x0000000000035618 <+88>: callq 0x214f0 <udisks_linux_block_object_get_type>
0x000000000003561d <+93>: mov 0x18(%rsp),%rbp
0x0000000000035622 <+98>: mov %rax,%r12
0x0000000000035625 <+101>: jmp 0x3569f <udisks_linux_drive_object_get_block+223>
0x0000000000035627 <+103>: nopw 0x0(%rax,%rax,1)
0x0000000000035630 <+112>: mov 0x14(%rsp),%eax
0x0000000000035634 <+116>: test %eax,%eax
0x0000000000035636 <+118>: jne 0x35740 <udisks_linux_drive_object_get_block+384>
0x000000000003563c <+124>: callq 0x1b548 <g_object_unref at plt>
0x0000000000035641 <+129>: callq 0x19870 <udisks_object_get_type at plt>
0x0000000000035646 <+134>: mov %rbx,%rdi
0x0000000000035649 <+137>: mov %rax,%rsi
0x000000000003564c <+140>: callq 0x1a480 <g_type_check_instance_cast at plt>
0x0000000000035651 <+145>: mov %rax,%rdi
0x0000000000035654 <+148>: callq 0x1b390 <udisks_object_peek_block at plt>
0x0000000000035659 <+153>: mov %rax,%r15
0x000000000003565c <+156>: callq 0x18400 <g_dbus_object_get_type at plt>
0x0000000000035661 <+161>: mov 0x8(%rsp),%rdi
0x0000000000035666 <+166>: mov %rax,%rsi
0x0000000000035669 <+169>: callq 0x1a480 <g_type_check_instance_cast at plt>
0x000000000003566e <+174>: mov %rax,%rdi
0x0000000000035671 <+177>: callq 0x19dc0 <g_dbus_object_get_object_path at plt>
0x0000000000035676 <+182>: mov %r15,%rdi
0x0000000000035679 <+185>: mov %rax,(%rsp)
0x000000000003567d <+189>: callq 0x194e0 <udisks_block_get_drive at plt>
0x0000000000035682 <+194>: mov (%rsp),%rsi
0x0000000000035686 <+198>: mov %rax,%rdi
0x0000000000035689 <+201>: callq 0x18840 <g_strcmp0 at plt>
0x000000000003568e <+206>: test %eax,%eax
0x0000000000035690 <+208>: je 0x35760 <udisks_linux_drive_object_get_block+416>
0x0000000000035696 <+214>: mov 0x8(%rbp),%rbp
0x000000000003569a <+218>: test %rbp,%rbp
0x000000000003569d <+221>: je 0x35712 <udisks_linux_drive_object_get_block+338>
0x000000000003569f <+223>: mov 0x0(%rbp),%rdi
0x00000000000356a3 <+227>: mov %r13,%rsi
0x00000000000356a6 <+230>: callq 0x1a480 <g_type_check_instance_cast at plt>
0x00000000000356ab <+235>: mov %rax,%rbx
0x00000000000356ae <+238>: test %rax,%rax
0x00000000000356b1 <+241>: je 0x35696 <udisks_linux_drive_object_get_block+214>
0x00000000000356b3 <+243>: mov (%rax),%rax
0x00000000000356b6 <+246>: test %rax,%rax
0x00000000000356b9 <+249>: je 0x356c0 <udisks_linux_drive_object_get_block+256>
0x00000000000356bb <+251>: cmp %r12,(%rax)
0x00000000000356be <+254>: je 0x356cf <udisks_linux_drive_object_get_block+271>
0x00000000000356c0 <+256>: mov %r12,%rsi
0x00000000000356c3 <+259>: mov %rbx,%rdi
0x00000000000356c6 <+262>: callq 0x1a070 <g_type_check_instance_is_a at plt>
0x00000000000356cb <+267>: test %eax,%eax
0x00000000000356cd <+269>: je 0x35696 <udisks_linux_drive_object_get_block+214>
0x00000000000356cf <+271>: mov %r12,%rsi
0x00000000000356d2 <+274>: mov %rbx,%rdi
0x00000000000356d5 <+277>: callq 0x1a480 <g_type_check_instance_cast at plt>
0x00000000000356da <+282>: mov %rax,%rdi
0x00000000000356dd <+285>: callq 0x21eb0 <udisks_linux_block_object_get_device>
0x00000000000356e2 <+290>: mov 0x18(%rax),%rdi
0x00000000000356e6 <+294>: mov %rax,%r15
0x00000000000356e9 <+297>: callq 0x19270 <g_udev_device_get_devtype at plt>
...
End of assembler dump.
bernhard at rechner:~$ gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'directory /tmp/source/udisks2/orig/udisks2-2.8.1/src' /usr/lib/udisks2/udisksd
Reading symbols from /usr/lib/udisks2/udisksd...Reading symbols from /usr/lib/debug/.build-id/94/c214ab88acb075f247890534158563a2b07b56.debug...done.
done.
Source directories searched: /tmp/source/udisks2/orig/udisks2-2.8.1/src:$cdir:$cwd
(gdb) print udisks_linux_drive_object_get_block
$1 = {UDisksLinuxBlockObject *(UDisksLinuxDriveObject *, gboolean)} 0x355c0 <udisks_linux_drive_object_get_block>
(gdb) b *($1 + 290)
Breakpoint 1 at 0x356e2: file udiskslinuxdriveobject.c, line 473.
(gdb) info b
Num Type Disp Enb Address What
1 breakpoint keep y 0x00000000000356e2 in udisks_linux_drive_object_get_block at udiskslinuxdriveobject.c:473
(gdb) list udiskslinuxdriveobject.c:473
468 gboolean skip;
469
470 if (!UDISKS_IS_LINUX_BLOCK_OBJECT (iter_object))
471 continue;
472
473 device = udisks_linux_block_object_get_device (UDISKS_LINUX_BLOCK_OBJECT (iter_object));
474 skip = (g_strcmp0 (g_udev_device_get_devtype (device->udev_device), "disk") != 0
475 || (get_hw && is_dm_multipath (device)));
476 g_object_unref (device);
477
(gdb) list udisks_linux_block_object_get_device
350 * Returns: A #UDisksLinuxDevice. Free with g_object_unref().
351 */
352 UDisksLinuxDevice *
353 udisks_linux_block_object_get_device (UDisksLinuxBlockObject *object)
354 {
355 g_return_val_if_fail (UDISKS_IS_LINUX_BLOCK_OBJECT (object), NULL);
356 return g_object_ref (object->device);
357 }
358
359 /**
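The arithmetic in the attached notes (ip minus the kernel-reported mapping base, then the "What ???" when addr2line pointed at the wrong file, then gdb's `b *($1 + 290)`) is the same for every kernel segfault line, so here it is as a small triage helper. This is an added example, not part of the bug report or of udisks: the 0x18000 it adds back is derived from the report's own numbers (0x356e2 - 0x1d6e2) and in general is the p_vaddr of the executable LOAD segment from `readelf -l`, since the kernel prints the base of the VMA containing ip, not the ELF load base.

```python
import re
from dataclasses import dataclass

# Kernel segfault line copied from the bug report; the only real input used here.
SEGFAULT_LINE = ("Feb 21 10:08:52 rechner kernel: pool[15388]: segfault at 18 "
                 "ip 000055822b5966e2 sp 00007f458d8aa590 error 4 "
                 "in udisksd[55822b579000+3c000]")

_RE = re.compile(r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
                 r"sp [0-9a-f]+ error (?P<err>\d+) "
                 r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

@dataclass
class Segfault:
    fault_addr: int
    ip: int
    error: int
    obj: str
    vma_base: int
    vma_size: int

def parse_segfault(line):
    m = _RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    return Segfault(int(m["addr"], 16), int(m["ip"], 16), int(m["err"]),
                    m["obj"], int(m["base"], 16), int(m["size"], 16))

def vma_offset(sf):
    """ip relative to the mapping the kernel named (the value fed to addr2line first)."""
    return sf.ip - sf.vma_base

def elf_address(sf, text_vaddr):
    """Address usable with addr2line/objdump: the named VMA is the executable LOAD
    segment, so its p_vaddr (from 'readelf -l'; 0x18000 for this udisksd, derived
    from the report's objdump addresses) must be added to the VMA offset."""
    return text_vaddr + vma_offset(sf)

def function_offset(elf_addr, func_start):
    """Offset N for gdb's 'b *(func + N)' given the function's start address."""
    return elf_addr - func_start

def decode_error(err):
    """x86 page-fault error code: bit0 = protection violation (else page not present),
    bit1 = write (else read), bit2 = fault taken in user mode."""
    return {"protection_violation": bool(err & 1),
            "write": bool(err & 2),
            "user_mode": bool(err & 4)}

def looks_like_null_deref(sf, page_size=0x1000):
    """A fault address inside the first page is a NULL pointer plus a struct field
    offset; 0x18 here matches the 'mov 0x18(%rax),%rdi' in the disassembly."""
    return sf.fault_addr < page_size
```

With the report's line this yields VMA offset 0x1d6e2, ELF address 0x356e2 once 0x18000 is added, and function offset 290 from the 0x355c0 start of udisks_linux_drive_object_get_block, matching the breakpoint the reporter set.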