797230 – Use after free in

Bug 797230 - Use after free in

Summary: Use after free in

Status:	RESOLVED FIXED

Alias:	None

Product:	GnuCash
Classification:	Unclassified
Component:	User Interface General (show other bugs)
Version:	3.5
Hardware:	PC Other

Importance:	Normal normal
Target Milestone:	---
Assignee:	ui
QA Contact:	ui

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-05-07 06:34 EDT by Christopher Zimmermann
Modified:	2019-05-09 20:24 EDT (History)
CC List:	5 users (show)

See Also:

Attachments
GDB backtrace (7.88 KB, text/plain) 2019-05-07 06:34 EDT, Christopher Zimmermann	no flags	Details
Valgrind memcheck report (1.22 MB, text/plain) 2019-05-07 16:26 EDT, Christopher Zimmermann	no flags	Details
fix use-after-free (581 bytes, patch) 2019-05-09 03:14 EDT, Christopher Zimmermann	no flags	Details
GDB backtrace of bogus pointer free (2.02 KB, text/plain) 2019-05-09 03:20 EDT, Christopher Zimmermann	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Christopher Zimmermann 2019-05-07 06:34:53 EDT

Created attachment 373271 [details]
GDB backtrace

I'm running gnucash 3.5 on OpenBSD.
Closing any tab in gnucash will trigger the OpenBSD use-after-free detection and abort the process. gdb backtrace is attached.

Comment 1 Christopher Zimmermann 2019-05-07 16:26:43 EDT

Created attachment 373272 [details]
Valgrind memcheck report

I tried to reproduce the bug on Debian stretch with gnucash 3.5.
Setting MALLOC_CHECK_ and MALLOC_PERTURB_ were not enough to trigger the use-after-free. Seems like OpenBSD malloc is more thorough here.
Anyway, valgrind memcheck did find the invalid write. Just search for "Invalid write" in the attached valgrind log.

Comment 2 John Ralls 2019-05-07 21:58:57 EDT

Looks like we free the two style hash tables twice. Can you try removing or commenting out lines 770 and 771 in gnucash/register/register_gnome/gnucash-sheet.c and recompiling?

Comment 3 Christopher Zimmermann 2019-05-09 03:14:33 EDT

Created attachment 373273 [details]
fix use-after-free

Removing lines 770 and 771 in gnucash/register/register_gnome/gnucash-sheet.c didn't help.
Careful inspection of the valgrind output suggested swapping the function calls in line 712 and 714 in gnucash/register/register-gnome/gnucash-style.c.
This fixed the use-after-free bug.
But gnucash still crashes. Now it crashes due to a double-free at program exit - in atexit().
Also including the change suggested by John Ralls helped neither the use-after-free nor the double-free.

Comment 4 Christopher Zimmermann 2019-05-09 03:20:36 EDT

Created attachment 373274 [details]
GDB backtrace of bogus pointer free

Comment 5 John Ralls 2019-05-09 08:43:46 EDT

Comment on attachment 373274 [details]
GDB backtrace of bogus pointer free

Do you have sources installed or just symbols? If sources, what is being freed at /usr/src/lib/libc/stdlib/atexit.c:177? Otherwise, what exact version of libc do you have?

Comment 6 Christopher Zimmermann 2019-05-09 10:12:16 EDT

I tried again after installing gnucash as package with my fix in gnucash-style.c. Now I don't see any crashes anymore.
I only reproduce the crash in atexit() if running the unstripped gnucash binary from the build directory. I have no idea why.

Comment 7 Christopher Zimmermann 2019-05-09 10:16:53 EDT

So does this still need investigation or is the fix in gnucash-style.c enough?

Comment 8 John Ralls 2019-05-09 10:24:25 EDT

That's up to you since you're the only one who can work it. If it's "good enough" for you you're under no obligation to keep digging.

Do you want to submit a PR for gnucash-style.c?

Comment 9 Christopher Zimmermann 2019-05-09 10:53:20 EDT

The fix in gnucash-style.c is for fixing exactly the problem I reported in this PR. The other crash seems to be unrelated. So will you merge my patch?

Comment 10 John Ralls 2019-05-09 20:24:39 EDT

Sorry, PR means a Github pull request, not "Problem Report".

I've applied, committed, and pushed your patch. "Merge" is something that's done with pull request branches, not patches.

Note You need to log in before you can comment on or make changes to this bug.