Bug#332539: Use-after-free

2019-06-21 Thread Jeremy Sowden
On 2019-06-21, at 08:41:47 +0100, Jeremy Sowden wrote:
> Running wmail under valgrind reveals the following when deleting an
> unread message:
>
>   ==917== Invalid read of size 8
>   ==917==    at 0x10C778: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10D9B4: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10D9F6: ??? (in /usr/bin/wmail)
>   ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
>   ==917==    by 0x4AA77E3: poll (poll.c:29)
>   ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
>   ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
>   ==917==    by 0x49DD09A: (below main) (libc-start.c:308)
>   ==917==  Address 0x5546570 is 0 bytes inside a block of size 32 free'd
>   ==917==    at 0x48369AB: free (vg_replace_malloc.c:530)
>   ==917==    by 0x10D47D: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10D61E: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
>   ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
>   ==917==    by 0x4AA77E3: poll (poll.c:29)
>   ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
>   ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
>   ==917==  Block was alloc'd at
>   ==917==    at 0x483577F: malloc (vg_replace_malloc.c:299)
>   ==917==    by 0x10BEE2: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10C03D: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10D6AA: ??? (in /usr/bin/wmail)
>   ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
>   ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
>   ==917==    by 0x4AA77E3: poll (poll.c:29)
>   ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
>   ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
>   ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
>   [...]

When the list of sender names is updated by re-reading the messages in
the mail-box, a flag is supposed to be set to inform the code that draws
the ticker to restart.  However, the code that frees the sender names
for deleted mails did not set it.  This meant that if the ticker was
displaying the sender of a mail which had been deleted it would continue
doing so after the name had been freed.

J.



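To make the failure mode in the message above concrete, here is an added C model of the pattern it describes (constructed for this page; it is not wmail's source, and every type, function and name in it is hypothetical): a list of sender names, a ticker that keeps a pointer into that list, and a refresh step that frees the entries of deleted mails. With `set_flag` false the refresh behaves as the original code did, shrinking the list without telling the ticker, so the ticker is left holding the address of a freed block; with the flag set, the next draw goes back to the head of the list instead of trusting the stale pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern in the report; all names are hypothetical
 * and nothing here is wmail's own code. */
typedef struct sender {
    char *name;
    bool present;        /* mail still in the mailbox after the last re-read */
    struct sender *next;
} sender_t;

typedef struct {
    sender_t *head;
    sender_t *current;   /* entry the ticker is scrolling */
    bool restart;        /* set when the list changes so the draw code re-syncs */
} ticker_t;

static void sender_append(ticker_t *t, const char *name)
{
    sender_t *s = calloc(1, sizeof *s);
    size_t len = strlen(name) + 1;
    if (!s || !(s->name = malloc(len)))
        abort();
    memcpy(s->name, name, len);
    s->present = true;
    sender_t **pp = &t->head;
    while (*pp)
        pp = &(*pp)->next;
    *pp = s;
}

/* Free entries whose mail was deleted. set_flag == false reproduces the
 * original behaviour: the list shrinks but the ticker is never told. */
static void prune_deleted(ticker_t *t, bool set_flag)
{
    sender_t **pp = &t->head;
    while (*pp) {
        sender_t *s = *pp;
        if (s->present) {
            pp = &s->next;
            continue;
        }
        *pp = s->next;
        free(s->name);
        free(s);
        if (set_flag)
            t->restart = true;   /* the fix: tell the ticker to start over */
    }
}

/* One draw step. Only the restart flag (or a NULL current) sends the ticker
 * back to the list head; otherwise it trusts t->current, which is what went
 * wrong once the pointed-to entry had been freed. */
static const char *ticker_draw(ticker_t *t)
{
    if (t->restart || t->current == NULL) {
        t->current = t->head;
        t->restart = false;
    }
    return t->current ? t->current->name : NULL;
}

static void ticker_free(ticker_t *t)
{
    while (t->head) {
        sender_t *n = t->head->next;
        free(t->head->name);
        free(t->head);
        t->head = n;
    }
    t->current = NULL;
}

/* Replay the report: the ticker is on the second sender, that mail is deleted,
 * the mailbox is re-read. Returns true if the ticker still holds the freed
 * entry's address (the next draw would be the invalid read valgrind flagged);
 * otherwise it draws once and copies the shown name to out. The stale address
 * is compared as an integer so this check never touches freed memory. */
bool replay(bool fix_applied, char *out, size_t outlen)
{
    ticker_t t = {0};
    sender_append(&t, "alice");
    sender_append(&t, "bob");
    sender_append(&t, "carol");
    ticker_draw(&t);                    /* current = alice */
    t.current = t.current->next;        /* ticker scrolls on to bob */
    t.current->present = false;         /* bob's mail is deleted */
    uintptr_t stale = (uintptr_t)t.current;

    prune_deleted(&t, fix_applied);
    bool dangling = !t.restart && (uintptr_t)t.current == stale;
    if (dangling)
        out[0] = '\0';                  /* do not draw: it would read freed memory */
    else
        snprintf(out, outlen, "%s", ticker_draw(&t));
    ticker_free(&t);
    return dangling;
}
```

Calling `replay(false, buf, sizeof buf)` returns true, reproducing the dangling pointer; `replay(true, buf, sizeof buf)` returns false and leaves `"alice"` in `buf`, because the restart flag makes the draw code re-read the list head. A flag like this works only if every code path that frees list entries sets it; a more defensive variant would also clear `t->current` at the free site when it points at the entry being released, so that a missed flag degrades to a visible reset rather than a read of freed memory.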

Bug#332539: Use-after-free

2019-06-21 Thread Jeremy Sowden
Running wmail under valgrind reveals the following when deleting an
unread message:

  ==917== Invalid read of size 8
  ==917==    at 0x10C778: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D9B4: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D9F6: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
  ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
  ==917==    by 0x49DD09A: (below main) (libc-start.c:308)
  ==917==  Address 0x5546570 is 0 bytes inside a block of size 32 free'd
  ==917==    at 0x48369AB: free (vg_replace_malloc.c:530)
  ==917==    by 0x10D47D: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D61E: ??? (in /usr/bin/wmail)
  ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
  ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
  ==917==  Block was alloc'd at
  ==917==    at 0x483577F: malloc (vg_replace_malloc.c:299)
  ==917==    by 0x10BEE2: ??? (in /usr/bin/wmail)
  ==917==    by 0x10C03D: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D6AA: ??? (in /usr/bin/wmail)
  ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
  ==917==
  ==917== Invalid read of size 8
  ==917==    at 0x10C828: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D9B4: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D9F6: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
  ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
  ==917==    by 0x49DD09A: (below main) (libc-start.c:308)
  ==917==  Address 0x5546570 is 0 bytes inside a block of size 32 free'd
  ==917==    at 0x48369AB: free (vg_replace_malloc.c:530)
  ==917==    by 0x10D47D: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D61E: ??? (in /usr/bin/wmail)
  ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x48BBC67: _XReadEvents (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x48AAD4F: XNextEvent (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
  ==917==    by 0x487150A: DAEventLoopForWindow (in /usr/lib/x86_64-linux-gnu/libdockapp.so.3.0.0)
  ==917==    by 0x10B05B: ??? (in /usr/bin/wmail)
  ==917==  Block was alloc'd at
  ==917==    at 0x483577F: malloc (vg_replace_malloc.c:299)
  ==917==    by 0x10BEE2: ??? (in /usr/bin/wmail)
  ==917==    by 0x10C03D: ??? (in /usr/bin/wmail)
  ==917==    by 0x10D6AA: ??? (in /usr/bin/wmail)
  ==917==    by 0x10DA65: ??? (in /usr/bin/wmail)
  ==917==    by 0x49F083F: ??? (in /lib/x86_64-linux-gnu/libc-2.28.so)
  ==917==    by 0x4AA77E3: poll (poll.c:29)
  ==917==    by 0x4FACCF6: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
  ==917==    by 0x4FAE919: xcb_wait_for_event (in