Ticket #3700 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago

Segfault on switching left panel to Info

Reported by: frost Owned by: andrew_b
Priority: major Milestone: 4.8.19
Component: mc-core Version: 4.8.18
Keywords: Cc: egmont
Blocked By: Blocking:
Branch state: merged Votes for changeset: committed-master

Description

Ever since I updated to 4.8.18, I've noticed it segfaults if the very first thing I do on the left panel is switch it to Info mode from File View mode. If I switch the left panel to some other mode, then to Info, it does not segfault.

I'm running on Arch linux, using mc in an xterm. Both the mc packaged by Arch and one built myself exhibit this behaviour. My root filesystem is btrfs.

Attached are the various outputs suggested in the 'how to report'. If you want a core dump I can add that too.

Attachments

mc_output.txt (1.5 KB) - added by frost 7 years ago.

Change History

Changed 7 years ago by frost

comment:1 Changed 7 years ago by zaytsev-work

It seems to be a use after free in some vfs* function, but I can't reliably reproduce it to get a proper backtrace. Are you able to crash it with 100% probability, if yes, what is the exact sequence of actions that leads to the crash?

comment:2 follow-up: ↓ 3 Changed 7 years ago by frost

Run mc in an xterm, then immediately select the Left menu with the mouse, then Info from that menu. It reliably segfaults for me with that exact sequence of actions.

comment:3 in reply to: ↑ 2 Changed 7 years ago by andrew_b

  • Status changed from new to accepted
  • Owner set to andrew_b
  • Milestone changed from Future Releases to 4.8.19

Replying to frost:

Run mc in an xterm, then immediately select the Left menu with the mouse, then Info from that menu. It reliably segfaults for me with that exact sequence of actions.

Confirm.

comment:4 Changed 7 years ago by zaytsev-work

Strangely enough, I could only reproduce it with a brand new user in xterm... but anyways, here is the backtrace:

No protocol specified
=================================================================
==31744==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300001a450 at pc 0x00000059bf2f bp 0x7ffc81920e10 sp 0x7ffc81920e08
READ of size 8 at 0x60300001a450 thread T0
    #0 0x59bf2e in vfs_path_as_str (/home/zaytsev/src/opt/mc/bin/mc+0x59bf2e)
    #1 0x59c6d1 in info_show_info (/home/zaytsev/src/opt/mc/bin/mc+0x59c6d1)
    #2 0x59dd8e in info_hook (/home/zaytsev/src/opt/mc/bin/mc+0x59dd8e)
    #3 0x59de44 in info_callback (/home/zaytsev/src/opt/mc/bin/mc+0x59de44)
    #4 0x4cb36d in widget_redraw (/home/zaytsev/src/opt/mc/bin/mc+0x4cb36d)
    #5 0x4cb6a8 in widget_replace (/home/zaytsev/src/opt/mc/bin/mc+0x4cb6a8)
    #6 0x46465b in set_display_type (/home/zaytsev/src/opt/mc/bin/mc+0x46465b)
    #7 0x58197c in info_cmd (/home/zaytsev/src/opt/mc/bin/mc+0x58197c)
    #8 0x470995 in midnight_execute_cmd (/home/zaytsev/src/opt/mc/bin/mc+0x470995)
    #9 0x471b75 in midnight_callback (/home/zaytsev/src/opt/mc/bin/mc+0x471b75)
    #10 0x4fb7e0 in send_message (/home/zaytsev/src/opt/mc/bin/mc+0x4fb7e0)
    #11 0x4fdac7 in menubar_execute (/home/zaytsev/src/opt/mc/bin/mc+0x4fdac7)
    #12 0x4ffbd0 in menubar_mouse_callback (/home/zaytsev/src/opt/mc/bin/mc+0x4ffbd0)
    #13 0x46be39 in mouse_process_event (/home/zaytsev/src/opt/mc/bin/mc+0x46be39)
    #14 0x428007 in dlg_mouse_translator (/home/zaytsev/src/opt/mc/bin/mc+0x428007)
    #15 0x4282db in dlg_mouse_event (/home/zaytsev/src/opt/mc/bin/mc+0x4282db)
    #16 0x42c244 in dlg_process_event (/home/zaytsev/src/opt/mc/bin/mc+0x42c244)
    #17 0x428bb6 in frontend_dlg_run (/home/zaytsev/src/opt/mc/bin/mc+0x428bb6)
    #18 0x42c399 in dlg_run (/home/zaytsev/src/opt/mc/bin/mc+0x42c399)
    #19 0x46feeb in create_panels_and_run_mc (/home/zaytsev/src/opt/mc/bin/mc+0x46feeb)
    #20 0x472aee in do_nc (/home/zaytsev/src/opt/mc/bin/mc+0x472aee)
    #21 0x40c3a6 in main (/home/zaytsev/src/opt/mc/bin/mc+0x40c3a6)
    #22 0x7f520bf88f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #23 0x40b328  (/home/zaytsev/src/opt/mc/bin/mc+0x40b328)

0x60300001a450 is located 16 bytes inside of 24-byte region [0x60300001a440,0x60300001a458)
freed by thread T0 here:
    #0 0x7f520d2a9222 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x94222)
    #1 0x490e3b in vfs_path_free (/home/zaytsev/src/opt/mc/bin/mc+0x490e3b)
    #2 0x479242 in panel_destroy (/home/zaytsev/src/opt/mc/bin/mc+0x479242)
    #3 0x4832d1 in panel_callback (/home/zaytsev/src/opt/mc/bin/mc+0x4832d1)
    #4 0x4c9b25 in send_message (/home/zaytsev/src/opt/mc/bin/mc+0x4c9b25)
    #5 0x4cb654 in widget_replace (/home/zaytsev/src/opt/mc/bin/mc+0x4cb654)
    #6 0x46465b in set_display_type (/home/zaytsev/src/opt/mc/bin/mc+0x46465b)
    #7 0x58197c in info_cmd (/home/zaytsev/src/opt/mc/bin/mc+0x58197c)
    #8 0x470995 in midnight_execute_cmd (/home/zaytsev/src/opt/mc/bin/mc+0x470995)
    #9 0x471b75 in midnight_callback (/home/zaytsev/src/opt/mc/bin/mc+0x471b75)
    #10 0x4fb7e0 in send_message (/home/zaytsev/src/opt/mc/bin/mc+0x4fb7e0)
    #11 0x4fdac7 in menubar_execute (/home/zaytsev/src/opt/mc/bin/mc+0x4fdac7)
    #12 0x4ffbd0 in menubar_mouse_callback (/home/zaytsev/src/opt/mc/bin/mc+0x4ffbd0)
    #13 0x46be39 in mouse_process_event (/home/zaytsev/src/opt/mc/bin/mc+0x46be39)
    #14 0x428007 in dlg_mouse_translator (/home/zaytsev/src/opt/mc/bin/mc+0x428007)
    #15 0x4282db in dlg_mouse_event (/home/zaytsev/src/opt/mc/bin/mc+0x4282db)
    #16 0x42c244 in dlg_process_event (/home/zaytsev/src/opt/mc/bin/mc+0x42c244)
    #17 0x428bb6 in frontend_dlg_run (/home/zaytsev/src/opt/mc/bin/mc+0x428bb6)
    #18 0x42c399 in dlg_run (/home/zaytsev/src/opt/mc/bin/mc+0x42c399)
    #19 0x46feeb in create_panels_and_run_mc (/home/zaytsev/src/opt/mc/bin/mc+0x46feeb)
    #20 0x472aee in do_nc (/home/zaytsev/src/opt/mc/bin/mc+0x472aee)
    #21 0x40c3a6 in main (/home/zaytsev/src/opt/mc/bin/mc+0x40c3a6)
    #22 0x7f520bf88f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 here:
    #0 0x7f520d2a9682 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x94682)
    #1 0x7f520c598668 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e668)
    #2 0x490b8b in vfs_path_clone (/home/zaytsev/src/opt/mc/bin/mc+0x490b8b)
    #3 0x48593c in panel_new_with_dir (/home/zaytsev/src/opt/mc/bin/mc+0x48593c)
    #4 0x4602d6 in panel_new (/home/zaytsev/src/opt/mc/bin/mc+0x4602d6)
    #5 0x46248d in restore_into_right_dir_panel (/home/zaytsev/src/opt/mc/bin/mc+0x46248d)
    #6 0x4642ca in set_display_type (/home/zaytsev/src/opt/mc/bin/mc+0x4642ca)
    #7 0x46ead7 in create_panels (/home/zaytsev/src/opt/mc/bin/mc+0x46ead7)
    #8 0x46fc9f in create_panels_and_run_mc (/home/zaytsev/src/opt/mc/bin/mc+0x46fc9f)
    #9 0x472aee in do_nc (/home/zaytsev/src/opt/mc/bin/mc+0x472aee)
    #10 0x40c3a6 in main (/home/zaytsev/src/opt/mc/bin/mc+0x40c3a6)
    #11 0x7f520bf88f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 vfs_path_as_str
Shadow bytes around the buggy address:
  0x0c067fffb430: fd fd fa fa fd fd fd fd fa fa 00 00 00 05 fa fa
  0x0c067fffb440: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 05
  0x0c067fffb450: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fffb460: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffb470: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
=>0x0c067fffb480: fa fa fd fd fd fa fa fa fd fd[fd]fa fa fa fd fd
  0x0c067fffb490: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fffb4a0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffb4b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fffb4c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffb4d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==31744==ABORTING

comment:5 Changed 7 years ago by egmont

  • Cc egmont added

Segfaults for me as my regular user, in gnome-terminal.

git bisect says:
240350db958dd20f5676ee2e3228eda783d03675 is the first bad commit

comment:6 Changed 7 years ago by zaytsev

Nice, I was suspecting that it was the widget refactoring, as from ASan trace you can see that the segfault occurs because the panel is destroyed and its current_panel->cwd_vpath is freed before it is used in info_show_info() [passed to vfs_path_as_str()]. Unfortunately, I'm not deep enough into the dark widget magic, so all the hope is on Andrew...

comment:7 Changed 7 years ago by andrew_b

Branch: 3700_segfault_left_info_panel
changeset:4dae968d07f0e644ffa7051127e59f453d4fd032

comment:8 Changed 7 years ago by andrew_b

  • Votes for changeset set to andrew_b
  • Branch state changed from no branch to approved

comment:9 Changed 7 years ago by andrew_b

  • Status changed from accepted to testing
  • Votes for changeset changed from andrew_b to committed-master
  • Resolution set to fixed
  • Branch state changed from approved to merged

comment:10 Changed 7 years ago by andrew_b

  • Status changed from testing to closed
Note: See TracTickets for help on using tickets.