glib apps using GSubprocess communicate might crash on g_subprocess_communicate_cancelled

Bug #1789476 reported by Marco Trevisan (Treviño) on 2018-08-28
This bug affects 1 person

Affects              Status         Importance   Assigned to                 Milestone
glib2.0 (Ubuntu)     Fix Released   Medium       Marco Trevisan (Treviño)
Bionic               Fix Released   Undecided    Iain Lane

Bug Description

[ Impact ]

GLib apps using GSubprocess communicate crash when the cancellable is cancelled.

[ Test case ]

Run the attached example with
 gjs subprocess-cancelled.js

It should not crash; likewise, running:
 valgrind gjs subprocess-cancelled.js

should not report any invalid read (like the one shown below).

[ Regression potential ]

Really low; the only thing that could happen is that the subprocess isn't really cancelled.

---

Fixed upstream in https://gitlab.gnome.org/GNOME/glib/merge_requests/266

#0 g_cancellable_cancel (cancellable=0x6) at ../../glib/gio/gcancellable.c:486
#1 0x00007ffff7ab8d1d in g_subprocess_communicate_cancelled (user_data=<optimized out>) at ../../glib/gio/gsubprocess.c:1535

--

==25871== Memcheck, a memory error detector
==25871== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==25871== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==25871== Command: gjs /tmp/subprocess-cancelled.js
==25871==
==25871== Warning: set address range perms: large range [0x377ee1e21000, 0x377f21e21000) (noaccess)
==25871== Invalid read of size 8
==25871== at 0x4EC5604: g_subprocess_communicate_cancelled (gsubprocess.c:1535)
==25871== by 0x547A0F4: g_main_dispatch (gmain.c:3177)
==25871== by 0x547A0F4: g_main_context_dispatch (gmain.c:3830)
==25871== by 0x547A4BF: g_main_context_iterate.isra.26 (gmain.c:3903)
==25871== by 0x547A54B: g_main_context_iteration (gmain.c:3964)
==25871== by 0x6C4EDAD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==25871== by 0x6C4E71E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==25871== by 0x5775607: ??? (in /usr/lib/libgjs.so.0.0.0)
==25871== by 0x5776F53: ??? (in /usr/lib/libgjs.so.0.0.0)
==25871== by 0x8A3FF6B: CallJSNative (jscntxtinlines.h:239)
==25871== by 0x8A3FF6B: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:447)

Added test case

description: updated
Iain Lane (laney) wrote :

I'm uploading 2.56.3 now

Changed in glib2.0 (Ubuntu):
status: In Progress → Fix Released
Changed in glib2.0 (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Iain Lane (laney)
Iain Lane (laney) wrote :

in the q

Hello Marco, or anyone else affected,

Accepted glib2.0 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.56.3-0ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic

Test case works as expected.

marco@tricky:/tmp:✓ $ apt-cache policy libglib2.0-0
libglib2.0-0:
  Installato: 2.56.3-0ubuntu0.18.04.1
  Candidato: 2.56.3-0ubuntu0.18.04.1
  Tabella versione:
 *** 2.56.3-0ubuntu0.18.04.1 100
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
     2.56.2-0ubuntu0.18.04.2 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.56.1-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

marco@tricky:/tmp:✓ $ gjs /tmp/subprocess-cancelled.js

(gjs:8606): Gjs-WARNING **: 22:08:37.297: JS ERROR: Gio.IOErrorEnum: L'operazione è stata annullata
@/tmp/subprocess-cancelled.js:10:5
@/tmp/subprocess-cancelled.js:16:5

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic

The verification of the Stable Release Update for glib2.0 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glib2.0 - 2.56.3-0ubuntu0.18.04.1

---------------
glib2.0 (2.56.3-0ubuntu0.18.04.1) bionic; urgency=medium

  * New upstream release (LP: #1794544)
    + The documentation for G_GNUC_MALLOC has changed to be more restrictive
      to avoid miscompilations; you should check whether any uses of it in
      your code are appropriate
    + Fix cancellation of g_subprocess_communicate_async() calls
    + Bug fixes:
      + /network-monitor/create-in-thread fails in (LXC) containers on glib-2-56
      + GBookmarkFile: nullptr access in current_element
      + GBookmarkFile: heap-buffer-overflow in g_utf8_get_char
      + Backport g_subprocess_communicate() cancellation fixes from !266 to
        glib-2-56 (LP: #1789476)
      + Many uses of G_GNUC_MALLOC are incorrect
      + Test for BROKEN_IP_MREQ_SOURCE_STRUCT is broken on Windows / Mingw
      + Fix persistent CI failure on glib-2-56
  * debian/watch: Only find 2.56 versions.
  * Drop CVE-2018-16428.patch and CVE-2018-16429.patch: applied in this release

 -- Iain Lane <email address hidden> Wed, 26 Sep 2018 17:35:59 +0100

Changed in glib2.0 (Ubuntu Bionic):
status: Fix Committed → Fix Released