Invalid read in get_changelog()

Bug #1554164 reported by Sebastien Bacher
This bug affects 1 person
Affects: gnome-software (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Iain Lane

Bug Description

Using the current xenial version

==23871== Invalid read of size 1
==23871== at 0xA5C0F06: compare_version (gs-plugin-apt.c:122)
==23871== by 0xA5C1267: compare_dpkg_version (gs-plugin-apt.c:194)
==23871== by 0xA5C1293: version_newer (gs-plugin-apt.c:200)
==23871== by 0xA5C1CEE: get_changelog (gs-plugin-apt.c:424)
==23871== by 0xA5C20A5: gs_plugin_refine (gs-plugin-apt.c:499)
==23871== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==23871== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==23871== by 0x808C8DD: gs_plugin_loader_get_updates_thread_cb (gs-plugin-loader.c:726)
==23871== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==23871== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x4F28F89: g_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x5037189: start_thread (pthread_create.c:333)
==23871== by 0x513930D: clone (clone.S:122)
==23871== Address 0x12571a7c is 12 bytes inside a block of size 20 free'd
==23871== at 0x402D378: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23871== by 0x4F072BF: g_free (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x805CE33: gs_app_set_version (gs-app.c:1156)
==23871== by 0xA5C2018: gs_plugin_refine (gs-plugin-apt.c:484)
==23871== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==23871== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==23871== by 0x808D800: gs_plugin_loader_get_installed_thread_cb (gs-plugin-loader.c:1101)
==23871== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==23871== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x4F28F89: g_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x5037189: start_thread (pthread_create.c:333)
==23871== by 0x513930D: clone (clone.S:122)
==23871== Block was alloc'd at
==23871== at 0x402C19C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23871== by 0x4F07198: g_malloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x4F205FD: g_strdup (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x805CE41: gs_app_set_version (gs-app.c:1157)
==23871== by 0xA5C2018: gs_plugin_refine (gs-plugin-apt.c:484)
==23871== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==23871== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==23871== by 0x808C8DD: gs_plugin_loader_get_updates_thread_cb (gs-plugin-loader.c:726)
==23871== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==23871== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x4F28F89: g_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==23871== by 0x5037189: start_thread (pthread_create.c:333)
==23871== by 0x513930D: clone (clone.S:122)

Changed in gnome-software (Ubuntu):
importance: Undecided → High
Revision history for this message
Robert Ancell (robert-ancell) wrote :

I've changed quite a bit of the code around where this issue was occurring - are you still getting this issue?

Changed in gnome-software (Ubuntu):
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

Yes, that's still an issue, the warnings changed though. Rebuilding gnome-software with DEB_BUILD_OPTIONS="noopt nostrip" and starting it under valgrind when some updates are available gives these:

==21894== Invalid read of size 1
==21894== at 0xA5C0F06: compare_version (gs-plugin-apt.c:122)
==21894== by 0xA5C1267: compare_dpkg_version (gs-plugin-apt.c:194)
==21894== by 0xA5C1293: version_newer (gs-plugin-apt.c:200)
==21894== by 0xA5C1CEE: get_changelog (gs-plugin-apt.c:424)
==21894== by 0xA5C20A5: gs_plugin_refine (gs-plugin-apt.c:499)
==21894== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==21894== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==21894== by 0x808C8DD: gs_plugin_loader_get_updates_thread_cb (gs-plugin-loader.c:726)
==21894== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==21894== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x4F28F89: g_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x5037189: start_thread (pthread_create.c:333)
==21894== by 0x513930D: clone (clone.S:122)
==21894== Address 0x12571a7c is 12 bytes inside a block of size 20 free'd
==21894== at 0x402D378: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21894== by 0x4F072BF: g_free (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x805CE33: gs_app_set_version (gs-app.c:1156)
==21894== by 0xA5C2018: gs_plugin_refine (gs-plugin-apt.c:484)
==21894== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==21894== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==21894== by 0x808D800: gs_plugin_loader_get_installed_thread_cb (gs-plugin-loader.c:1101)
==21894== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==21894== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x4F28F89: g_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x5037189: start_thread (pthread_create.c:333)
==21894== by 0x513930D: clone (clone.S:122)
==21894== Block was alloc'd at
==21894== at 0x402C19C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21894== by 0x4F07198: g_malloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x4F205FD: g_strdup (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x805CE41: gs_app_set_version (gs-app.c:1157)
==21894== by 0xA5C2018: gs_plugin_refine (gs-plugin-apt.c:484)
==21894== by 0x808B76E: gs_plugin_loader_run_refine (gs-plugin-loader.c:231)
==21894== by 0x808BDDA: gs_plugin_loader_run_results (gs-plugin-loader.c:371)
==21894== by 0x808C8DD: gs_plugin_loader_get_updates_thread_cb (gs-plugin-loader.c:726)
==21894== by 0x4D1311C: g_task_thread_pool_thread (in /usr/lib/i386-linux-gnu/libgio-2.0.so.0.4706.0)
==21894== by 0x4F299E3: g_thread_pool_thread_proxy (in /lib/i386-linux-gnu/libglib-2.0.so.0.4706.0)
==21894== by 0x4F28F89: g_th...


Changed in gnome-software (Ubuntu):
status: Incomplete → New
description: updated
Sebastien Bacher (seb128) wrote :

Bug #1565408 seems to be a similar issue.

Sebastien Bacher (seb128) wrote :
Changed in gnome-software (Ubuntu):
assignee: nobody → Iain Lane (laney)
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.20.1+git20160414.1.cc9a0a6.ubuntu-xenial-0ubuntu1

---------------
gnome-software (3.20.1+git20160414.1.cc9a0a6.ubuntu-xenial-0ubuntu1) xenial; urgency=medium

  * New upstream snapshot from the wip/iainl/ubuntu-xenial branch at
    git://git.gnome.org/gnome-software.
    + Uses libapt instead of manual parsing to find out about Debian packages.
    + Runs the background service again for firmware and other updates. (LP:
    #1565865)
    + Fixes use-after-free (LP: #1554164)
    + Should mark software as 'free' correctly. (LP: #1569328, #1568021)
  * All Ubuntu patches are in the orig.tar.xz, so have been dropped from the
    packaging.
  * debian/control: Add libapt-pkg-dev BD - the apt plugin now uses libapt
    directly instead of parsing files itself.
  * debian/README.source: Add info on where the upstream VCS with Ubuntu
    changes is.

 -- Iain Lane <email address hidden> Thu, 14 Apr 2016 14:15:33 +0100

Changed in gnome-software (Ubuntu):
status: Fix Committed → Fix Released