gvfsd-http crashed with SIGSEGV in create_reply()

Bug #1065082 reported by Bruce Pieterse on 2012-10-10
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
gvfs | Fix Released | Medium | |
gvfs (Ubuntu) | | High | Canonical Desktop Team |
Raring | | High | Canonical Desktop Team |

Bug Description

Ejected iPod device within Rhythmbox while it was syncing to device. Crash occurred shortly afterwards.

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: gvfs-backends 1.14.0-0ubuntu6
ProcVersionSignature: Ubuntu 3.5.0-17.27-generic 3.5.5
Uname: Linux 3.5.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.6.1-0ubuntu2
Architecture: amd64
Date: Wed Oct 10 16:39:11 2012
ExecutablePath: /usr/lib/gvfs/gvfsd-http
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
ProcCmdline: /usr/lib/gvfs/gvfsd-http --spawner :1.7 /org/gtk/gvfs/exec_spaw/4
ProcEnviron:
 SHELL=/usr/bin/zsh
 XDG_RUNTIME_DIR=<set>
 PATH=(custom, no user)
 LANGUAGE=en_ZA:en
 LANG=en_ZA.UTF-8
SegvAnalysis:
 Segfault happened at: 0x413d8d: mov (%rdx),%edi
 PC (0x00413d8d) ok
 source "(%rdx)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: gvfs
StacktraceTop:
 ?? ()
 ?? ()
 ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
 g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
 g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
Title: gvfsd-http crashed with SIGSEGV in g_signal_emit_valist()
UpgradeStatus: Upgraded to quantal on 2012-10-05 (4 days ago)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Bruce Pieterse (octoquad) wrote :

StacktraceTop:
 create_reply (job=0x7f2c8c0221f0, object=0x2f2f370, invocation=0x2f2e4c0) at gvfsjobopenforread.c:183
 send_reply (job=0x7f2c8c0221f0) at gvfsjobdbus.c:160
 _g_closure_invoke_va (closure=0x1211f90, return_value=0x0, instance=0x7f2c8c0221f0, args=0x7fffce2b9348, n_params=0, param_types=0x0) at /build/buildd/glib2.0-2.34.0/./gobject/gclosure.c:840
 g_signal_emit_valist (instance=0x7f2c8c0221f0, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffce2b9348) at /build/buildd/glib2.0-2.34.0/./gobject/gsignal.c:3211
 g_signal_emit (instance=instance@entry=0x7f2c8c0221f0, signal_id=<optimized out>, detail=detail@entry=0) at /build/buildd/glib2.0-2.34.0/./gobject/gsignal.c:3356

Changed in gvfs (Ubuntu):
importance: Undecided → Medium
summary: - gvfsd-http crashed with SIGSEGV in g_signal_emit_valist()
+ gvfsd-http crashed with SIGSEGV in create_reply()
tags: removed: need-amd64-retrace
tags: added: raring
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gvfs (Ubuntu):
status: New → Confirmed
information type: Private → Public
Changed in gvfs (Ubuntu):
status: Confirmed → Triaged
importance: Medium → High
Changed in gvfs (Ubuntu Raring):
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Changed in gvfs:
importance: Unknown → Medium
status: Unknown → New
Stephen M. Webb (bregma) wrote :

Here's a proposed patch for the problem. There's a bad code path when socketpair() fails that results in a NULL pointer dereference during the subsequent error reporting.

tags: added: patch
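
The failure mode described in the comment above, as an added example (not gvfs code and not the proposed patch): a simplified C model of an error branch that reads an error record the failing call never filled in, next to a hardened form. The names `open_channel`, `reply_unsafe`, `reply_safe` and `struct chan_error` are hypothetical, and the model assumes the helper leaves the error out-parameter unset when socketpair() fails.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical error record, standing in for an out-parameter such as GError. */
struct chan_error { const char *message; };

/* Returns the remote end of a socket pair, or -1; assumed: failure leaves *err unset. */
int open_channel(int sock_type, struct chan_error **err) {
    int fds[2];
    (void)err;
    if (socketpair(AF_UNIX, sock_type, 0, fds) < 0)
        return -1;
    close(fds[0]);          /* the local end is not needed in this sketch */
    return fds[1];
}

/* Unsafe pattern: the error branch assumes err was populated. */
int reply_unsafe(int sock_type) {
    struct chan_error *err = NULL;
    int fd = open_channel(sock_type, &err);
    if (fd < 0) {
        fprintf(stderr, "reply: %s\n", err->message);   /* NULL dereference */
        return -1;
    }
    close(fd);
    return 0;
}

/* Hardened: capture errno at once and read err only when it is set. */
int reply_safe(int sock_type) {
    struct chan_error *err = NULL;
    int fd = open_channel(sock_type, &err);
    if (fd < 0) {
        int saved = errno ? errno : EIO;
        fprintf(stderr, "reply: %s\n", err ? err->message : strerror(saved));
        return -saved;
    }
    close(fd);
    return 0;
}

int main(void) {  /* constructed failure: socket type -1 makes socketpair() fail */
    return (reply_safe(SOCK_STREAM) == 0 && reply_safe(-1) < 0) ? 0 : 1;
}
```

`reply_unsafe` is shown for comparison only and is never called; calling it with a failing socket type reproduces the same class of fault as the `SegvReason: reading NULL VMA` line in the report.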
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.16.0-1ubuntu3

---------------
gvfs (1.16.0-1ubuntu3) raring; urgency=low

  * debian/patches/gvfsd_http_handle_socketpair_error.patch: don't segfault
    if socketpair() fails, thanks Stephen M. Webb (lp: #1065082)
 -- Sebastien Bacher <email address hidden> Wed, 27 Mar 2013 21:21:17 +0100

Changed in gvfs (Ubuntu Raring):
status: Triaged → Fix Released
Changed in gvfs:
status: New → Confirmed
Changed in gvfs:
status: Confirmed → Fix Released