From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 64FBA6DE22FC for ; Tue, 21 Feb 2017 17:44:33 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.005 X-Spam-Level: X-Spam-Status: No, score=-0.005 tagged_above=-999 required=5 tests=[AWL=0.006, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeDbanXobJZh for ; Tue, 21 Feb 2017 17:44:32 -0800 (PST) Received: from fethera.tethera.net (fethera.tethera.net [198.245.60.197]) by arlo.cworth.org (Postfix) with ESMTPS id 8D2E56DE22F7 for ; Tue, 21 Feb 2017 17:44:32 -0800 (PST) Received: from remotemail by fethera.tethera.net with local (Exim 4.84_2) (envelope-from ) id 1cgLyE-000291-BZ; Tue, 21 Feb 2017 20:43:54 -0500 Received: (nullmailer pid 6007 invoked by uid 1000); Wed, 22 Feb 2017 01:44:29 -0000 From: David Bremner To: Tomi Ollila , notmuch@notmuchmail.org Subject: Re: read after free in notmuch new In-Reply-To: <87shn73uhj.fsf@tethera.net> References: <87efyu6zdg.fsf@tethera.net> <87bmty6vwu.fsf@tethera.net> <87d1ec5ki4.fsf@tethera.net> <87shn73uhj.fsf@tethera.net> Date: Tue, 21 Feb 2017 21:44:29 -0400 Message-ID: <87lgsz3soy.fsf@tethera.net> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 01:44:33 -0000 David Bremner writes: > Tomi Ollila writes: > >> To me it looks like replacing g_hash_table_insert() with >> g_hash_table_replace() would do the trick. >> >> (or even g_hash_table_add()!) >> >> One has to read the documentation a bit (and compare the docstrings of >> these 2 functions to guess the missing pieces) to get some understanding to >> this... >> > > Hi Tomi; > > Thanks for the suggestion. Unfortunately in my experiments it just > shifts the invalid memory access to a different piece of memory. I think > the problem is that a pointer to the previous copy of that key also > leaked a reference via last_ref, so when we kill that via > g_hash_table_replace it causes the same problem. > Thinking a bit more about it, at least in this case the pointer that was just inserted remains valid after insertion, and can be talloc_strdup'ed, i.e. diff --git a/lib/database.cc b/lib/database.cc index f0bfe566..eddb780c 100644 --- a/lib/database.cc +++ b/lib/database.cc @@ -652,7 +652,7 @@ parse_references (void *ctx, ref = _parse_message_id (ctx, refs, &refs); if (ref && strcmp (ref, message_id)) { - g_hash_table_insert (hash, ref, NULL); + g_hash_table_add (hash, ref); last_ref = ref; } } @@ -661,7 +661,7 @@ parse_references (void *ctx, * reference to the database. We should avoid making a message * its own parent, thus the above check. */ - return last_ref; + return talloc_strdup(ctx, last_ref); } notmuch_status_t I'll let valgrind chew on that for a bit and see what it says.