Bug 3610

Summary: Heap use after free in privacy_mimeinfo_check_signature()
Product: Claws Mail (GTK 2)
Reporter: Hanno Boeck <hanno>
Component: Other
Assignee: users
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: other   
Hardware: PC   
OS: Linux   
Attachments:
Description: asan error / stack trace for use after free in privacy_mimeinfo_check_signature
Flags: none

Description Hanno Boeck 2016-02-04 21:44:00 UTC
Created attachment 1628
asan error / stack trace for use after free in privacy_mimeinfo_check_signature

I discovered a use after free error with address sanitizer. It seems similar to bug #3598.

A reliable way to reproduce it:
* Have the pgp plugins enabled.
* Open a pgp-signed mail in one folder.
* Go to another folder, don't open a mail.
* Press "c" (which is "check signature", but should do nothing as no mail is open).

If claws-mail was compiled with address sanitizer enabled, it will terminate and show a use after free error. I have attached the asan log.

I think there is a problem with the variable mimeinfo that is similar to the problem with msginfo in bug #3598.

Right before the uaf I see there is this code:
	cm_return_val_if_fail(mimeinfo != NULL, -1);

That is, the code assumes that if mimeinfo is not null it contains valid data. For this to be true, at every place it gets freed it would have to be set to zero, which is not happening.
Comment 1 users 2016-02-08 18:29:03 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2016-02-08 18:29:03.217084203 +0100
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=f25a8348285c071e33d15627d427f9f410c02c14
Merge: b31a0f6 cd7f85f
Author: Colin Leroy <colin@colino.net>
Date:   Mon Feb 8 18:29:02 2016 +0100

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=cd7f85f7eb6db97e86a8830e28116d26223d4e26
Author: Andrej Kacian <ticho@claws-mail.org>
Date:   Mon Feb 8 18:26:26 2016 +0100

    Real fix for #3598. We were zeroing out wrong pointer.

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=14b55b5122349d18fa15f3b10c1067f19657ca10
Author: Andrej Kacian <ticho@claws-mail.org>
Date:   Mon Feb 8 18:26:49 2016 +0100

    Make procmime_mimeinfo_free_all() zero the passed pointer.
    
    The function's argument type changes from MimeInfo* to MimeInfo**,
    so that we can zero out the pointer.
    
    This closes bug #3610, reported by Hanno Boeck.
Comment 2 Andrej Kacian 2016-02-08 18:41:01 UTC
Fixed in git, thanks. I fear that there will be a few more such issues throughout the code.
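The fix pattern from commit 14b55b5 (free through a double pointer and zero the caller's copy, so that the later NULL check in the signature-check routine is meaningful), as an added illustration that is not Claws Mail's own code. The MimeInfo struct, the cm_return_val_if_fail macro and the signature data below are simplified stand-ins, and replay_bug_3610() follows the reporter's steps: open a signed mail, switch folder (which frees the parts), press "c".

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for Claws Mail's MimeInfo (assumption: the real
 * struct has many more fields). */
typedef struct MimeInfo {
    char *sig_data;
    struct MimeInfo *next;
} MimeInfo;

/* Local stand-in for the cm_return_val_if_fail() macro quoted in the report. */
#define cm_return_val_if_fail(expr, val) do { if (!(expr)) return (val); } while (0)

/* Mirrors the fix: the free routine takes MimeInfo** and zeroes the
 * caller's pointer, so nothing keeps a dangling reference after the
 * message parts are released on a folder change. */
void procmime_mimeinfo_free_all(MimeInfo **mimeinfo)
{
    MimeInfo *cur = mimeinfo ? *mimeinfo : NULL;
    while (cur) {
        MimeInfo *next = cur->next;
        free(cur->sig_data);
        free(cur);
        cur = next;
    }
    if (mimeinfo)
        *mimeinfo = NULL;   /* the missing step that left bug #3610's dangling pointer */
}

/* Stand-in for privacy_mimeinfo_check_signature(): -1 when no message is
 * open, else 0 for a good signature and 1 otherwise (constructed data). */
int privacy_mimeinfo_check_signature(MimeInfo *mimeinfo)
{
    cm_return_val_if_fail(mimeinfo != NULL, -1);
    return strcmp(mimeinfo->sig_data, "GOOD") == 0 ? 0 : 1;
}

/* Replays the report's steps and returns the result of pressing "c"
 * after the folder change. With the old MimeInfo* signature, mimeinfo
 * would still point at freed memory here and the NULL check would pass. */
int replay_bug_3610(void)
{
    MimeInfo *mimeinfo = calloc(1, sizeof *mimeinfo);
    mimeinfo->sig_data = malloc(5);
    memcpy(mimeinfo->sig_data, "GOOD", 5);          /* constructed sample */
    int while_open = privacy_mimeinfo_check_signature(mimeinfo);
    procmime_mimeinfo_free_all(&mimeinfo);          /* leaving the folder */
    return while_open == 0 ? privacy_mimeinfo_check_signature(mimeinfo) : -2;
}
```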