[kde-freebsd] konqueror crashes on ACL properties

Markus Brueffer markus at freebsd.org
Tue Sep 1 18:49:23 CEST 2009


On Friday 28 August 2009 19:20:52 Andriy Gapon wrote:
> on 27/08/2009 20:04 Andriy Gapon said the following:
> > [KCrash handler]
> > #6  0x0000000803dad5e0 in acl_dup () from /lib/libc.so.7
> > #7  0x0000000803d7cc87 in acl_to_text_np () from /lib/libc.so.7
> > #8  0x0000000800a3d4af in KACL::asString ()
> >    from /usr/local/lib/libkio.so.6
> > #9  0x0000000800ab4f31 in KFilePermissionsPropsPlugin::KFilePermissionsPropsPlugin ()
> >    from /usr/local/lib/libkio.so.6
> > #10 0x0000000800ab73f0 in KPropertiesDialog::insertPages ()
> >    from /usr/local/lib/libkio.so.6
> > #11 0x0000000800ab751e in KPropertiesDialog::init ()
> >    from /usr/local/lib/libkio.so.6
> > ...
>
> I think that I found a cause and it actually makes me wonder why I got this
> crash only now.
> So the constructor of KFilePermissionsPropsPlugin (see
> kio/kfile/kpropertiesdialog.cpp) has the following:
> 1573   d->extendedACL = item->ACL();
> 1574   d->defaultACL = item->defaultACL();
> and these lines are executed unconditionally (regardless of any filesystem
> properties or configuration settings).
> The extendedACL and defaultACL variables are of KACL type, and this is how the
> KACL copy constructor looks:
>  99 KACL::KACL( const KACL& rhs )
> 100     : d( new KACLPrivate )
> 101 {
> 102     setACL( rhs.asString() );
> 103 }
>
> The asString method tries to convert the m_acl member to a string.
> Initially m_acl is set to zero, so it's not a valid acl(3) handle.
> Thus, when acl_to_text is called on a zero acl_t variable, a crash happens in
> libc.
>
> The following small patch helped me:
> --- kio/kio/kacl.cpp.orig       2006-01-19 19:06:10.000000000 +0200
> +++ kio/kio/kacl.cpp    2009-08-28 20:10:02.171081167 +0300
> @@ -606,7 +606,10 @@
>  QString KACL::asString() const
>  {
>  #ifdef USE_POSIX_ACL
> -    return aclAsString( d->m_acl );
> +    if (d->m_acl)
> +       return aclAsString( d->m_acl );
> +    else
> +       return QString::null;
>  #else
>      return QString::null;
>  #endif
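Review bot: the new `else` branch inside `#ifdef USE_POSIX_ACL` duplicates the `#else` arm's `return QString::null;`, and the inserted lines mix indentation (4 spaces on the `if`, 7 on the two returns). A single `return d->m_acl ? aclAsString( d->m_acl ) : QString::null;` in place of the removed line expresses the same guard in one statement and matches the surrounding style. Note also that this guards only asString(): the dereference itself happens in libc's acl_to_text_np, so any other KACL path that passes a zero m_acl to an acl_*() function is still exposed.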
>
> The idea is to return QString::null if d->m_acl is not initialized (zero).

The real problem is not the kdelibs3 implementation but a regression in 
FreeBSD introduced with the NFSv4 ACL import (rev 194955).

Before the import, acl_to_text checked if the passed acl_t was a NULL pointer 
and aborted. Although this still happens, the original POSIX.1e function is 
now called through a wrapper (acl_to_text_np) which determines what type of 
ACL is being passed and in the process dereferences the passed acl_t without 
checking if it is a NULL pointer.

The attached patch should fix this (only compile tested). Other acl functions 
may have the same regression concerning POSIX.1e. From a very quick glance, at 
least acl_calc_mask does, maybe others. 

trasz: Can this be fixed in time for 8-RELEASE?

Thanks,

Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: acl_to_text.c.diff
Type: text/x-patch
Size: 565 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/kde-freebsd/attachments/20090901/1c66d910/attachment.diff 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: acl_calc_mask.c.diff
Type: text/x-patch
Size: 818 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/kde-freebsd/attachments/20090901/1c66d910/attachment-0001.diff 
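The regression Markus describes (an inner POSIX.1e routine that rejects NULL, reached through a wrapper that dereferences the handle first) modelled in plain C as an added example. This is not FreeBSD libc code and not from the thread: the struct, the `model_*` names and the choice of EINVAL are assumptions made so the example builds and runs anywhere.

```c
/* Constructed model of the call path described in the mail; NOT FreeBSD libc
 * code.  The struct, names and use of EINVAL are assumptions for illustration. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

enum { MODEL_BRAND_POSIX = 1, MODEL_BRAND_NFS4 = 2 };

typedef struct {
    int brand;          /* which ACL flavour this handle holds */
    const char *text;   /* canned textual form; enough for the model */
} model_acl, *model_acl_t;

/* Heap copy of the text, standing in for the buffer acl_to_text allocates. */
static char *copy_text(const char *s)
{
    char *out = malloc(strlen(s) + 1);
    return out != NULL ? strcpy(out, s) : NULL;
}

/* Inner routine: rejects a NULL handle, as the pre-import acl_to_text did. */
static char *model_to_text_posix1e(model_acl_t acl)
{
    if (acl == NULL) {
        errno = EINVAL;
        return NULL;
    }
    return copy_text(acl->text);
}

/* Wrapper with the regression: acl->brand is read before the inner NULL
 * check is ever reached, so a zero handle faults right here. */
static char *model_to_text_np_unguarded(model_acl_t acl)
{
    if (acl->brand == MODEL_BRAND_NFS4)
        return copy_text("nfsv4-text");   /* NFSv4 path, not modelled further */
    return model_to_text_posix1e(acl);
}

/* Corrected wrapper: validate the handle before looking at its brand. */
static char *model_to_text_np_guarded(model_acl_t acl)
{
    if (acl == NULL) {
        errno = EINVAL;
        return NULL;
    }
    if (acl->brand == MODEL_BRAND_NFS4)
        return copy_text("nfsv4-text");
    return model_to_text_posix1e(acl);
}
```

Both wrappers behave identically on a valid handle; only the guarded one turns a zero handle into an EINVAL return instead of a fault, which is the check the KACL copy constructor was relying on.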