konsole weird behavior
Andriy Gapon
avg at FreeBSD.org
Fri Apr 4 12:43:46 BST 2025
I observe some strange and possibly even nefarious behavior from konsole.
I run several konsole instances, each with several tabs, all with identically
configured zsh. Once in a while, one (only one) of the shells would start to
behave slightly unusually. Typing in that terminal would work normally, but
when I hit Enter there would be an approximately 1 second delay between that and
actually running a command (even something as simple as 'echo').
That's very annoying, of course, but that's just the start of it.
I wanted to see if it's something related to konsole or to zsh, so I ran ktrace
-d -i -p <pid-of-konsole> to collect some info. I just typed "echo<Enter>",
observed the delay and stopped tracing with ktrace -C.
To my surprise, the resulting trace file was very large.
I started looking at it and it has entries like
3647 978339 konsole 0.000018114 CALL access(0x126ff0128c70,0x4<R_OK>)
3647 978339 konsole 0.000020478 NAMI "/home/avg/xrdp-chansrv.log"
3647 978339 konsole 0.000025554 RET access 0
3647 978339 konsole 0.000026705 CALL access(0x126ff0128c70,0x2<W_OK>)
3647 978339 konsole 0.000027980 NAMI "/home/avg/xrdp-chansrv.log"
3647 100746 konsole 0.000031709 CALL access(0x126ff00089d0,0<F_OK>)
3647 100746 konsole 0.000040236 NAMI "/home/avg/.local/share/mime/application/x-kcachegrind.xml"
3647 978339 konsole 0.000032039 RET access 0
3647 978339 konsole 0.000045287 CALL access(0x126ff0128c70,0x1<X_OK>)
3647 978339 konsole 0.000046466 NAMI "/home/avg/xrdp-chansrv.log"
3647 100746 konsole 0.000049654 RET access -1 errno 2 No such file or directory
3647 978339 konsole 0.000052204 RET access -1 errno 13 Permission denied
3647 100746 konsole 0.000055305 CALL openat(AT_FDCWD,0x126ff00089d0,0x100000<O_RDONLY|O_CLOEXEC>)
3647 100746 konsole 0.000057836 NAMI "/home/avg/.local/share/mime/application/x-kcachegrind.xml"
3647 978339 konsole 0.000059836 CALL fstatat(AT_FDCWD,0x126ff00a9990,0x8ad8ecca0,0x200<AT_SYMLINK_NOFOLLOW>)
3647 978339 konsole 0.000061885 NAMI "/home/avg/zfs.create"
3647 100746 konsole 0.000065255 RET openat -1 errno 2 No such file or directory
I grepped for NAMI and my impression was that konsole was basically scanning
files in my home directory.
Just to give you some sample of accessed files:
3647 konsole NAMI "/home/avg/otrust.txt"
3647 konsole NAMI "/home/avg/output.pdf"
3647 konsole NAMI "/home/avg/package-list-20140908.txt"
3647 konsole NAMI "/home/avg/package-list-20140909.refined.txt"
3647 konsole NAMI "/home/avg/package-list-20140909.txt"
3647 konsole NAMI "/home/avg/package-list-reduced-20140908.txt"
3647 konsole NAMI "/home/avg/Pictures"
3647 konsole NAMI "/home/avg/Pictures/.directory"
3647 konsole NAMI "/home/avg/pivotal-through-dialup.png"
3647 konsole NAMI "/home/avg/pkg-bug.tbz"
3647 konsole NAMI "/home/avg/plasma-launcher-empty-favs.png"
I noticed that for sub-directories konsole would usually access only the
.directory file.
Some files it would just access and stat.
But other files it would open and read!
E.g.:
3647 100746 konsole 0.021485965 CALL openat(AT_FDCWD,0x126ff0127540,0x100000<O_RDONLY|O_CLOEXEC>)
3647 100746 konsole 0.021488680 NAMI "/home/avg/scard-screenshot.png"
3647 100746 konsole 0.021500402 RET openat 30/0x1e
3647 100746 konsole 0.021502126 CALL fstat(0x1e,0x820484c80)
3647 100746 konsole 0.021504765 STRU struct stat {dev=3832144223632429794, ino=30063, mode=0100644, nlink=1, uid=1001, gid=20, rdev=0, atime=1637675833.672200606, mtime=1637675833.755198904, ctime=1637675833.755198904, birthtime=1637675833.672200606, size=306191, blksize=131072, blocks=785, flags=0x800 }
3647 100746 konsole 0.021506453 RET fstat 0
3647 100746 konsole 0.021508007 CALL fstat(0x1e,0x820484ca0)
3647 100746 konsole 0.021509965 STRU struct stat {dev=3832144223632429794, ino=30063, mode=0100644, nlink=1, uid=1001, gid=20, rdev=0, atime=1637675833.672200606, mtime=1637675833.755198904, ctime=1637675833.755198904, birthtime=1637675833.672200606, size=306191, blksize=131072, blocks=785, flags=0x800 }
3647 100746 konsole 0.021515909 RET fstat 0
3647 100746 konsole 0.021517504 CALL read(0x1e,0x126fefb83a10,0x4000)
3647 100746 konsole 0.021529825 GIO fd 30 read 4096 bytes
...
I attached with gdb, I didn't get a lot of useful info because of missing debug
symbols, but what I got also looks worrying:
(gdb) bt
#0 access () at access.S:4
#1 0x00000008416958fb in ?? () from /usr/local/lib/qt6/libQt6Core.so.6
#2 0x00000008414c3e26 in operator<<(QDebug, QFileInfo const&) () from /usr/local/lib/qt6/libQt6Core.so.6
#3 0x00000008414bdc2c in QFile::copy(QString const&) () from /usr/local/lib/qt6/libQt6Core.so.6
#4 0x0000000000000000 in ?? ()
I mean, QFile::copy?
Another potentially interesting thread:
(gdb) bt
#0 _umtx_op_err ()
#1 0x000000083fb01c52 in _thr_umtx_timedwait_uint (mtx=0x126fe830c080, id=id@entry=0, clockid=<optimized out>, abstime=<optimized out>, shared=15, shared@entry=0)
#2 0x000000083faf8559 in _thr_sleep (curthread=curthread@entry=0x126fe975f800, clockid=0, abstime=abstime@entry=0x0)
#3 0x000000083faf3b91 in cond_wait_user (cvp=0x126feb93e060, mp=0x126fe82f4e08, abstime=0x0, cancel=1)
#4 cond_wait_common (cond=<optimized out>, mutex=<optimized out>, abstime=0x0, cancel=1)
#5 0x00000008416aeb6b in QUnhandledException::QUnhandledException(std::exception_ptr) () from /usr/local/lib/qt6/libQt6Core.so.6
#6 0x00000008416ae888 in QWaitCondition::wait(QReadWriteLock*, QDeadlineTimer) () from /usr/local/lib/qt6/libQt6Core.so.6
#7 0x000000083e9bf792 in QFileInfoGatherer::removePath(QString const&) () from /usr/local/lib/qt6/libQt6Gui.so.6
#8 0x00000008416a158c in ?? () from /usr/local/lib/qt6/libQt6Core.so.6
#9 0x000000083faf4cd2 in thread_start (curthread=0x8416a1401)
It looks like the scan was interested mostly in dot files and image files.
I cannot imagine why konsole would do those things.
I have a feeling like I have been hacked, but I suspect that it's some silly
thing in konsole code.
Does anyone else see anything like that?
--
Andriy Gapon
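
An added example, not part of the original post: a small parser for kdump output in the pid/tid/command/timestamp layout shown above. It pairs each CALL with its NAMI and RET per thread (the threads interleave in the trace) and follows file descriptors, so paths can be separated into probed, opened and actually read. The sample trace, its paths and the function name classify are constructed for illustration.

```python
import re
# Constructed sample in the pid/tid/command/timestamp layout shown in the post;
# paths and values are made up. Two threads (978339, 100746) interleave.
SAMPLE = """\
 3647 978339 konsole 0.000018 CALL  access(0x126ff0128c70,0x4<R_OK>)
 3647 978339 konsole 0.000020 NAMI  "/home/user/notes.log"
 3647 100746 konsole 0.000031 CALL  openat(AT_FDCWD,0x126ff00089d0,0x100000<O_RDONLY|O_CLOEXEC>)
 3647 100746 konsole 0.000040 NAMI  "/home/user/shot.png"
 3647 978339 konsole 0.000045 RET   access 0
 3647 100746 konsole 0.000050 RET   openat 30/0x1e
 3647 100746 konsole 0.000060 CALL  read(0x1e,0x126fefb83a10,0x4000)
 3647 100746 konsole 0.000070 GIO   fd 30 read 4096 bytes
 3647 978339 konsole 0.000080 CALL  openat(AT_FDCWD,0x126ff00089d0,0x100000<O_RDONLY|O_CLOEXEC>)
 3647 978339 konsole 0.000081 NAMI  "/home/user/missing.xml"
 3647 978339 konsole 0.000085 RET   openat -1 errno 2 No such file or directory
"""
LINE = re.compile(r"\s*(\d+)\s+(\d+)\s+\S+\s+[\d.]+\s+(CALL|NAMI|RET|GIO)\s+(.*)")
LEVELS = ("probed", "opened", "read")

def classify(trace):
    """Return ({path: deepest access level}, {path: bytes read})."""
    # pending: tid -> [syscall, path] awaiting RET; fds: (pid, fd) -> open path
    pending, fds, level, nbytes = {}, {}, {}, {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # hex dumps, wrapped fragments, other records
        pid, tid, kind, rest = m.groups()
        if kind == "CALL":
            name, _, args = rest.partition("(")
            pending[tid] = [name, None]
            if name == "close":  # fd numbers get reused, so forget closed ones
                fds.pop((pid, int(args.rstrip(")"), 16)), None)
        elif kind == "NAMI" and tid in pending:
            pending[tid][1] = rest.strip().strip('"')
        elif kind == "RET":
            name, path = pending.pop(tid, (None, None))
            result = rest.split()[1]
            if path is not None:  # only syscalls that looked up a name
                level.setdefault(path, 0)
                if name in ("open", "openat") and result != "-1":
                    fds[(pid, int(result.split("/")[0]))] = path
                    level[path] = max(level[path], 1)
        elif kind == "GIO":
            g = re.match(r"fd (\d+) read (\d+) bytes", rest)
            path = fds.get((pid, int(g[1]))) if g else None
            if path:
                level[path] = 2
                nbytes[path] = nbytes.get(path, 0) + int(g[2])
    return {p: LEVELS[n] for p, n in level.items()}, nbytes
```

Feed it unwrapped kdump text; lines that mail clients have wrapped no longer match the record pattern and are skipped.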