[Okular-devel] [okular] [Bug 355172] Crash if I quit Okular when the properties dialog is being displayed

Santhiar via KDE Bugzilla bugzilla_noreply at kde.org
Mon Nov 16 06:31:13 UTC 2015 

https://bugs.kde.org/show_bug.cgi?id=355172

--- Comment #1 from Santhiar <santhiar.anirudh at gmail.com> ---
On further investigation, this is a use-after-free bug.
I built okular with ASAN [http://clang.llvm.org/docs/AddressSanitizer.html] 
and here is the report from ASAN on triggering the steps to repro.

==4455==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004d300
at pc 0x7f5079e3e5bc bp 0x7fff0630a230 sp 0x7fff0630a228
READ of size 8 at 0x60300004d300 thread T0
    #0 0x7f5079e3e5bb in Okular::Document::stopFontReading()
KDE/kde/kdegraphics/okular/core/document.cpp:2815:11
    #1 0x7f507a51a7ae in ~PropertiesDialog
KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:178
    #2 0x7f507a51a7ae in PropertiesDialog::~PropertiesDialog()
KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:177
    #3 0x7f50890e5ec3 in QObjectPrivate::deleteChildren()
(qt4/lib/libQtCore.so.4+0x24cec3)
    #4 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #5 0x7f507a52f7e8 in Sidebar::~Sidebar()
KDE/kde/kdegraphics/okular/ui/sidebar.cpp:514
    #6 0x7f507a52f65e in Sidebar::~Sidebar()
KDE/kde/kdegraphics/okular/ui/sidebar.cpp:512
    #7 0x7f508db5cf0b in KParts::Part::~Part()
KDE/kde/kdelibs/kparts/part.cpp:209:38
    #8 0x7f508db66132 in ~ReadOnlyPart KDE/kde/kdelibs/kparts/part.cpp:463
    #9 0x7f508db66132 in KParts::ReadWritePart::~ReadWritePart()
KDE/kde/kdelibs/kparts/part.cpp:780
    #10 0x7f507a2e23f8 in Okular::Part::~Part()
KDE/kde/kdegraphics/okular/part.cpp:891
    #11 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #12 0x7f507a2e14c5 in Okular::Part::~Part()
KDE/kde/kdegraphics/okular/part.cpp:857
    #13 0x7f50890e5ec3 in QObjectPrivate::deleteChildren()
(qt4/lib/libQtCore.so.4+0x24cec3)
    #14 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #15 0x7f508aa0a314 in QMainWindow::~QMainWindow()
(qt4/lib/libQtGui.so.4+0x8df314)
    #16 0x7f508bf36b5e in KMainWindow::~KMainWindow()
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #17 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow()
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #18 0x7f508db8bd2c in KParts::MainWindow::~MainWindow()
KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #19 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #20 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #21 0x7f50890e6f2d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24df2d)
    #22 0x7f50890e6a97 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24da97)
    #23 0x7f508a3eb095 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0095)
    #24 0x7f508aa0cca2 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1ca2)
    #25 0x7f508bf42133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #26 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #27 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x2351de)
    #28 0x7f508a36607b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b07b)
    #29 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #30 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22d135)
    #31 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x231639)
    #32 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #33 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int)
(qt4/lib/libQtCore.so.4+0x22d6a7)
    #34 0x7f5089114f07 in QCoreApplication::sendPostedEvents()
(qt4/lib/libQtCore.so.4+0x27bf07)
    #35 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*),
void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #36 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #37 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #38 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #39 0x7f5089112d81 in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x279d81)
    #40 0x7f508a476a43 in
QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34ba43)
    #41 0x7f50890c13fb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2283fb)
    #42 0x7f50890c174d in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x22874d)
    #43 0x7f508ab149ba in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e99ba)
    #44 0x7f507a30f36a in Okular::Part::slotShowProperties()
KDE/kde/kdegraphics/okular/part.cpp:2528
    #45 0x7f507a30f36a in Okular::Part::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
KDE/build-asan/kde/kdegraphics/okular/part.moc:234
    #46 0x7f50890ed6f6 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x2546f6)
    #47 0x7f508a35016c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22516c)
    #48 0x7f508a34ff81 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x224f81)
    #49 0x7f508aa47446 in
QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*,
QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c446)
    #50 0x7f508aa45305 in QMenuPrivate::activateAction(QAction*,
QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a305)
    #51 0x7f508aa4c731 in QMenu::mouseReleaseEvent(QMouseEvent*)
(qt4/lib/libQtGui.so.4+0x921731)
    #52 0x7f508bf4bf3e in KMenu::mouseReleaseEvent(QMouseEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #53 0x7f508a3e96cd in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2be6cd)
    #54 0x7f508aa4d079 in QMenu::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x922079)
    #55 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x2351de)
    #56 0x7f508a3635e2 in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x2385e2)
    #57 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #58 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22d135)
    #59 0x7f508a36ad7e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x23fd7e)
    #60 0x7f508a361280 in QApplicationPrivate::sendMouseEvent(QWidget*,
QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool)
(qt4/lib/libQtGui.so.4+0x236280)
    #61 0x7f508a431f78 in QETWidget::translateMouseEvent(_XEvent const*)
(qt4/lib/libQtGui.so.4+0x306f78)
    #62 0x7f508a42dd45 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x302d45)
    #63 0x7f508a476f7f in x11EventSourceDispatch(_GSource*, int (*)(void*),
void*) (qt4/lib/libQtGui.so.4+0x34bf7f)
    #64 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #65 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #66 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #67 0x7f5089112d81 in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x279d81)
    #68 0x7f508a476a43 in
QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34ba43)
    #69 0x7f50890c13fb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2283fb)
    #70 0x7f50890c174d in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x22874d)
    #71 0x7f50890c690e in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22d90e)
    #72 0x7f508a362275 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237275)
    #73 0x45100b in main (KDE/install-asan/bin/okular+0x45100b)
    #74 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #75 0x44f01c in _start (KDE/install-asan/bin/okular+0x44f01c)
0x60300004d300 is located 16 bytes inside of 24-byte region
[0x60300004d2f0,0x60300004d308)
freed by thread T0 here:
    #0 0x43a63a in operator delete(void*)
(KDE/install-asan/bin/okular+0x43a63a)
    #1 0x7f5079e2d9a6 in Okular::Document::~Document()
KDE/kde/kdegraphics/okular/core/document.cpp:2202
    #2 0x7f507a2e1ee2 in Okular::Part::~Part()
KDE/kde/kdegraphics/okular/part.cpp:880
    #3 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #4 0x7f507a2e14c5 in Okular::Part::~Part()
KDE/kde/kdegraphics/okular/part.cpp:857
    #5 0x7f50890e5ec3 in QObjectPrivate::deleteChildren()
(qt4/lib/libQtCore.so.4+0x24cec3)
    #6 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #7 0x7f508aa0a314 in QMainWindow::~QMainWindow()
(qt4/lib/libQtGui.so.4+0x8df314)
    #8 0x7f508bf36b5e in KMainWindow::~KMainWindow()
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #9 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow()
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #10 0x7f508db8bd2c in KParts::MainWindow::~MainWindow()
KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #11 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #12 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #13 0x7f50890e6f2d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24df2d)
    #14 0x7f50890e6a97 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24da97)
    #15 0x7f508a3eb095 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0095)
    #16 0x7f508aa0cca2 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1ca2)
    #17 0x7f508bf42133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #18 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #19 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x2351de)
    #20 0x7f508a36607b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b07b)
    #21 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #22 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22d135)
    #23 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x231639)
    #24 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #25 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int)
(qt4/lib/libQtCore.so.4+0x22d6a7)
    #26 0x7f5089114f07 in QCoreApplication::sendPostedEvents()
(qt4/lib/libQtCore.so.4+0x27bf07)
    #27 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*),
void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #28 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
previously allocated by thread T0 here:
    #0 0x43a3ba in operator new(unsigned long)
(KDE/install-asan/bin/okular+0x43a3ba)
    #1 0x7f507a2c4975 in Okular::Part::Part(QWidget*, QObject*, QList<QVariant>
const&, KComponentData) KDE/kde/kdegraphics/okular/part.cpp:355
    #2 0x7f507a2c36dc in Okular::PartFactory::create(char const*, QWidget*,
QObject*, QList<QVariant> const&, QString const&)
KDE/kde/kdegraphics/okular/part.cpp:171
    #3 0x472c94 in KParts::ReadWritePart*
KPluginFactory::create<KParts::ReadWritePart>(QObject*, QList<QVariant> const&)
(KDE/install-asan/bin/okular+0x472c94)
    #4 0x45f135 in Shell::Shell(QString const&)
(KDE/install-asan/bin/okular+0x45f135)
    #5 0x45ab67 in Okular::main(QStringList const&, QString const&)
(KDE/install-asan/bin/okular+0x45ab67)
    #6 0x4513f5 in main (KDE/install-asan/bin/okular+0x4513f5)
    #7 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free
KDE/kde/kdegraphics/okular/core/document.cpp:2815
Okular::Document::stopFontReading()
Shadow bytes around the buggy address:
  0x0c0680001a10: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680001a20: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fd fd
  0x0c0680001a30: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x0c0680001a40: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c0680001a50: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
=>0x0c0680001a60:[fd]fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680001a70: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680001a80: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c0680001a90: fd fd fa fa fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0680001aa0: fd fd fd fd fa fa fd fd fd fa fa fa fa fa fa fa
  0x0c0680001ab0: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4455==ABORTING

The properties dialog spins a nested event loop, and the close event destroys
the property dialog that is subsequently accessed by the handler still on
stack.
I shall be happy to supply any other information to help fix this UAF
vulnerability.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the Okular-devel mailing list