[kio-extras] [Bug 343153] New: kio_sftp crashes if sftp_write(...) fails (double-free in sftpProtocol::sftpPut)

Kevin Funk kfunk at kde.org
Thu Jan 22 13:04:36 UTC 2015


https://bugs.kde.org/show_bug.cgi?id=343153

            Bug ID: 343153
           Summary: kio_sftp crashes if sftp_write(...) fails (double-free
                    in sftpProtocol::sftpPut)
           Product: kio-extras
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: crash
          Priority: NOR
         Component: default
          Assignee: plasma-devel at kde.org
          Reporter: kfunk at kde.org

Situation: Disk on remote server is full. In that case, when saving the file,
sftp_write inside kio_sftp.cpp will fail. This leads to a crash later on.

Error in `kio_sftp.so [kdeinit5] sftp
local:/run/user/1000/klauncherXM8394.1.slave-socket
local:/run/user/1000/katewZ9343.3.slave-socket': free(): invalid pointer:
0x0000000000a54770 ***

Tested with Kate 5.x when working on a file opened via the sftp protocol.

Valgrind report:
(...)
==10659== Invalid read of size 8
==10659==    at 0xF79E62E: sftp_attributes_free (sftp.c:1542)
==10659==    by 0xF56807B: sftpProtocol::sftpPut(KUrl const&, int,
QFlags<KIO::JobFlag>, int&, int) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString
const&, int, QFlags<KIO::JobFlag>, int&) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int,
QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in
/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659==  Address 0x17f8f188 is 40 bytes inside a block of size 144 free'd
==10659==    at 0x4C2C2E0: operator delete(void*) (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF568073: sftpProtocol::sftpPut(KUrl const&, int,
QFlags<KIO::JobFlag>, int&, int) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString
const&, int, QFlags<KIO::JobFlag>, int&) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int,
QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in
/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659== 
==10659== Invalid free() / delete / delete[] / realloc()
==10659==    at 0x4C2BE10: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF56807B: sftpProtocol::sftpPut(KUrl const&, int,
QFlags<KIO::JobFlag>, int&, int) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString
const&, int, QFlags<KIO::JobFlag>, int&) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int,
QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in
/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659==  Address 0x17f8f160 is 0 bytes inside a block of size 144 free'd
==10659==    at 0x4C2C2E0: operator delete(void*) (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF568073: sftpProtocol::sftpPut(KUrl const&, int,
QFlags<KIO::JobFlag>, int&, int) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString
const&, int, QFlags<KIO::JobFlag>, int&) (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int,
QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in
/usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in
/usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in
/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)

(Sorry for the missing line numbers, Kubuntu's debug packages are a bit messed
up atm)

Reproducible: Always

Steps to Reproduce:
1. Open a file via the sftp protocol in Kate
2. Try to save
3. kio_sftp crashes

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the Plasma-devel mailing list
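Added example (not part of the bug report or of kio-extras): the Valgrind output above shows one 144-byte block released twice on the failed-write path, first by operator delete inside sftpProtocol::sftpPut and then again by sftp_attributes_free, which also reads from it. The C program below reproduces that shape with toy stand-ins: toy_attrs, toy_attrs_free and toy_write are constructed names, not libssh's API, and put_buggy and put_fixed are hypothetical, not kio_sftp's code. In put_buggy the error branch releases the attributes object and then falls through into the shared cleanup that releases it again. The toy release function records a second release instead of corrupting the heap, which is the job Valgrind did in the report. put_fixed shows the usual repair, a single cleanup exit plus a release helper that nulls the caller's pointer so a repeated release is a no-op, and run_put reports result, double-release count and leak count for a full and a non-full remote disk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for libssh's sftp_attributes, sftp_attributes_free() and
 * sftp_write(). Constructed for this example; not libssh's API and not
 * kio_sftp's code. The release function detects a second release instead
 * of corrupting the heap, the job Valgrind did in the report. */
#define TOY_LIVE 0x4c495645u
#define TOY_DEAD 0x44454144u

typedef struct {
    unsigned magic;     /* TOY_LIVE while owned, TOY_DEAD after release */
    size_t size;
} toy_attrs;

static toy_attrs *g_quarantine[16]; /* released objects, kept readable */
static int g_quarantined;
static int g_double_frees;          /* releases of an already-released object */
static int g_live_objects;          /* allocations not yet released */
static char g_remote[32];           /* the "remote disk", 32 bytes capacity */
static size_t g_remote_used;

static void toy_reset(size_t remote_free_bytes) {
    for (int i = 0; i < g_quarantined; i++) free(g_quarantine[i]);
    g_quarantined = g_double_frees = g_live_objects = 0;
    if (remote_free_bytes > sizeof g_remote) remote_free_bytes = sizeof g_remote;
    g_remote_used = sizeof g_remote - remote_free_bytes;
}

static toy_attrs *toy_attrs_new(size_t size) {
    toy_attrs *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->magic = TOY_LIVE; a->size = size; g_live_objects++;
    return a;
}

static void toy_attrs_free(toy_attrs *a) {
    if (!a) return;
    if (a->magic != TOY_LIVE) { g_double_frees++; return; } /* second release */
    a->magic = TOY_DEAD;
    g_live_objects--;
    if (g_quarantined < 16) g_quarantine[g_quarantined++] = a; else free(a);
}

/* Release helper that also clears the caller's pointer: a repeat is a no-op. */
static void toy_attrs_release(toy_attrs **pa) {
    toy_attrs_free(*pa);
    *pa = NULL;
}

/* Like sftp_write() on a full disk: returns bytes written, or -1 on ENOSPC. */
static int toy_write(const char *buf, size_t len) {
    if (g_remote_used + len > sizeof g_remote) return -1;
    memcpy(g_remote + g_remote_used, buf, len);
    g_remote_used += len;
    return (int)len;
}

/* The shape of the crash: the error branch releases attrs and then falls
 * through into the shared cleanup, which releases the same object again. */
static int put_buggy(const char *data, size_t len) {
    int result = -1;
    toy_attrs *attrs = toy_attrs_new(len);
    if (!attrs) return -1;
    if (toy_write(data, len) < 0) {
        toy_attrs_free(attrs);  /* first release; no early return follows */
    } else {
        result = (int)len;
    }
    toy_attrs_free(attrs);      /* second release on the failure path */
    return result;
}

/* Repair: one cleanup exit, and a release that nulls the pointer. */
static int put_fixed(const char *data, size_t len) {
    int result = -1;
    toy_attrs *attrs = toy_attrs_new(len);
    if (!attrs) return -1;
    if (toy_write(data, len) < 0) goto cleanup;
    result = (int)len;
cleanup:
    toy_attrs_release(&attrs);
    return result;
}

typedef struct { int result; int double_frees; int leaked; } outcome;

/* One put against a remote disk with the given free space; reports what
 * the release detector saw. The payload is constructed sample input. */
static outcome run_put(int use_fixed, size_t remote_free_bytes) {
    static const char payload[] = "save from kate"; /* 14 bytes */
    outcome o;
    toy_reset(remote_free_bytes);
    o.result = use_fixed ? put_fixed(payload, sizeof payload - 1)
                         : put_buggy(payload, sizeof payload - 1);
    o.double_frees = g_double_frees;
    o.leaked = g_live_objects;
    return o;
}

int main(void) {
    for (int fixed = 0; fixed < 2; fixed++)
        for (size_t space = 0; space <= sizeof g_remote; space += sizeof g_remote) {
            outcome o = run_put(fixed, space);
            printf("%s put, %2zu bytes free: result=%3d double_frees=%d leaked=%d\n",
                   fixed ? "fixed" : "buggy", space, o.result, o.double_frees, o.leaked);
        }
    return 0;
}
```

Compile with cc -Wall and run: the buggy put on a full remote disk reports double_frees=1, the fixed one reports 0 with nothing leaked, and both succeed when space is available. The trace also raises a separate question that this toy does not model: the first release goes through operator delete, while libssh is a C library whose attributes objects are meant to be released only through sftp_attributes_free.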