[Bug 257342] New: kded4 is aborted by glibc for a double free in AuthInfo.

Erik Zeek zeekec at mad.scientist.com
Fri Nov 19 17:16:10 GMT 2010


https://bugs.kde.org/show_bug.cgi?id=257342

           Summary: kded4 is aborted by glibc for a double free in AuthInfo.
           Product: kde
           Version: 4.5
          Platform: Unlisted Binaries
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
        AssignedTo: unassigned-bugs at kde.org
        ReportedBy: zeekec at mad.scientist.com


Version:           4.5 (using KDE 4.5.3) 
OS:                Linux

Checking rss feeds in Akregator causes a double free in AuthInfo.  I have some
local feeds that are password protected (all on the same server, all with the
same password) that appear to be triggering this error.

A quick look at AuthInfo shows that it's failing when freeing the PIMPL.  A
possible cause of this is that the PIMPL *pointer* value is being copied in the
assignment operator, not the contents of the pointer (I didn't look at the copy
constructor).  This will lead to multiple objects with the same PIMPL, and
multiple free attempts.  Perhaps the bare pointer can be replaced with a
reference counted one?

Reproducible: Sometimes


Actual Results:  
Application: KDE Daemon (kded4), signal: Aborted
82 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
[KCrash Handler]
#6  0x0000003a560329a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#7  0x0000003a56034185 in abort () at abort.c:92
#8  0x0000003a5606fd5b in __libc_message (do_abort=2, fmt=0x3a561438f8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#9  0x0000003a56075676 in malloc_printerr (action=3, str=0x3a56143c80 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:6283
#10 0x0000003c532ba55d in KIO::AuthInfo::~AuthInfo (this=0x2368440, __in_chrg=<value optimized out>) at /usr/src/debug/kdelibs-4.5.2/kio/kio/authinfo.cpp:128
#11 0x00007f08f93f3fa4 in ~AuthInfoContainer (this=<value optimized out>, key=<value optimized out>, info=...) at /usr/src/debug/kdebase-runtime-4.5.2/kpasswdserver/kpasswdserver.h:81
#12 KPasswdServer::findAuthInfoItem (this=<value optimized out>, key=<value optimized out>, info=...) at /usr/src/debug/kdebase-runtime-4.5.2/kpasswdserver/kpasswdserver.cpp:749
#13 0x00007f08f93f8454 in KPasswdServer::checkAuthInfoAsync (this=0x259edb0, info=..., windowId=0, usertime=<value optimized out>) at /usr/src/debug/kdebase-runtime-4.5.2/kpasswdserver/kpasswdserver.cpp:306
#14 0x00007f08f93fa122 in KPasswdServerAdaptor::checkAuthInfoAsync (this=0x2596f20, info=<value optimized out>, windowId=0, usertime=494612290) at /usr/src/debug/kdebase-runtime-4.5.2/x86_64-redhat-linux-gnu/kpasswdserver/kpasswdserveradaptor.cpp:57
#15 0x00007f08f93fa443 in KPasswdServerAdaptor::qt_metacall (this=0x2596f20, _c=<value optimized out>, _id=5, _a=0x7fffba7993c0) at /usr/src/debug/kdebase-runtime-4.5.2/x86_64-redhat-linux-gnu/kpasswdserver/kpasswdserveradaptor.moc:151
#16 0x0000003a69021eb6 in QDBusConnectionPrivate::deliverCall (this=0x1fa6960, object=0x2596f20, msg=..., metaTypes=..., slotIdx=9) at qdbusintegrator.cpp:904
#17 0x0000003a6902312b in QDBusConnectionPrivate::activateCall (this=0x1fa6960, object=0x2596f20, flags=497, msg=...) at qdbusintegrator.cpp:816
#18 0x0000003a69023b9d in QDBusConnectionPrivate::activateObject (this=0x1fa6960, node=..., msg=..., pathStartPos=<value optimized out>) at qdbusintegrator.cpp:1364
#19 0x0000003a69023e38 in QDBusActivateObjectEvent::placeMetaCall (this=0x25b1d10) at qdbusintegrator.cpp:1477
#20 0x0000003a60962f31 in QObject::event (this=0x259edb0, e=0x25b1d10) at kernel/qobject.cpp:1248
#21 0x0000003a617ab39c in QApplicationPrivate::notify_helper (this=0x1fba510, receiver=0x259edb0, e=0x25b1d10) at kernel/qapplication.cpp:4306
#22 0x0000003a617b165b in QApplication::notify (this=<value optimized out>, receiver=0x259edb0, e=0x25b1d10) at kernel/qapplication.cpp:4189
#23 0x0000003c51c1d126 in KApplication::notify (this=0x7fffba79a130, receiver=0x259edb0, event=0x25b1d10) at /usr/src/debug/kdelibs-4.5.2/kdeui/kernel/kapplication.cpp:310
#24 0x0000003a60953ddc in QCoreApplication::notifyInternal (this=0x7fffba79a130, receiver=0x259edb0, event=0x25b1d10) at kernel/qcoreapplication.cpp:726
#25 0x0000003a60955ed4 in sendEvent (receiver=0x0, event_type=0, data=0x1f83540) at kernel/qcoreapplication.h:215
#26 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x1f83540) at kernel/qcoreapplication.cpp:1367
#27 0x0000003a60979d23 in sendPostedEvents (s=<value optimized out>) at kernel/qcoreapplication.h:220
#28 postEventSourceDispatch (s=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:276
#29 0x0000003a5a03bd02 in g_main_dispatch (context=0x1fbd120) at gmain.c:1960
#30 IA__g_main_context_dispatch (context=0x1fbd120) at gmain.c:2513
#31 0x0000003a5a03fae8 in g_main_context_iterate (context=0x1fbd120, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2591
#32 0x0000003a5a03fc9c in IA__g_main_context_iteration (context=0x1fbd120, may_block=1) at gmain.c:2654
#33 0x0000003a60979863 in QEventDispatcherGlib::processEvents (this=0x1f82c60, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:412
#34 0x0000003a6184a84e in QGuiEventDispatcherGlib::processEvents (this=<value optimized out>, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#35 0x0000003a60952822 in QEventLoop::processEvents (this=<value optimized out>, flags=...) at kernel/qeventloop.cpp:149
#36 0x0000003a60952aec in QEventLoop::exec (this=0x7fffba79a080, flags=...) at kernel/qeventloop.cpp:201
#37 0x0000003a609561bb in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1003
#38 0x0000003c5380ae97 in kdemain (argc=1, argv=0x7fffba79a4f8) at /usr/src/debug/kdelibs-4.5.2/kded/kded.cpp:894
#39 0x0000003a5601ec5d in __libc_start_main (main=0x400800 <main(int, char**)>, argc=1, ubp_av=0x7fffba79a4f8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffba79a4e8) at libc-start.c:226
#40 0x0000000000400739 in _start ()

Expected Results:  
No crash.

I've reported this on Fedora's Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=651476

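The shallow d-pointer copy that the report suspects, written out as an added example. This is not kdelibs code and not the reporter's: the names Private, ShallowAuthInfo, DeepAuthInfo and HeapTracker are stand-ins, and HeapTracker is a hypothetical debugging allocator that quarantines released blocks and counts a second release of the same block instead of aborting, so the condition glibc reports as "double free or corruption (fasttop)" in the backtrace becomes a value the program can check. The buggy class relies on the compiler-generated copy, which copies the pointer; the fixed class deep-copies with copy-and-swap.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the data a d-pointer hides (what a pimpl like AuthInfo's
// would hold). Field names are illustrative, not kdelibs' own.
struct Private {
    std::string url;
    std::string username;
    std::string password;
};

// Hypothetical debugging allocator: released blocks are quarantined so their
// addresses stay unique, and a second release of the same block is counted.
// glibc performs the same check for real and aborts the process instead.
struct HeapTracker {
    std::set<Private*> live;
    std::vector<std::unique_ptr<Private>> quarantine;
    int doubleFrees = 0;

    Private* make(const Private& v) {
        Private* p = new Private(v);
        live.insert(p);
        return p;
    }
    void release(Private* p) {
        if (p == nullptr) return;
        if (live.erase(p) == 0) { ++doubleFrees; return; } // freed once already
        quarantine.emplace_back(p);                        // never reuse address
    }
    ~HeapTracker() { for (Private* p : live) delete p; }   // clean up leaks at exit
};
static HeapTracker g_heap;

// BUGGY: no user-defined copy, so the generated copy constructor and
// operator= copy the pointer value. Two objects then own one Private and
// both destructors release it.
class ShallowAuthInfo {
public:
    ShallowAuthInfo() : d(g_heap.make(Private{})) {}
    ~ShallowAuthInfo() { g_heap.release(d); }
    Private* d;
};

// FIXED: deep copy via copy-and-swap. Every object owns a distinct Private,
// and assignment releases the Private the target owned before.
class DeepAuthInfo {
public:
    DeepAuthInfo() : d(g_heap.make(Private{})) {}
    DeepAuthInfo(const DeepAuthInfo& other) : d(g_heap.make(*other.d)) {}
    DeepAuthInfo& operator=(DeepAuthInfo other) { std::swap(d, other.d); return *this; }
    ~DeepAuthInfo() { g_heap.release(d); }
    Private* d;
};

// Mirrors the shape of the crashing path: a cached entry is assigned into a
// caller-owned object and the temporary is destroyed afterwards.
// Returns {double frees, blocks leaked} as seen by the tracker.
template <class AuthInfo>
static std::pair<int, int> copyThenDestroy() {
    g_heap.doubleFrees = 0;
    const std::size_t liveBefore = g_heap.live.size();
    {
        AuthInfo cached;
        cached.d->password = "hunter2";   // constructed sample data
        AuthInfo result;
        result = cached;                  // shallow: result.d == cached.d afterwards
    }                                     // result, then cached, are destroyed
    const int leaked = static_cast<int>(g_heap.live.size() - liveBefore);
    return {g_heap.doubleFrees, leaked};
}

std::pair<int, int> shallowCopyOutcome() { return copyThenDestroy<ShallowAuthInfo>(); }
std::pair<int, int> deepCopyOutcome()    { return copyThenDestroy<DeepAuthInfo>(); }

// With deep copies, editing one object never touches the other's data.
bool deepCopiesAreIndependent() {
    DeepAuthInfo a;
    a.d->password = "hunter2";
    DeepAuthInfo b = a;
    b.d->password = "changed";
    return a.d != b.d && a.d->password == "hunter2" && b.d->password == "changed";
}

int main() {
    assert(shallowCopyOutcome() == std::make_pair(1, 1)); // one double free, one leak
    assert(deepCopyOutcome() == std::make_pair(0, 0));
    assert(deepCopiesAreIndependent());
    return 0;
}
```

The shallow variant reproduces both consequences of copying the pointer rather than its contents: the two objects share one Private, so the second destructor releases a block that is already gone (the double free), and the Private that result owned before the assignment is never released (a leak). A reference-counted d-pointer, which the report suggests, is the other standard fix: every copy shares one Private and only the last owner releases it, which is what Qt's QSharedDataPointer provides. The deep copy shown here is the simpler route when the object does not need to be implicitly shared.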