[kdf] [Bug 356352] New: use-after-free on closing kdf having right-clicked on a device
Santhiar via KDE Bugzilla
bugzilla_noreply at kde.org
Mon Dec 7 05:25:56 GMT 2015
https://bugs.kde.org/show_bug.cgi?id=356352
Bug ID: 356352
Summary: use-after-free on closing kdf having right-clicked on a device
Product: kdf
Version: v0.15
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-bugs at kde.org
Reporter: santhiar.anirudh at gmail.com
Opening kdf, and closing it while the menu displayed on right-clicking on a device is still open, results in a use-after-free bug.
Reproducible: Always
Steps to Reproduce:
1. Open kdf
2. Issue "sleep 5; qdbus `qdbus | grep kdf` /kdf/MainWindow_1/actions/file_quit trigger" from a terminal
3. Switch back to kdf immediately, and right click on a device, causing a menu to be displayed
Actual Results:
Application closes smoothly
Expected Results:
Use-after-free bug
To exhibit this bug, a version of kdf built using address sanitizer is required
(http://clang.llvm.org/docs/AddressSanitizer.html)
AddressSanitizer reports the following stack:
=================================================================
==27385==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000cb8
at pc 0x48c15c bp 0x7fff75a28d00 sp 0x7fff75a28cf8
WRITE of size 1 at 0x610000000cb8 thread T0
#0 0x48c15b in DiskList::setUpdatesDisabled(bool)
(KDE/install-asan/bin/kdf+0x48c15b)
#1 0x46637d in KDFWidget::contextMenuRequested(QPoint const&)
(KDE/install-asan/bin/kdf+0x46637d)
#2 0x468bf1 in KDFWidget::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**) (KDE/install-asan/bin/kdf+0x468bf1)
#3 0x7fb9c9064336 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255336)
#4 0x7fb9c7e434be in QWidget::customContextMenuRequested(QPoint const&)
(qt4/lib/libQtGui.so.4+0x2c04be)
#5 0x7fb9c7e4213c in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2bf13c)
#6 0x7fb9c84386fc in QFrame::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8b56fc)
#7 0x7fb9c850f6fb in QAbstractScrollArea::viewportEvent(QEvent*)
(qt4/lib/libQtGui.so.4+0x98c6fb)
#8 0x7fb9c85f1c98 in QAbstractItemView::viewportEvent(QEvent*)
(qt4/lib/libQtGui.so.4+0xa6ec98)
#9 0x7fb9c86580b0 in QTreeView::viewportEvent(QEvent*)
(qt4/lib/libQtGui.so.4+0xad50b0)
#10 0x7fb9c8510e6e in QAbstractScrollAreaPrivate::viewportEvent(QEvent*)
(qt4/lib/libQtGui.so.4+0x98de6e)
#11 0x7fb9c8510ce4 in QAbstractScrollAreaFilter::eventFilter(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x98dce4)
#12 0x7fb9c903cf2c in
QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22df2c)
#13 0x7fb9c7db8274 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x235274)
#14 0x7fb9c7dbc191 in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x239191)
#15 0x7fb9cb79b340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#16 0x7fb9c903cb15 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22db15)
#17 0x7fb9c7dc2e3e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x23fe3e)
#18 0x7fb9c7e8a475 in QETWidget::translateMouseEvent(_XEvent const*)
(qt4/lib/libQtGui.so.4+0x307475)
#19 0x7fb9c7e85e05 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x302e05)
#20 0x7fb9c7ed0265 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d265)
#21 0x7fb9c9037edb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228edb)
#22 0x7fb9c90381ed in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2291ed)
#23 0x7fb9c903d316 in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22e316)
#24 0x7fb9c7dba335 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237335)
#25 0x4551db in main (KDE/install-asan/bin/kdf+0x4551db)
#26 0x7fb9c634f76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#27 0x45305c in _start (KDE/install-asan/bin/kdf+0x45305c)
0x610000000cb8 is located 120 bytes inside of 192-byte region
[0x610000000c40,0x610000000d00)
freed by thread T0 here:
#0 0x43e67a in operator delete(void*) (KDE/install-asan/bin/kdf+0x43e67a)
#1 0x45eef6 in KDFWidget::~KDFWidget() (KDE/install-asan/bin/kdf+0x45eef6)
#2 0x7fb9c905cb03 in QObjectPrivate::deleteChildren()
(qt4/lib/libQtCore.so.4+0x24db03)
#3 0x7fb9c7e2bf22 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8f22)
#4 0x7fb9c84623f4 in QMainWindow::~QMainWindow()
(qt4/lib/libQtGui.so.4+0x8df3f4)
#5 0x7fb9cbaafb5e in KMainWindow::~KMainWindow()
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
#6 0x7fb9cbbc0ee1 in KXmlGuiWindow::~KXmlGuiWindow()
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
#7 0x4559b3 in KDFTopLevel::~KDFTopLevel()
(KDE/install-asan/bin/kdf+0x4559b3)
#8 0x7fb9c905db6d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24eb6d)
#9 0x7fb9c905d6d7 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24e6d7)
#10 0x7fb9c7e43155 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0155)
#11 0x7fb9c8464d82 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1d82)
#12 0x7fb9cbabb133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
#13 0x7fb9cbbc10b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
#14 0x7fb9c7db829e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23529e)
#15 0x7fb9c7dbe13b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b13b)
#16 0x7fb9cb79b340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#17 0x7fb9c903cb15 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22db15)
#18 0x7fb9c9041279 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x232279)
#19 0x7fb9c903e123 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f123)
#20 0x7fb9c903d087 in QCoreApplication::sendPostedEvents(QObject*, int)
(qt4/lib/libQtCore.so.4+0x22e087)
#21 0x7fb9c7ebf957 in QCoreApplication::sendPostedEvents()
(qt4/lib/libQtGui.so.4+0x33c957)
#22 0x7fb9c7ecfe91 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34ce91)
#23 0x7fb9c9037edb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228edb)
#24 0x7fb9c90381ed in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2291ed)
#25 0x7fb9c84a2dcb in QMenu::exec(QPoint const&, QAction*)
(qt4/lib/libQtGui.so.4+0x91fdcb)
#26 0x465b92 in KDFWidget::contextMenuRequested(QPoint const&)
(KDE/install-asan/bin/kdf+0x465b92)
#27 0x468bf1 in KDFWidget::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**) (KDE/install-asan/bin/kdf+0x468bf1)
#28 0x7fb9c9064336 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255336)
#29 0x7fb9c7e434be in QWidget::customContextMenuRequested(QPoint const&)
(qt4/lib/libQtGui.so.4+0x2c04be)
previously allocated by thread T0 here:
#0 0x43e3fa in operator new(unsigned long)
(KDE/install-asan/bin/kdf+0x43e3fa)
#1 0x453525 in KDFTopLevel::KDFTopLevel(QWidget*)
(KDE/install-asan/bin/kdf+0x453525)
#2 0x455190 in main (KDE/install-asan/bin/kdf+0x455190)
#3 0x7fb9c634f76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0
DiskList::setUpdatesDisabled(bool)
==27385==ABORTING
Right-clicking on the menu spins a nested event loop, and closing the
application causes a free in the nested context, and this memory is used
subsequently.
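The pattern the paragraph above describes, as an added C++ illustration that is not kdf's own code: a nested event loop (QMenu::exec() in the report) drains a deferred delete of the widget whose slot is still running, so the slot must re-check the widget's lifetime before touching members after the loop returns. EventQueue and App are assumed stand-ins for Qt's event queue and the KDFTopLevel owner, and std::weak_ptr stands in for Qt's QPointer guard.

```cpp
#include <functional>
#include <memory>
#include <vector>

struct DiskList {
    bool updatesDisabled = false;
    void setUpdatesDisabled(bool v) { updatesDisabled = v; }
};

// Assumed stand-in for the Qt event queue: posted events (deleteLater, the
// file_quit trigger) run whenever some loop drains the queue, including the
// nested loop a modal context menu spins.
struct EventQueue {
    std::vector<std::function<void()>> posted;
    void processEvents() {
        auto pending = std::move(posted);
        posted.clear();
        for (auto& ev : pending) ev();
    }
};

struct KDFWidget {
    DiskList list;
    std::shared_ptr<int> lifetime = std::make_shared<int>(0); // QPointer stand-in
    std::weak_ptr<int> guard() const { return lifetime; }      // expires on delete
};

// Assumed owner, playing the role of KDFTopLevel: quitting posts a deferred
// delete of the widget, which the nested menu loop will process.
struct App {
    EventQueue queue;
    std::unique_ptr<KDFWidget> widget = std::make_unique<KDFWidget>();
    void postQuit() { queue.posted.push_back([this] { widget.reset(); }); }
};

// Hardened shape of the contextMenuRequested slot: take a lifetime guard before
// the nested loop and re-check it afterwards. Returns whether the post-menu
// update was applied (false means the widget died inside the nested loop).
bool contextMenuRequested(App& app) {
    KDFWidget* self = app.widget.get();
    std::weak_ptr<int> guard = self->guard();
    self->list.setUpdatesDisabled(true);
    app.queue.processEvents();          // QMenu::exec(): quit may run in here
    if (guard.expired()) return false;  // without this check: the ASan write above
    self->list.setUpdatesDisabled(false);
    return true;
}
```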