Bug 226449

Summary: Security problem - repeatedly pressing the 'return' key when the screen is locked will unlock without needing a password, or will hang kscreenlocker
Product: kscreensaver
Reporter: Steven Gilberd <steve>
Component: general
Assignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED DUPLICATE
Severity: crash
CC: akurei, esigra, mitchell, mpyne, ossi, plasma-bugs, security
Priority: HI
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:

Description Steven Gilberd 2010-02-12 04:19:34 UTC
Version:            (using KDE 4.4.0)
Compiler:          gcc (Gentoo 4.4.3 p1.0) 4.4.3, x86_64 Compiler was compiled by gcc-4.4.3, with -O2 -march=native for Intel C2D E8400. KDE was also compiled as -O2 -march=native, for the same CPU.
OS:                Linux
Installed from:    Compiled From Sources

Problem:
Repeatedly pressing the 'return' key at the lock screen will either unlock the system and allow full access (security problem), or will cause kscreenlocker to hang with a blank dialog box containing no content and no buttons.

Pressing approx twice per second unlocks the screen.
Pressing very quickly (many times per second) results in a hang.

Expected behavior:
Pressing return should present an 'unlocking failed' message; pressing return repeatedly should continue to display the message until the user stops harassing it.

Steps to reproduce the unlock:
1. Lock the screen
2. Slowly press the 'return' key a couple of times per second - the screen will unlock after 5-8 presses.

Steps to reproduce the hang:
1. Lock the screen
2. Hammer the return key very quickly, many times per second. Kscreenlocker will hang after a few seconds.
Comment 1 Michael Pyne 2010-02-12 04:44:51 UTC
I can confirm that kscreenlocker can crash and release its lock on the screen, but I had to hold down the Return key. Backtrace follows (current trunk):

Application: KDE Screen Locker (kscreenlocker), signal: Segmentation fault
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib64/libgobject-2.0.so.0.2200.4-gdb.py", line 9, in <module>
    from gobject import register
  File "/usr/share/glib-2.0/gdb/gobject.py", line 3, in <module>
    import gdb.backtrace
ImportError: No module named backtrace
The current source language is "auto; currently asm".
[KCrash Handler]
#5  0x00007f5d2da33756 in QSocketNotifier::setEnabled (this=0x23bfb50, enable=false) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qsocketnotifier.cpp:293
#6  0x000000000041e184 in PasswordDlg::reapVerify (this=0x7fff621893f0) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/lockdlg.cc:318
#7  0x000000000041e6c5 in PasswordDlg::handleVerify (this=0x7fff621893f0) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/lockdlg.cc:393
#8  0x000000000041fed4 in PasswordDlg::qt_metacall (this=0x7fff621893f0, _c=QMetaObject::InvokeMetaMethod, _id=5, _a=0x7fff62188640)
    at /home/kde-svn/kde4/build/kdebase/workspace/krunner/lock/lockdlg.moc:86
#9  0x00007f5d2da14641 in QMetaObject::metacall (object=0x7fff621893f0, cl=QMetaObject::InvokeMetaMethod, idx=78, argv=0x7fff62188640)
    at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qmetaobject.cpp:237
#10 0x00007f5d2da2a9c5 in QMetaObject::activate (sender=0x23a73b0, m=0x7f5d2dd89b00, local_signal_index=0, argv=0x7fff62188640) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qobject.cpp:3275
#11 0x00007f5d2da91c36 in QSocketNotifier::activated (this=0x23a73b0, _t1=14) at .moc/debug-shared/moc_qsocketnotifier.cpp:89
#12 0x00007f5d2da33a67 in QSocketNotifier::event (this=0x23a73b0, e=0x7fff62188f20) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qsocketnotifier.cpp:317
#13 0x00007f5d2e6b36ee in QApplicationPrivate::notify_helper (this=0x20b0350, receiver=0x23a73b0, e=0x7fff62188f20) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qapplication.cpp:4298
#14 0x00007f5d2e6b0b94 in QApplication::notify (this=0x7fff6218a8a0, receiver=0x23a73b0, e=0x7fff62188f20) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qapplication.cpp:3702
#15 0x00007f5d2f6ff316 in KApplication::notify (this=0x7fff6218a8a0, receiver=0x23a73b0, event=0x7fff62188f20) at /home/kde-svn/kde4/kdelibs/kdeui/kernel/kapplication.cpp:302
#16 0x00007f5d2da0c616 in QCoreApplication::notifyInternal (this=0x7fff6218a8a0, receiver=0x23a73b0, event=0x7fff62188f20) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qcoreapplication.cpp:704
#17 0x00007f5d2da10587 in QCoreApplication::sendEvent (receiver=0x23a73b0, event=0x7fff62188f20) at ../../include/QtCore/../../../../qt-copy/src/corelib/kernel/qcoreapplication.h:215
#18 0x00007f5d2da47c20 in socketNotifierSourceDispatch (source=0x20b40f0) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:110
#19 0x000000375cc3a21e in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#20 0x000000375cc3a40e in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0x000000375cc3c8d7 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#22 0x000000375cc3c9fb in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#23 0x00007f5d2da49387 in QEventDispatcherGlib::processEvents (this=0x2098400, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:412
#24 0x00007f5d2e799f00 in QGuiEventDispatcherGlib::processEvents (this=0x2098400, flags=...) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:204
#25 0x00007f5d2da0961c in QEventLoop::processEvents (this=0x7fff62189280, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventloop.cpp:149
#26 0x00007f5d2da09771 in QEventLoop::exec (this=0x7fff62189280, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventloop.cpp:201
#27 0x00007f5d2ed0e291 in QDialog::exec (this=0x7fff621893f0) at /home/kde-svn/kde4/qt-copy/src/gui/dialogs/qdialog.cpp:530
#28 0x0000000000415902 in LockProcess::execDialog (this=0x7fff6218a730, dlg=0x7fff621893f0) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/lockprocess.cc:1239
#29 0x000000000041506c in LockProcess::checkPass (this=0x7fff6218a730) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/lockprocess.cc:1127
#30 0x0000000000415cfa in LockProcess::x11Event (this=0x7fff6218a730, event=0x7fff6218a2b0) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/lockprocess.cc:1309
#31 0x00007f5d2f6feb56 in KAppX11HackWidget::publicx11Event (this=<value optimized out>, _event=0x7fff6218a2b0) at /home/kde-svn/kde4/kdelibs/kdeui/kernel/kapplication.cpp:903
#32 KApplication::x11EventFilter (this=<value optimized out>, _event=0x7fff6218a2b0) at /home/kde-svn/kde4/kdelibs/kdeui/kernel/kapplication.cpp:953
#33 0x000000000042253e in MyApp::x11EventFilter (this=0x7fff6218a8a0, ev=0x7fff6218a2b0) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/main.cc:53
#34 0x00007f5d2e74dd71 in qt_x11EventFilter (ev=0x7fff6218a2b0) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qapplication_x11.cpp:399
#35 0x00007f5d2e75dc74 in QApplication::x11ProcessEvent (this=0x7fff6218a8a0, event=0x7fff6218a2b0) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qapplication_x11.cpp:3231
#36 0x00007f5d2e7997f7 in x11EventSourceDispatch (s=0x20b42b0, callback=0, user_data=0x0) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:146
#37 0x000000375cc3a21e in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#38 0x000000375cc3a40e in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#39 0x000000375cc3c8d7 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#40 0x000000375cc3c9fb in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#41 0x00007f5d2da49387 in QEventDispatcherGlib::processEvents (this=0x2098400, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:412
#42 0x00007f5d2e799f00 in QGuiEventDispatcherGlib::processEvents (this=0x2098400, flags=...) at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:204
#43 0x00007f5d2da0961c in QEventLoop::processEvents (this=0x7fff6218a6b0, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventloop.cpp:149
#44 0x00007f5d2da09771 in QEventLoop::exec (this=0x7fff6218a6b0, flags=...) at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qeventloop.cpp:201
#45 0x00007f5d2da0cd12 in QCoreApplication::exec () at /home/kde-svn/kde4/qt-copy/src/corelib/kernel/qcoreapplication.cpp:981
#46 0x00007f5d2e6b0706 in QApplication::exec () at /home/kde-svn/kde4/qt-copy/src/gui/kernel/qapplication.cpp:3577
#47 0x0000000000423205 in main (argc=2, argv=0x7fff6218ad08) at /home/kde-svn/kde4/kdebase/workspace/krunner/lock/main.cc:173
Comment 2 Michael Pyne 2010-02-12 04:48:46 UTC
Adding a CC: for Oswald's expertise.
Comment 3 Jeff Mitchell 2010-02-12 05:48:40 UTC
I've verified this too. I took a quick look at the code. If you hold down the Enter key at the prompt, you'll see the "hang" described, but if you then check the list of processes you'll see many kcheckpass processes. It seems possible that there is a race condition between when the socket notifier sNot is created and deleted. The many Enter key presses cause the gplugStart function to be run many times, forking off new kcheckpass processes and changing the value of sNot such that only the last process created is communicated with. Then the rest are left in a parentless state, creating the "hang". If I'm right about this, something similar could be going on that causes the crash, depending on the timing of the sNot deletion and re-initialization.
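The following is an added illustration, not kscreenlocker code and not from any of the commenters: it models the invariant that comment 3 suspects was broken, namely that the prompt should have at most one verification helper (and its socket notifier) in flight at a time. The class and function names (`PasswordPrompt`, `Verifier`, `onReturnPressed`, `onVerifierResult`) are hypothetical stand-ins for the real `PasswordDlg`, `gplugStart` and `sNot`. It contrasts the naive path, where every Return press launches a new helper and overwrites the handle so earlier helpers become unreachable, with a guarded path that ignores presses while a verification is running. As an additional defensive choice that the page does not attribute to the actual fix, the result handler only accepts a verdict from the helper it is currently waiting on.

```cpp
// Added illustration, not kscreenlocker code: a minimal model of the
// "one verifier in flight at a time" invariant from comment 3's hypothesis.
// All class and function names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Stands in for one forked password-check helper together with the socket
// notifier that watches its result pipe.
struct Verifier {
    int id = 0;
    bool reaped = false;   // set once the prompt has consumed its result
};

class PasswordPrompt {
public:
    explicit PasswordPrompt(bool guarded) : guarded_(guarded) {}

    // One Return press. Returns true if a new helper was launched.
    bool onReturnPressed() {
        if (guarded_ && inflight_) {
            return false;  // hardened: a verification is already running, ignore the press
        }
        // Naive path: every press launches a helper and overwrites the handle,
        // so any helper still running is no longer reachable from the prompt.
        auto v = std::make_shared<Verifier>();
        v->id = ++nextId_;
        all_.push_back(v);
        inflight_ = v;
        return true;
    }

    // Result arriving from helper `id`. Returns true only when the prompt
    // accepts it as a successful unlock.
    bool onVerifierResult(int id, bool ok) {
        for (auto& v : all_) {
            if (v->id == id) v->reaped = true;
        }
        // Only the helper we are currently waiting on may decide the outcome;
        // a verdict from any other helper is stale and is dropped.
        if (!inflight_ || inflight_->id != id) return false;
        inflight_.reset();
        return ok;
    }

    std::size_t launched() const { return all_.size(); }

    // Helpers that were started, never reaped, and are no longer the one the
    // prompt is waiting on: the "parentless" processes described in comment 3.
    std::size_t orphaned() const {
        std::size_t n = 0;
        for (const auto& v : all_) {
            if (!v->reaped && v != inflight_) ++n;
        }
        return n;
    }

private:
    bool guarded_;
    int nextId_ = 0;
    std::shared_ptr<Verifier> inflight_;
    std::vector<std::shared_ptr<Verifier>> all_;
};

// Presses Return `presses` times before any helper has answered and reports
// how many helpers ended up orphaned.
std::size_t orphansAfterBurst(bool guarded, int presses) {
    PasswordPrompt p(guarded);
    for (int i = 0; i < presses; ++i) p.onReturnPressed();
    return p.orphaned();
}

// A helper that is no longer the current one reporting success must not unlock.
bool staleSuccessUnlocks() {
    PasswordPrompt p(/*guarded=*/false);
    p.onReturnPressed();                 // helper 1
    p.onReturnPressed();                 // helper 2 replaces it in the naive path
    return p.onVerifierResult(1, true);  // helper 1's verdict is stale
}

// Once the current helper has answered, the guarded prompt accepts a new press.
bool guardedAcceptsPressAfterResult() {
    PasswordPrompt p(/*guarded=*/true);
    p.onReturnPressed();                 // helper 1
    p.onVerifierResult(1, false);        // wrong password, prompt is idle again
    return p.onReturnPressed();
}

int main() {
    std::printf("naive, 6 presses: %zu orphaned\n", orphansAfterBurst(false, 6));
    std::printf("guarded, 6 presses: %zu orphaned\n", orphansAfterBurst(true, 6));
    std::printf("stale success unlocks: %s\n", staleSuccessUnlocks() ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the naive prompt leaves five of six helpers orphaned after a six-press burst while the guarded prompt leaves none; this is the shape of the check a reviewer would look for in the real `gplugStart` path.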
Comment 4 Oswald Buddenhagen 2010-02-12 09:24:19 UTC
now, that makes some sense :)

*** This bug has been marked as a duplicate of bug 217882 ***
Comment 5 Michael Düll 2010-02-12 17:16:15 UTC
This is not a duplicate of bug 217882. It also happens if one did not return from suspend.
Comment 6 Michael Düll 2010-02-12 17:19:35 UTC
(In reply to comment #5)
> This is not a duplicate of bug 217882. It also happens, if one did not return
> from suspend.

Please reopen the bug... This bug makes it impossible to leave the laptop for a while.
Comment 7 Jeff Mitchell 2010-02-12 17:48:22 UTC
It's the same stack trace. He's just getting the error a slightly different way.