Bug 284818 - Part 1 of the MASTERCRASH created by ToBeFree
Status: RESOLVED DUPLICATE of bug 271889
Alias: None
Product: kscreensaver
Classification: Miscellaneous
Component: locker
Version: 2.0
Platform: Ubuntu Linux
Importance: NOR crash
Target Milestone: ---
Assignee: kscreensaver bugs tracking
Reported: 2011-10-23 21:41 UTC by Unknown
Modified: 2011-10-25 02:46 UTC

Description Unknown 2011-10-23 21:41:27 UTC
Application: kscreenlocker (2.0)
KDE Platform Version: 4.7.2 (4.7.2)
Qt Version: 4.7.4
Operating System: Linux 3.0.0-13-generic x86_64
Distribution: Ubuntu 11.10

-- Information about the crash:
And it is not even hard.

You just have to run BleachBit (bleachbit-cli on another session WILL work) with all options (because I do not know which option is the one that kills everything).
Every program you start after the cleanup and every program running at the moment will CRASH. This also works if you are another, evil, user running bleachbit-cli on ssh to kill the KDE-screenlock of another user using the KDE desktop environment.

How to reconstruct the bug:
1. Lock the screen
2. Press Ctrl+Alt+F1 (or whatever).
3. login as any user
4. run bleachbit-cli with all options
5. return to Ctrl+Alt+F7 and move your mouse
6. The screen lock and every program protecting the session CRASHES!

I could not believe that it works, but it does. And it also works on other computers I use to test this.
You do not have to run bleachbit as root. I am sure that it will also work if you login per ssh. Try it! O.O

This is the first program which crashed. To report the other ones, I need the debug symbols - and apt-get keeps crashing. xD

-- END OF PART 1 --

The crash can be reproduced every time.

-- Backtrace:
Application: KDE-Bildschirmsperre (kscreenlocker), signal: Bus error
[Current thread is 1 (Thread 0x7f937c88a7c0 (LWP 2099))]

Thread 2 (Thread 0x7f9360337700 (LWP 2102)):
#0  0x00007f9379545773 in __GI___poll (fds=<optimized out>, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f9374516f68 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f9374517429 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f937a98cf3e in QEventDispatcherGlib::processEvents (this=0x97d3c0, flags=<optimized out>) at kernel/qeventdispatcher_glib.cpp:424
#4  0x00007f937a960cf2 in QEventLoop::processEvents (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:149
#5  0x00007f937a960ef7 in QEventLoop::exec (this=0x7f9360336cd0, flags=...) at kernel/qeventloop.cpp:201
#6  0x00007f937a87827f in QThread::exec (this=<optimized out>) at thread/qthread.cpp:498
#7  0x00007f937a943cbf in QInotifyFileSystemWatcherEngine::run (this=0xb8fd70) at io/qfilesystemwatcher_inotify.cpp:248
#8  0x00007f937a87ad05 in QThreadPrivate::start (arg=0xb8fd70) at thread/qthread_unix.cpp:331
#9  0x00007f937b48056c in ?? () from /usr/lib/nvidia-current/libGL.so.1
#10 0x00007f9375031efc in start_thread (arg=0x7f9360337700) at pthread_create.c:304
#11 0x00007f937955189d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f937c88a7c0 (LWP 2099)):
[KCrash Handler]
#6  0x00007f937b1486f7 in lock (this=0x867450) at ../../kdecore/util/kshareddatacache.cpp:1123
#7  KSharedDataCache::Private::CacheLocker::cautiousLock (this=0x7fffaca77b30) at ../../kdecore/util/kshareddatacache.cpp:1146
#8  0x00007f937b144959 in CacheLocker (_d=<optimized out>, this=0x7fffaca77b30) at ../../kdecore/util/kshareddatacache.cpp:1170
#9  KSharedDataCache::find (this=0x83d3f0, key=..., destination=0x7fffaca77c00) at ../../kdecore/util/kshareddatacache.cpp:1492
#10 0x00007f937c01ddd9 in KIconLoaderPrivate::findCachedPixmapWithPath (this=0x845f80, key=..., data=..., path=...) at ../../kdeui/icons/kiconloader.cpp:860
#11 0x00007f937c01e0f1 in KIconLoader::loadIcon (this=0x82d2b0, _name=<optimized out>, group=KIconLoader::Desktop, size=16, state=1, overlays=..., path_store=0x0, canReturnNull=false) at ../../kdeui/icons/kiconloader.cpp:1222
#12 0x00007f937c01599f in KIconEngine::pixmap (this=<optimized out>, size=..., mode=<optimized out>, state=<optimized out>) at ../../kdeui/icons/kiconengine.cpp:104
#13 0x00007f9379dbc0a5 in QIcon::pixmap (this=<optimized out>, size=<optimized out>, mode=<optimized out>, state=<optimized out>) at image/qicon.cpp:676
#14 0x00007f936f792f45 in Oxygen::Style::drawPushButtonLabelControl (this=0x7a84c0, option=0x7fffaca78510, painter=0x7fffaca78e70) at ../../../kstyles/oxygen/oxygenstyle.cpp:5073
#15 0x00007f936f77c624 in Oxygen::Style::drawControl (this=0x7a84c0, element=QStyle::CE_PushButtonLabel, option=0x7fffaca78510, painter=0x7fffaca78e70, widget=0x9777a0) at ../../../kstyles/oxygen/oxygenstyle.cpp:1119
#16 0x00007f937a01eeaa in QCommonStyle::drawControl (this=0x7a84c0, element=QStyle::CE_PushButton, opt=0x7fffaca78e10, p=0x7fffaca78e70, widget=0x9777a0) at styles/qcommonstyle.cpp:1211
#17 0x00007f936f77c5b5 in Oxygen::Style::drawControl (this=0x7a84c0, element=QStyle::CE_PushButton, option=0x7fffaca78e10, painter=0x7fffaca78e70, widget=0x9777a0) at ../../../kstyles/oxygen/oxygenstyle.cpp:1120
#18 0x00007f937c13d302 in drawControl (opt=..., ce=QStyle::CE_PushButton, this=0x7fffaca78e70) at /usr/include/qt4/QtGui/qstylepainter.h:89
#19 KPushButton::paintEvent (this=0x9777a0) at ../../kdeui/widgets/kpushbutton.cpp:382
#20 0x00007f9379d62c4c in QWidget::event (this=0x9777a0, event=0x7fffaca79490) at kernel/qwidget.cpp:8441
#21 0x00007f9379d12424 in notify_helper (e=0x7fffaca79490, receiver=0x9777a0, this=0x762da0) at kernel/qapplication.cpp:4486
#22 QApplicationPrivate::notify_helper (this=0x762da0, receiver=0x9777a0, e=0x7fffaca79490) at kernel/qapplication.cpp:4458
#23 0x00007f9379d17291 in QApplication::notify (this=0x7fffaca7d370, receiver=0x9777a0, e=0x7fffaca79490) at kernel/qapplication.cpp:4365
#24 0x00007f937c06f126 in KApplication::notify (this=0x7fffaca7d370, receiver=0x9777a0, event=0x7fffaca79490) at ../../kdeui/kernel/kapplication.cpp:311
#25 0x00007f937a961afc in QCoreApplication::notifyInternal (this=0x7fffaca7d370, receiver=0x9777a0, event=0x7fffaca79490) at kernel/qcoreapplication.cpp:787
#26 0x00007f9379d5fb84 in sendSpontaneousEvent (event=0x7fffaca79490, receiver=0x9777a0) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#27 QWidgetPrivate::drawWidget (this=0xc92880, pdev=0x9746f0, rgn=..., offset=..., flags=4, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5528
#28 0x00007f9379d60760 in QWidgetPrivate::paintSiblingsRecursive (this=0x98bef0, pdev=0x9746f0, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=4, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5735
#29 0x00007f9379d60640 in QWidgetPrivate::paintSiblingsRecursive (this=0x98bef0, pdev=0x9746f0, siblings=..., index=6, rgn=..., offset=..., flags=4, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5722
#30 0x00007f9379d5f8dc in QWidgetPrivate::drawWidget (this=0x98bef0, pdev=0x9746f0, rgn=..., offset=..., flags=<optimized out>, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5581
#31 0x00007f9379d60760 in QWidgetPrivate::paintSiblingsRecursive (this=0x9a3f00, pdev=0x9746f0, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=4, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5735
#32 0x00007f9379d5f8dc in QWidgetPrivate::drawWidget (this=0x9a3f00, pdev=0x9746f0, rgn=..., offset=..., flags=<optimized out>, sharedPainter=0x0, backingStore=0xcce130) at kernel/qwidget.cpp:5581
#33 0x00007f9379f231b3 in QWidgetBackingStore::sync (this=0xcce130) at painting/qbackingstore.cpp:1338
#34 0x00007f9379d56360 in QWidgetPrivate::syncBackingStore (this=0x9a3f00) at kernel/qwidget.cpp:1862
#35 0x00007f9379d6315c in QWidget::event (this=0x7fffaca7bf10, event=0x7fffaca7a9a0) at kernel/qwidget.cpp:8588
#36 0x00007f9379d12424 in notify_helper (e=0x7fffaca7a9a0, receiver=0x7fffaca7bf10, this=0x762da0) at kernel/qapplication.cpp:4486
#37 QApplicationPrivate::notify_helper (this=0x762da0, receiver=0x7fffaca7bf10, e=0x7fffaca7a9a0) at kernel/qapplication.cpp:4458
#38 0x00007f9379d17291 in QApplication::notify (this=0x7fffaca7d370, receiver=0x7fffaca7bf10, e=0x7fffaca7a9a0) at kernel/qapplication.cpp:4365
#39 0x00007f937c06f126 in KApplication::notify (this=0x7fffaca7d370, receiver=0x7fffaca7bf10, event=0x7fffaca7a9a0) at ../../kdeui/kernel/kapplication.cpp:311
#40 0x00007f937a961afc in QCoreApplication::notifyInternal (this=0x7fffaca7d370, receiver=0x7fffaca7bf10, event=0x7fffaca7a9a0) at kernel/qcoreapplication.cpp:787
#41 0x00007f9379f1fb38 in sendEvent (event=0x7fffaca7a9a0, receiver=0x7fffaca7bf10) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#42 sendUpdateRequest (updateImmediately=true, widget=0x7fffaca7bf10) at painting/qbackingstore.cpp:507
#43 QWidgetBackingStore::markDirty (this=0xcce130, rect=<optimized out>, widget=<optimized out>, updateImmediately=true, invalidateBuffer=false) at painting/qbackingstore.cpp:695
#44 0x00007f9379d55af8 in repaint (rect=..., this=0x9777a0) at kernel/qwidget.cpp:10361
#45 QWidget::repaint (this=0x9777a0, rect=...) at kernel/qwidget.cpp:10345
#46 0x00007f9379d55bb3 in QWidget::repaint (this=<optimized out>) at kernel/qwidget.cpp:10317
#47 0x00007f937a0c9bff in QAbstractButton::mousePressEvent (this=0x9777a0, e=0x7fffaca7b1c0) at widgets/qabstractbutton.cpp:1094
#48 0x00007f9379d62f79 in QWidget::event (this=0x9777a0, event=0x7fffaca7b1c0) at kernel/qwidget.cpp:8291
#49 0x00007f9379d12424 in notify_helper (e=0x7fffaca7b1c0, receiver=0x9777a0, this=0x762da0) at kernel/qapplication.cpp:4486
#50 QApplicationPrivate::notify_helper (this=0x762da0, receiver=0x9777a0, e=0x7fffaca7b1c0) at kernel/qapplication.cpp:4458
#51 0x00007f9379d17c6b in QApplication::notify (this=<optimized out>, receiver=0x9777a0, e=0x7fffaca7b1c0) at kernel/qapplication.cpp:4047
#52 0x00007f937c06f126 in KApplication::notify (this=0x7fffaca7d370, receiver=0x9777a0, event=0x7fffaca7b1c0) at ../../kdeui/kernel/kapplication.cpp:311
#53 0x00007f937a961afc in QCoreApplication::notifyInternal (this=0x7fffaca7d370, receiver=0x9777a0, event=0x7fffaca7b1c0) at kernel/qcoreapplication.cpp:787
#54 0x00007f9379d133f2 in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#55 QApplicationPrivate::sendMouseEvent (receiver=0x9777a0, event=0x7fffaca7b1c0, alienWidget=0x9777a0, nativeWidget=0x7fffaca7bf10, buttonDown=0x9777a0, lastMouseReceiver=..., spontaneous=true) at kernel/qapplication.cpp:3146
#56 0x00007f9379d92945 in QETWidget::translateMouseEvent (this=0x7fffaca7bf10, event=<optimized out>) at kernel/qapplication_x11.cpp:4568
#57 0x00007f9379d918be in QApplication::x11ProcessEvent (this=0x7fffaca7d370, event=0x7fffaca7b9e0) at kernel/qapplication_x11.cpp:3690
#58 0x00007f9379dba412 in x11EventSourceDispatch (s=0x761630, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#59 0x00007f9374516a5d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#60 0x00007f9374517258 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#61 0x00007f9374517429 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#62 0x00007f937a98ced6 in QEventDispatcherGlib::processEvents (this=0x723cd0, flags=<optimized out>) at kernel/qeventdispatcher_glib.cpp:422
#63 0x00007f9379dba07e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=<optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#64 0x00007f937a960cf2 in QEventLoop::processEvents (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:149
#65 0x00007f937a960ef7 in QEventLoop::exec (this=0x7fffaca7bdb0, flags=...) at kernel/qeventloop.cpp:201
#66 0x00007f937a1c9216 in QDialog::exec (this=0x7fffaca7bf10) at dialogs/qdialog.cpp:552
#67 0x0000000000414758 in LockProcess::execDialog (this=0x7fffaca7d1c0, dlg=0x7fffaca7bf10) at ../../../krunner/lock/lockprocess.cc:1290
#68 0x0000000000415d1f in LockProcess::checkPass (this=0x7fffaca7d1c0) at ../../../krunner/lock/lockprocess.cc:1178
#69 0x0000000000417912 in LockProcess::x11Event (this=0x7fffaca7d1c0, event=0x7fffaca7cd80) at ../../../krunner/lock/lockprocess.cc:1387
#70 0x00007f937c0716d6 in publicx11Event (e=0x7fffaca7cd80, this=<optimized out>) at ../../kdeui/kernel/kapplication.cpp:918
#71 KApplication::x11EventFilter (this=<optimized out>, _event=0x7fffaca7cd80) at ../../kdeui/kernel/kapplication.cpp:930
#72 0x00007f9379d81a55 in qt_x11EventFilter (ev=0x7fffaca7cd80) at kernel/qapplication_x11.cpp:440
#73 qt_x11EventFilter (ev=0x7fffaca7cd80) at kernel/qapplication_x11.cpp:428
#74 0x00007f9379d90c90 in QApplication::x11ProcessEvent (this=0x7fffaca7d370, event=0x7fffaca7cd80) at kernel/qapplication_x11.cpp:3402
#75 0x00007f9379dba412 in x11EventSourceDispatch (s=0x761630, callback=0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#76 0x00007f9374516a5d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#77 0x00007f9374517258 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#78 0x00007f9374517429 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#79 0x00007f937a98ced6 in QEventDispatcherGlib::processEvents (this=0x723cd0, flags=<optimized out>) at kernel/qeventdispatcher_glib.cpp:422
#80 0x00007f9379dba07e in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=<optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#81 0x00007f937a960cf2 in QEventLoop::processEvents (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:149
#82 0x00007f937a960ef7 in QEventLoop::exec (this=0x7fffaca7d150, flags=...) at kernel/qeventloop.cpp:201
#83 0x00007f937a965789 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1064
#84 0x000000000040eee4 in main (argc=<optimized out>, argv=0x7fffaca7d858) at ../../../krunner/lock/main.cc:198

Possible duplicates by query: bug 284770.

Reported using DrKonqi
Comment 1 Unknown 2011-10-24 06:33:56 UTC
I found out which option causes the bug. It is:

bleachbit -d kde.cache
Comment 3 Oswald Buddenhagen 2011-10-24 07:50:03 UTC
it would seem that KSharedDataCache shares a bit too much ... like, with other users. :}
alternatively, the problem could be also in a higher layer, like KIconLoader. though that would be bizarre. "where full" instead of "bt" in the debugger could help with that.
or you found a kernel bug.
are you *sure* the files of the two users weren't (sym-)linked in any way?
did you isolate which option made apt-get crash?

as this is a security-sensitive matter, i would expect a bit more discretion next time. please inform yourself about responsible disclosure.
Comment 4 Unknown 2011-10-24 08:52:44 UTC
"as this is a security-sensitive matter, i would expect a bit more discretion
next time. please inform yourself about responsible disclosure." <-- I'm sorry, but I created the report using the KDE bug reporting tool - and there was no option to make this report secret or something like this. :/

I am not sure if there were symlinks.

When I found the bug, I used another session (Ctrl+Alt+F1) and entered the command. When I came back to the F7 KDE session, everything crashed. Also, if I run the bleachbit-gui in that session, lock the screen and return after some time, everything including the screen lock crashes.
I was absolutely sure that it also works with every other user running the command because I tested it in another session and on other computers multiple times. Now I created another user and did the same thing. Whatever caused the bug/crash before - I was pretty surprised that it did not work again. O.O

I am no longer sure that it works using another user. Maybe this makes the bug security-irrelevant, but it exists and it is at least VERY annoying.

I hope that I did not waste your time with this supposedly security-sensitive bug. Nevertheless, this bug _exists_, even if it does not work as another user. A bug that crashes _every_ program I currently use is always bad.

By the way, should I mark the other parts of this bug as duplicates of this one?
Comment 5 Oswald Buddenhagen 2011-10-24 09:05:50 UTC
(In reply to comment #4)
> there was no option to make this report secret or something like this. :/
> 
well, yeah. but maybe that means that bugzilla simply isn't the right address to report security problems? we have security@kde.org for that. maybe the bug reporting page should make that clearer.

> I am no longer sure that it works using another user.
>
ok, please triple-check.

> it exists and it is at least VERY annoying.
> 
well, one can argue that using bleachbit on running applications is the bug here. you are essentially destroying their data structures under their feet. mmap is known to be fragile, so this is no big surprise. we could catch sigbus and handle errors resulting from accesses to our maps, but this is going to be ugly, in particular because signal handling in library code is not particularly popular (qprocess has the same problem).

> By the way, should I mark the other parts of this bug as duplicates of this
> one?
>
yes, it's all the same problem. "invalid - multiple submissions" would be even better in this case.
Comment 6 Thomas Lübking 2011-10-24 19:00:47 UTC
FTR: find . -perm /022 in ~/.kde/cache-localhost or ~/.kde/tmp-localhost returns two files with write permissions on the user group (i.e., owner group, NOT "users") - none for others and the dirs are drwx------ - no sticky bit "solution".

It's likely either a (local/distro?) config issue or "i can 'Clear the memory and swap on Linux'" snake... "bleachbit" raises privileges - try "stat `which bleachbit`" and check whether the first access line has sort of a (4755/-rwsr-xr-x) part (important are the leading 4 and the "s" in the first rwx block)
Comment 7 Oswald Buddenhagen 2011-10-24 19:04:58 UTC
bleachbit is a python script and thus so totally not setuid.
Comment 8 Michael Pyne 2011-10-25 02:44:55 UTC
BleachBit after version 0.8.7 whitelists /var/tmp/kdecache-* to avoid overwriting/"shredding" the file data before deleting it.

A better "MASTERCRASH" is to send SIGABRT to a given process, since we're assuming we can already run arbitrary commands...

*** This bug has been marked as a duplicate of bug 271889 ***
Comment 9 Michael Pyne 2011-10-25 02:46:29 UTC
As an aside be sure to unlink (*not* shred) the *.kcache files under /var/tmp/kdecache-$USER before starting KDE next time to clear out your corrupted caches.
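Added example, not code from the bug report, KDE or BleachBit: it reproduces in a single process the mechanism behind comments 5, 8 and 9. A MAP_SHARED mapping of a cache file keeps working after unlink(), but touching it after the file has been truncated (the shredding step) raises SIGBUS, the signal the locker died with above. The temp path template, the one-page file size and the sigsetjmp-based SIGBUS probe are my assumptions.

```c
#define _GNU_SOURCE              /* mkstemp, sigaction, sigsetjmp */
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CACHE_LEN 4096           /* one page; constructed stand-in for a *.kcache file */
static sigjmp_buf bus_env;
static void on_sigbus(int sig) { (void)sig; siglongjmp(bus_env, 1); }

/* Create a temp file from a constructed template, fill it, and map it MAP_SHARED
 * the way KSharedDataCache maps its cache file (assumed, not KDE's own code). */
static char *map_cache_file(char *path_template, int *fd_out) {
    int fd = mkstemp(path_template);
    if (fd < 0) return NULL;
    if (ftruncate(fd, CACHE_LEN) != 0) { close(fd); return NULL; }
    char *p = mmap(NULL, CACHE_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return NULL; }
    memset(p, 'k', CACHE_LEN); *fd_out = fd;
    return p;
}

/* Read one byte through the mapping under a SIGBUS handler: 1 = faulted, 0 = readable. */
static int probe_mapping(char *p) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigbus;
    sigaction(SIGBUS, &sa, &old);
    volatile char *vp = p;
    volatile int faulted = 1;
    if (sigsetjmp(bus_env, 1) == 0) {
        (void)vp[0];             /* faults only if the page lost its file backing */
        faulted = 0;
    }
    sigaction(SIGBUS, &old, NULL);
    return faulted;
}

/* Scenario A (comment 9's advice): unlink the cache file. The name goes away but the
 * inode and its pages stay until the last mapping is gone, so the read succeeds. */
int mapping_survives_unlink(void) {
    char path[] = "/tmp/kcache-demo-XXXXXX";
    int fd; char *p = map_cache_file(path, &fd);
    if (!p) return -1;
    unlink(path);
    int ok = probe_mapping(p) == 0;
    munmap(p, CACHE_LEN); close(fd);
    return ok;
}

/* Scenario B (pre-0.8.7 BleachBit "shred"): truncate before deleting. Page 0 is now
 * beyond EOF, so the very next access through the mapping raises SIGBUS. */
int mapping_faults_after_shred(void) {
    char path[] = "/tmp/kcache-demo-XXXXXX";
    int fd; char *p = map_cache_file(path, &fd);
    if (!p) return -1;
    if (ftruncate(fd, 0) != 0) return -1;
    unlink(path);
    int faulted = probe_mapping(p);
    munmap(p, CACHE_LEN); close(fd);
    return faulted;
}
```

The same SIGBUS-under-sigsetjmp probe is the shape of the handler comment 5 calls ugly: it works for a demo, but a library that maps shared files cannot sensibly install process-wide signal handlers on behalf of its host application.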