Opening kdf, and closing it while the menu displayed on right-clicking on a device is still open results in a use-after-free bug.

Reproducible: Always

Steps to Reproduce:
1. Open kdf
2. Issue "sleep 5; qdbus `qdbus | grep kdf` /kdf/MainWindow_1/actions/file_quit trigger" from a terminal
3. Switch back to kdf immediately, and right click on a device, causing a menu to be displayed

Actual Results:
Application closes smoothly

Expected Results:
Use-after-free bug

To exhibit this bug, a version of kdf built using address sanitizer is required (http://clang.llvm.org/docs/AddressSanitizer.html)

AddressSanitizer reports the following stack:

=================================================================
==27385==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000cb8 at pc 0x48c15c bp 0x7fff75a28d00 sp 0x7fff75a28cf8
WRITE of size 1 at 0x610000000cb8 thread T0
    #0 0x48c15b in DiskList::setUpdatesDisabled(bool) (KDE/install-asan/bin/kdf+0x48c15b)
    #1 0x46637d in KDFWidget::contextMenuRequested(QPoint const&) (KDE/install-asan/bin/kdf+0x46637d)
    #2 0x468bf1 in KDFWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/kdf+0x468bf1)
    #3 0x7fb9c9064336 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255336)
    #4 0x7fb9c7e434be in QWidget::customContextMenuRequested(QPoint const&) (qt4/lib/libQtGui.so.4+0x2c04be)
    #5 0x7fb9c7e4213c in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2bf13c)
    #6 0x7fb9c84386fc in QFrame::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8b56fc)
    #7 0x7fb9c850f6fb in QAbstractScrollArea::viewportEvent(QEvent*) (qt4/lib/libQtGui.so.4+0x98c6fb)
    #8 0x7fb9c85f1c98 in QAbstractItemView::viewportEvent(QEvent*) (qt4/lib/libQtGui.so.4+0xa6ec98)
    #9 0x7fb9c86580b0 in QTreeView::viewportEvent(QEvent*) (qt4/lib/libQtGui.so.4+0xad50b0)
    #10 0x7fb9c8510e6e in QAbstractScrollAreaPrivate::viewportEvent(QEvent*) (qt4/lib/libQtGui.so.4+0x98de6e)
    #11 0x7fb9c8510ce4 in QAbstractScrollAreaFilter::eventFilter(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x98dce4)
    #12 0x7fb9c903cf2c in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22df2c)
    #13 0x7fb9c7db8274 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x235274)
    #14 0x7fb9c7dbc191 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x239191)
    #15 0x7fb9cb79b340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #16 0x7fb9c903cb15 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22db15)
    #17 0x7fb9c7dc2e3e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fe3e)
    #18 0x7fb9c7e8a475 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x307475)
    #19 0x7fb9c7e85e05 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302e05)
    #20 0x7fb9c7ed0265 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d265)
    #21 0x7fb9c9037edb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228edb)
    #22 0x7fb9c90381ed in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2291ed)
    #23 0x7fb9c903d316 in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e316)
    #24 0x7fb9c7dba335 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237335)
    #25 0x4551db in main (KDE/install-asan/bin/kdf+0x4551db)
    #26 0x7fb9c634f76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #27 0x45305c in _start (KDE/install-asan/bin/kdf+0x45305c)

0x610000000cb8 is located 120 bytes inside of 192-byte region [0x610000000c40,0x610000000d00)
freed by thread T0 here:
    #0 0x43e67a in operator delete(void*) (KDE/install-asan/bin/kdf+0x43e67a)
    #1 0x45eef6 in KDFWidget::~KDFWidget() (KDE/install-asan/bin/kdf+0x45eef6)
    #2 0x7fb9c905cb03 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24db03)
    #3 0x7fb9c7e2bf22 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8f22)
    #4 0x7fb9c84623f4 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df3f4)
    #5 0x7fb9cbaafb5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #6 0x7fb9cbbc0ee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #7 0x4559b3 in KDFTopLevel::~KDFTopLevel() (KDE/install-asan/bin/kdf+0x4559b3)
    #8 0x7fb9c905db6d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24eb6d)
    #9 0x7fb9c905d6d7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e6d7)
    #10 0x7fb9c7e43155 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0155)
    #11 0x7fb9c8464d82 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1d82)
    #12 0x7fb9cbabb133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #13 0x7fb9cbbc10b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #14 0x7fb9c7db829e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23529e)
    #15 0x7fb9c7dbe13b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b13b)
    #16 0x7fb9cb79b340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #17 0x7fb9c903cb15 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22db15)
    #18 0x7fb9c9041279 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232279)
    #19 0x7fb9c903e123 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f123)
    #20 0x7fb9c903d087 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22e087)
    #21 0x7fb9c7ebf957 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtGui.so.4+0x33c957)
    #22 0x7fb9c7ecfe91 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ce91)
    #23 0x7fb9c9037edb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228edb)
    #24 0x7fb9c90381ed in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2291ed)
    #25 0x7fb9c84a2dcb in QMenu::exec(QPoint const&, QAction*) (qt4/lib/libQtGui.so.4+0x91fdcb)
    #26 0x465b92 in KDFWidget::contextMenuRequested(QPoint const&) (KDE/install-asan/bin/kdf+0x465b92)
    #27 0x468bf1 in KDFWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/kdf+0x468bf1)
    #28 0x7fb9c9064336 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255336)
    #29 0x7fb9c7e434be in QWidget::customContextMenuRequested(QPoint const&) (qt4/lib/libQtGui.so.4+0x2c04be)

previously allocated by thread T0 here:
    #0 0x43e3fa in operator new(unsigned long) (KDE/install-asan/bin/kdf+0x43e3fa)
    #1 0x453525 in KDFTopLevel::KDFTopLevel(QWidget*) (KDE/install-asan/bin/kdf+0x453525)
    #2 0x455190 in main (KDE/install-asan/bin/kdf+0x455190)
    #3 0x7fb9c634f76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 DiskList::setUpdatesDisabled(bool)
Shadow bytes around the buggy address:
  0x0c207fff8140: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff8190: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff81b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff81e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==27385==ABORTING

Right-clicking on the menu spins a nested event loop, and closing the application causes a free in the nested context, and this memory is used subsequently.
I shall be happy to supply any more information that the developers require...
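The mechanism the reporter describes, as an added illustration that is not kdf's or KDE's own code: a context-menu handler disables updates on a child, spins a nested event loop (QMenu::exec in the real trace), and writes to the child again afterwards, which is the freed-memory write in frame #0 once a quit event inside the nested loop has deleted the widget. Qt is not used here; EventLoop is a queue-based stand-in for the event loop, KDFWidget and DiskList are modelled stand-ins, and the std::weak_ptr liveness guard is the hardening that Qt code would express with QPointer.

```cpp
#include <functional>
#include <memory>
#include <queue>
// Child whose setUpdatesDisabled() is written after its owner is freed (frame #0).
struct DiskList {
    bool updatesDisabled = false;
    void setUpdatesDisabled(bool disabled) { updatesDisabled = disabled; }
};

// Minimal event-loop model: queued events run in order. Calling processEvents()
// from inside a handler models the nested loop that QMenu::exec() spins.
struct EventLoop {
    std::queue<std::function<void()>> posted;
    void post(std::function<void()> ev) { posted.push(std::move(ev)); }
    void processEvents() {  // an event here may delete the widget that is mid-handler
        while (!posted.empty()) { auto ev = std::move(posted.front()); posted.pop(); ev(); }
    }
};

struct KDFWidget {
    EventLoop& loop;
    std::unique_ptr<DiskList> list = std::make_unique<DiskList>();
    // Liveness token: weak_ptr copies expire on destruction (the role of QPointer in Qt).
    std::shared_ptr<int> alive = std::make_shared<int>(0);
    explicit KDFWidget(EventLoop& l) : loop(l) {}
    // Hardened handler: true if the post-menu write ran, false if *this died in the menu.
    bool contextMenuRequested() {
        std::weak_ptr<int> guard = alive;
        list->setUpdatesDisabled(true);
        loop.processEvents();  // nested loop: file_quit may delete *this here
        if (guard.expired())   // without this check: the reported heap-use-after-free
            return false;
        list->setUpdatesDisabled(false);
        return true;
    }
};

// Scenario from the report: quit is delivered while the menu's nested loop runs.
bool quitDuringMenu() {
    EventLoop loop;
    auto* widget = new KDFWidget(loop);     // owned by the (modelled) main window
    loop.post([&] { delete widget; });      // the window's deferred delete
    return widget->contextMenuRequested();  // false: bailed out, no write to freed memory
}
// Control case: nothing deletes the widget, so the write after the menu completes.
bool menuWithoutQuit() {
    EventLoop loop;
    KDFWidget widget(loop);
    return widget.contextMenuRequested() && !widget.list->updatesDisabled;
}
```

Built with AddressSanitizer, removing the guard.expired() check turns quitDuringMenu() into the same heap-use-after-free report as above, which makes the modelled scenario a useful regression check for any handler that re-enters the event loop.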
Thank you for the bug report. As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists. If this bug is no longer persisting or relevant please change the status to resolved.