Bug 491726 - Konsole use-after-free when dropping URLs, at least in some environments (e.g. GNOME)
Status: RESOLVED FIXED
Alias: None
Product: konsole
Classification: Applications
Component: general
Version: 24.05.2
Platform: Other Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konsole Developer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-08-14 19:21 UTC by triallax
Modified: 2024-12-05 22:29 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Description triallax 2024-08-14 19:21:43 UTC
SUMMARY
Konsole can crash with a use-after-free when dropping a URL into it. I can reproduce this on GNOME Wayland consistently.

STEPS TO REPRODUCE
1. Open Konsole
2. Drag a URL from e.g. Firefox and drop it into the terminal window

OBSERVED RESULT
Konsole segfaults with this backtrace:
* thread #1, name = 'konsole', stop reason = signal SIGSEGV: invalid address
  * frame #0: 0x000079db70e778f8 libkonsoleprivate.so.24.05.2`Konsole::TerminalDisplay::dropEvent(this=0x000079db70494600, event=0x00007fff5febf150) at TerminalDisplay.cpp:3066:19
    frame #1: 0x000079db6c39b61c libQt6Widgets.so.6`QWidget::event(this=<unavailable>, event=<unavailable>) at qwidget.cpp:9232:9
    frame #2: 0x000079db6c345371 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x000079db6c942800, receiver=0x000079db70494600, e=0x00007fff5febf150) at qapplication.cpp:3287:26
    frame #3: 0x000079db6c347c33 libQt6Widgets.so.6`QApplication::notify(this=0x000079db6c890800, receiver=0x000079db70494600, e=0x00007fff5febf150) at qapplication.cpp:3049:22
    frame #4: 0x000079db6b5a8de0 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x000079db70494600, event=0x00007fff5febf150) at qcoreapplication.cpp:1142:18
    frame #5: 0x000079db6c3b5c8a libQt6Widgets.so.6`QWidgetWindow::handleDropEvent(this=<unavailable>, event=0x00007fff5febf5f0) at qwidgetwindow.cpp:996:5
    frame #6: 0x000079db6c3b2777 libQt6Widgets.so.6`QWidgetWindow::event(this=<unavailable>, event=<unavailable>) at qwidgetwindow.cpp:305:9
    frame #7: 0x000079db6c345371 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x000079db6c942800, receiver=0x000079db700a8c40, e=0x00007fff5febf5f0) at qapplication.cpp:3287:26
    frame #8: 0x000079db6c34643c libQt6Widgets.so.6`QApplication::notify(this=<unavailable>, receiver=0x000079db700a8c40, e=0x00007fff5febf5f0) at qapplication.cpp:0
    frame #9: 0x000079db6b5a8de0 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x000079db700a8c40, event=0x00007fff5febf5f0) at qcoreapplication.cpp:1142:18
    frame #10: 0x000079db6bb7c685 libQt6Gui.so.6`QGuiApplicationPrivate::processDrop(w=0x000079db700a8c40, dropData=0x000079db70667300, p=<unavailable>, supportedActions=(i = 1), buttons=(i = 0), modifiers=(i = 0)) at qguiapplication.cpp:3397:5
    frame #11: 0x000079db6bbda605 libQt6Gui.so.6`QWindowSystemInterface::handleDrop(window=0x000079db700a8c40, dropData=0x000079db70667300, p=0x000079db6c8117c8, supportedActions=(i = 1), buttons=(i = 0), modifiers=(i = 0)) at qwindowsysteminterface.cpp:858:12
    frame #12: 0x000079db680e571b libQt6WaylandClient.so.6`QtWaylandClient::QWaylandDataDevice::data_device_drop(this=0x000079db6c811780) at qwaylanddatadevice.cpp:194:40
    frame #13: 0x000079db66deb41a libffi.so.8`ffi_call_unix64 at unix64.S:104
    frame #14: 0x000079db66defe95 libffi.so.8`ffi_call_int(cif=0x00007fff5febf880, fn=(libQt6WaylandClient.so.6`QtWayland::wl_data_device::handle_drop(void*, wl_data_device*) at qwayland-wayland.cpp:977), rvalue=0x0000000000000000, avalue=0x00007fff5febf8b0, closure=<unavailable>) at ffi64.c:673:3
    frame #15: 0x000079db66def9ec libffi.so.8`ffi_call(cif=0x00007fff5febf880, fn=(libQt6WaylandClient.so.6`QtWayland::wl_data_device::handle_drop(void*, wl_data_device*) at qwayland-wayland.cpp:977), rvalue=0x0000000000000000, avalue=0x00007fff5febf8b0) at ffi64.c:710:3
    frame #16: 0x000079db68005b43 libwayland-client.so.0`wl_closure_invoke(closure=0x000079db600c3760, flags=<unavailable>, target=<unavailable>, opcode=4, data=<unavailable>) at connection.c:1228:2
    frame #17: 0x000079db68003bb8 libwayland-client.so.0`dispatch_event(display=<unavailable>, queue=<unavailable>) at wayland-client.c:1670:3
    frame #18: 0x000079db68003381 libwayland-client.so.0`wl_display_dispatch_queue_pending [inlined] dispatch_queue(display=0x000079db6c8f08c0, queue=<unavailable>) at wayland-client.c:1816:3
    frame #19: 0x000079db6800332b libwayland-client.so.0`wl_display_dispatch_queue_pending(display=0x000079db6c8f08c0, queue=0x000079db6c8f09b8) at wayland-client.c:2058:8
    frame #20: 0x000079db6800346c libwayland-client.so.0`wl_display_dispatch_pending(display=<unavailable>) at wayland-client.c:2121:9 [artificial]
    frame #21: 0x000079db6809a855 libQt6WaylandClient.so.6`QtWaylandClient::EventThread::readAndDispatchEvents() [inlined] QtWaylandClient::EventThread::dispatchQueuePending(this=0x000079db6ccd2ff0) at qwaylanddisplay.cpp:227:20
    frame #22: 0x000079db6809a844 libQt6WaylandClient.so.6`QtWaylandClient::EventThread::readAndDispatchEvents(this=0x000079db6ccd2ff0) at qwaylanddisplay.cpp:109:17
    frame #23: 0x000079db6b5f7447 libQt6Core.so.6`QObject::event(this=0x000079db6ca00c00, e=0x000079db5f890380) at qobject.cpp:1452:18
    frame #24: 0x000079db6c345371 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x000079db6c942800, receiver=0x000079db6ca00c00, e=0x000079db5f890380) at qapplication.cpp:3287:26
    frame #25: 0x000079db6c34643c libQt6Widgets.so.6`QApplication::notify(this=<unavailable>, receiver=0x000079db6ca00c00, e=0x000079db5f890380) at qapplication.cpp:0
    frame #26: 0x000079db6b5a8de0 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x000079db6ca00c00, event=0x000079db5f890380) at qcoreapplication.cpp:1142:18
    frame #27: 0x000079db6b5aa175 libQt6Core.so.6`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) [inlined] QCoreApplication::sendEvent(receiver=0x000079db6ca00c00, event=0x000079db5f890380) at qcoreapplication.cpp:1583:12
    frame #28: 0x000079db6b5aa165 libQt6Core.so.6`QCoreApplicationPrivate::sendPostedEvents(receiver=0x0000000000000000, event_type=0, data=0x000079db6c8d0100) at qcoreapplication.cpp:1940:9
    frame #29: 0x000079db6b86fe35 libQt6Core.so.6`postEventSourceDispatch(_GSource*, int (*)(void*), void*) [inlined] QCoreApplication::sendPostedEvents(receiver=0x0000000000000000, event_type=0) at qcoreapplication.cpp:1797:5
    frame #30: 0x000079db6b86fe1f libQt6Core.so.6`postEventSourceDispatch(s=0x000079db6c8cd9a0, (null)=<unavailable>, (null)=<unavailable>) at qeventdispatcher_glib.cpp:244:5
    frame #31: 0x000079db68b8970b libglib-2.0.so.0`g_main_context_dispatch_unlocked [inlined] g_main_dispatch(context=0x000079db6d020500) at gmain.c:3344:27
    frame #32: 0x000079db68b895bf libglib-2.0.so.0`g_main_context_dispatch_unlocked(context=0x000079db6d020500) at gmain.c:4152:7
    frame #33: 0x000079db68b89c63 libglib-2.0.so.0`g_main_context_iterate_unlocked(context=0x000079db6d020500, block=<unavailable>, dispatch=1, self=<unavailable>) at gmain.c:4217:5
    frame #34: 0x000079db68b89e24 libglib-2.0.so.0`g_main_context_iteration(context=0x000079db6d020500, may_block=1) at gmain.c:4282:12
    frame #35: 0x000079db6b86f4d1 libQt6Core.so.6`QEventDispatcherGlib::processEvents(this=0x000079db6cc48060, flags=(i = 164)) at qeventdispatcher_glib.cpp:394:19
    frame #36: 0x000079db6b5b3a9a libQt6Core.so.6`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QEventLoop::processEvents(this=0x00007fff5fec0060, flags=(i = 164)) at qeventloop.cpp:100:55
    frame #37: 0x000079db6b5b3a7c libQt6Core.so.6`QEventLoop::exec(this=0x00007fff5fec0060, flags=<unavailable>) at qeventloop.cpp:182:9
    frame #38: 0x000079db6b5a94fd libQt6Core.so.6`QCoreApplication::exec() at qcoreapplication.cpp:1486:32
    frame #39: 0x000062d083742b19 konsole`main(argc=1, argv=0x00007fff5fec0288) at main.cpp:258:15
    frame #40: 0x000079db70fc2c1d ld-musl-x86_64.so.1`libc_start_main_stage2(main=(konsole`main at main.cpp:131), argc=<unavailable>, argv=0x00007fff5fec0288) at __libc_start_main.c:95:7
    frame #41: 0x000062d083741576 konsole`_start + 22

EXPECTED RESULT
The URL gets pasted into Konsole.

SOFTWARE/OS VERSIONS
OS: Chimera Linux
KDE Frameworks Version: 6.5.0
Konsole version: 24.05.2
Qt Version:  6.7.2

ADDITIONAL INFORMATION
Downstream ticket: https://github.com/chimera-linux/cports/issues/2416 (we believe the gnome-console crash to be unrelated)
We carry a patch to fix the crash: https://github.com/chimera-linux/cports/blob/96d7d8642064298f87327492b09a722e1675a672/contrib/konsole/patches/drag-and-drop-urls.patch
Comment 1 Christoph Cullmann 2024-12-05 22:24:58 UTC
I see, the extractDroppedText call might invalidate that due to 

KIO::StatJob *job = KIO::mostLocalUrl(urls[i], KIO::HideProgressInfo);
if (!job->exec()) {
    continue;
}
Comment 2 Christoph Cullmann 2024-12-05 22:25:27 UTC
https://github.com/chimera-linux/cports/blob/96d7d8642064298f87327492b09a722e1675a672/contrib/konsole/patches/drag-and-drop-urls.patch
Comment 4 Christoph Cullmann 2024-12-05 22:29:49 UTC
Git commit cc628b2a50c0926386dd9fee9567bf6d5e74d047 by Christoph Cullmann.
Committed on 05/12/2024 at 22:29.
Pushed by cullmann into branch 'master'.

ensure we don't use an invalidated mimeData

M  +4    -2    src/terminalDisplay/TerminalDisplay.cpp

https://invent.kde.org/utilities/konsole/-/commit/cc628b2a50c0926386dd9fee9567bf6d5e74d047
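The hazard Comment 1 points at, and the shape of fix the commit message describes, as an added example that is not Konsole or Qt code. It models the drop handler in plain C++: the handler holds a pointer to mime data owned by the drag session, then re-enters the event loop (the role of KIO::StatJob::exec() inside extractDroppedText()), and an event dispatched by that nested loop tears the drag session down, so the pointer dangles when the handler reads through it afterwards. The safe variant copies what it needs out of the mime data before anything that can re-enter the event loop; that this is what the actual commit does is an assumption, since the diff is not on this page. All names (DragSession, MimeData, seedSession, resolveUrl, dropEventUnsafe, dropEventSafe), the sample URLs and the queued "drag finished" event are constructed for this illustration. The weak_ptr in the unsafe variant is instrumentation so the example reports the dangling read instead of performing it.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for QMimeData: owned by the drag session, never by the drop handler.
struct MimeData {
    std::vector<std::string> urls;
    std::string text;
};

// Stand-in for the platform drag session plus the events queued behind the drop.
struct DragSession {
    std::shared_ptr<MimeData> data;
    std::vector<std::function<void()>> pending;

    // Equivalent of a nested QEventLoop::exec() inside a drop handler:
    // everything already queued runs before control returns to the caller.
    void execNestedLoop() {
        std::vector<std::function<void()>> events;
        events.swap(pending);
        for (auto& ev : events) {
            ev();
        }
    }
};

// Puts a session into the state the report describes: a drop is being
// delivered while a "drag finished" event is already queued behind it.
// URLs and the queued event are constructed sample data.
void seedSession(DragSession& s) {
    s.data = std::make_shared<MimeData>();
    s.data->urls = {"https://example.invalid/page", "file:///tmp/notes.txt"};
    s.data->text = "https://example.invalid/page";
    // The compositor ends the drag; the platform plugin releases the offer's
    // data as soon as this event is dispatched.
    s.pending.push_back([&s] { s.data.reset(); });
}

// Per-URL work that re-enters the event loop, the role played by
// KIO::mostLocalUrl(...)->exec() in Konsole's extractDroppedText().
std::string resolveUrl(DragSession& s, const std::string& url) {
    s.execNestedLoop();
    return url;
}

struct DropResult {
    bool touchedStaleData = false;   // where real code would read freed memory
    std::vector<std::string> lines;
};

// Pre-fix shape: the mime-data pointer is read again after the nested loop.
DropResult dropEventUnsafe(DragSession& s) {
    const MimeData* md = s.data.get();          // like event->mimeData()
    std::weak_ptr<MimeData> stillOwned = s.data; // instrumentation only
    DropResult r;
    const std::vector<std::string> urls = md->urls;
    for (const auto& u : urls) {
        r.lines.push_back(resolveUrl(s, u));    // re-enters the event loop
    }
    if (stillOwned.expired()) {
        r.touchedStaleData = true;              // md now dangles
        return r;
    }
    if (!md->text.empty()) {
        r.lines.push_back(md->text);
    }
    return r;
}

// Fixed shape: copy everything needed before any call that can re-enter the
// event loop, and never touch the pointer afterwards.
DropResult dropEventSafe(DragSession& s) {
    const MimeData* md = s.data.get();
    const std::vector<std::string> urls = md->urls;
    const std::string text = md->text;
    md = nullptr;                               // nothing below may use it
    DropResult r;
    for (const auto& u : urls) {
        r.lines.push_back(resolveUrl(s, u));
    }
    if (!text.empty()) {
        r.lines.push_back(text);
    }
    return r;
}

int main() {
    DragSession a;
    seedSession(a);
    DropResult unsafe = dropEventUnsafe(a);
    std::printf("unsafe: stale read = %s\n", unsafe.touchedStaleData ? "yes" : "no");
    DragSession b;
    seedSession(b);
    DropResult safe = dropEventSafe(b);
    std::printf("safe: %zu lines, stale read = %s\n", safe.lines.size(),
                safe.touchedStaleData ? "yes" : "no");
    return 0;
}
```

The point generalizes beyond drag-and-drop: any QEvent payload, job result or widget pointer held across a call that spins a nested event loop (KJob::exec(), QDialog::exec(), QCoreApplication::processEvents()) has to be treated as invalid once that call returns, unless the caller owns it.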