https://bugs.kde.org/show_bug.cgi?id=356647

            Bug ID: 356647
           Summary: use-after-free crash on closing cervisia having opened
                    a non-CVS folder
           Product: cervisia
           Version: unspecified
          Platform: Compiled Sources
                OS: Linux
            Status: UNCONFIRMED
          Severity: crash
          Priority: NOR
         Component: general
          Assignee: christian.lo...@hamburg.de
          Reporter: santhiar.anir...@gmail.com

Cervisia crashes with a use-after-free bug on closing the application after
opening a non-CVS folder.
I ran into this problem while driving Cervisia via a command line script.
I opened a non-CVS folder via the command line, and while the error dialog was
being displayed, closed Cervisia using qdbus. The application crashed.

Reproducible: Always

Steps to Reproduce:
1. From a terminal, say "cervisia nonCVSFolder"
2. When the error dialog is displayed, from another terminal, issue
3. qdbus `qdbus | grep cervisia` /cervisia/MainWindow_1/actions/file_quit trigger

Actual Results:  
Cervisia crashes

Expected Results:  
Cervisia closes smoothly

Application details:
Qt: 4.8.7
KDE Development Platform: 4.14.13
Cervisia: 3.10.0

KCrash Report:
Application: Cervisia (cervisia), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  0x00007fcea1956a81 in QMap<QAction*, KUrl>::constBegin (this=<optimized
out>) at qt4/include/QtCore/qmap.h:374
#7  0x00007fcea19542c0 in KRecentFilesAction::removeUrl (this=<optimized out>,
url=...) at KDE/kde/kdelibs/kdeui/actions/krecentfilesaction.cpp:234
#8  0x00007fce949c5074 in CervisiaPart::openSandbox (this=0xa97c40, url=...) at
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
#9  0x00007fce949c49a9 in CervisiaPart::openUrl (this=0xa97c40, u=...) at
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
#10 0x00007fcea43a4d8b in CervisiaShell::openURL (this=<optimized out>,
url=...) at KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
#11 0x00007fcea43a15fe in kdemain (argc=<optimized out>, argv=<optimized out>)
at KDE/kde/kdesdk/cervisia/main.cpp:196
#12 0x0000000000400a21 in main (argc=-1641208064, argv=0xffffffff) at
KDE/build/kde/kdesdk/cervisia/cervisia_dummy.cpp:3

On investigating further using a Cervisia build with AddressSanitizer, this is a
use-after-free vulnerability. AddressSanitizer reported the following stack:

=================================================================
==12997==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100013e3f0
at pc 0x7fdd437ea9cd bp 0x7fffc88647b0 sp 0x7fffc88647a8
READ of size 8 at 0x61100013e3f0 thread T0
    #0 0x7fdd437ea9cc in CervisiaPart::openSandbox(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813
    #1 0x7fdd437e80a9 in CervisiaPart::openUrl(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
    #2 0x7fdd571558b4 in CervisiaShell::openURL(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
    #3 0x7fdd5714cce1 in kdemain KDE/kde/kdesdk/cervisia/main.cpp:196
    #4 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #5 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #6 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
0x61100013e3f0 is located 112 bytes inside of 216-byte region
[0x61100013e380,0x61100013e458)
freed by thread T0 here:
    #0 0x43120a in operator delete(void*)
(KDE/install-asan/bin/cervisia+0x43120a)
    #1 0x7fdd437e6419 in CervisiaPart::~CervisiaPart()
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:180
    #2 0x7fdd5715528f in CervisiaShell::~CervisiaShell()
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:81
    #3 0x7fdd57154ca5 in ~CervisiaShell
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #4 0x7fdd57154ca5 in CervisiaShell::~CervisiaShell()
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:80
    #5 0x7fdd53509e3d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24ee3d)
    #6 0x7fdd535099a7 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24e9a7)
    #7 0x7fdd522ef345 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0345)
    #8 0x7fdd52910f72 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1f72)
    #9 0x7fdd553a4133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #10 0x7fdd554aa0b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #11 0x7fdd5226448e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23548e)
    #12 0x7fdd5226a32b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b32b)
    #13 0x7fdd55084340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7fdd534e8dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22ddc5)
    #15 0x7fdd534ed549 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x232549)
    #16 0x7fdd534ea3f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #17 0x7fdd5353b2f6 in
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2802f6)
    #18 0x7fdd5237c669 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d669)
    #19 0x7fdd534e3f6b in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228f6b)
    #20 0x7fdd534e4331 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x229331)
    #21 0x7fdd52a18c8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #22 0x7fdd54e109dc in KMessageBox::createKMessageBox(KDialog*, QIcon
const&, QString const&, QStringList const&, QString const&, bool*,
QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
    #23 0x7fdd54e0dfe1 in KMessageBox::createKMessageBox(KDialog*,
QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*,
QFlags<KMessageBox::Option>, QString const&)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
    #24 0x7fdd54e20f44 in KMessageBox::sorryWId(unsigned long, QString const&,
QString const&, QFlags<KMessageBox::Option>)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:928
    #25 0x7fdd54e2090d in KMessageBox::sorry(QWidget*, QString const&, QString
const&, QFlags<KMessageBox::Option>)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:907
    #26 0x7fdd437e9814 in CervisiaPart::openSandbox(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1807
    #27 0x7fdd437e80a9 in CervisiaPart::openUrl(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:222
    #28 0x7fdd571558b4 in CervisiaShell::openURL(KUrl const&)
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:139
    #29 0x7fdd5714cce1 in kdemain KDE/kde/kdesdk/cervisia/main.cpp:196
    #30 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #31 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #32 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
previously allocated by thread T0 here:
    #0 0x430f8a in operator new(unsigned long)
(KDE/install-asan/bin/cervisia+0x430f8a)
    #1 0x7fdd437f58c9 in QObject*
KPluginFactory::createPartInstance<CervisiaPart>(QWidget*, QObject*,
QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:483
    #2 0x7fdd543410cc in KPluginFactory::create(char const*, QWidget*,
QObject*, QList<QVariant> const&, QString const&)
KDE/kde/kdelibs/kdecore/util/kpluginfactory.cpp:203
    #3 0x7fdd5715781e in KParts::ReadOnlyPart*
KPluginFactory::create<KParts::ReadOnlyPart>(QObject*, QList<QVariant> const&)
KDE/install-asan/include/kpluginfactory.h:507
    #4 0x7fdd57151019 in CervisiaShell::CervisiaShell(char const*)
KDE/kde/kdesdk/cervisia/cervisiashell.cpp:48
    #5 0x7fdd5714cbfa in kdemain KDE/kde/kdesdk/cervisia/main.cpp:190
    #6 0x445ce8 in main (KDE/install-asan/bin/cervisia+0x445ce8)
    #7 0x7fdd50e5376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #8 0x445bec in _start (KDE/install-asan/bin/cervisia+0x445bec)
SUMMARY: AddressSanitizer: heap-use-after-free
KDE/kde/kdesdk/cervisia/cervisiapart.cpp:1813 CervisiaPart::openSandbox(KUrl
const&)
Shadow bytes around the buggy address:
  0x0c228001fc20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228001fc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fc60: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
=>0x0c228001fc70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c228001fc80: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c228001fc90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228001fca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001fcb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228001fcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12997==ABORTING

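The two ASan stacks above describe a nested-event-loop use-after-free: CervisiaPart::openSandbox (cervisiapart.cpp:1807) calls KMessageBox::sorry, which spins a nested loop in QDialog::exec; the file_quit action triggered over D-Bus posts a DeferredDelete for the main window, that loop processes it, ~CervisiaShell deletes the part (cervisiashell.cpp:81), and when the dialog returns openSandbox is still on the stack and reads a member of the freed part at line 1813 (KRecentFilesAction::removeUrl). The following is an added example, not code from Cervisia or KDE, that models this pattern in plain C++ so it can be run without Qt. It assumes a toy event loop standing in for Qt's, a registry of live objects standing in for ASan's shadow memory (so the dangling access is reported as a value instead of dereferencing freed memory), and a hypothetical "cvs:" path prefix marking a sandbox. The guarded variant shows the standard Qt idiom of re-checking a weak guard (QPointer in real Qt code) after a modal dialog; it is not a claim about the fix Cervisia actually shipped.

```cpp
// Added example, not Cervisia or KDE code: a toy model of the crash pattern in the
// report above. A method re-enters the event loop (KMessageBox::sorry -> QDialog::exec),
// an event handled inside that loop (file_quit over D-Bus -> DeferredDelete) destroys
// the object whose method is still on the stack, and the method then touches a member
// of the freed object. The guarded variant re-checks liveness after the dialog, the way
// Qt code does with QPointer.
#include <algorithm>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Stand-in for the Qt event loop: a FIFO of posted events.
struct EventLoop {
    std::deque<std::function<void()>> posted;
    void post(std::function<void()> ev) { posted.push_back(std::move(ev)); }
    // Like QDialog::exec(): drains every queued event before returning to the caller,
    // including a DeferredDelete that was posted for the caller's owner.
    void execNested() {
        while (!posted.empty()) {
            auto ev = std::move(posted.front());
            posted.pop_front();
            ev();
        }
    }
};

// Registry of live objects, standing in for ASan's shadow memory: it lets the dangling
// access be reported as a value instead of dereferencing freed memory (undefined behaviour).
static std::set<const void*>& liveObjects() {
    static std::set<const void*> live;
    return live;
}

enum class Outcome { Opened, NotASandbox, QuitDuringDialog, UseAfterFree };

struct Part : std::enable_shared_from_this<Part> {
    EventLoop& loop;
    std::vector<std::string> recentSandboxes;   // models KRecentFilesAction
    explicit Part(EventLoop& l) : loop(l) { liveObjects().insert(this); }
    ~Part() { liveObjects().erase(this); }

    // Assumption for the model: a "cvs:" prefix marks a directory as a CVS sandbox.
    static bool isCvsSandbox(const std::string& dir) { return dir.rfind("cvs:", 0) == 0; }

    void removeUrl(const std::string& url) {   // models KRecentFilesAction::removeUrl
        recentSandboxes.erase(std::remove(recentSandboxes.begin(), recentSandboxes.end(), url),
                              recentSandboxes.end());
    }

    // Vulnerable shape, as in the report: the error dialog runs a nested loop, and the
    // method keeps using `this` afterwards without checking that it survived.
    Outcome openSandboxUnguarded(const std::string& dir) {
        if (isCvsSandbox(dir)) { recentSandboxes.push_back(dir); return Outcome::Opened; }
        loop.execNested();                        // KMessageBox::sorry() at cervisiapart.cpp:1807
        if (!liveObjects().count(this))           // the read ASan flagged at cervisiapart.cpp:1813
            return Outcome::UseAfterFree;         // (only the pointer value is compared here)
        removeUrl(dir);
        return Outcome::NotASandbox;
    }

    // Hardened shape: take a weak guard before re-entering the event loop and stop if the
    // object was destroyed while the dialog was up. Qt code does this with QPointer.
    Outcome openSandboxGuarded(const std::string& dir) {
        if (isCvsSandbox(dir)) { recentSandboxes.push_back(dir); return Outcome::Opened; }
        std::weak_ptr<Part> guard = shared_from_this();
        loop.execNested();
        if (guard.expired()) return Outcome::QuitDuringDialog;   // `this` is gone; touch nothing
        removeUrl(dir);
        return Outcome::NotASandbox;
    }
};

struct Shell {
    EventLoop loop;
    std::shared_ptr<Part> part;
    Shell() : part(std::make_shared<Part>(loop)) {}
    // file_quit triggered over D-Bus: Qt posts a DeferredDelete for the main window, and
    // the window's destructor deletes the part (cervisiashell.cpp:81 in the ASan trace).
    void triggerQuitOverDBus() { loop.post([this] { part.reset(); }); }
};

// Replays the report's steps. The D-Bus call really arrives while the dialog is up; here it
// is queued just before, so the nested loop inside openSandbox is what processes it.
Outcome reproduce(const std::string& dir, bool guarded, bool quitWhileDialogUp) {
    Shell shell;
    Part* part = shell.part.get();
    if (quitWhileDialogUp) shell.triggerQuitOverDBus();
    return guarded ? part->openSandboxGuarded(dir) : part->openSandboxUnguarded(dir);
}
```

reproduce("nonCVSFolder", false, true) follows the report's path and reports UseAfterFree, while reproduce("nonCVSFolder", true, true) returns QuitDuringDialog without touching the destroyed object. The general rule the model illustrates: any call that can spin a nested event loop (modal dialogs, QCoreApplication::processEvents, synchronous D-Bus calls) may delete the calling object or its owner, so code after such a call must re-validate every raw pointer it still holds, including `this`.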