https://bugs.kde.org/show_bug.cgi?id=355172
--- Comment #1 from Santhiar <santhiar.anir...@gmail.com> ---

On further investigation, this is a use-after-free bug. I built okular with ASAN [http://clang.llvm.org/docs/AddressSanitizer.html] and here is the report from ASAN on triggering the steps to repro.

==4455==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004d300 at pc 0x7f5079e3e5bc bp 0x7fff0630a230 sp 0x7fff0630a228
READ of size 8 at 0x60300004d300 thread T0
    #0 0x7f5079e3e5bb in Okular::Document::stopFontReading() KDE/kde/kdegraphics/okular/core/document.cpp:2815:11
    #1 0x7f507a51a7ae in ~PropertiesDialog KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:178
    #2 0x7f507a51a7ae in PropertiesDialog::~PropertiesDialog() KDE/kde/kdegraphics/okular/ui/propertiesdialog.cpp:177
    #3 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #4 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #5 0x7f507a52f7e8 in Sidebar::~Sidebar() KDE/kde/kdegraphics/okular/ui/sidebar.cpp:514
    #6 0x7f507a52f65e in Sidebar::~Sidebar() KDE/kde/kdegraphics/okular/ui/sidebar.cpp:512
    #7 0x7f508db5cf0b in KParts::Part::~Part() KDE/kde/kdelibs/kparts/part.cpp:209:38
    #8 0x7f508db66132 in ~ReadOnlyPart KDE/kde/kdelibs/kparts/part.cpp:463
    #9 0x7f508db66132 in KParts::ReadWritePart::~ReadWritePart() KDE/kde/kdelibs/kparts/part.cpp:780
    #10 0x7f507a2e23f8 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:891
    #11 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #12 0x7f507a2e14c5 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:857
    #13 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #14 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #15 0x7f508aa0a314 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df314)
    #16 0x7f508bf36b5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #17 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #18 0x7f508db8bd2c in KParts::MainWindow::~MainWindow() KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #19 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #20 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #21 0x7f50890e6f2d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24df2d)
    #22 0x7f50890e6a97 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24da97)
    #23 0x7f508a3eb095 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0095)
    #24 0x7f508aa0cca2 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1ca2)
    #25 0x7f508bf42133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #26 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #27 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #28 0x7f508a36607b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b07b)
    #29 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #30 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #31 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x231639)
    #32 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #33 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22d6a7)
    #34 0x7f5089114f07 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtCore.so.4+0x27bf07)
    #35 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #36 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #37 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #38 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #39 0x7f5089112d81 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x279d81)
    #40 0x7f508a476a43 in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ba43)
    #41 0x7f50890c13fb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2283fb)
    #42 0x7f50890c174d in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x22874d)
    #43 0x7f508ab149ba in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e99ba)
    #44 0x7f507a30f36a in Okular::Part::slotShowProperties() KDE/kde/kdegraphics/okular/part.cpp:2528
    #45 0x7f507a30f36a in Okular::Part::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdegraphics/okular/part.moc:234
    #46 0x7f50890ed6f6 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x2546f6)
    #47 0x7f508a35016c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22516c)
    #48 0x7f508a34ff81 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x224f81)
    #49 0x7f508aa47446 in QMenuPrivate::activateCausedStack(QList<QPointer<QWidget> > const&, QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91c446)
    #50 0x7f508aa45305 in QMenuPrivate::activateAction(QAction*, QAction::ActionEvent, bool) (qt4/lib/libQtGui.so.4+0x91a305)
    #51 0x7f508aa4c731 in QMenu::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x921731)
    #52 0x7f508bf4bf3e in KMenu::mouseReleaseEvent(QMouseEvent*) KDE/kde/kdelibs/kdeui/widgets/kmenu.cpp:464
    #53 0x7f508a3e96cd in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be6cd)
    #54 0x7f508aa4d079 in QMenu::event(QEvent*) (qt4/lib/libQtGui.so.4+0x922079)
    #55 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #56 0x7f508a3635e2 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2385e2)
    #57 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #58 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #59 0x7f508a36ad7e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fd7e)
    #60 0x7f508a361280 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236280)
    #61 0x7f508a431f78 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x306f78)
    #62 0x7f508a42dd45 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302d45)
    #63 0x7f508a476f7f in x11EventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtGui.so.4+0x34bf7f)
    #64 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)
    #65 0x7f5084b1a05f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4805f)
    #66 0x7f5084b1a123 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48123)
    #67 0x7f5089112d81 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x279d81)
    #68 0x7f508a476a43 in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34ba43)
    #69 0x7f50890c13fb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2283fb)
    #70 0x7f50890c174d in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x22874d)
    #71 0x7f50890c690e in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22d90e)
    #72 0x7f508a362275 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237275)
    #73 0x45100b in main (KDE/install-asan/bin/okular+0x45100b)
    #74 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #75 0x44f01c in _start (KDE/install-asan/bin/okular+0x44f01c)

0x60300004d300 is located 16 bytes inside of 24-byte region [0x60300004d2f0,0x60300004d308)
freed by thread T0 here:
    #0 0x43a63a in operator delete(void*) (KDE/install-asan/bin/okular+0x43a63a)
    #1 0x7f5079e2d9a6 in Okular::Document::~Document() KDE/kde/kdegraphics/okular/core/document.cpp:2202
    #2 0x7f507a2e1ee2 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:880
    #3 0x7f507a2e14c5 in ~Part KDE/kde/kdegraphics/okular/part.cpp:857
    #4 0x7f507a2e14c5 in Okular::Part::~Part() KDE/kde/kdegraphics/okular/part.cpp:857
    #5 0x7f50890e5ec3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24cec3)
    #6 0x7f508a3d3e62 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a8e62)
    #7 0x7f508aa0a314 in QMainWindow::~QMainWindow() (qt4/lib/libQtGui.so.4+0x8df314)
    #8 0x7f508bf36b5e in KMainWindow::~KMainWindow() KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:473
    #9 0x7f508c047ee1 in KXmlGuiWindow::~KXmlGuiWindow() KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:122
    #10 0x7f508db8bd2c in KParts::MainWindow::~MainWindow() KDE/kde/kdelibs/kparts/mainwindow.cpp:79
    #11 0x466a93 in Shell::~Shell() (KDE/install-asan/bin/okular+0x466a93)
    #12 0x465ae3 in Shell::~Shell() (KDE/install-asan/bin/okular+0x465ae3)
    #13 0x7f50890e6f2d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24df2d)
    #14 0x7f50890e6a97 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24da97)
    #15 0x7f508a3eb095 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0095)
    #16 0x7f508aa0cca2 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1ca2)
    #17 0x7f508bf42133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #18 0x7f508c0480b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #19 0x7f508a3601de in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2351de)
    #20 0x7f508a36607b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b07b)
    #21 0x7f508bc22340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #22 0x7f50890c6135 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22d135)
    #23 0x7f50890ca639 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x231639)
    #24 0x7f50890c773e in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22e73e)
    #25 0x7f50890c66a7 in QCoreApplication::sendPostedEvents(QObject*, int) (qt4/lib/libQtCore.so.4+0x22d6a7)
    #26 0x7f5089114f07 in QCoreApplication::sendPostedEvents() (qt4/lib/libQtCore.so.4+0x27bf07)
    #27 0x7f5089113e1a in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qt4/lib/libQtCore.so.4+0x27ae1a)
    #28 0x7f5084b19d12 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x47d12)

previously allocated by thread T0 here:
    #0 0x43a3ba in operator new(unsigned long) (KDE/install-asan/bin/okular+0x43a3ba)
    #1 0x7f507a2c4975 in Okular::Part::Part(QWidget*, QObject*, QList<QVariant> const&, KComponentData) KDE/kde/kdegraphics/okular/part.cpp:355
    #2 0x7f507a2c36dc in Okular::PartFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) KDE/kde/kdegraphics/okular/part.cpp:171
    #3 0x472c94 in KParts::ReadWritePart* KPluginFactory::create<KParts::ReadWritePart>(QObject*, QList<QVariant> const&) (KDE/install-asan/bin/okular+0x472c94)
    #4 0x45f135 in Shell::Shell(QString const&) (KDE/install-asan/bin/okular+0x45f135)
    #5 0x45ab67 in Okular::main(QStringList const&, QString const&) (KDE/install-asan/bin/okular+0x45ab67)
    #6 0x4513f5 in main (KDE/install-asan/bin/okular+0x4513f5)
    #7 0x7f50879f376c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)

SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdegraphics/okular/core/document.cpp:2815 Okular::Document::stopFontReading()
Shadow bytes around the buggy address:
  0x0c0680001a10: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680001a20: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fd fd
  0x0c0680001a30: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x0c0680001a40: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c0680001a50: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
=>0x0c0680001a60:[fd]fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680001a70: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680001a80: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c0680001a90: fd fd fa fa fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0680001aa0: fd fd fd fd fa fa fd fd fd fa fa fa fa fa fa fa
  0x0c0680001ab0: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4455==ABORTING

The properties dialog spins a nested event loop, and the close event destroys the property dialog that is subsequently accessed by the handler still on stack. I shall be happy to supply any other information to help fix this UAF vulnerability.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Okular-devel mailing list
Okular-devel@kde.org
https://mail.kde.org/mailman/listinfo/okular-devel
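The teardown order the two stacks in the report record (Okular::Part::~Part frees the Document at part.cpp:880, then Qt's deleteChildren() destroys the child widgets, so ~PropertiesDialog at propertiesdialog.cpp:178 calls stopFontReading() on freed memory, all while QDialog::exec() is still on the stack) can be reproduced in miniature without Qt. The following is an added example written for this page, not Okular code: a tiny posted-event queue stands in for the nested event loop, a liveness registry stands in for ASan's shadow memory so the unsafe variant reports the dangling access instead of performing it, and std::weak_ptr plays the role a QPointer would play in Qt. Every type and function name below (EventQueue, DialogRaw, DialogGuarded, Part, runScenario) is a hypothetical stand-in.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <queue>
#include <set>
#include <string>
#include <vector>

// Added example, not Okular code. All names are hypothetical stand-ins.
using Log = std::vector<std::string>;

// Stand-in for Qt's posted-event queue: the top-level loop and a nested
// QDialog::exec() drain the same queue, so a deferred delete posted while a
// modal dialog is open is delivered with the dialog still on the stack.
struct EventQueue {
    std::queue<std::function<void()>> posted;
    void post(std::function<void()> f) { posted.push(std::move(f)); }
    void processPosted() {
        while (!posted.empty()) {
            auto f = std::move(posted.front());
            posted.pop();
            f();
        }
    }
};

struct Document {
    bool fontReading = true;
    void stopFontReading() { fontReading = false; }
};

// Stand-in for ASan's shadow memory: which Documents are still live, so the
// unsafe dialog can report a dangling access instead of dereferencing it.
static std::set<const Document*> g_liveDocuments;

// Unsafe pattern: a raw, non-owning pointer used unconditionally in the
// destructor (the shape of the report above).
struct DialogRaw {
    Document* doc;
    Log* log;
    DialogRaw(const std::shared_ptr<Document>& d, Log* l) : doc(d.get()), log(l) {}
    ~DialogRaw() {
        if (g_liveDocuments.count(doc) == 0) {
            log->push_back("heap-use-after-free: Document freed before dialog");
            return;  // an uninstrumented build would read freed memory here
        }
        doc->stopFontReading();
        log->push_back("stopFontReading ok");
    }
};

// Hardened pattern: a weak reference (QPointer analogue) checked before use.
struct DialogGuarded {
    std::weak_ptr<Document> doc;
    Log* log;
    DialogGuarded(const std::shared_ptr<Document>& d, Log* l) : doc(d), log(l) {}
    ~DialogGuarded() {
        if (auto d = doc.lock()) {
            d->stopFontReading();
            log->push_back("stopFontReading ok");
        } else {
            log->push_back("document gone, skipped stopFontReading");
        }
    }
};

// Owner of both objects. Its destructor mirrors the order in the trace:
// the Document first, the child widgets (the dialog) afterwards.
template <class Dialog>
struct Part {
    std::shared_ptr<Document> doc = std::make_shared<Document>();
    std::unique_ptr<Dialog> dialog;
    explicit Part(Log* log) : dialog(std::make_unique<Dialog>(doc, log)) {
        g_liveDocuments.insert(doc.get());
    }
    ~Part() {
        g_liveDocuments.erase(doc.get());
        doc.reset();     // Document deleted (part.cpp:880 in the report)
        dialog.reset();  // then children, as deleteChildren() does in the report
    }
};

// Scenario: the dialog is open (nested exec()), the main window is closed, and
// the resulting deferred delete of the Part is delivered by the nested loop.
template <class Dialog>
Log runScenario() {
    Log log;
    EventQueue queue;
    Part<Dialog>* part = new Part<Dialog>(&log);  // owned by the window in Okular
    queue.post([&] { delete part; log.push_back("part deleted inside nested loop"); });
    queue.processPosted();                        // the nested exec() drains the queue
    log.push_back("exec() returned");             // the dialog is gone; do not touch it
    return log;
}

Log unsafeScenario()  { return runScenario<DialogRaw>(); }
Log guardedScenario() { return runScenario<DialogGuarded>(); }

int main() {
    for (const std::string& line : unsafeScenario())  std::cout << "unsafe:  " << line << '\n';
    for (const std::string& line : guardedScenario()) std::cout << "guarded: " << line << '\n';
}
```

The first log line of each run is the point: the raw-pointer dialog would touch the Document after the Part freed it, while the guarded dialog observes that the weak reference has expired and skips the call. The guard is a containment measure; the ordering fix is for the owner to tear down dialogs that reference a Document before it frees that Document, and to defer destructive work queued during a nested exec() until the nested loop has returned. On the real code base the detection path is the one the reporter used: build with -fsanitize=address and walk the repro steps.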