Fix use-after-free when closing Discover (!1090) · Merge requests · Plasma / Discover

When closing Discover:

First, ResourcesModel::~ResourcesModel() is called, with AbstractResource (child object of AbstractResourcesBackend) freed.
Next, DiscoverObject::~DiscoverObject() is called, with its child object timeout destroyed. Then, openResourceOrWait() is invoked, and res.resource->isInstalled() accesses freed memory (use-after-free).

Changes:

Add m_isDeleting to avoid accessing freed memory during destruction.
Rename variables for readability.

BUG: 466619

Possible approaches

Check DiscoverObject::m_isDeleting in openResourceOrWait().
disconnect all QTimer at the start of DiscoverObject destruction.
Swap the destruction order of ResourcesModel and DiscoverObject.
Implement ResourcesModel::isModelNull() and check it in openResourceOrWait().
...

This Merge Request chooses Approach 1, because it is easy to implement.

Test

Steps to reproduce the crash (metioned in bug 477111):

Press Win to open the Application Launcher.
Right click an application in the Application Launcher, select Uninstall or Manage Add-Ons....
Close the Discover when it is still loading.

Note: Steps 1-2 can be replaced with direct CLI execution:

plasma-discover appstream://org.kde.discover.desktop

After modification, Discover will not crash.

Limitations

With Approach 1, there is a low probability that the QTimer may be triggered during the destruction of ResourcesModel, potentially leading to a UAF. Approach 4 can avoid this issue.

Edited May 23, 2025 by Wendi Gan

Fix use-after-free when closing Discover

Possible approaches

Test

Limitations

Merge request reports