Heap use-after-free in KCM module
I use Gentoo latest ~amd64. Relevant package versions:
[IP-] [ ] kde-plasma/systemsettings-5.21.3:5
[IP-] [ ] kde-plasma/plasma-firewall-5.21.3:5
Steps to reproduce: open System Settings (systemsettings5, not kcm_shell), enter Firewall, enter something else, enter Firewall again.
Reproducible: always.
AddressSanitizer report below:
==6156==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000170290 at pc 0x7f4316b1ee91 bp 0x7ffee719d170 sp 0x7ffee719d160
READ of size 8 at 0x60f000170290 thread T0
#0 0x7f4316b1ee90 in FirewallClient::capabilities() const /usr/src/debug/kde-plasma/plasma-firewall-5.21.3/plasma-firewall-5.21.3/kcm/core/firewallclient.cpp:155
#1 0x7f4316b9cbed in KCMFirewall::KCMFirewall(QObject*, QList<QVariant> const&) /usr/src/debug/kde-plasma/plasma-firewall-5.21.3/plasma-firewall-5.21.3/kcm/kcm.cpp:36
#2 0x7f4316ba4ef9 in QObject* KPluginFactory::createInstance<KCMFirewall, QObject>(QWidget*, QObject*, QList<QVariant> const&) /usr/include/KF5/KCoreAddons/kpluginfactory.h:726
#3 0x7f4337083ef1 in KPluginFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) (/usr/lib64/libKF5CoreAddons.so.5+0x4aef1)
#4 0x7f4338487997 in KCModuleLoader::loadModule(KCModuleInfo const&, KCModuleLoader::ErrorReporting, QWidget*, QStringList const&) (/usr/lib64/libKF5KCMUtils.so.5+0x1f997)
#5 0x7f4338490251 (/usr/lib64/libKF5KCMUtils.so.5+0x28251)
#6 0x7f43384906c7 in KCModuleProxy::realModule() const (/usr/lib64/libKF5KCMUtils.so.5+0x286c7)
#7 0x7f4338490dc2 in KCModuleProxy::showEvent(QShowEvent*) (/usr/lib64/libKF5KCMUtils.so.5+0x28dc2)
#8 0x7f43378a6ead in QWidget::event(QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x1a8ead)
#9 0x7f4337863162 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x165162)
#10 0x7f433786c1df in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x16e1df)
#11 0x7f4336d71c37 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x25ac37)
#12 0x7f43378a380b in QWidgetPrivate::show_helper() (/usr/lib64/libQt5Widgets.so.5+0x1a580b)
#13 0x7f43378a3768 in QWidgetPrivate::showChildren(bool) (/usr/lib64/libQt5Widgets.so.5+0x1a5768)
#14 0x7f43378a37e7 in QWidgetPrivate::show_helper() (/usr/lib64/libQt5Widgets.so.5+0x1a57e7)
#15 0x7f43378a6922 in QWidgetPrivate::setVisible(bool) (/usr/lib64/libQt5Widgets.so.5+0x1a8922)
#16 0x7f43378a3748 in QWidgetPrivate::showChildren(bool) (/usr/lib64/libQt5Widgets.so.5+0x1a5748)
#17 0x7f43378a37e7 in QWidgetPrivate::show_helper() (/usr/lib64/libQt5Widgets.so.5+0x1a57e7)
#18 0x7f43378a6922 in QWidgetPrivate::setVisible(bool) (/usr/lib64/libQt5Widgets.so.5+0x1a8922)
#19 0x7f433788ac4f in QStackedLayout::setCurrentIndex(int) (/usr/lib64/libQt5Widgets.so.5+0x18cc4f)
#20 0x7f433788aef8 in QStackedLayout::setCurrentWidget(QWidget*) (/usr/lib64/libQt5Widgets.so.5+0x18cef8)
#21 0x7f4337a1feb4 in QStackedWidget::setCurrentWidget(QWidget*) (/usr/lib64/libQt5Widgets.so.5+0x321eb4)
#22 0x7f433801e709 (/usr/lib64/libKF5WidgetsAddons.so.5+0xef709)
#23 0x7f4336da12ef (/usr/lib64/libQt5Core.so.5+0x28a2ef)
#24 0x7f4336d35e06 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib64/libQt5Core.so.5+0x21ee06)
#25 0x7f4336d3e15d in QItemSelectionModel::select(QItemSelection const&, QFlags<QItemSelectionModel::SelectionFlag>) (/usr/lib64/libQt5Core.so.5+0x22715d)
#26 0x7f4336d3980c in QItemSelectionModel::select(QModelIndex const&, QFlags<QItemSelectionModel::SelectionFlag>) (/usr/lib64/libQt5Core.so.5+0x22280c)
#27 0x7f4336d375cb in QItemSelectionModel::setCurrentIndex(QModelIndex const&, QFlags<QItemSelectionModel::SelectionFlag>) (/usr/lib64/libQt5Core.so.5+0x2205cb)
#28 0x7f433801ca46 (/usr/lib64/libKF5WidgetsAddons.so.5+0xeda46)
#29 0x7f433801e59a (/usr/lib64/libKF5WidgetsAddons.so.5+0xef59a)
#30 0x7f4336da12ef (/usr/lib64/libQt5Core.so.5+0x28a2ef)
#31 0x7f4336d27df5 in QAbstractItemModel::layoutChanged(QList<QPersistentModelIndex> const&, QAbstractItemModel::LayoutChangeHint) (/usr/lib64/libQt5Core.so.5+0x210df5)
#32 0x7f4338024e6b in KPageWidgetModel::addPage(KPageWidgetItem*) (/usr/lib64/libKF5WidgetsAddons.so.5+0xf5e6b)
#33 0x7f431d01f73c (/usr/lib64/qt5/plugins/systemsettingsview/systemsettings_sidebar_mode.so+0x2373c)
#34 0x7f431d012256 (/usr/lib64/qt5/plugins/systemsettingsview/systemsettings_sidebar_mode.so+0x16256)
#35 0x7f431d0102dc (/usr/lib64/qt5/plugins/systemsettingsview/systemsettings_sidebar_mode.so+0x142dc)
#36 0x7f431d010c12 (/usr/lib64/qt5/plugins/systemsettingsview/systemsettings_sidebar_mode.so+0x14c12)
#37 0x7f4335eaa1cc (/usr/lib64/libQt5Qml.so.5+0x2b01cc)
#38 0x7f4335d8ef3d (/usr/lib64/libQt5Qml.so.5+0x194f3d)
#39 0x7f4335d90dc4 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const (/usr/lib64/libQt5Qml.so.5+0x196dc4)
#40 0x7f4335dac563 (/usr/lib64/libQt5Qml.so.5+0x1b2563)
#41 0x7f4335daf1ce (/usr/lib64/libQt5Qml.so.5+0x1b51ce)
#42 0x7f4335d49dfc in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) (/usr/lib64/libQt5Qml.so.5+0x14fdfc)
#43 0x7f4335ec68b7 in QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) (/usr/lib64/libQt5Qml.so.5+0x2cc8b7)
#44 0x7f4335e78dba in QQmlBoundSignalExpression::evaluate(void**) (/usr/lib64/libQt5Qml.so.5+0x27edba)
#45 0x7f4335e792c7 (/usr/lib64/libQt5Qml.so.5+0x27f2c7)
#46 0x7f4335ea9c93 in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) (/usr/lib64/libQt5Qml.so.5+0x2afc93)
#47 0x7f4336da1211 (/usr/lib64/libQt5Core.so.5+0x28a211)
#48 0x7f432e597100 in QQuickAbstractButtonPrivate::handleRelease(QPointF const&) (/usr/lib64/libQt5QuickTemplates2.so.5+0x87100)
#49 0x7f432e5b6b44 in QQuickControl::mouseReleaseEvent(QMouseEvent*) (/usr/lib64/libQt5QuickTemplates2.so.5+0xa6b44)
#50 0x7f43362a7ce7 in QQuickItem::event(QEvent*) (/usr/lib64/libQt5Quick.so.5+0x24bce7)
#51 0x7f4337863162 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x165162)
#52 0x7f433786c1df in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x16e1df)
#53 0x7f4336d71c37 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x25ac37)
#54 0x7f43362c489c in QQuickWindowPrivate::deliverMouseEvent(QQuickPointerMouseEvent*) (/usr/lib64/libQt5Quick.so.5+0x26889c)
#55 0x7f43362c5c39 in QQuickWindowPrivate::deliverPointerEvent(QQuickPointerEvent*) (/usr/lib64/libQt5Quick.so.5+0x269c39)
#56 0x7f4337267194 in QWindow::event(QEvent*) (/usr/lib64/libQt5Gui.so.5+0x12e194)
#57 0x7f4337863162 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x165162)
#58 0x7f433786c1df in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x16e1df)
#59 0x7f4336d71c37 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x25ac37)
#60 0x7f43365ec096 in QQuickWidget::mouseReleaseEvent(QMouseEvent*) (/usr/lib64/libQt5QuickWidgets.so.5+0xf096)
#61 0x7f43378a6ead in QWidget::event(QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x1a8ead)
#62 0x7f4337863162 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x165162)
#63 0x7f433786c49a in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x16e49a)
#64 0x7f4336d71c37 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x25ac37)
#65 0x7f433786b673 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib64/libQt5Widgets.so.5+0x16d673)
#66 0x7f43378c237d (/usr/lib64/libQt5Widgets.so.5+0x1c437d)
#67 0x7f43378c56eb (/usr/lib64/libQt5Widgets.so.5+0x1c76eb)
#68 0x7f4337863162 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x165162)
#69 0x7f433786c1df in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x16e1df)
#70 0x7f4336d71c37 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x25ac37)
#71 0x7f433725b9ef in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib64/libQt5Gui.so.5+0x1229ef)
#72 0x7f433723d52a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Gui.so.5+0x10452a)
#73 0x7f432f0d3019 (/usr/lib64/libQt5XcbQpa.so.5+0x63019)
#74 0x7f4334c5c54a in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x5354a)
#75 0x7f4334c5c807 (/usr/lib64/libglib-2.0.so.0+0x53807)
#76 0x7f4334c5c8be in g_main_context_iteration (/usr/lib64/libglib-2.0.so.0+0x538be)
#77 0x7f4336dbe9bf in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Core.so.5+0x2a79bf)
#78 0x7f4336d7065a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Core.so.5+0x25965a)
#79 0x7f4336d782bc in QCoreApplication::exec() (/usr/lib64/libQt5Core.so.5+0x2612bc)
#80 0x5577115c0688 (/usr/bin/systemsettings5+0x15688)
#81 0x7f4336663e39 in __libc_start_main ../csu/libc-start.c:314
#82 0x5577115c1179 in _start (/usr/bin/systemsettings5+0x16179)
0x60f000170290 is located 0 bytes inside of 168-byte region [0x60f000170290,0x60f000170338)
freed by thread T0 here:
#0 0x7f43385a4d07 in operator delete(void*) (/usr/lib/gcc/x86_64-pc-linux-gnu/10.2.0/libasan.so.6+0xb3d07)
#1 0x7f4336d996d1 in QObjectPrivate::deleteChildren() (/usr/lib64/libQt5Core.so.5+0x2826d1)
previously allocated by thread T0 here:
#0 0x7f43385a41a7 in operator new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/10.2.0/libasan.so.6+0xb31a7)
#1 0x7f4316aaf6a8 in QObject* KPluginFactory::createInstance<FirewalldClient, QObject>(QWidget*, QObject*, QList<QVariant> const&) /usr/include/KF5/KCoreAddons/kpluginfactory.h:726
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/kde-plasma/plasma-firewall-5.21.3/plasma-firewall-5.21.3/kcm/core/firewallclient.cpp:155 in FirewallClient::capabilities() const
Shadow bytes around the buggy address:
0x0c1e80026000: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c1e80026010: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c1e80026020: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c1e80026030: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e80026040: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c1e80026050: fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e80026060: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1e80026070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e80026080: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
0x0c1e80026090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e800260a0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6156==ABORTING
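What the report pins down: the 168-byte object was allocated by KPluginFactory::createInstance<FirewalldClient> (the backend client is a plugin-created QObject), it was freed by QObjectPrivate::deleteChildren() (so it was a child of some parent that was destroyed when the first module went away), and the freed read happens in FirewallClient::capabilities() called from the KCMFirewall constructor the second time the module is loaded. The trace does not show how the second KCMFirewall obtained a pointer to the first module's child; the model below assumes a process-wide cached raw pointer, which is the usual way this shape arises. The code is an added illustration, not plasma-firewall's source, and uses a tiny stand-in for QObject parent/child ownership so it runs without Qt; the liveness registry exists only so the demo can report the dangling pointer instead of performing the freed read that ASan caught.

```cpp
#include <set>
#include <string>
#include <vector>

// Stand-in for QObject ownership: deleting a parent deletes every child
// (the role QObjectPrivate::deleteChildren() plays in the ASan trace).
struct Object {
    Object* parent = nullptr;
    std::vector<Object*> children;
    explicit Object(Object* p = nullptr) : parent(p) {
        if (p) p->children.push_back(this);
    }
    virtual ~Object() {
        std::vector<Object*> kids;
        kids.swap(children);
        for (Object* c : kids) { c->parent = nullptr; delete c; }
    }
};

// Registry of live client objects. Real code has no such check: it reads the
// freed region, which is what ASan reported. Here it lets the demo detect the
// dangling pointer without committing undefined behaviour.
static std::set<const void*>& liveClients() {
    static std::set<const void*> s;
    return s;
}
static bool isLive(const void* p) { return liveClients().count(p) != 0; }

struct FirewallClient : Object {
    explicit FirewallClient(Object* owner) : Object(owner) { liveClients().insert(this); }
    ~FirewallClient() override { liveClients().erase(this); }
    std::string capabilities() const { return "demo-capabilities"; }  // constructed value
};

// ASSUMED buggy shape (not shown by the trace): a process-wide cache hands the
// second module the client that the first module's destructor already freed.
static FirewallClient* g_cachedClient = nullptr;
FirewallClient* loadClientBuggy(Object* module) {
    if (!g_cachedClient) g_cachedClient = new FirewallClient(module);  // child of the FIRST module only
    return g_cachedClient;   // dangling once that module is deleted
}

// Fix: tie the client's lifetime to the module that uses it (in Qt terms, make
// it a child of the current KCM and never keep a raw pointer across plugin
// instances; a QPointer would at least null itself on deletion).
FirewallClient* loadClientFixed(Object* module) {
    return new FirewallClient(module);
}

struct KCMFirewall : Object {
    bool dangling = false;
    std::string caps;
    explicit KCMFirewall(FirewallClient* (*load)(Object*)) {
        FirewallClient* client = load(this);
        if (!isLive(client)) { dangling = true; return; }  // the freed read at firewallclient.cpp:155 in real code
        caps = client->capabilities();
    }
};

// Mirrors the reported steps: open Firewall, leave it (module destroyed),
// open it again. Returns how many module constructions hit a freed client.
int reproduce(FirewallClient* (*load)(Object*)) {
    int hits = 0;
    KCMFirewall* first = new KCMFirewall(load);
    hits += first->dangling;
    delete first;                      // deleteChildren(): frees the client too
    KCMFirewall* second = new KCMFirewall(load);
    hits += second->dangling;
    delete second;
    return hits;
}

int main() {
    return (reproduce(loadClientBuggy) == 1 && reproduce(loadClientFixed) == 0) ? 0 : 1;
}
```

reproduce(loadClientBuggy) reports one hit on the second construction, reproduce(loadClientFixed) none; the buggy global stays dangling afterwards, so call that path once per process. Under a real build the equivalent check is to run systemsettings5 with an ASan-instrumented plasma-firewall and confirm the free site is the previous module's destructor, as the report above already shows.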