
Use-after-free when renaming folder via properties dialog

Steps to reproduce

  1. mkdir -p test/z
  2. thunar test/
  3. Double-click on the z folder
  4. Press the back button
  5. Right-click on the z folder and select Properties
  6. Change the folder name to zz and press Close

--> After step 6, a CRITICAL warning is printed to the console and the test folder appears empty in Thunar. The AddressSanitizer report below shows that the properties dialog instance (allocated in thunar_properties_dialog_new) has already been freed from thunar_file_dispose, via thunar_file_monitor, by the time the rename job's finished callback, thunar_properties_dialog_rename_finished, dereferences it.

Debugging

thunar-CRITICAL **: 17:52:28.571: thunar_properties_dialog_rename_finished: assertion '(((__extension__ ({ GTypeInstance *__inst = (GTypeInstance*) ((dialog)); GType __t = ((thunar_properties_dialog_get_type ())); gboolean __r; if (!__inst) __r = (0); else if (__inst->g_class && __inst->g_class->g_type == __t) __r = (!(0)); else __r = g_type_check_instance_is_a (__inst, __t); __r; }))))' failed

ERROR: AddressSanitizer: heap-use-after-free on address 0x519000351e10 at pc 0x56e2c6a7373c bp 0x7ffe62229720 sp 0x7ffe62229718
READ of size 8 at 0x519000351e10 thread T0
    #0 0x56e2c6a7373b in thunar_properties_dialog_rename_finished /home/s/code/thunar/thunar/thunar-properties-dialog.c:1100:3
    #1 0x7e4304cb86bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf)
    #2 0x7e4304ce6a35  (/usr/lib/libgobject-2.0.so.0+0x42a35)
    #3 0x7e4304cd7a41  (/usr/lib/libgobject-2.0.so.0+0x33a41)
    #4 0x7e4304cd7c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #5 0x7e4304cd7d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #6 0x7e43051bdc8f in exo_job_finished /home/s/code/exo/exo/exo-job.c:437:3
    #7 0x7e43051bdc8f in exo_job_async_ready /home/s/code/exo/exo/exo-job.c:274:3
    #8 0x7e43051bdc8f in exo_job_async_ready /home/s/code/exo/exo/exo-job.c:255:1
    #9 0x7e4304134f68  (/usr/lib/libglib-2.0.so.0+0x59f68)
    #10 0x7e43041933a6  (/usr/lib/libglib-2.0.so.0+0xb83a6)
    #11 0x7e4304133161 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58161)
    #12 0x7e4304306b65 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfb65)
    #13 0x56e2c694b0ea in main /home/s/code/thunar/thunar/main.c:86:3
    #14 0x7e4303f1eccf  (/usr/lib/libc.so.6+0x25ccf)
    #15 0x7e4303f1ed89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89)
    #16 0x56e2c67f46b4 in _start (/usr/local/bin/thunar+0x1ac6b4)

0x519000351e10 is located 656 bytes inside of 1056-byte region [0x519000351b80,0x519000351fa0)
freed by thread T0 here:
    #0 0x56e2c68e2862 in free.part.0 (/usr/local/bin/thunar+0x29a862)
    #1 0x7e4304cddbd0 in g_type_free_instance (/usr/lib/libgobject-2.0.so.0+0x39bd0)
    #2 0x7e4304cb86bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf)
    #3 0x7e4304ce6a35  (/usr/lib/libgobject-2.0.so.0+0x42a35)
    #4 0x7e4304cd7a41  (/usr/lib/libgobject-2.0.so.0+0x33a41)
    #5 0x7e4304cd7c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #6 0x7e4304cd7d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #7 0x56e2c69e3428 in thunar_file_dispose /home/s/code/thunar/thunar/thunar-file.c:468:7
    #8 0x7e4304cc68ff in g_object_run_dispose (/usr/lib/libgobject-2.0.so.0+0x228ff)
    #9 0x56e2c69e0466 in thunar_file_destroy /home/s/code/thunar/thunar/thunar-file.c:4378:7
    #10 0x56e2c69dfe43 in thunar_file_monitor /home/s/code/thunar/thunar/thunar-file.c:816:11
    #11 0x7e430429a558  (/usr/lib/libgio-2.0.so.0+0x73558)
    #12 0x7e4304cd7b72  (/usr/lib/libgobject-2.0.so.0+0x33b72)
    #13 0x7e4304cd7c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #14 0x7e4304cd7d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #15 0x7e430435ef2b  (/usr/lib/libgio-2.0.so.0+0x137f2b)
    #16 0x7e4304134f68  (/usr/lib/libglib-2.0.so.0+0x59f68)
    #17 0x7e43041933a6  (/usr/lib/libglib-2.0.so.0+0xb83a6)
    #18 0x7e4304133161 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58161)
    #19 0x7e4304306b65 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfb65)
    #20 0x56e2c694b0ea in main /home/s/code/thunar/thunar/main.c:86:3
    #21 0x7e4303f1eccf  (/usr/lib/libc.so.6+0x25ccf)
    #22 0x7e4303f1ed89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89)
    #23 0x56e2c67f46b4 in _start (/usr/local/bin/thunar+0x1ac6b4)

previously allocated by thread T0 here:
    #0 0x56e2c68e3c01 in calloc (/usr/local/bin/thunar+0x29bc01)
    #1 0x7e430413f2ba in g_malloc0 (/usr/lib/libglib-2.0.so.0+0x642ba)
    #2 0x7e4304ce3086 in g_type_create_instance (/usr/lib/libgobject-2.0.so.0+0x3f086)
    #3 0x7e4304cc8d90  (/usr/lib/libgobject-2.0.so.0+0x24d90)
    #4 0x7e4304ccaf0a in g_object_new_valist (/usr/lib/libgobject-2.0.so.0+0x26f0a)
    #5 0x7e4304ccb29d in g_object_new (/usr/lib/libgobject-2.0.so.0+0x2729d)
    #6 0x56e2c6a68b66 in thunar_properties_dialog_new /home/s/code/thunar/thunar/thunar-properties-dialog.c:1817:10
    #7 0x56e2c6963ba2 in thunar_action_manager_action_properties /home/s/code/thunar/thunar/thunar-action-manager.c:2206:16
    #8 0x7e4304cb86bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf)
    #9 0x7e4304ce6a35  (/usr/lib/libgobject-2.0.so.0+0x42a35)
    #10 0x7e4304cd7a41  (/usr/lib/libgobject-2.0.so.0+0x33a41)
    #11 0x7e4304cd7c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #12 0x7e4304cd7d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #13 0x7e430474128c in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x34128c)
    #14 0x7e43046052ac in gtk_menu_shell_activate_item (/usr/lib/libgtk-3.so.0+0x2052ac)
    #15 0x7e43046055e9  (/usr/lib/libgtk-3.so.0+0x2055e9)
    #16 0x7e4304487828  (/usr/lib/libgtk-3.so.0+0x87828)
    #17 0x7e4304cd7b72  (/usr/lib/libgobject-2.0.so.0+0x33b72)
    #18 0x7e4304cd7c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #19 0x7e4304cd7d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #20 0x7e4304754cd4  (/usr/lib/libgtk-3.so.0+0x354cd4)
    #21 0x7e43045eec6a  (/usr/lib/libgtk-3.so.0+0x1eec6a)
    #22 0x7e43045ef796 in gtk_main_do_event (/usr/lib/libgtk-3.so.0+0x1ef796)
    #23 0x7e4304f85b76  (/usr/lib/libgdk-3.so.0+0x33b76)
    #24 0x7e4304fde437  (/usr/lib/libgdk-3.so.0+0x8c437)
    #25 0x7e4304134f68  (/usr/lib/libglib-2.0.so.0+0x59f68)
    #26 0x7e43041933a6  (/usr/lib/libglib-2.0.so.0+0xb83a6)
    #27 0x7e4304135b96 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x5ab96)

SUMMARY: AddressSanitizer: heap-use-after-free /home/s/code/thunar/thunar/thunar-properties-dialog.c:1100:3 in thunar_properties_dialog_rename_finished
Shadow bytes around the buggy address:
  0x519000351b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x519000351e00: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x519000351f80: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000352000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000352080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Version: f399822b