Use-after-free when removing directory while permissions dialog is active
Steps to reproduce

mkdir ./perms
thunar ./

- Right-click on the `perms` directory and open the Properties dialog
- Go to the Permissions tab
- Change the group Access value from `Read only` to `Read & Write`
- While the "Apply recursively" prompt is open, run `rmdir perms` in a terminal to trigger a use-after-free and a CRITICAL
Debugging
(thunar:367442): Gtk-CRITICAL **: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
ERROR: AddressSanitizer: heap-use-after-free on address 0x5140000ce570 at pc 0x555555b2dba2 bp 0x7fffffffcd10 sp 0x7fffffffcd08
READ of size 8 at 0x5140000ce570 thread T0
#0 0x555555b2dba1 in thunar_permissions_chooser_file_changed /home/s/code/thunar/thunar/thunar-permissions-chooser.c:898:3
#1 0x555555b3154e in thunar_permissions_chooser_change_mode /home/s/code/thunar/thunar/thunar-permissions-chooser.c:776:11
#2 0x555555b2e90e in thunar_permissions_chooser_access_changed /home/s/code/thunar/thunar/thunar-permissions-chooser.c:830:7
#3 0x7ffff7a4b72f in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#4 0x7ffff7a7a895 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3888:8
#5 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#6 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#7 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#8 0x7ffff72fdd12 in gtk_combo_box_set_active_internal /usr/src/debug/gtk3/build/../gtk/gtk/gtkcombobox.c:3855:3
#9 0x7ffff72fe43f in gtk_combo_box_set_active_iter /usr/src/debug/gtk3/build/../gtk/gtk/gtkcombobox.c:3917:3
#10 0x7ffff72fe43f in gtk_combo_box_set_active_iter /usr/src/debug/gtk3/build/../gtk/gtk/gtkcombobox.c:3907:1
#11 0x7ffff72fe8d3 in gtk_combo_box_menu_activate /usr/src/debug/gtk3/build/../gtk/gtk/gtkcombobox.c:2829:5
#12 0x7ffff7a49fbf in g_cclosure_marshal_VOID__STRINGv /usr/src/debug/glib2/build/../glib/gobject/gmarshal.c:1462:3
#13 0x7ffff7a6b8d2 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:897:7
#14 0x7ffff7a6b8d2 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3424:8
#15 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#16 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#17 0x7ffff7506d76 in item_activated_cb /usr/src/debug/gtk3/build/../gtk/gtk/gtktreemenu.c:1427:7
#18 0x7ffff7506d76 in item_activated_cb /usr/src/debug/gtk3/build/../gtk/gtk/gtktreemenu.c:1413:1
#19 0x7ffff7a4b72f in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#20 0x7ffff7a7a895 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3888:8
#21 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#22 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#23 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#24 0x7ffff754128c in gtk_widget_activate /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7845:7
#25 0x7ffff74052ac in gtk_menu_shell_activate_item /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:1375:3
#26 0x7ffff74055e9 in gtk_menu_shell_button_release /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:791:19
#27 0x7ffff7287828 in _gtk_marshal_BOOLEAN__BOXEDv /usr/src/debug/gtk3/build/gtk/gtkmarshalers.c:130:14
#28 0x7ffff7a6b8d2 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:897:7
#29 0x7ffff7a6b8d2 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3424:8
#30 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#31 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#32 0x7ffff7554cd4 in gtk_widget_event_internal.part.0.lto_priv.0 /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7812:4
#33 0x7ffff73eec6a in propagate_event_up /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2588:25
#34 0x7ffff73eec6a in propagate_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2691:5
#35 0x7ffff73ef796 in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1921:9
#36 0x7ffff73ef796 in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1691:1
#37 0x7ffff7d1cb76 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:73:6
#38 0x7ffff7d1cb76 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:67:1
#39 0x7ffff7d75437 /usr/src/debug/gtk3/build/../gtk/gdk/x11/gdkeventsource.c:354:1
#40 0x7ffff6f40198 in g_main_dispatch /usr/src/debug/glib2/build/../glib/glib/gmain.c:3344:28
#41 0x7ffff6f9f3be in g_main_context_dispatch_unlocked /usr/src/debug/glib2/build/../glib/glib/gmain.c:4152:7
#42 0x7ffff6f9f3be in g_main_context_iterate_unlocked.isra.0 /usr/src/debug/glib2/build/../glib/glib/gmain.c:4217:5
#43 0x7ffff6f3f711 in g_main_context_iteration /usr/src/debug/glib2/build/../glib/glib/gmain.c:4282:12
#44 0x7ffff7109ed5 in g_application_run /usr/src/debug/glib2/build/../glib/gio/gapplication.c:2712:7
#45 0x555555a0d5de in main /home/s/code/thunar/thunar/main.c:86:3
#46 0x7ffff6d29ccf in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#47 0x7ffff6d29d89 in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3
#48 0x5555558af734 in _start (/usr/local/bin/thunar+0x35b734) (BuildId: 8a64c9dd51bfcd64)
0x5140000ce570 is located 304 bytes inside of 448-byte region [0x5140000ce440,0x5140000ce600)
freed by thread T0 here:
#0 0x55555599d8e2 in free.part.0 (/usr/local/bin/thunar+0x4498e2) (BuildId: 8a64c9dd51bfcd64)
#1 0x7ffff7a6ff80 in g_type_free_instance /usr/src/debug/glib2/build/../glib/gobject/gtype.c:2030:5
#2 0x7ffff7a5a732 in g_object_unref /usr/src/debug/glib2/build/../glib/gobject/gobject.c:4475:3
#3 0x7ffff74152e5 in gtk_notebook_forall /usr/src/debug/gtk3/build/../gtk/gtk/gtknotebook.c:4608:8
#4 0x7ffff730775d in gtk_container_destroy /usr/src/debug/gtk3/build/../gtk/gtk/gtkcontainer.c:1702:3
#5 0x7ffff7a4b695 in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#6 0x7ffff7a7aeb5 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:4008:7
#7 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#8 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#9 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#10 0x7ffff754f33d in gtk_widget_dispose /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:12166:7
#11 0x7ffff7a5a7d4 in g_object_run_dispose /usr/src/debug/glib2/build/../glib/gobject/gobject.c:1839:3
#12 0x7ffff7a5a7d4 in g_object_run_dispose /usr/src/debug/glib2/build/../glib/gobject/gobject.c:1829:1
#13 0x7ffff72b68ff in gtk_box_forall /usr/src/debug/gtk3/build/../gtk/gtk/gtkbox.c:2678:3
#14 0x7ffff730775d in gtk_container_destroy /usr/src/debug/gtk3/build/../gtk/gtk/gtkcontainer.c:1702:3
#15 0x7ffff7a4b695 in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#16 0x7ffff7a7aeb5 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:4008:7
#17 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#18 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#19 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#20 0x7ffff754f33d in gtk_widget_dispose /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:12166:7
#21 0x7ffff7a5a7d4 in g_object_run_dispose /usr/src/debug/glib2/build/../glib/gobject/gobject.c:1839:3
#22 0x7ffff7a5a7d4 in g_object_run_dispose /usr/src/debug/glib2/build/../glib/gobject/gobject.c:1829:1
#23 0x7ffff755f799 in gtk_window_forall /usr/src/debug/gtk3/build/../gtk/gtk/gtkwindow.c:8632:6
#24 0x7ffff730775d in gtk_container_destroy /usr/src/debug/gtk3/build/../gtk/gtk/gtkcontainer.c:1702:3
#25 0x7ffff7a4b72f in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#26 0x7ffff7a7aeb5 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:4008:7
#27 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#28 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#29 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
previously allocated by thread T0 here:
#0 0x55555599ec81 in calloc (/usr/local/bin/thunar+0x44ac81) (BuildId: 8a64c9dd51bfcd64)
#1 0x7ffff6f4651a in g_malloc0 /usr/src/debug/glib2/build/../glib/glib/gmem.c:133:13
#2 0x7ffff7a77000 in g_type_create_instance /usr/src/debug/glib2/build/../glib/gobject/gtype.c:1933:17
#3 0x7ffff7a5cb10 in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2603:24
#4 0x7ffff7a5e0c6 in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2600:6
#5 0x7ffff7a5e0c6 in g_object_new_with_properties /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2766:14
#6 0x7ffff7a5f009 in g_object_new /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2412:12
#7 0x555555b4e481 in thunar_properties_dialog_constructed /home/s/code/thunar/thunar/thunar-properties-dialog.c:917:33
#8 0x7ffff7a5cc65 in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2654:5
#9 0x7ffff7a5ec4a in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2920:29
#10 0x7ffff7a5ec4a in g_object_new_valist /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2942:16
#11 0x7ffff7a5efdd in g_object_new /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2415:12
#12 0x555555b45b4e in thunar_properties_dialog_new /home/s/code/thunar/thunar/thunar-properties-dialog.c:1832:10
#13 0x555555a2c1cd in thunar_action_manager_action_properties /home/s/code/thunar/thunar/thunar-action-manager.c:2206:16
#14 0x7ffff7a4b72f in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:834:7
#15 0x7ffff7a7a895 in signal_emit_unlocked_R.isra.0 /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3888:8
#16 0x7ffff7a6b7a1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3520:7
#17 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#18 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#19 0x7ffff754128c in gtk_widget_activate /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7845:7
#20 0x7ffff74052ac in gtk_menu_shell_activate_item /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:1375:3
#21 0x7ffff74055e9 in gtk_menu_shell_button_release /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:791:19
#22 0x7ffff7287828 in _gtk_marshal_BOOLEAN__BOXEDv /usr/src/debug/gtk3/build/gtk/gtkmarshalers.c:130:14
#23 0x7ffff7a6b8d2 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:897:7
#24 0x7ffff7a6b8d2 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3424:8
#25 0x7ffff7a6b9d6 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3263:7
#26 0x7ffff7a6ba93 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3583:3
#27 0x7ffff7554cd4 in gtk_widget_event_internal.part.0.lto_priv.0 /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7812:4
#28 0x7ffff73eec6a in propagate_event_up /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2588:25
#29 0x7ffff73eec6a in propagate_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2691:5
#30 0x7ffff73ef796 in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1921:9
#31 0x7ffff73ef796 in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1691:1
#32 0x7ffff7d1cb76 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:73:6
#33 0x7ffff7d1cb76 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:67:1
SUMMARY: AddressSanitizer: heap-use-after-free /home/s/code/thunar/thunar/thunar-permissions-chooser.c:898:3 in thunar_permissions_chooser_file_changed
Shadow bytes around the buggy address:
0x5140000ce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5140000ce300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5140000ce380: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x5140000ce400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x5140000ce480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x5140000ce500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x5140000ce580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5140000ce600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x5140000ce680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5140000ce700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5140000ce780: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Version: 2fcd48a9
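Reading the trace together with the steps: the freed 448-byte object is the permissions chooser created in thunar_properties_dialog_constructed, it is released by the dialog's destroy path (gtk_container_destroy → gtk_notebook_forall → g_object_unref) while the "Apply recursively" prompt is open, and it is then read in thunar_permissions_chooser_file_changed, called from thunar_permissions_chooser_change_mode, which was still on the stack. The defensive pattern for code that blocks in a nested prompt is to hold its own strong reference across the prompt and re-check liveness before touching the widget. The block below is an added C example, not Thunar or GTK code: it models that pattern with hypothetical toy types (Chooser, Dialog, run_prompt) that mimic GObject ref/unref and dispose; in real GTK code the equivalents are g_object_ref/g_object_unref plus a weak pointer or a destroy handler.

```c
/* Added example, not Thunar/GTK code: toy refcounted "chooser" widget owned
 * by a "dialog", modelling how to survive the dialog being destroyed while a
 * nested prompt is open. All type and function names are hypothetical. */
#include <stdlib.h>
#include <stdio.h>

static int frees_total = 0;   /* counts real free() calls, for checking */

typedef struct {
    int refcount;
    int disposed;   /* set by the owner's teardown, like GObject dispose */
    int mode;       /* permission bits the chooser currently shows */
} Chooser;

typedef struct {
    Chooser *chooser;   /* the dialog holds one strong reference */
} Dialog;

static Chooser *chooser_new(void)
{
    Chooser *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;
    c->mode = 0640;
    return c;
}

static Chooser *chooser_ref(Chooser *c) { c->refcount++; return c; }

static void chooser_unref(Chooser *c)
{
    if (--c->refcount == 0) {
        free(c);
        frees_total++;
    }
}

/* Teardown of the owning dialog: flag the child as disposed and drop the
 * owner's reference. Memory is released only when the last holder lets go. */
static void dialog_destroy(Dialog *d)
{
    if (d->chooser) {
        d->chooser->disposed = 1;
        chooser_unref(d->chooser);
        d->chooser = NULL;
    }
}

/* Stand-in for the "Apply recursively?" prompt. A real modal prompt spins a
 * nested main loop in which arbitrary handlers run; 'during' models one of
 * them (e.g. a file-removed notification that closes the dialog). */
typedef void (*during_prompt_fn)(Dialog *d);

static int run_prompt(during_prompt_fn during, Dialog *d)
{
    if (during) during(d);
    return 1;   /* user answered "yes" */
}

static void close_dialog_during_prompt(Dialog *d) { dialog_destroy(d); }

enum { MODE_APPLIED = 0, MODE_ABORTED_DISPOSED = 1 };

/* Defensive change_mode: own a reference across the prompt and re-check
 * liveness before touching the widget. Without the extra ref, the unref in
 * dialog_destroy() would free the object and the write below would be the
 * kind of heap-use-after-free ASan reports. */
static int chooser_change_mode(Dialog *d, int new_mode, during_prompt_fn during)
{
    Chooser *c = chooser_ref(d->chooser);
    int apply = run_prompt(during, d);
    int rc = MODE_APPLIED;

    if (c->disposed)
        rc = MODE_ABORTED_DISPOSED;   /* dialog is gone: nothing to update */
    else if (apply)
        c->mode = new_mode;

    chooser_unref(c);   /* last reference if the dialog already let go */
    return rc;
}

/* Scenario 1 (constructed): the directory is removed while the prompt is open. */
static int scenario_removed_during_prompt(void)
{
    Dialog d = { chooser_new() };
    frees_total = 0;
    int rc = chooser_change_mode(&d, 0660, close_dialog_during_prompt);
    dialog_destroy(&d);   /* no-op: already destroyed during the prompt */
    return rc;
}

/* Scenario 2 (constructed): nothing happens during the prompt; mode applied. */
static int scenario_normal_apply(void)
{
    Dialog d = { chooser_new() };
    frees_total = 0;
    int rc = chooser_change_mode(&d, 0660, NULL);
    int applied_mode = d.chooser->mode;
    dialog_destroy(&d);
    return rc == MODE_APPLIED && applied_mode == 0660;
}

static int frees_after_last_scenario(void) { return frees_total; }

int main(void)
{
    printf("removed during prompt: rc=%d frees=%d\n",
           scenario_removed_during_prompt(), frees_after_last_scenario());
    printf("normal apply ok: %d frees=%d\n",
           scenario_normal_apply(), frees_after_last_scenario());
    return 0;
}
```

In both scenarios the chooser is freed exactly once and only after change_mode has finished with it; the disposed check is what turns the removal race into a clean abort instead of a write through a dangling pointer.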