Use-after-free in SmcCloseConnection after libSM timeout
Version information
5e483a3d compiled on Arch Linux
Steps to reproduce
- Run
thunar -q - Run
gdb thunar - In gdb, run
b thunar_application_open_window - In gdb, run
rto run Thunar and trigger the breakpoint - Wait 60 seconds to allow a session manager timeout to occur
- In gdb, run
continue- You should trigger a SIGPIPE when continuing because of the timeout:
Thread 1 "thunar" received signal SIGPIPE, Broken pipe.
- You should trigger a SIGPIPE when continuing because of the timeout:
- In gdb, run
continueagain to open Thunar - Close the Thunar window to trigger a use-after-free
Current behavior
A use-after-free is triggered when closing Thunar
Expected outcome
No use-after-free or memory errors
Backtrace
ERROR: AddressSanitizer: heap-use-after-free on address 0x7d0feb66c468 at pc 0x7ffff5afc952 bp 0x7fffffffd7c0 sp 0x7fffffffd7b0
READ of size 8 at 0x7d0feb66c468 thread T0
#0 0x7ffff5afc951 in SmcCloseConnection libsm/src/sm_client.c:303
#1 0x5555559fc23a in thunar_session_client_finalize thunar/thunar-session-client.c:129
#2 0x7ffff5d2bd16 in g_object_unref gobject/gobject.c:4831
#3 0x5555558e8b9c in thunar_application_shutdown thunar/thunar-application.c:478
#4 0x7ffff5d19990 in g_cclosure_marshal_VOID__VOIDv gobject/gmarshal.c:165
#5 0x7ffff5d0ab2c in g_type_class_meta_marshalv gobject/gclosure.c:1145
#6 0x7ffff5d12922 in _g_closure_invoke_va gobject/gclosure.c:980
#7 0x7ffff5d5de57 in signal_emit_valist_unlocked gobject/gsignal.c:3438
#8 0x7ffff5d6c919 in g_signal_emit_valist gobject/gsignal.c:3277
#9 0x7ffff5d6ca40 in g_signal_emit gobject/gsignal.c:3597
#10 0x7ffff66d1449 in g_application_run gio/gapplication.c:2721
#11 0x5555558c9918 in main thunar/main.c:86
0x7d0feb66c468 is located 104 bytes inside of 216-byte region [0x7d0feb66c400,0x7d0feb66c4d8)
freed by thread T0 here:
#0 0x7ffff791f8fd in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x7ffff2d536a9 in _IceFreeConnection libice/src/shutdown.c:288
#2 0x7ffff2d5446b in IceCloseConnection libice/src/shutdown.c:231
#3 0x55555596c51c in thunar_ice_process_messages thunar/thunar-ice.c:70
#4 0x7ffff56ca2ec in g_io_unix_dispatch glib/giounix.c:170
#5 0x7ffff558ef01 in g_main_dispatch glib/gmain.c:3524
#6 0x7ffff558ef01 in g_main_context_dispatch_unlocked glib/gmain.c:4375
#7 0x7ffff559aac2 in g_main_context_iterate_unlocked glib/gmain.c:4440
#8 0x7ffff559b625 in g_main_context_iteration glib/gmain.c:4505
#9 0x7ffff66d1006 in g_application_run gio/gapplication.c:2715
#10 0x5555558c9918 in main thunar/main.c:86
previously allocated by thread T0 here:
#0 0x7ffff7920e15 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67
#1 0x7ffff2d040ac in IceOpenConnection libice/src/connect.c:148
#2 0x7ffff5af9f1b in SmcOpenConnection libsm/src/sm_client.c:130
#3 0x5555559fc634 in thunar_session_client_connect thunar/thunar-session-client.c:173
#4 0x5555559fe0d3 in thunar_session_client_new thunar/thunar-session-client.c:475
#5 0x5555558e6b2a in thunar_application_startup thunar/thunar-application.c:418
#6 0x7ffff5d19990 in g_cclosure_marshal_VOID__VOIDv gobject/gmarshal.c:165
#7 0x7ffff5d0ab2c in g_type_class_meta_marshalv gobject/gclosure.c:1145
#8 0x7ffff5d12922 in _g_closure_invoke_va gobject/gclosure.c:980
#9 0x7ffff5d5de57 in signal_emit_valist_unlocked gobject/gsignal.c:3438
#10 0x7ffff5d6c919 in g_signal_emit_valist gobject/gsignal.c:3277
#11 0x7ffff5d6ca40 in g_signal_emit gobject/gsignal.c:3597
#12 0x7ffff66ce2d5 in g_application_register gio/gapplication.c:2355
#13 0x7ffff66cfa58 in g_application_real_local_command_line gio/gapplication.c:1155
#14 0x7ffff44c43a6 in gtk_application_local_command_line gtk/gtkapplication.c:343
#15 0x7ffff66d0813 in g_application_run gio/gapplication.c:2684
#16 0x5555558c9918 in main thunar/main.c:86Additional information
I triggered this bug while debugging memory leaks in menu code. I think it will be rare for end users to encounter it.