Use-after-free when renaming file that was renamed in the background
Version information
27c1c796 compiled on Arch Linux
Steps to reproduce
- Run:
    thunar -q
    mkdir rename-test
    touch rename-test/a
    thunar rename-test/
- In a terminal, cd into rename-test/ and run
    while [ 1 ] ; do mv a b || mv b a; sleep 1; done
- In Thunar, rename the file to trigger a use-after-free (you may have to try a few renames to get the timing right)
Current behavior
A use-after-free is triggered
Expected outcome
No memory errors
Backtrace
ERROR: AddressSanitizer: heap-use-after-free on address 0x7b37b16433d0 at pc 0x7f17b8d39ced bp 0x7ffddca0aae0 sp 0x7ffddca0a2a0
READ of size 4 at 0x7b37b16433d0 thread T0
#0 0x7f17b8d39cec in strcmp /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:504:5
#1 0x7f17b7a2dc92 in g_strcmp0 glib/glib/gtestutils.c:3669:10
#2 0x5651efb56be4 in thunar_dialogs_show_rename_file thunar/thunar/thunar-dialogs.c:370:11
#3 0x5651efaffa7c in thunar_application_rename_file thunar/thunar/thunar-application.c:1989:9
#4 0x5651efaf6ee4 in thunar_action_manager_action_rename thunar/thunar/thunar-action-manager.c:2580:7
#5 0x7f17b6b01cc9 in _gtk_marshal_BOOLEAN__OBJECT_UINT_FLAGS gtk/builddir/gtk/gtkmarshalers.c:727:14
#6 0x7f17b7d078f2 in g_closure_invoke glib/gobject/gclosure.c:916:7
#7 0x7f17b7d79cad in signal_emit_unlocked_R glib/gobject/gsignal.c:3902:8
#8 0x7f17b7d756da in signal_emit_valist_unlocked glib/gobject/gsignal.c:3547:7
#9 0x7f17b7d76ac0 in g_signal_emit_valist glib/gobject/gsignal.c:3277:7
#10 0x7f17b7d76ac0 in g_signal_emit glib/gobject/gsignal.c:3597:3
#11 0x7f17b6b367a8 in gtk_accel_group_activate gtk/gtk/gtkaccelgroup.c:910:3
#12 0x7f17b6b369a8 in gtk_accel_groups_activate gtk/gtk/gtkaccelgroup.c:948:13
#13 0x7f17b7155762 in gtk_window_activate_key gtk/gtk/gtkwindow.c:12097:19
#14 0x7f17b7160631 in gtk_window_key_press_event gtk/gtk/gtkwindow.c:8288:15
[...snip...]
0x7b37b16433d2 is located 0 bytes after 2-byte region [0x7b37b16433d0,0x7b37b16433d2)
freed by thread T0 here:
#0 0x7f17b8d7205d in free /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_malloc_linux.cpp:51:3
#1 0x7f17b7998968 in g_free glib/glib/gmem.c:208:3
#2 0x5651efb63df5 in thunar_file_info_clear thunar/thunar/thunar-file.c:933:3
#3 0x5651efb63062 in thunar_file_load thunar/thunar/thunar-file.c:1258:3
#4 0x5651efb75369 in thunar_file_reload thunar/thunar/thunar-file.c:4420:8
#5 0x5651efb84d41 in thunar_folder_monitor thunar/thunar/thunar-folder.c:1060:11
#6 0x7f17b85cdc68 in _g_cclosure_marshal_VOID__OBJECT_OBJECT_ENUMv glib/gio/gmarshal-internal.c:1382:3
#7 0x7f17b7d081ff in _g_closure_invoke_va glib/gobject/gclosure.c:980:7
#8 0x7f17b7d74079 in signal_emit_valist_unlocked glib/gobject/gsignal.c:3438:8
#9 0x7f17b7d76ac0 in g_signal_emit_valist glib/gobject/gsignal.c:3277:7
#10 0x7f17b7d76ac0 in g_signal_emit glib/gobject/gsignal.c:3597:3
#11 0x7f17b8595e4f in g_file_monitor_emit_event glib/gio/gfilemonitor.c:307:3
#12 0x7f17b88cb361 in g_file_monitor_source_dispatch glib/gio/glocalfilemonitor.c:582:9
#13 0x7f17b7972fbc in g_main_dispatch glib/glib/gmain.c:3524:27
#14 0x7f17b7972fbc in g_main_context_dispatch_unlocked glib/glib/gmain.c:4375:7
#15 0x7f17b79741dd in g_main_context_iterate_unlocked glib/glib/gmain.c:4440:5
#16 0x7f17b7974f24 in g_main_loop_run glib/glib/gmain.c:4642:5
#17 0x7f17b6ca9df3 in gtk_dialog_run gtk/gtk/gtkdialog.c:1399:3
#18 0x5651efb56b91 in thunar_dialogs_show_rename_file thunar/thunar/thunar-dialogs.c:355:14
#19 0x5651efaffa7c in thunar_application_rename_file thunar/thunar/thunar-application.c:1989:9
#20 0x5651efaf6ee4 in thunar_action_manager_action_rename thunar/thunar/thunar-action-manager.c:2580:7
[...snip...]
previously allocated by thread T0 here:
#0 0x7f17b8d72fc5 in malloc /usr/src/debug/compiler-rt/compiler-rt-20.1.6.src/lib/asan/asan_malloc_linux.cpp:67:3
#1 0x7f17b7998852 in g_malloc glib/glib/gmem.c:100:13
#2 0x7f17b7904896 in g_path_get_basename glib/glib/gfileutils.c:2661:12
#3 0x7f17b88b0273 in g_local_file_get_basename glib/gio/glocalfile.c:293:10
#4 0x7f17b85456d7 in g_file_get_basename glib/gio/gfile.c:567:10
#5 0x5651efb64c35 in thunar_file_info_reload thunar/thunar/thunar-file.c:1007:20
#6 0x5651efb630ab in thunar_file_load thunar/thunar/thunar-file.c:1264:3
#7 0x5651efb75369 in thunar_file_reload thunar/thunar/thunar-file.c:4420:8
#8 0x5651efb84d41 in thunar_folder_monitor thunar/thunar/thunar-folder.c:1060:11
#9 0x7f17b85cdc68 in _g_cclosure_marshal_VOID__OBJECT_OBJECT_ENUMv glib/gio/gmarshal-internal.c:1382:3
#10 0x7f17b7d081ff in _g_closure_invoke_va glib/gobject/gclosure.c:980:7
#11 0x7f17b7d74079 in signal_emit_valist_unlocked glib/gobject/gsignal.c:3438:8
#12 0x7f17b7d76ac0 in g_signal_emit_valist glib/gobject/gsignal.c:3277:7
#13 0x7f17b7d76ac0 in g_signal_emit glib/gobject/gsignal.c:3597:3
#14 0x7f17b8595e4f in g_file_monitor_emit_event glib/gio/gfilemonitor.c:307:3
#15 0x7f17b88cb361 in g_file_monitor_source_dispatch glib/gio/glocalfilemonitor.c:582:9
[...snip...]
Additional information
This bug looks pretty similar to #1323 (closed). I noticed the issue while trying to reproduce a separate use-after-free with renamed files.
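
The two stacks above show one pattern: a name pointer is read in thunar_dialogs_show_rename_file after the nested gtk_dialog_run loop let the folder monitor reload the file and free that name. The following C program is an added example, not Thunar's code or its fix; file_t, file_reload, run_dialog and rename_needed are hypothetical names, and it shows one way to avoid the stale read by taking an owned copy before the nested loop runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a file object that owns its basename. */
typedef struct { char *basename; } file_t;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    return p;
}

/* Models the monitor-triggered reload: the old name is freed and a new
 * one allocated, so any borrowed pointer to the old name dangles. */
static void file_reload(file_t *f, const char *name_on_disk) {
    free(f->basename);
    f->basename = dup_str(name_on_disk);
}

/* Models the modal dialog's nested main loop: a pending change event
 * (bg_name != NULL) is dispatched while the dialog is open. */
static void run_dialog(file_t *f, const char *bg_name) {
    if (bg_name) file_reload(f, bg_name);
}

/* The unsafe form keeps `const char *old = f->basename;` across
 * run_dialog() and compares freed memory afterwards. Here an owned copy
 * is taken first. Returns 1 = rename needed, 0 = name unchanged,
 * -1 = file was renamed underneath the dialog (caller should re-prompt). */
static int rename_needed(file_t *f, const char *typed, const char *bg_name) {
    char *old = dup_str(f->basename);   /* survives any reload */
    run_dialog(f, bg_name);
    int result = strcmp(old, f->basename) != 0 ? -1
               : (strcmp(old, typed) != 0);
    free(old);
    return result;
}

int main(void) {
    file_t f = { dup_str("a") };        /* constructed sample state */
    printf("%d\n", rename_needed(&f, "c", NULL));  /* no background event */
    printf("%d\n", rename_needed(&f, "c", "a"));   /* reload, same name */
    printf("%d\n", rename_needed(&f, "c", "b"));   /* renamed in background */
    free(f.basename);
    return 0;
}
```

The second call is the case that matters for the report: the name on disk is unchanged, but the reload still replaced the allocation, so a borrowed pointer would dangle even though the comparison result is the same.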