https://bugs.kde.org/show_bug.cgi?id=519995
--- Comment #4 from [email protected] ---
(In reply to Harald Sitter from comment #2)
> .

UPDATE: kmtpd.so / kiod6: sized deallocation mismatch (undefined behavior) aborts on hardened_malloc

System: Fedora 44 with KDE Plasma 26.04.2, KIO 6.27.0, Qt 6.11.1, kio-extras 26.04.2

Problem: Dolphin hangs indefinitely when opening an Android phone via MTP.

Investigation: The org.kde.kmtpd5 D-Bus service (provided by kiod6 loading kmtpd.so) crashes with SIGABRT in a loop. Dolphin's KIO workers then hang in KIO::ConnectionBackend::waitForIncomingTask with ms=-1 (infinite timeout), waiting on a socket for kmtpd5 that never responds.

Root cause: kmtpd.so triggers a sized deallocation mismatch (small) -- undefined behavior in C++ memory management. This is caught by hardened_malloc (used by secureblue, GrapheneOS, and others) which correctly aborts. glibc's malloc silently tolerates the same bug.

Journal evidence:
<pre>
kiod6[PID]: fatal allocator error: sized deallocation mismatch (small)
dbus-:[email protected]: Main process exited, code=dumped, status=6/ABRT
</pre>

Dependencies verified: kio-extras 26.04.2, libmtp 1.1.22, kmtpd.so and mtp.so plugins present. No SELinux denials related to MTP.

Why this matters: This is not a distro-specific issue. It is undefined behavior that could cause silent memory corruption, use-after-free, or heap metadata corruption on standard glibc systems. The hardened allocator is simply exposing a bug that already exists.

Workaround: Running kiod6 with LD_PRELOAD= (disabling the hardened allocator) prevents the abort and allows MTP to function normally.

Reproduction: I can reproduce this consistently on a system with hardened_malloc enabled. I am happy to test patches or provide additional diagnostics.

Suggested fix: Audit kmtpd.so and its libmtp interaction for mismatched new/delete, malloc/free, or operator delete with incorrect size parameters.

--
You are receiving this mail because:
You are watching all bug changes.
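
Added example, not part of the original comment and not KDE or hardened_malloc code: a debug-only replacement of the global C++ allocation functions that records each requested size and reports when a sized operator delete is called with a different one, which is the class of bug the comment asks to audit for. The names Header, g_mismatches and flags_mismatch are made up for this sketch, and comparing exact byte sizes is an assumption of the example rather than a description of how hardened_malloc performs its check.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>

// Added diagnostic sketch; Header, g_mismatches, flags_mismatch are made-up names.
// Header sits in front of every block, padded so user data stays aligned.
struct alignas(std::max_align_t) Header { std::size_t requested; };
static std::size_t g_mismatches = 0;  // counted, not aborted, so one run lists them all
static Header* header_of(void* p) { return static_cast<Header*>(p) - 1; }

void* operator new(std::size_t n) {
    if (n > SIZE_MAX - sizeof(Header)) throw std::bad_alloc();
    auto* h = static_cast<Header*>(std::malloc(sizeof(Header) + n));
    if (!h) throw std::bad_alloc();
    h->requested = n;  // remember what the caller asked for
    return h + 1;
}

// Unsized form: no size to compare, just release the block.
void operator delete(void* p) noexcept {
    if (p) std::free(header_of(p));
}

// Sized form: the caller states the size it believes the block has.
void operator delete(void* p, std::size_t claimed) noexcept {
    if (!p) return;
    if (header_of(p)->requested != claimed) {
        ++g_mismatches;
        std::fprintf(stderr, "sized deallocation mismatch: allocated %zu, freed as %zu\n",
                     header_of(p)->requested, claimed);
    }
    std::free(header_of(p));
}

// Allocates `allocated` bytes, frees them claiming `claimed`; true if flagged.
bool flags_mismatch(std::size_t allocated, std::size_t claimed) {
    std::size_t before = g_mismatches;
    void* p = ::operator new(allocated);
    ::operator delete(p, claimed);
    return g_mismatches != before;
}

int main() {
    std::printf("matching: %d, mismatched: %d\n",
                flags_mismatch(64, 64), flags_mismatch(64, 16));
}
```

Linked into a debug build, the stderr line gives both sizes, which narrows an audit to types of those sizes.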
