https://bugs.kde.org/show_bug.cgi?id=519995
[email protected] changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEEDSINFO   |REPORTED
         Resolution|BACKTRACE   |---

--- Comment #8 from [email protected] ---
(In reply to Harald Sitter from comment #6)
> Have you read the website I linked?

Thanks for bearing with me.

Summary: kiod6 crash in MTPStorage::findEntry / getFileFromPath due to sized deallocation mismatch
Severity: Crash
Keywords: qt6, needs_verification

When connecting an Android phone via MTP and attempting to browse its internal storage in Dolphin, kiod6 crashes immediately with a fatal allocator error: sized deallocation mismatch (small) from libhardened_malloc.so. The crash occurs inside kio-extras MTP code when a std::unique_ptr<unsigned int> is destroyed.

Steps to reproduce:
1. Boot a system with hardened_malloc enabled (secureblue / Fedora with glibc-hwcaps hardened allocator).
2. Open Dolphin (standard icon view, previews enabled, default sorting).
3. Connect an Android phone via USB and select File Transfer (MTP).
4. In Dolphin, click the phone's internal storage item.
5. kiod6 crashes and D-Bus restarts it repeatedly; Dolphin hangs waiting for a reply.

Expected result:
Dolphin lists the MTP storage contents.

Actual result:
kiod6 aborts. A notification "/usr/libexec/kf6/kiod6 has encountered a fatal error" appears in a loop.

Environment:
- kio-extras: 26.04.2-1.fc44
- qt6-qtbase: 6.11.1-1.fc44
- hardened_malloc: from glibc-hwcaps/x86-64-v3 (Fedora 44)
- Session: Wayland (Plasma 6)

Workaround:
Running kiod6 with LD_PRELOAD= (disabling hardened_malloc for that process only) prevents the crash entirely. This confirms the crash is a sized-deallocation mismatch in the MTP code, not a false positive from the allocator.

Backtrace:
Captured by running kiod6 under GDB via D-Bus activation wrapper.

Thread 1 "kiod6" received signal SIGABRT, Aborted.
#0  __pthread_kill_implementation
#1  __pthread_kill_internal
#2  raise
#3  abort
#4  ?? () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#5  ?? () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#6  free_sized () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#7  std::default_delete<unsigned int>::operator() (this=<optimized out>, __ptr=0x...) at /usr/include/c++/16/bits/unique_ptr.h:86
#8  std::unique_ptr<unsigned int, std::default_delete<unsigned int>>::~unique_ptr (this=<optimized out>) at /usr/include/c++/16/bits/unique_ptr.h:408
#9  MTPStorage::findEntry (this=0x..., fileNeedle=..., parentPath=..., parentId=<optimized out>) at /usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:330
#10 MTPStorage::getFileFromPath (this=0x..., path=...) at /usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:275
#11 MTPStorage::getFileMetadata (this=0x..., path=...) at /usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:403
#12 StorageAdaptor::getFileMetadata (this=<optimized out>, path=...) at /usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/redhat-linux-build/mtp/kiod_module/storageadaptor.cpp:69
#13 StorageAdaptor::qt_static_metacall
#14 StorageAdaptor::qt_metacall
#15 QDBusConnectionPrivate::deliverCall
#16 QDBusConnectionPrivate::activateCall
#17 QDBusConnectionPrivate::activateObject
#18 QDBusActivateObjectEvent::placeMetaCall
#19 QObject::event
#20 QApplicationPrivate::notify_helper
#21 QCoreApplication::notifyInternal2
#22 QCoreApplication::sendEvent
#23 QCoreApplicationPrivate::sendPostedEvents
#24 postEventSourceDispatch
#25 g_main_dispatch
#26 g_main_context_dispatch_unlocked
#27 g_main_context_iterate_unlocked
#28 g_main_context_iteration
#29 QEventDispatcherGlib::processEvents
#30 QEventLoop::exec
#31 QCoreApplication::exec
#32 main

Note on debug symbols:
The libhardened_malloc.so frames show ?? because it is a distro-specific hardened allocator without separate debuginfo packages. However, the kio-extras and qt6-qtbase frames are fully resolved with source paths and line numbers.

Root cause analysis:
The crash occurs when MTPStorage::findEntry destroys a std::unique_ptr<unsigned int> whose allocated size does not match the size passed to the deallocator. hardened_malloc enforces C++14 sized deallocation strictly and aborts here, whereas the default glibc allocator may silently tolerate the mismatch. This suggests a real memory safety issue in the MTP storage lister code.

Full GDB session logs will be attached as supplementary files shortly.

-- 
You are receiving this mail because:
You are watching all bug changes.
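The allocator check behind the abort in frame #6, as an added illustration rather than kio-extras or hardened_malloc code: a miniature tracker records each allocation's size and rejects a sized free whose size argument disagrees, which is the comparison hardened_malloc's free_sized makes before aborting. Which allocation in mtpstorage.cpp is mismatched is not established on this page, so the multi-element buffer below is a hypothetical stand-in, and the size-carrying deleter is one general way to keep the two sizes in agreement.

```cpp
#include <cstddef>
#include <cstdlib>
#include <memory>

namespace checked {
struct Record { void *ptr; std::size_t size; };   // fixed table: tracker never allocates
static Record table[64];
static std::size_t count = 0;
static bool last_ok = true;                        // outcome of the latest free_sized()
// Hand out `size` bytes and remember that size, as a size-class allocator would.
inline void *allocate(std::size_t size) {
    void *p = std::malloc(size);
    if (p && count < 64) table[count++] = {p, size};
    return p;
}
// Sized free: hardened_malloc aborts on a mismatch; this tracker records false instead.
inline bool free_sized(void *p, std::size_t size) {
    last_ok = false;
    for (std::size_t i = 0; i < count; ++i) {
        if (table[i].ptr != p) continue;
        last_ok = (table[i].size == size);
        table[i] = table[--count];
        std::free(p);
        break;
    }
    return last_ok;
}
} // namespace checked

// Deleter that carries the real allocation size, so the sized free receives it.
struct SizedDeleter {
    std::size_t bytes;
    void operator()(unsigned int *p) const { checked::free_sized(p, bytes); }
};
using UIntBuffer = std::unique_ptr<unsigned int[], SizedDeleter>;
inline UIntBuffer make_buffer(std::size_t n) {
    std::size_t bytes = n * sizeof(unsigned int);
    return UIntBuffer(static_cast<unsigned int *>(checked::allocate(bytes)), SizedDeleter{bytes});
}
// What std::default_delete<unsigned int> amounts to under sized deallocation: the free
// is issued with sizeof(unsigned int), which is wrong for a buffer of n > 1 elements.
inline bool free_as_single_object(std::size_t n) {
    void *p = checked::allocate(n * sizeof(unsigned int));
    return checked::free_sized(p, sizeof(unsigned int));
}
// The same buffer released through the size-carrying deleter: the sizes agree.
inline bool free_with_recorded_size(std::size_t n) {
    { UIntBuffer buf = make_buffer(n); buf[0] = 1u; }  // destructor frees here
    return checked::last_ok;
}
```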
