https://bugs.kde.org/show_bug.cgi?id=519995

[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDSINFO                   |REPORTED
         Resolution|BACKTRACE                   |---

--- Comment #8 from [email protected] ---
(In reply to Harald Sitter from comment #6)
> Have you read the website I linked?

Thanks for bearing with me.

Summary: kiod6 crash in MTPStorage::findEntry / getFileFromPath due to sized
deallocation mismatch

Severity: Crash
Keywords: qt6, needs_verification

When connecting an Android phone via MTP and attempting to browse its internal
storage in Dolphin, kiod6 crashes immediately with a fatal allocator error:
sized deallocation mismatch (small) from libhardened_malloc.so. The crash
occurs inside kio-extras MTP code when a std::unique_ptr<unsigned int> is
destroyed.

Steps to reproduce:
1. Boot a system with hardened_malloc enabled (secureblue / Fedora with
glibc-hwcaps hardened allocator).
2. Open Dolphin (standard icon view, previews enabled, default sorting).
3. Connect an Android phone via USB and select File Transfer (MTP).
4. In Dolphin, click the phone's internal storage item.
5. kiod6 crashes and D-Bus restarts it repeatedly; Dolphin hangs waiting for a
reply.

Expected result: Dolphin lists the MTP storage contents.
Actual result: kiod6 aborts. A notification "/usr/libexec/kf6/kiod6 has
encountered a fatal error" appears in a loop.

Environment:
- kio-extras: 26.04.2-1.fc44
- qt6-qtbase: 6.11.1-1.fc44
- hardened_malloc: from glibc-hwcaps/x86-64-v3 (Fedora 44)
- Session: Wayland (Plasma 6)

Workaround:
Running kiod6 with LD_PRELOAD= (disabling hardened_malloc for that process
only) prevents the crash entirely. This confirms the crash is a
sized-deallocation mismatch in the MTP code, not a false positive from the
allocator.

Backtrace:

Captured by running kiod6 under GDB via D-Bus activation wrapper.

Thread 1 "kiod6" received signal SIGABRT, Aborted.
#0  __pthread_kill_implementation
#1  __pthread_kill_internal
#2  raise
#3  abort
#4  ?? () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#5  ?? () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#6  free_sized () from /lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so
#7  std::default_delete<unsigned int>::operator() (this=<optimized out>,
__ptr=0x...)
    at /usr/include/c++/16/bits/unique_ptr.h:86
#8  std::unique_ptr<unsigned int, std::default_delete<unsigned
int>>::~unique_ptr (this=<optimized out>)
    at /usr/include/c++/16/bits/unique_ptr.h:408
#9  MTPStorage::findEntry (this=0x..., fileNeedle=..., parentPath=...,
parentId=<optimized out>)
    at
/usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:330
#10 MTPStorage::getFileFromPath (this=0x..., path=...)
    at
/usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:275
#11 MTPStorage::getFileMetadata (this=0x..., path=...)
    at
/usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/mtp/kiod_module/mtpstorage.cpp:403
#12 StorageAdaptor::getFileMetadata (this=<optimized out>, path=...)
    at
/usr/src/debug/kio-extras-26.04.2-1.fc44.x86_64/redhat-linux-build/mtp/kiod_module/storageadaptor.cpp:69
#13 StorageAdaptor::qt_static_metacall
#14 StorageAdaptor::qt_metacall
#15 QDBusConnectionPrivate::deliverCall
#16 QDBusConnectionPrivate::activateCall
#17 QDBusConnectionPrivate::activateObject
#18 QDBusActivateObjectEvent::placeMetaCall
#19 QObject::event
#20 QApplicationPrivate::notify_helper
#21 QCoreApplication::notifyInternal2
#22 QCoreApplication::sendEvent
#23 QCoreApplicationPrivate::sendPostedEvents
#24 postEventSourceDispatch
#25 g_main_dispatch
#26 g_main_context_dispatch_unlocked
#27 g_main_context_iterate_unlocked
#28 g_main_context_iteration
#29 QEventDispatcherGlib::processEvents
#30 QEventLoop::exec
#31 QCoreApplication::exec
#32 main

Note on debug symbols:
The libhardened_malloc.so frames show ?? because it is a distro-specific
hardened allocator without separate debuginfo packages. However, the kio-extras
and qt6-qtbase frames are fully resolved with source paths and line numbers.

Root cause analysis:
The crash occurs when MTPStorage::findEntry destroys a std::unique_ptr<unsigned
int> whose allocated size does not match the size passed to the deallocator.
hardened_malloc enforces C++14 sized deallocation strictly and aborts here,
whereas the default glibc allocator may silently tolerate the mismatch. This
suggests a real memory safety issue in the MTP storage lister code.

Full GDB session logs will be attached as supplementary files shortly.

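
To illustrate the root-cause analysis in the comment above, here is an added C++ example (not code from kio-extras, Qt or hardened_malloc) with a miniature allocator that records each block's requested size and checks it on a sized free, the check the backtrace shows libhardened_malloc's free_sized performing; the names demo::alloc, free_sized, SizedDelete and destroy_buffer_as_scalar are hypothetical, and the check returns a result instead of aborting so the mismatch can be observed.

```cpp
// Added example, not kio-extras or hardened_malloc code; names are hypothetical.
#include <cstddef>
#include <cstdlib>
#include <memory>

namespace demo {
// Each block carries a header recording the size that was requested.
struct Header { std::size_t size; };

// Allocate n bytes; the caller must hand back the same n on free.
inline void *alloc(std::size_t n) {
    auto *h = static_cast<Header *>(std::malloc(sizeof(Header) + n));
    if (!h) return nullptr;
    h->size = n;
    return h + 1;
}

// Returned instead of calling abort() so the outcome can be checked.
enum class FreeResult { Ok, SizeMismatch };

// Sized free: the hardened allocator in the report aborts with
// "sized deallocation mismatch" when n differs from the recorded size.
inline FreeResult free_sized(void *p, std::size_t n) {
    if (!p) return FreeResult::Ok;
    Header *h = static_cast<Header *>(p) - 1;
    if (h->size != n) return FreeResult::SizeMismatch;  // block stays allocated
    std::free(h);
    return FreeResult::Ok;
}

// Deleter shaped like std::default_delete<T>: a scalar delete under C++14
// sized deallocation passes sizeof(T), whatever size the block really has.
template <typename T> struct SizedDelete {
    FreeResult *last;  // where the outcome of the free is written
    void operator()(T *p) const { *last = free_sized(p, sizeof(T)); }
};

// The shape of the bug in the backtrace: a buffer of `count` unsigned ints
// owned by a unique_ptr to a single unsigned int; only count == 1 matches.
inline FreeResult destroy_buffer_as_scalar(std::size_t count) {
    FreeResult r = FreeResult::Ok;
    void *raw = alloc(count * sizeof(unsigned int));
    {
        std::unique_ptr<unsigned int, SizedDelete<unsigned int>> p(
            static_cast<unsigned int *>(raw), SizedDelete<unsigned int>{&r});
    }  // ~unique_ptr runs the deleter here, as at mtpstorage.cpp:330
    if (r == FreeResult::SizeMismatch) std::free(static_cast<Header *>(raw) - 1);
    return r;
}
}  // namespace demo
```

With glibc's default allocator the same mismatch passes silently, which is why the report's LD_PRELOAD= workaround hides the crash without fixing the underlying ownership error.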