Use-after-free in kitty/mouse.c when using hyperlinked grep with vim #5506

Closed
spholz opened this issue Sep 17, 2022 · 0 comments
spholz commented Sep 17, 2022

Describe the bug
Kitty sometimes crashes due to a segfault when clicking on a hyperlink of the hyperlinked_grep kitten. Running kitty with asan (always) reports a use-after-free (an old window pointer seems to be used, maybe the pointer from before the realloc in kitty/state.c:271?).

To Reproduce
Steps to reproduce the behavior:

  1. Write the provided example config file (see Additional context) for open-actions.conf
  2. Run the hyperlinked_grep kitten (kitty +kitten hyperlinked_grep test)
  3. Click on a result line (not on the file name)
  4. A use-after-free occurs

Environment details

kitty 0.26.2 (1c44da2b4a) created by Kovid Goyal
Linux sinkpad 5.19.9-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Thu, 15 Sep 2022 16:08:24 +0000 x86_64
Arch Linux 5.19.9-zen1-1-zen (/dev/tty)

DISTRIB_ID="Arch"
DISTRIB_RELEASE="rolling"
DISTRIB_DESCRIPTION="Arch Linux"
Running under: Wayland
Frozen: False
Paths:
  kitty: /home/s/repos/kitty/kitty/launcher/kitty
  base dir: /home/s/repos/kitty
  extensions dir: /home/s/repos/kitty/kitty
  system shell: /bin/zsh

Config options different from defaults:

Important environment variables seen by the kitty process:
	PATH                                /home/s/repos/kitty/kitty/launcher:/home/s/.local/bin:/home/s/.cargo/bin:/home/s/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/opt/devkitpro/tools/bin:/media/data/intelFPGA_lite/20.1/quartus/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/home/s/.local/share/npm/bin:/home/s/.dotnet/tools:/var/lib/flatpak/exports/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/s/.local/share/JetBrains/Toolbox/scripts
	LANG                                en_US.UTF-8
	EDITOR                              nvim
	SHELL                               /bin/zsh
	DISPLAY                             :1
	WAYLAND_DISPLAY                     wayland-0
	USER                                s
	XCURSOR_SIZE                        24
	LC_MONETARY                         de_DE.UTF-8
	LC_NUMERIC                          de_DE.UTF-8
	LC_TIME                             de_DE.UTF-8
	XDG_DATA_DIRS                       /home/s/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share
	XDG_SEAT                            seat0
	LC_MEASUREMENT                      de_DE.UTF-8
	XDG_SEAT_PATH                       /org/freedesktop/DisplayManager/Seat0
	XDG_SESSION_CLASS                   user
	XDG_SESSION_PATH                    /org/freedesktop/DisplayManager/Session1
	XDG_CURRENT_DESKTOP                 KDE
	XDG_RUNTIME_DIR                     /run/user/1000
	XDG_VTNR                            1
	XDG_SESSION_DESKTOP                 KDE
	XDG_CONFIG_HOME                     /home/s/.config
	XDG_SESSION_TYPE                    wayland
	XDG_SESSION_ID                      2
	XDG_CONFIG_DIRS                     /home/s/.config/kdedefaults:/etc/xdg
	XDG_CACHE_HOME                      /home/s/.cache
	XDG_DATA_HOME                       /home/s/.local/share

Additional context
minimal config (based on the example config)
.config/kitty/open-actions.conf:

protocol file
fragment_matches [0-9]+
action launch --type=overlay vim +${FRAGMENT} ${FILE_PATH}

no kitty.conf is needed

asan output (latest git revision of kitty):

=================================================================
==108303==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000966f8 at pc 0x7f139d1edbcc bp 0x7fff413a9aa0 sp 0x7fff413a9a90
WRITE of size 32 at 0x61a0000966f8 thread T0
    #0 0x7f139d1edbcb in send_pending_click_to_window kitty/mouse.c:496
    #1 0x7f139d297f5d in send_pending_click_to_window_id kitty/state.c:596
    #2 0x7f139bc1a54d in dispatchTimers glfw/backend_utils.c:209
    #3 0x7f139bc1ad90 in pollForEvents glfw/backend_utils.c:310
    #4 0x7f139bbe2320 in handleEvents glfw/wl_window.c:796
    #5 0x7f139bbe9fd0 in _glfwPlatformWaitEvents glfw/wl_window.c:1309
    #6 0x7f139bbd691a in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #7 0x7f139bbb3cff in glfwRunMainLoop glfw/init.c:355
    #8 0x7f139d158e02 in run_main_loop kitty/glfw.c:1590
    #9 0x7f139d0a57b5 in main_loop kitty/child-monitor.c:1150
    #10 0x7f13a05f96b3  (/usr/lib/libpython3.10.so.1.0+0x1596b3)
    #11 0x7f13a05e65b9 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x1465b9)
    #12 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #13 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #14 0x7f13a05ef53a in _PyObject_FastCallDictTstate (/usr/lib/libpython3.10.so.1.0+0x14f53a)
    #15 0x7f13a05ffb8c in _PyObject_Call_Prepend (/usr/lib/libpython3.10.so.1.0+0x15fb8c)
    #16 0x7f13a06cbf01  (/usr/lib/libpython3.10.so.1.0+0x22bf01)
    #17 0x7f13a05f024a in _PyObject_MakeTpCall (/usr/lib/libpython3.10.so.1.0+0x15024a)
    #18 0x7f13a05eafab in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x14afab)
    #19 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #20 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #21 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #22 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #23 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #24 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #25 0x7f13a05e4dcf  (/usr/lib/libpython3.10.so.1.0+0x144dcf)
    #26 0x7f13a0693fb3 in PyEval_EvalCode (/usr/lib/libpython3.10.so.1.0+0x1f3fb3)
    #27 0x7f13a069a29a  (/usr/lib/libpython3.10.so.1.0+0x1fa29a)
    #28 0x7f13a05f701e  (/usr/lib/libpython3.10.so.1.0+0x15701e)
    #29 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #30 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #31 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
    #32 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
    #33 0x7f13a06b7da6  (/usr/lib/libpython3.10.so.1.0+0x217da6)
    #34 0x7f13a0536d6c  (/usr/lib/libpython3.10.so.1.0+0x96d6c)
    #35 0x55902a7289f6 in run_embedded kitty/launcher/main.c:203
    #36 0x55902a729839 in main kitty/launcher/main.c:338
    #37 0x7f139fca328f  (/usr/lib/libc.so.6+0x2328f)
    #38 0x7f139fca3349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
    #39 0x55902a7273b4 in _start ../sysdeps/x86_64/start.S:115

0x61a0000966f8 is located 120 bytes inside of 1248-byte region [0x61a000096680,0x61a000096b60)
freed by thread T0 here:
    #0 0x7f13a0a2f7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x7f139d28d423 in add_window kitty/state.c:271
    #2 0x7f139d28db35 in pyadd_window kitty/state.c:1255
    #3 0x7f13a05f6997  (/usr/lib/libpython3.10.so.1.0+0x156997)

previously allocated by thread T0 here:
    #0 0x7f13a0a2f7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x7f139d28d423 in add_window kitty/state.c:271
    #2 0x7f139d28db35 in pyadd_window kitty/state.c:1255
    #3 0x7f13a05f6997  (/usr/lib/libpython3.10.so.1.0+0x156997)

SUMMARY: AddressSanitizer: heap-use-after-free kitty/mouse.c:496 in send_pending_click_to_window
Shadow bytes around the buggy address:
  0x0c348000ac80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000ac90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000aca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000acb0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c348000acc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c348000acd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c348000ace0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000acf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000ad00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000ad10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000ad20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==108303==ABORTING
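The trace above points at a deferred click being delivered through a window pointer that `add_window` had already invalidated with `realloc`. As an added illustration that is not kitty's code and not part of the report, the following constructed C model shows that failure mode and the id-based resolution that avoids it: `Tab`, `Window`, `add_window`, `remove_window`, `window_for_id` and `send_pending_click_by_id` are simplified stand-ins for the functions named in the trace, the timer is simulated inline, and the stale-pointer check deliberately works on address values only, since the old pointer must never be dereferenced once the block has been freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kitty's code): a tab owns a realloc-grown array of
 * windows, and a mouse click can be deferred and delivered later by a timer. */
typedef uint64_t id_type;

typedef struct {
    id_type id;
    int clicks_received;
} Window;

typedef struct {
    Window *windows;               /* grown with realloc, so old storage gets freed */
    size_t num_windows, capacity;
} Tab;

/* Unsafe deferral: a raw pointer into tab->windows, the shape of pointer that
 * a later realloc in add_window() leaves dangling. */
typedef struct { Window *w; } PendingClickByPointer;

/* Safe deferral: keep only the window id and resolve it when the timer fires. */
typedef struct { id_type window_id; } PendingClickById;

static Window *add_window(Tab *tab, id_type id) {
    if (tab->num_windows == tab->capacity) {
        size_t new_cap = tab->capacity ? tab->capacity * 2 : 1;
        Window *grown = realloc(tab->windows, new_cap * sizeof *grown);
        if (!grown) return NULL;
        tab->windows = grown;      /* if the block moved, every older &tab->windows[i] is invalid */
        tab->capacity = new_cap;
    }
    Window *w = &tab->windows[tab->num_windows++];
    memset(w, 0, sizeof *w);
    w->id = id;
    return w;
}

static bool remove_window(Tab *tab, id_type id) {
    for (size_t i = 0; i < tab->num_windows; i++) {
        if (tab->windows[i].id == id) {
            memmove(&tab->windows[i], &tab->windows[i + 1],
                    (tab->num_windows - i - 1) * sizeof(Window));
            tab->num_windows--;
            return true;
        }
    }
    return false;
}

static Window *window_for_id(Tab *tab, id_type id) {
    for (size_t i = 0; i < tab->num_windows; i++)
        if (tab->windows[i].id == id) return &tab->windows[i];
    return NULL;
}

/* Reports whether a stored pointer still lies inside the tab's current window
 * storage, comparing integer address values only: once realloc has freed the
 * old block, dereferencing the old pointer is exactly the heap-use-after-free
 * ASan reports. */
static bool pending_pointer_is_stale(const Tab *tab, const PendingClickByPointer *pc) {
    uintptr_t p = (uintptr_t)pc->w;
    uintptr_t lo = (uintptr_t)tab->windows;
    uintptr_t hi = lo + tab->num_windows * sizeof(Window);
    return !(p >= lo && p < hi);
}

/* Hardened dispatch: resolve the id at fire time. A window removed in the
 * meantime just drops the click instead of touching freed memory. */
static bool send_pending_click_by_id(Tab *tab, const PendingClickById *pc) {
    Window *w = window_for_id(tab, pc->window_id);
    if (!w) return false;
    w->clicks_received++;
    return true;
}

typedef struct {
    bool storage_moved, pointer_stale, id_delivered, delivered_after_remove;
    int clicks_on_window_1;
} Scenario;

/* Defers a click on window 1, then opens more windows (the overlay launched by
 * the open-action is one such window) so that add_window() has to realloc. */
static Scenario run_scenario(void) {
    Tab tab = {0};
    Window *w1 = add_window(&tab, 1);
    PendingClickByPointer by_ptr = { w1 };
    PendingClickById by_id = { 1 };
    uintptr_t base_before = (uintptr_t)tab.windows;
    for (id_type id = 2; id <= 5; id++) add_window(&tab, id);

    Scenario s;
    s.storage_moved = (uintptr_t)tab.windows != base_before;
    s.pointer_stale = pending_pointer_is_stale(&tab, &by_ptr);  /* stale exactly when the block moved */
    s.id_delivered = send_pending_click_by_id(&tab, &by_id);    /* delivered regardless */
    s.clicks_on_window_1 = window_for_id(&tab, 1)->clicks_received;
    remove_window(&tab, 1);
    s.delivered_after_remove = send_pending_click_by_id(&tab, &by_id);  /* window gone: dropped */
    free(tab.windows);
    return s;
}

/* Helpers exposing the scenario's outcome as plain booleans. */
static bool stale_iff_moved(void) { Scenario s = run_scenario(); return s.pointer_stale == s.storage_moved; }
static bool id_path_correct(void) { Scenario s = run_scenario(); return s.id_delivered && s.clicks_on_window_1 == 1 && !s.delivered_after_remove; }

int main(void) {
    Scenario s = run_scenario();
    printf("storage moved: %d, raw pointer stale: %d, id-based click delivered: %d, delivered after removal: %d\n",
           s.storage_moved, s.pointer_stale, s.id_delivered, s.delivered_after_remove);
    return 0;
}
```

Whether the raw pointer actually goes stale depends on whether the allocator moved the block, which is why the check is compared against `storage_moved` rather than asserted outright; the id-based path is correct either way, and it also covers the second failure mode of any deferred callback, the target having been closed before the timer fires.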