Use-after-free when loading keyboard Settings panel
valgrind errors (and subsequent crash) when starting the keyboard Settings panel.
On F34, using gnome-desktop3-40.0-1.fc34.x86_64 and gnome-control-center-40.0-1.fc34.x86_64, I get:
==742430== Invalid read of size 1
==742430== at 0x4847454: strcmp (vg_replace_strmem.c:863)
==742430== by 0x4AD21CC: g_str_equal (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x4AD3396: g_hash_table_contains (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x58BC23A: add_layout_to_table.part.0 (gnome-xkb-info.c:155)
==742430== by 0x58C1B3F: UnknownInlinedFun (gnome-xkb-info.c:144)
==742430== by 0x58C1B3F: UnknownInlinedFun (gnome-xkb-info.c:185)
==742430== by 0x58C1B3F: add_layouts.isra.0 (gnome-xkb-info.c:272)
==742430== by 0x58C1D5D: UnknownInlinedFun (gnome-xkb-info.c:301)
==742430== by 0x58C1D5D: parse_rules.isra.0 (gnome-xkb-info.c:765)
==742430== by 0x58C205F: UnknownInlinedFun (gnome-xkb-info.c:781)
==742430== by 0x58C205F: gnome_xkb_info_get_layout_info (gnome-xkb-info.c:1039)
==742430== by 0x1BA7F3: cc_input_source_xkb_get_label (cc-input-source-xkb.c:40)
==742430== by 0x1C05EB: UnknownInlinedFun (cc-input-row.c:268)
==742430== by 0x1C05EB: cc_input_row_new (cc-input-row.c:281)
==742430== by 0x1B98C6: add_input_row (cc-input-list-box.c:284)
==742430== by 0x1B9E7E: UnknownInlinedFun (cc-input-list-box.c:327)
==742430== by 0x1B9E7E: add_input_sources_from_settings (cc-input-list-box.c:336)
==742430== by 0x4A7A0F8: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==742430== Address 0x22224b50 is 0 bytes inside a block of size 10 free'd
==742430== at 0x48430E4: free (vg_replace_malloc.c:755)
==742430== by 0x4AF410C: g_free (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x58BC0FA: free_layout (gnome-xkb-info.c:103)
==742430== by 0x4ADD269: ??? (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x4ADDC92: g_hash_table_replace (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x58C1AE4: add_layouts.isra.0 (gnome-xkb-info.c:271)
==742430== by 0x58C1D5D: UnknownInlinedFun (gnome-xkb-info.c:301)
==742430== by 0x58C1D5D: parse_rules.isra.0 (gnome-xkb-info.c:765)
==742430== by 0x58C205F: UnknownInlinedFun (gnome-xkb-info.c:781)
==742430== by 0x58C205F: gnome_xkb_info_get_layout_info (gnome-xkb-info.c:1039)
==742430== by 0x1BA7F3: cc_input_source_xkb_get_label (cc-input-source-xkb.c:40)
==742430== by 0x1C05EB: UnknownInlinedFun (cc-input-row.c:268)
==742430== by 0x1C05EB: cc_input_row_new (cc-input-row.c:281)
==742430== by 0x1B98C6: add_input_row (cc-input-list-box.c:284)
==742430== by 0x1B9E7E: UnknownInlinedFun (cc-input-list-box.c:327)
==742430== by 0x1B9E7E: add_input_sources_from_settings (cc-input-list-box.c:336)
==742430== Block was alloc'd at
==742430== at 0x484086F: malloc (vg_replace_malloc.c:380)
==742430== by 0x4AF77F8: g_malloc (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x4B0D4D7: g_strjoin (in /usr/lib64/libglib-2.0.so.0.6800.0)
==742430== by 0x58C1A21: add_layouts.isra.0 (gnome-xkb-info.c:247)
==742430== by 0x58C1D5D: UnknownInlinedFun (gnome-xkb-info.c:301)
==742430== by 0x58C1D5D: parse_rules.isra.0 (gnome-xkb-info.c:765)
==742430== by 0x58C205F: UnknownInlinedFun (gnome-xkb-info.c:781)
==742430== by 0x58C205F: gnome_xkb_info_get_layout_info (gnome-xkb-info.c:1039)
==742430== by 0x1BA7F3: cc_input_source_xkb_get_label (cc-input-source-xkb.c:40)
==742430== by 0x1C05EB: UnknownInlinedFun (cc-input-row.c:268)
==742430== by 0x1C05EB: cc_input_row_new (cc-input-row.c:281)
==742430== by 0x1B98C6: add_input_row (cc-input-list-box.c:284)
==742430== by 0x1B9E7E: UnknownInlinedFun (cc-input-list-box.c:327)
==742430== by 0x1B9E7E: add_input_sources_from_settings (cc-input-list-box.c:336)
==742430== by 0x4A7A0F8: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==742430== by 0x4A61B8C: ??? (in /usr/lib64/libgobject-2.0.so.0.6800.0)
Repeated another time (seems to be one such use-after-free per configured keyboard layout), and when clicking the + button:
==743843== Warning: invalid file descriptor 1024 in syscall close()
==743843== Warning: invalid file descriptor 1025 in syscall close()
==743843== Warning: invalid file descriptor 1026 in syscall close()
==743843== Warning: invalid file descriptor 1027 in syscall close()
==743843== Use --log-fd=<number> to select an alternative log fd.
==743843== Warning: invalid file descriptor 1028 in syscall close()
==743843== Warning: invalid file descriptor 1029 in syscall close()
==743777== Invalid read of size 8
==743777== at 0x58BC17B: collect_layout_ids (gnome-xkb-info.c:1079)
==743777== by 0x4AD3497: g_hash_table_foreach (in /usr/lib64/libglib-2.0.so.0.6800.0)
==743777== by 0x58C2512: gnome_xkb_info_get_layouts_for_language (gnome-xkb-info.c:1124)
==743777== by 0x1C3DA6: UnknownInlinedFun (cc-input-chooser.c:949)
==743777== by 0x1C3DA6: cc_input_chooser_new (cc-input-chooser.c:1068)
==743777== by 0x1BB2FB: show_input_chooser (cc-input-list-box.c:443)
==743777== by 0x4A5165D: g_cclosure_marshal_VOID__OBJECTv (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4EC7AA8: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x506C0BE: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== Address 0x228bddd0 is 0 bytes inside an unallocated block of size 960 in arena "client"
==743777==
==743777== Invalid read of size 1
==743777== at 0x4AD2154: g_str_hash (in /usr/lib64/libglib-2.0.so.0.6800.0)
==743777== by 0x4ADDD17: g_hash_table_add (in /usr/lib64/libglib-2.0.so.0.6800.0)
==743777== by 0x1C3DE3: UnknownInlinedFun (cc-input-chooser.c:882)
==743777== by 0x1C3DE3: UnknownInlinedFun (cc-input-chooser.c:951)
==743777== by 0x1C3DE3: cc_input_chooser_new (cc-input-chooser.c:1068)
==743777== by 0x1BB2FB: show_input_chooser (cc-input-list-box.c:443)
==743777== by 0x4A5165D: g_cclosure_marshal_VOID__OBJECTv (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4EC7AA8: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x506C0BE: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4E897CB: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==743777==
==743777==
==743777== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==743777== Access not within mapped region at address 0x0
==743777== at 0x4AD2154: g_str_hash (in /usr/lib64/libglib-2.0.so.0.6800.0)
==743777== by 0x4ADDD17: g_hash_table_add (in /usr/lib64/libglib-2.0.so.0.6800.0)
==743777== by 0x1C3DE3: UnknownInlinedFun (cc-input-chooser.c:882)
==743777== by 0x1C3DE3: UnknownInlinedFun (cc-input-chooser.c:951)
==743777== by 0x1C3DE3: cc_input_chooser_new (cc-input-chooser.c:1068)
==743777== by 0x1BB2FB: show_input_chooser (cc-input-list-box.c:443)
==743777== by 0x4A5165D: g_cclosure_marshal_VOID__OBJECTv (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4EC7AA8: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x506C0BE: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== by 0x4A70849: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4A70992: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.6800.0)
==743777== by 0x4E897CB: ??? (in /usr/lib64/libgtk-3.so.0.2404.23)
==743777== If you believe this happened as a result of a stack
==743777== overflow in your program's main thread (unlikely but
==743777== possible), you can try to increase the size of the
==743777== main thread stack using the --main-stacksize= flag.
==743777== The main thread stack size used in this run was 8388608.