Use-After-Free When Canceling Print Dialog
Steps to reproduce
- Compile and run the git Flatpak build of the GTK4 widget factory with AddressSanitizer enabled.
- Click Print under the spin widget on page 3 of the Pages tab.
- Cancel printing.
Current behavior
AddressSanitizer aborts the app because it detects a heap-use-after-free in prepare_print_response. Without the sanitizer the app runs normally.
Expected outcome
Runs normally regardless of sanitizer.
Version information
GTK version: 4.13.9-942fa7fc (Flatpak runtime) on an Ubuntu 23.10 host with X11.
GSK Renderer: GL (new), GLES 3.2, EGL 1.5, NVIDIA 545.29.06
meson options: -Db_sanitize=address
Additional information
Sanitizer output:
Printing was canceled
=================================================================
==967==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0002eb628 at pc 0x7f96969ae46a bp 0x7ffe89dda9d0 sp 0x7ffe89dda9c0
READ of size 8 at 0x60b0002eb628 thread T0
#0 0x7f96969ae469 in prepare_print_response ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation-portal.c:481
#1 0x7f9695dda78f in emit_signal_instance_in_idle_cb (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x12078f) (BuildId: 802b8fe46796912d6e8a4f57953f1d1112dc4d9b)
#2 0x7f9695f10666 in g_main_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x60666) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#3 0x7f9695f12786 in g_main_context_iterate_unlocked.isra.0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62786) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#4 0x7f9695f12e42 in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62e42) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#5 0x7f9695db1fcc in g_application_run (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xf7fcc) (BuildId: 802b8fe46796912d6e8a4f57953f1d1112dc4d9b)
#6 0x55c44d8d05d4 in main ../../../../../../../../../Projects/gnome/applications/gtk/demos/widget-factory/widget-factory.c:2641
#7 0x7f9695a8a089 in __libc_start_call_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x28089) (BuildId: aaf4e4a17ee738539558816006c01c47869048b8)
#8 0x7f9695a8a14a in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2814a) (BuildId: aaf4e4a17ee738539558816006c01c47869048b8)
#9 0x55c44d8d0634 in _start ../sysdeps/x86_64/start.S:115
0x60b0002eb628 is located 56 bytes inside of 112-byte region [0x60b0002eb5f0,0x60b0002eb660)
freed by thread T0 here:
#0 0x7f96978e18b0 in __interceptor_free.part.0 (/usr/lib/x86_64-linux-gnu/libasan.so.8+0xe18b0) (BuildId: f3245133c640da83d6f2d5f510e15d27b4f0f783)
#1 0x7f96969ad90f in prepare_print_response ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation-portal.c:475
#2 0x7f9695dda78f in emit_signal_instance_in_idle_cb (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x12078f) (BuildId: 802b8fe46796912d6e8a4f57953f1d1112dc4d9b)
#3 0x7f9695f10666 in g_main_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x60666) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#4 0x7f9695f12786 in g_main_context_iterate_unlocked.isra.0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62786) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#5 0x7f9695f12e42 in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62e42) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#6 0x7f9695db1fcc in g_application_run (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xf7fcc) (BuildId: 802b8fe46796912d6e8a4f57953f1d1112dc4d9b)
#7 0x55c44d8d05d4 in main ../../../../../../../../../Projects/gnome/applications/gtk/demos/widget-factory/widget-factory.c:2641
#8 0x7f9695a8a089 in __libc_start_call_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x28089) (BuildId: aaf4e4a17ee738539558816006c01c47869048b8)
#9 0x7f9695a8a14a in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2814a) (BuildId: aaf4e4a17ee738539558816006c01c47869048b8)
#10 0x55c44d8d0634 in _start ../sysdeps/x86_64/start.S:115
previously allocated by thread T0 here:
#0 0x7f96978e2757 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.8+0xe2757) (BuildId: f3245133c640da83d6f2d5f510e15d27b4f0f783)
#1 0x7f9695f19a31 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x69a31) (BuildId: d3d84af6da99bd363b9397c28c8205dced2b8596)
#2 0x7f96969ac9f1 in create_portal_data ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation-portal.c:560
#3 0x7f96969afab6 in gtk_print_operation_portal_run_dialog_async ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation-portal.c:707
#4 0x7f9696849658 in gtk_print_operation_run ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation.c:3115
#5 0x55c44d8d42f5 in activate_print ../../../../../../../../../Projects/gnome/applications/gtk/demos/widget-factory/widget-factory.c:500
#6 0x7f96977b26f9 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x186f9) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#7 0x7f96977c83db in signal_emit_unlocked_R.isra.0 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2e3db) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#8 0x7f96977c9e60 in signal_emit_valist_unlocked (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2fe60) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#9 0x7f96977cfe30 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35e30) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#10 0x7f96977cfef2 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35ef2) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#11 0x7f9695dbb584 in g_simple_action_activate (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x101584) (BuildId: 802b8fe46796912d6e8a4f57953f1d1112dc4d9b)
#12 0x7f969685fa4c in gtk_action_muxer_activate_action ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkactionmuxer.c:878
#13 0x7f969685fae1 in gtk_action_muxer_activate_action ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkactionmuxer.c:880
#14 0x7f96977b2911 in _g_closure_invoke_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x18911) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#15 0x7f96977c9f1e in signal_emit_valist_unlocked (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2ff1e) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#16 0x7f96977cfe30 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35e30) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#17 0x7f96977cfef2 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35ef2) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#18 0x7f96963eee58 in _gtk_marshal_VOID__INT_DOUBLE_DOUBLEv gtk/gtkmarshalers.c:3688
#19 0x7f96977b2911 in _g_closure_invoke_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x18911) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#20 0x7f96977c9f1e in signal_emit_valist_unlocked (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2ff1e) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#21 0x7f96977cfe30 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35e30) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#22 0x7f96977cfef2 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35ef2) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#23 0x7f9696576956 in gtk_gesture_click_end ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkgestureclick.c:275
#24 0x7f96977b5d59 in g_cclosure_marshal_VOID__BOXEDv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1bd59) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#25 0x7f96977b2911 in _g_closure_invoke_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x18911) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#26 0x7f96977c9f1e in signal_emit_valist_unlocked (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2ff1e) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#27 0x7f96977cfe30 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35e30) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#28 0x7f96977cfef2 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35ef2) (BuildId: 58d19083ad73f2c7aa9cd57c77517556285792b2)
#29 0x7f96965703ac in _gtk_gesture_set_recognized ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkgesture.c:340
#30 0x7f96965703ac in _gtk_gesture_check_recognized ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkgesture.c:381
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../../../../../../Projects/gnome/applications/gtk/gtk/print/gtkprintoperation-portal.c:481 in prepare_print_response
Shadow bytes around the buggy address:
0x60b0002eb380: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x60b0002eb400: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x60b0002eb480: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x60b0002eb500: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x60b0002eb580: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
=>0x60b0002eb600: fd fd fd fd fd[fd]fd fd fd fd fd fd fa fa fa fa
0x60b0002eb680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x60b0002eb700: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x60b0002eb780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x60b0002eb800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x60b0002eb880: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==967==ABORTING
Code: https://gitlab.gnome.org/GNOME/gtk/-/blob/main/gtk/print/gtkprintoperation-portal.c#L475-481
Edited by Khalid Abu Shawarib