libnemo-private: fix use-after-free crash in nemo_file_mark_gone#3724
Open
KonTy wants to merge 1 commit into linuxmint:master from
nemo_directory_remove_file() calls nemo_file_unref() when the directory is monitoring its file list. If the caller holds no extra ref, this can drop the refcount to zero and free the NemoFile object in place. The subsequent nemo_file_clear_info() call then dereferences the freed pointer, causing a SIGSEGV.

Reproduced during file rename: rename_get_info_callback finds an existing_file with the same new name and calls nemo_file_mark_gone on it with no extra ref held, triggering the crash.

Fix by holding a temporary ref around nemo_directory_remove_file so the object remains valid until nemo_file_clear_info returns.

Fixes linuxmint#3712
Fixes #3712.
nemo_directory_remove_file() calls nemo_file_unref() when the directory is monitoring its file list. If the caller holds no extra ref on the file, this can drop the refcount to zero and free the NemoFile object. The nemo_file_clear_info() call immediately after then dereferences the freed pointer, causing a SIGSEGV.
This crash surfaces during file rename: rename_get_info_callback finds an existing file with the same new name and passes it to nemo_file_mark_gone() without holding an extra ref.
The fix is to take a temporary ref around the nemo_directory_remove_file() call so the object stays alive until nemo_file_clear_info() returns.
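The ownership shape described in this PR, as an added example that is not nemo's code: a toy refcounted file object and a directory that, like the described nemo_directory_remove_file(), drops its own ref when it is monitoring its list. All names (ToyFile, ToyDirectory, toy_file_mark_gone, and the rest) are hypothetical stand-ins. The example shows the precondition for the crash (the directory holds the only ref, so the caller sees a refcount of 1 going in) and the fixed call sequence, where a temporary ref keeps the object alive until clear_info has run. Instrumentation counters record the free so the check never touches freed memory.

```c
/* Added example, not nemo's code: toy refcounted object and directory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int   ref_count;
    char *name;
    int   info_cleared;
} ToyFile;

typedef struct {
    ToyFile *files[8];
    int      n_files;
    int      monitoring;   /* directory is monitoring its file list */
} ToyDirectory;

/* Instrumentation so the scenario can be checked without reading freed memory. */
static int g_files_freed = 0;
static int g_info_cleared_before_free = 0;

static ToyFile *toy_file_new(const char *name)
{
    ToyFile *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->ref_count = 1;                       /* creator's ref */
    f->name = malloc(strlen(name) + 1);
    if (f->name) strcpy(f->name, name);
    return f;
}

static ToyFile *toy_file_ref(ToyFile *f) { f->ref_count++; return f; }

static void toy_file_unref(ToyFile *f)
{
    if (--f->ref_count > 0) return;
    g_files_freed++;
    g_info_cleared_before_free = f->info_cleared;   /* recorded before the free */
    free(f->name);
    free(f);
}

static void toy_directory_add_file(ToyDirectory *d, ToyFile *f)
{
    d->files[d->n_files++] = toy_file_ref(f);       /* directory owns one ref */
}

/* Shape the PR describes: when monitoring, the directory drops its ref,
 * which may be the last one, freeing f before the caller returns. */
static void toy_directory_remove_file(ToyDirectory *d, ToyFile *f)
{
    for (int i = 0; i < d->n_files; i++) {
        if (d->files[i] != f) continue;
        for (int j = i; j + 1 < d->n_files; j++) d->files[j] = d->files[j + 1];
        d->n_files--;
        if (d->monitoring) toy_file_unref(f);
        return;
    }
}

static void toy_file_clear_info(ToyFile *f) { f->info_cleared = 1; }

/* Check for the crash precondition: the unfixed sequence would free f
 * inside remove_file and then dereference it in clear_info. */
static int unfixed_sequence_would_dangle(const ToyDirectory *d, const ToyFile *f)
{
    return d->monitoring && f->ref_count == 1;
}

/* Fixed mark_gone: a temporary ref keeps f valid across the remove. */
static void toy_file_mark_gone(ToyDirectory *d, ToyFile *f)
{
    toy_file_ref(f);
    toy_directory_remove_file(d, f);
    toy_file_clear_info(f);   /* safe: our temporary ref is still held */
    toy_file_unref(f);        /* object may be freed here, after clear_info */
}

/* Rename scenario from the PR: the caller finds the existing file via the
 * directory and holds no ref of its own. Returns 1 when the precondition
 * for the crash held and the fixed sequence still freed the object exactly
 * once, with info cleared first and the directory left empty. */
static int run_fixed_scenario(void)
{
    ToyDirectory dir = { {0}, 0, 1 };
    ToyFile *f = toy_file_new("renamed.txt");    /* constructed sample */
    g_files_freed = 0;
    g_info_cleared_before_free = 0;
    toy_directory_add_file(&dir, f);
    toy_file_unref(f);                            /* creator's ref gone; only the directory's remains */
    ToyFile *existing = dir.files[0];
    if (!unfixed_sequence_would_dangle(&dir, existing)) return 0;
    toy_file_mark_gone(&dir, existing);
    return g_files_freed == 1 && g_info_cleared_before_free && dir.n_files == 0;
}

int main(void)
{
    printf("fixed mark_gone scenario: %s\n", run_fixed_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The pattern generalises to any refcounted API where a callee may drop what turns out to be the last reference: take a ref before the call and release it after the last use in the caller, rather than relying on the callee's ownership rules staying fixed.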