Bug 35066

Summary: Crash in SecurityAuthorizationExpired with big xauth timeouts
Product: xorg
Reporter: Cyril Brulebois <kibi>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED DUPLICATE
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Version: git
Hardware: Other
OS: All
URL: http://bugs.debian.org/616667
Attachments: GDB session (flags: none)

Description Cyril Brulebois 2011-03-06 11:24:13 UTC
Created attachment 44181: GDB session

First reported in Debian bug #616667 by Ian Jackson:
  http://bugs.debian.org/616667

Steps to reproduce:
$ touch foo && xauth -f foo generate $DISPLAY . untrusted timeout 1000000000

Prerequisite: X Server built with --enable-xcsecurity, reproduced with 1.7, 1.9, and 1.10.

Gdb session attached.

Bottom line:
 1. int overflow in os/WaitFor.c for big timeouts.
 2. AFAICT, wrong comparison between unsigned int:

(int) (a-b) will be negative with e.g. a=INT_MAX*4/5; b=INT_MAX*1/5, which is wrong.

The assert happens in SecurityAuthorizationExpired because the Timer is only going to be set on/attached to “pAuth” once TimerSet returns, so calling the callback from within TimerSet can only fail.

[If that's a supposedly-supported codepath, the assert should probably become: assert((pAuth->timer == NULL) || …); but I don't think that should happen at all.]

Patches will follow on xorg-devel@ in a few minutes.
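
The comparison problem from point 2, as an added example that is not part of the original report and not code from os/WaitFor.c. It assumes a 32-bit millisecond clock, uses hypothetical function names and a constructed clock value, and shows the signed-difference test reporting a timer as expired at once when the delay reaches 2^31 ms, next to two ways of keeping the test valid.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrap-tolerant "has this deadline passed?" test on a 32-bit millisecond
 * clock. Valid only while the deadline is less than 2^31 ms (about 24.8
 * days) ahead of now; beyond that the difference reads as negative. */
static int expired_signed_diff(uint32_t now, uint32_t expires)
{
    return (int32_t)(expires - now) <= 0;
}

/* Returns 1 if a timer armed at `now` for `delay_ms` is already reported
 * as expired by the signed-difference test. */
static int fires_immediately(uint32_t now, uint32_t delay_ms)
{
    return expired_signed_diff(now, now + delay_ms);
}

/* Hypothetical hardening: cap the delay so the test above stays valid.
 * A caller that needs a longer timeout re-arms the timer when it fires. */
static uint32_t clamp_delay_ms(uint64_t delay_ms)
{
    return delay_ms > (uint64_t)INT32_MAX ? (uint32_t)INT32_MAX
                                          : (uint32_t)delay_ms;
}

/* Alternative: keep deadlines in 64 bits, so no wrap handling is needed. */
static int expired_wide(uint64_t now, uint64_t expires)
{
    return expires <= now;
}

int main(void)
{
    const uint32_t now = 123456u;          /* constructed sample clock value */
    const uint64_t secs = 1000000000u;     /* timeout from the xauth command */
    const uint64_t want_ms = secs * 1000u; /* 10^12 ms, needs more than 32 bits */

    printf("30 s delay, fires at once:    %d\n",
           fires_immediately(now, 30000u));
    printf("2^31 ms delay, fires at once: %d\n",
           fires_immediately(now, 0x80000000u));
    printf("clamped delay, fires at once: %d\n",
           fires_immediately(now, clamp_delay_ms(want_ms)));
    printf("64-bit deadline expired now:  %d\n",
           expired_wide(now, now + want_ms));
    return 0;
}
```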
Comment 1 Julien Cristau 2011-03-07 09:30:56 UTC

*** This bug has been marked as a duplicate of bug 27134 ***
