Bug 49439

Summary: Synaptics: Memory corruption in UpdateTouchState
Product: xorg
Reporter: Maarten Lankhorst <maarten.lankhorst>
Component: Input/synaptics
Assignee: Chase Douglas <chase.douglas>
Status: RESOLVED FIXED
Severity: major
Priority: medium
CC: chase.douglas, peter.hutterer
Version: git
Hardware: Other
OS: All
See Also: https://launchpad.net/bugs/941953
Attachments:
  Diff needed to trigger the problem in ubuntu. (flags: none)

Description Maarten Lankhorst 2012-05-03 10:32:20 UTC
Created attachment 60979 [details]
Diff needed to trigger the problem in ubuntu.

priv->num_slots can grow out of bounds if multitouch is enabled, resulting in memory corruption.

A simple patch is attached that crashes when the problem is triggered.

On my laptop I seem to be able to reproduce it by simply running /usr/bin/Xorg in 1 window, making circles with 2 fingers on touchpad and then starting DISPLAY=:0 /etc/X11/Xsession in another.

Backtrace:

#0  0x00007ffff61cf445 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff61d2bab in __GI_abort () at abort.c:91
#2  0x00007ffff61c810e in __assert_fail_base (fmt=<optimized out>, assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", 
    file=0x7fffefdd4170 "../../src/synaptics.c", line=<optimized out>, function=<optimized out>) at assert.c:94
#3  0x00007ffff61c81b2 in __GI___assert_fail (assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", file=0x7fffefdd4170 "../../src/synaptics.c", 
    line=3021, function=0x7fffefdd4100 "UpdateTouchState") at assert.c:103
#4  0x00007fffefdc9e30 in UpdateTouchState (hw=<optimized out>, pInfo=<optimized out>) at ../../src/synaptics.c:3021
#5  0x00007fffefdcb033 in HandleTouches (hw=0x555555d5d3f0, pInfo=0x555555d35940) at ../../src/synaptics.c:3113
#6  HandleState (pInfo=<optimized out>, hw=<optimized out>, now=<optimized out>, from_timer=<optimized out>) at ../../src/synaptics.c:3306
#7  0x00007fffefdcd0b0 in ReadInput (pInfo=0x555555d35940) at ../../src/synaptics.c:1678
#8  0x00005555555df787 in xf86SigioReadInput (fd=<optimized out>, closure=0x555555d35940) at ../../../../hw/xfree86/common/xf86Events.c:298
#9  0x0000555555605757 in xf86SIGIO (sig=<optimized out>) at ../../../../../hw/xfree86/os-support/linux/../shared/sigio.c:111
#10 <signal handler called>
#11 SmartScheduleTimer (sig=14) at ../../os/utils.c:1158
#12 <signal handler called>
#13 __GI__dl_debug_state () at dl-debug.c:77
#14 0x00007ffff7ded908 in dl_open_worker (a=0x7fffffffdf70) at dl-open.c:294
#15 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffdfb8, errstring=0x7fffffffdfc0, mallocedp=0x7fffffffdfcf, 
    operate=0x7ffff7ded700 <dl_open_worker>, args=0x7fffffffdf70) at dl-error.c:178
#16 0x00007ffff7ded31a in _dl_open (file=0x7fffffffe1c0 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=0x7ffff629d21e, nsid=-2, argc=1, 
    argv=<optimized out>, env=0x555555969370) at dl-open.c:639
#17 0x00007ffff62c7e02 in do_dlopen (ptr=0x7fffffffe170) at dl-libc.c:89
#18 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffe1a0, errstring=0x7fffffffe190, mallocedp=0x7fffffffe1af, 
    operate=0x7ffff62c7dc0 <do_dlopen>, args=0x7fffffffe170) at dl-error.c:178
#19 0x00007ffff62c7ec4 in dlerror_run (args=0x7fffffffe170, operate=0x7ffff62c7dc0 <do_dlopen>) at dl-libc.c:48
#20 __GI___libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at dl-libc.c:165
#21 0x00007ffff629d21e in nss_load_library (ni=<optimized out>) at nsswitch.c:372
#22 0x00007ffff629dc7d in __GI___nss_lookup_function (ni=0x555555d79330, fct_name=0x7ffff63127aa "getpwnam_r") at nsswitch.c:474
#23 0x00007ffff629de8c in __GI___nss_lookup (ni=0x7fffffffe2d0, fct_name=0x7ffff63127aa "getpwnam_r", fct2_name=0x0, fctp=0x7fffffffe2e0)
    at nsswitch.c:202
#24 0x00007ffff62562c8 in __getpwnam_r (name=0x555555ce4990 "i", resbuf=0x7ffff6552320, buffer=0x555555b35870 "X\374T\366\377\177", buflen=1024, 
    result=0x7fffffffe330) at ../nss/getXXbyYY_r.c:203
#25 0x00007ffff6255b74 in getpwnam (name=0x555555ce4990 "i") at ../nss/getXXbyYY.c:117
#26 0x00005555556db375 in siLocalCredGetId (addr=0x555555c7a272 "i", len=1, lcPriv=0x555555952790, id=0x7fffffffe3cc) at ../../os/access.c:1980
#27 0x00005555556db3d1 in siLocalCredCheckAddr (addrString=<optimized out>, length=<optimized out>, typePriv=<optimized out>)
    at ../../os/access.c:2055
#28 0x00005555556db11c in siCheckAddr (addrString=<optimized out>, length=11) at ../../os/access.c:1686
#29 0x00005555556dc4af in AddHost (client=0x555555ce4c60, family=5, length=11, pAddr=0x555555c7a268) at ../../os/access.c:1249
#30 0x00005555555a2881 in Dispatch () at ../../dix/dispatch.c:439
#31 0x00005555555917aa in main (argc=1, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287
Comment 1 Maarten Lankhorst 2012-05-03 10:46:11 UTC
Backtrace was with synaptics 1.6.0
Comment 2 Peter Hutterer 2012-05-14 14:58:01 UTC
http://patchwork.freedesktop.org/patch/10230/
Comment 3 Maarten Lankhorst 2012-05-15 00:57:30 UTC
I had that patch as a workaround locally, but since I didn't understand the problem well enough, I didn't want to accept it as a real solution.
Comment 4 Peter Hutterer 2012-06-11 20:40:31 UTC
commit 55fc42e7c9b4948cadd4f98ef7b6a3b12e268e3e
Author: Chase Douglas <chase.douglas@canonical.com>
Date:   Mon May 14 10:20:01 2012 -0700

    Ignore pre-existing touches
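To illustrate the failure mode the fix addresses (a touch release arriving for a slot whose begin was never observed, driving the active-touch count below zero and the slot bookkeeping out of bounds), here is an added C model; it is not the synaptics driver's code, and the slot count, event names and sample sequence are constructed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of per-slot touch bookkeeping (constructed, not the
 * driver's own structures). NUM_SLOTS is an assumed bound. */
#define NUM_SLOTS 10

enum ev_type { EV_TOUCH_BEGIN, EV_TOUCH_END };

struct touch_event { enum ev_type type; int slot; };

struct touch_state {
    bool slot_active[NUM_SLOTS];   /* slots whose begin we have seen */
    int  num_active_touches;       /* invariant: never below zero */
};

/* Returns 0 if the event was applied, -1 if it was rejected (ignored). */
static int update_touch_state(struct touch_state *st, const struct touch_event *ev)
{
    if (ev->slot < 0 || ev->slot >= NUM_SLOTS)
        return -1;                          /* slot index out of range */
    if (ev->type == EV_TOUCH_BEGIN) {
        if (st->slot_active[ev->slot])
            return -1;                      /* duplicate begin for this slot */
        st->slot_active[ev->slot] = true;
        st->num_active_touches++;
    } else {
        /* An end for a slot we never saw begin belongs to a pre-existing
         * touch (it started before tracking began): ignore it instead of
         * decrementing a counter that would go negative. */
        if (!st->slot_active[ev->slot])
            return -1;
        st->slot_active[ev->slot] = false;
        st->num_active_touches--;
    }
    assert(st->num_active_touches >= 0);
    return 0;
}

/* Replays a constructed sequence in which slot 0 is lifted before any
 * begin for it was seen; returns how many events were ignored. */
static int replay_sample(struct touch_state *st)
{
    static const struct touch_event seq[] = {
        { EV_TOUCH_END, 0 },                    /* pre-existing touch lifted */
        { EV_TOUCH_BEGIN, 1 }, { EV_TOUCH_BEGIN, 2 },
        { EV_TOUCH_END, 1 },
    };
    int ignored = 0;
    *st = (struct touch_state){0};
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (update_touch_state(st, &seq[i]) < 0)
            ignored++;
    return ignored;
}
```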
