Bug 102126 - Crash in ProcGetPointerControl
Summary: Crash in ProcGetPointerControl
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2017-08-09 04:01 UTC by Jonas Ådahl
Modified: 2018-04-23 20:52 UTC (History)
Description Jonas Ådahl 2017-08-09 04:01:53 UTC
I don't know what triggered it, and I hadn't patched X to not catch crashes so I don't have a core dump, but the following crash happened:

(EE) Backtrace:
(EE) 0: /home/jonas/Dev/gnome/install/bin/Xwayland (OsSigHandler+0x29) [0x479d89]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f50645bb25f]
(EE) 2: /home/jonas/Dev/gnome/install/bin/Xwayland (ProcGetPointerControl+0x58) [0x43ac08]
(EE) 3: /home/jonas/Dev/gnome/install/bin/Xwayland (Dispatch+0x32a) [0x443b7a]
(EE) 4: /home/jonas/Dev/gnome/install/bin/Xwayland (dix_main+0x378) [0x447a88]
(EE) 5: /lib64/libc.so.6 (__libc_start_main+0xee) [0x7f50641f85fe]
(EE) 6: /home/jonas/Dev/gnome/install/bin/Xwayland (_start+0x2a) [0x42970a]
(EE) 7: ? (?+0x2a) [0x2a]
(EE)
(EE) Segmentation fault at address 0x8
Comment 1 Jonas Ådahl 2017-08-21 04:03:07 UTC
Got this again, but Firefox crashed as a side effect, eating up all available core dump space, making coredumpctl discard the Xwayland dump before I had a chance to examine it. Coredumpctl still reports more or less the same trace:

                Stack trace of thread 15288:
                #0  0x000000000043af58 ProcGetPointerControl (Xwayland)
                #1  0x0000000000443eca Dispatch (Xwayland)
                #2  0x0000000000447dd8 dix_main (Xwayland)
                #3  0x00007f313b8835fe __libc_start_main (libc.so.6)
                #4  0x000000000042979a _start (Xwayland)
Comment 2 Jonas Ådahl 2017-08-21 04:03:55 UTC
Moving to xorg, as I don't think this is really Xwayland related.
Comment 3 Adam Jackson 2018-04-23 20:52:00 UTC
Pretty sure this was fixed by:

commit 9f7a9be13d6449c00c86d3035374f4f543654b3f
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Dec 5 09:59:06 2017 +0100

    dix: avoid dereferencing NULL PtrCtrl
    
    PtrCtrl really makes sense for relative pointing device only, absolute
    devices such as touch devices do not have any PtrCtrl set.
    
    In some cases, if the client issues a XGetPointerControl() immediately
    after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
    a NULL pointer dereference will occur leading to a crash of Xwayland.
    
    Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
    return the default control values otherwise, to avoid the NULL pointer
    dereference.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
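
The guard the commit message describes, as an added sketch that is not the X server's own code: the structs, function names and default values below are simplified assumptions made for illustration. A device without pointer feedback (an absolute device such as a touch device) gets a default reply instead of a read through a NULL pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the server's device structures (assumed layout,
 * not copied from the X server headers). */
typedef struct { int num, den, threshold; } PtrCtrl;

typedef struct PtrFeedback {
    void (*ctrl_proc)(void);   /* callback slot ahead of the settings */
    PtrCtrl ctrl;
} PtrFeedback;

typedef struct { PtrFeedback *ptrfeed; } Device;  /* NULL for absolute devices */
typedef struct { int accel_num, accel_den, threshold; } PointerControlReply;

/* Constructed fallback values for this example. */
static const PtrCtrl default_ptr_ctrl = { 2, 1, 4 };

/* Guarded lookup: never form &dev->ptrfeed->ctrl from a NULL ptrfeed. */
static const PtrCtrl *effective_ptr_ctrl(const Device *dev)
{
    if (dev == NULL || dev->ptrfeed == NULL)
        return &default_ptr_ctrl;
    return &dev->ptrfeed->ctrl;
}

/* Request handler shape: always produces a well-formed reply. */
static PointerControlReply get_pointer_control(const Device *dev)
{
    const PtrCtrl *ctrl = effective_ptr_ctrl(dev);
    PointerControlReply rep = { ctrl->num, ctrl->den, ctrl->threshold };
    return rep;
}

/* Offset a read through a NULL ptrfeed would fault at in this layout. */
static size_t null_fault_offset(void) { return offsetof(PtrFeedback, ctrl); }

int main(void)
{
    PtrFeedback fb = { NULL, { 3, 2, 8 } };   /* constructed sample device */
    Device mouse = { &fb }, touch = { NULL };
    PointerControlReply a = get_pointer_control(&mouse);
    PointerControlReply b = get_pointer_control(&touch);
    printf("relative: %d/%d thr %d\n", a.accel_num, a.accel_den, a.threshold);
    printf("absolute: %d/%d thr %d\n", b.accel_num, b.accel_den, b.threshold);
    printf("fault offset without the check: 0x%zx\n", null_fault_offset());
    return 0;
}
```

In this model the settings sit one pointer-sized member into the feedback struct, so on a 64-bit build an unguarded read through a NULL feedback pointer would fault at a small address such as 0x8 rather than at 0.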

