Bug 17438 - X aborts due to an invalid free when the keyboard driver is "keyboard"
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: Other All
Importance: medium minor
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2008-09-04 15:59 UTC by Aaron Plattner
Modified: 2010-08-13 11:31 UTC

Attachments
Fix usage of heap memory for driver names. (2.23 KB, patch)
2010-08-04 23:51 UTC, Jesse Adkins

Description Aaron Plattner 2008-09-04 15:59:34 UTC
Setting the keyboard driver to "keyboard" instead of "kbd" in xorg.conf causes the X server to abort on shutdown:

X.Org X Server 1.4.99.905 (1.5.0 RC 5)
Release Date: 5 September 2007
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-53.1.19.el5 x86_64 
Current Operating System: Linux tenor 2.6.25.9-76.fc9.x86_64 #1 SMP Fri Jun 27 15:58:30 EDT 2008 x86_64
Build Date: 01 July 2008  11:17:07AM
Build ID: xorg-x11-server 1.4.99.905-1.20080701.fc9 
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Thu Sep  4 15:57:30 2008
(==) Using config file: "/etc/X11/XF86Config"
[New Thread 0x7fc6418da780 (LWP 2380)]
(no debugging symbols found)
(no debugging symbols found)
(EE) Failed to load module "type1" (module does not exist, 0)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
error setting MTRR (base = 0xb0000000, size = 0x0ff00000, type = 1) Invalid argument (22)
(no debugging symbols found)
(no debugging symbols found)
(EE) Failed to initialize GLX extension (Compatible NVIDIA X driver not found)
Detaching after fork from child process 2400.
expected keysym, got XF86Info: line 914 of inet
Detaching after fork from child process 2401.
expected keysym, got XF86Info: line 914 of inet
*** glibc detected *** /usr/bin/X: free(): invalid pointer: 0x000000000056a97e ***
(no debugging symbols found)
======= Backtrace: =========
/lib64/libc.so.6[0x3026478158]
/lib64/libc.so.6(cfree+0x76)[0x302647a796]
/usr/bin/X(DeleteInputDeviceRequest+0x4b)[0x490e0b]
/usr/bin/X(CloseDownDevices+0x29)[0x43fb79]
/usr/bin/X(main+0x499)[0x42cc89]
/lib64/libc.so.6(__libc_start_main+0xfa)[0x302641e32a]
/usr/bin/X(FontFileCompleteXLFD+0x281)[0x42c029]

Program received signal SIGABRT, Aborted.
0x0000003026432215 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003026432215 in raise () from /lib64/libc.so.6
#1  0x0000003026433d83 in abort () from /lib64/libc.so.6
#2  0x0000003026472858 in __libc_message () from /lib64/libc.so.6
#3  0x0000003026478158 in malloc_printerr () from /lib64/libc.so.6
#4  0x000000302647a796 in free () from /lib64/libc.so.6
#5  0x0000000000490e0b in DeleteInputDeviceRequest ()
#6  0x000000000043fb79 in CloseDownDevices ()
#7  0x000000000042cc89 in main ()
Comment 1 Peter Hutterer 2008-09-09 21:56:21 UTC
Weird. I can't reproduce that here, and looking at the source this shouldn't
happen.

xf86Init.c does:
if (!xf86NameCmp((*pDev)->driver, "keyboard")) {
            strcpy((*pDev)->driver, "kbd");
}

I guess that this merely triggers some memory corruption elsewhere?
Comment 2 Jesse Adkins 2010-08-04 23:51:10 UTC
Created attachment 37580
Fix usage of heap memory for driver names.
Comment 3 Peter Hutterer 2010-08-12 15:27:51 UTC
Review of attachment 37580:

Amended to use strdup instead of Xstrdup; nothing in the tree uses Xstrdup anymore. But other than that, merged, thank you.
Comment 4 Jesse Adkins 2010-08-13 11:31:24 UTC
This was fixed with commit bce12f2. Closing.
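
The ownership rule behind the fix in comments 2 and 3, as an added example (not code from the X server or from attachment 37580): every driver name is stored as a private strdup() copy, so the free() at device teardown is always valid. struct input_dev and the dev_* functions are hypothetical, plain strcmp() stands in for xf86NameCmp, and that the crash came from a non-heap driver string is an assumption based on the patch title.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup() */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an input device's configuration record. */
struct input_dev {
    char *driver;   /* invariant: NULL or heap memory owned by this struct */
};

/* Hardened setter: store a private heap copy so teardown can always free(). */
int dev_set_driver(struct input_dev *dev, const char *name)
{
    char *copy = strdup(name);
    if (copy == NULL)
        return -1;
    free(dev->driver);          /* free(NULL) is a no-op */
    dev->driver = copy;
    return 0;
}

/* Legacy-name fixup (strcmp() stands in for xf86NameCmp). Going through the
 * setter avoids strcpy()'s need for a writable, large-enough buffer. */
int dev_normalize_driver(struct input_dev *dev)
{
    if (dev->driver != NULL && strcmp(dev->driver, "keyboard") == 0)
        return dev_set_driver(dev, "kbd");
    return 0;
}

/* Teardown: valid only because every assignment goes through the setter. */
void dev_destroy(struct input_dev *dev)
{
    free(dev->driver);
    dev->driver = NULL;
}

#ifdef SHOW_BUG
/* Assumed defect class: the field borrows a string literal, which is not
 * heap memory, so free() is undefined and glibc typically aborts. */
void buggy_teardown(void)
{
    struct input_dev dev = { (char *)"kbd" };
    free(dev.driver);
}
#endif

int main(void)
{
    struct input_dev dev = { NULL };
    if (dev_set_driver(&dev, "keyboard") != 0 || dev_normalize_driver(&dev) != 0)
        return 1;
    dev_destroy(&dev);
    return 0;
}
```

Building with -DSHOW_BUG and calling buggy_teardown() under AddressSanitizer or Valgrind reports the invalid free at its call site.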