Bug 35066 - Crash in SecurityAuthorizationExpired with big xauth timeouts
Status: RESOLVED DUPLICATE of bug 27134
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL: http://bugs.debian.org/616667
 
Reported: 2011-03-06 11:24 UTC by Cyril Brulebois
Modified: 2011-03-07 09:30 UTC

Attachments
GDB session (3.20 KB, text/plain)
2011-03-06 11:24 UTC, Cyril Brulebois

Description Cyril Brulebois 2011-03-06 11:24:13 UTC
Created attachment 44181
GDB session

First reported in Debian bug #616667 by Ian Jackson:
  http://bugs.debian.org/616667

Steps to reproduce:
$ touch foo && xauth -f foo generate $DISPLAY . untrusted timeout 1000000000

Prerequisite: X Server built with --enable-xcsecurity, reproduced with 1.7, 1.9, and 1.10.

Gdb session attached.

Bottom line:
 1. int overflow in os/WaitFor.c for big timeouts.
 2. AFAICT, wrong comparison between unsigned int:

(int) (a-b) will be negative with e.g. a=INT_MAX*4/5; b=INT_MAX*1/5, which is wrong.

The assert happens in SecurityAuthorizationExpired because the Timer is only going to be set on/attached to “pAuth” once TimerSet returns, so calling the callback from within TimerSet can only fail.

[If that's a supposedly-supported codepath, the assert should probably become: assert((pAuth->timer == NULL) || …); but I don't think that should happen at all.]

Patches will follow on xorg-devel@ in a few minutes.
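
The signed-difference comparison mentioned in the report, modelled as an added example that is not part of the original report and is not X server code. It assumes a wrapping 32-bit millisecond clock; all function names and values are hypothetical. It shows that a delay of 2^31 ms or more looks already expired at the moment the timer is armed, and that clamping the delay avoids this.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not X server source: a 32-bit millisecond clock that
 * wraps, ordered with the signed-difference idiom "(int)(a - b)". */
#define MAX_DELAY_MS 0x7fffffffu   /* largest delay the idiom can represent */

/* Wraparound-tolerant "a is at or before b". Only valid while the two
 * readings are less than 2^31 ms apart. */
static int at_or_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) <= 0;
}

/* Naive arming: returns 1 if the new deadline is treated as already
 * expired at the moment it is set. */
static int expired_when_set_naive(uint32_t now, uint32_t delay_ms)
{
    uint32_t expires = now + delay_ms;   /* unsigned wrap is well defined */
    return at_or_before(expires, now);
}

/* Hardened arming: clamp the delay into the representable range; a caller
 * that wants a longer wait re-arms when this timer fires. */
static uint32_t clamp_delay(uint32_t delay_ms)
{
    return delay_ms > MAX_DELAY_MS ? MAX_DELAY_MS : delay_ms;
}

static int expired_when_set_clamped(uint32_t now, uint32_t delay_ms)
{
    uint32_t expires = now + clamp_delay(delay_ms);
    return at_or_before(expires, now);
}

int main(void)
{
    uint32_t now = 123456u;              /* constructed clock reading */
    uint32_t delays[] = { 1000u, 0x7fffffffu, 0x80000000u, 0xfffffed8u };
    for (size_t i = 0; i < sizeof delays / sizeof delays[0]; i++)
        printf("delay=%10u ms  naive=%d  clamped=%d\n", (unsigned)delays[i],
               expired_when_set_naive(now, delays[i]),
               expired_when_set_clamped(now, delays[i]));
    return 0;
}
```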
Comment 1 Julien Cristau 2011-03-07 09:30:56 UTC

*** This bug has been marked as a duplicate of bug 27134 ***

