Bug 37562 - CreateColormap seems to add a padding of int size between each color - lead to abort in realloc in weird cases
Status: RESOLVED MOVED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: ARM Linux (All)
Priority/Severity: medium major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-24 20:48 UTC by Alban Browaeys
Modified: 2018-12-13 22:25 UTC (History)
Description Alban Browaeys 2011-05-24 20:48:39 UTC
I wonder if this is a bug in assignment or allocation. Though, when assigning green and blue to pmap in CreateColormap of dix/colormap.c, there is a +(MAXCLIENTS * sizeof(int)):
pmap->green = (EntryPtr)((char *)pmap->numPixelsRed +(MAXCLIENTS * sizeof(int)));

Running under omapfb, kernel space 32 bpp and DefaultDepth 16 in xorg conf (this was a mistake, though the issue remains):
X.Org X Server 1.10.1
Release Date: 2011-04-15
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.39-rc7-a101-initramfs-09745-gc6c0139-dirty armv7l Debian
Current Operating System: Linux archos101 2.6.39-rc7-a101-initramfs-09746-g02a1e82-dirty #263 PREEMPT Tue May 24 17:43:21 CEST 2011 armv7l
Kernel command line: console=tty0 earlyprintk loglevel=8 ram=4915200 omapfb.vrfb=y omapfb.rotate=2 omapfb.vram=0:4915200 omapdss.debug=y omapfb.debug=y debug twl4030_bci.debug=1 root=/dev/mmcblk1p1 ddebug_query="module twl4030_bci +p" ddebug_query="module twl4030_usb +p"
Build Date: 24 May 2011  12:09:27AM
xorg-server 2:1.10.1-2.1 (Alban Browaeys <prahal@yahoo.com>) 
Current version of pixman: 0.21.8
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Tue May 24 18:32:13 2011
Converted `/usr/share/X11/%X' to `/usr/share/X11/xorg.conf.d'
Converted `/etc/X11/%X' to `/etc/X11/xorg.conf.d'
Converted `/etc/X11/%X' to `/etc/X11/xorg.conf'
Converted `/etc/%X' to `/etc/xorg.conf'
Converted `%P/etc/X11/%X.%H' to `/usr/etc/X11/xorg.conf.archos101'
Converted `%P/etc/X11/%X' to `/usr/etc/X11/xorg.conf'
Converted `%P/lib/X11/%X.%H' to `/usr/lib/X11/xorg.conf.archos101'
Converted `%P/lib/X11/%X' to `/usr/lib/X11/xorg.conf'
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
APM: OSPMOpen called
APM: Opening device
LoaderOpen(/usr/lib/xorg/modules/extensions/libextmod.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdbe.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libglx.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/librecord.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdri.so)
LoaderOpen(/usr/lib/xorg/modules/extensions/libdri2.so)
LoaderOpen(/usr/lib/xorg/modules/drivers/omapfb_drv.so)
LoaderOpen(/usr/lib/xorg/modules/drivers/omapfb_drv.so)
(EE) omapfb(0): OMAPFBPreInit: Opening '/dev/fb0' might have failed: (10) Invalid argument
xf86RegisterRootWindowProperty(0, 69, 19, 32, 1, 0x1e13b8)
new property filled
creating xf86RegisteredPropertiesTable[] size 1
xf86RegisteredPropertiesTable 0x1e2488
xf86RegisteredPropertiesTable[0] (nil)
xf86RegisterRootWindowProperty succeeded
(EE) omapfb(0): Mapping framebuffer memory succeeded: 4915200
LoaderOpen(/usr/lib/xorg/modules/libfb.so)
[tcsetpgrp failed in terminal_inferior: Operation not permitted]

Breakpoint 3, mremap_chunk (p=0x1e5cf0, new_size=1032) at malloc.c:3574
3574	malloc.c: No such file or directory.
	in malloc.c
(gdb) bt
#0  mremap_chunk (p=0x1e5cf0, new_size=1032) at malloc.c:3574
#1  0x4033b70c in __libc_realloc (oldmem=0x1e5cf8, bytes=1028) at malloc.c:3790
#2  0x000a1854 in AllocColor (pmap=0x1e35a8, pred=<value optimized out>, pgreen=0xbefff59e, pblue=0xbefff59e, pPix=0xbefff590, client=0)
    at ../../dix/colormap.c:878
#3  0x000a4e84 in miCreateDefColormap (pScreen=0x1e24a8) at ../../mi/micmap.c:330
#4  0x40592c4c in OMAPFBScreenInit (scrnIndex=0, pScreen=0x1e24a8, argc=1, argv=0xbefff864) at ../../src/omapfb-driver.c:571
#5  0x000318c8 in AddScreen (pfnInit=0x1b9744 <_GLOBAL_OFFSET_TABLE_>, argc=1845032, argv=0x405928b4) at ../../dix/dispatch.c:3890
#6  0x00074a6c in InitOutput (pScreenInfo=0x12fdfc, argc=1825576, argv=0x72e28) at ../../../../hw/xfree86/common/xf86Init.c:738
#7  0x00025cec in main (argc=1, argv=0xbefff864, envp=<value optimized out>) at ../../dix/main.c:205
(gdb) n
Xorg: malloc.c:3574: mremap_chunk: Assertion `((size + offset) & (mp_.pagesize-1)) == 0' failed.

Valgrind shows:
creating xf86RegisteredPropertiesTable[] size 1
xf86RegisteredPropertiesTable 0x4e40950
xf86RegisteredPropertiesTable[0] (nil)
xf86RegisterRootWindowProperty succeeded
(EE) omapfb(0): Mapping framebuffer memory succeeded: 4915200
LoaderOpen(/usr/lib/xorg/modules/libfb.so)
==9607== Invalid write of size 2
==9607==    at 0x9F968: CreateColormap (colormap.c:382)
==9607==    by 0xA4E3F: miCreateDefColormap (micmap.c:315)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5e250 is 16 bytes before a block of size 1,024 alloc'd
==9607==    at 0x48334BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-arm-linux.so)
==9607== 
==9607== Invalid write of size 2
==9607==    at 0x9F958: CreateColormap (colormap.c:383)
==9607==    by 0xA4E3F: miCreateDefColormap (micmap.c:315)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de04 is 4 bytes after a block of size 10,056 alloc'd
==9607==    at 0x48334BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-arm-linux.so)
==9607== 
==9607== Invalid read of size 2
==9607==    at 0x9DC04: FindBestPixel (colormap.c:1158)
==9607==    by 0xA17AB: AllocColor (colormap.c:868)
==9607==    by 0xA4E83: miCreateDefColormap (micmap.c:330)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de10 is not stack'd, malloc'd or (recently) free'd
==9607== 
==9607== Invalid read of size 2
==9607==    at 0x9DC04: FindBestPixel (colormap.c:1158)
==9607==    by 0xA17AB: AllocColor (colormap.c:868)
==9607==    by 0xA4EC3: miCreateDefColormap (micmap.c:332)
==9607==    by 0x51ACC4B: OMAPFBScreenInit (omapfb-driver.c:571)
==9607==    by 0x318C7: AddScreen (dispatch.c:3890)
==9607==    by 0x74A6B: InitOutput (xf86Init.c:738)
==9607==    by 0x25CEB: main (main.c:205)
==9607==  Address 0x4e5de10 is not stack'd, malloc'd or (recently) free'd
==9607== 


I fixed this by removing "+(MAXCLIENTS * sizeof(int))" from:
pmap->green = (EntryPtr)((char *)pmap->numPixelsRed +(MAXCLIENTS * sizeof(int)));
and:
pmap->blue = (EntryPtr)((char *)pmap->numPixelsGreen +
				(MAXCLIENTS * sizeof(int)));

though I might be mistaken in the fix, i.e. I did not find any evidence that there is a use for this addition to the pointer offset. If this clue is wrong I will look at the allocation, where it does not seem to be accounted for.
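The description above hypothesises that the carve-up of the single colormap block in CreateColormap advances the green and blue pointers by MAXCLIENTS * sizeof(int) bytes that the allocation size does not include, which is consistent with the Valgrind report of a 2-byte write 4 bytes past a 10,056-byte block from CreateColormap. The following is an added example, not xorg code and not a confirmed root cause for this bug: it models that pattern with hypothetical stand-in structs (CmapRec, Entry, MAX_CLIENTS and the helper names are all invented for illustration) and shows how deriving the allocation size and the pointer offsets from the same arithmetic, plus a bounds check before handing out pointers, catches such a mismatch at creation time instead of later inside realloc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CLIENTS 256   /* stands in for xorg's MAXCLIENTS; value chosen for the example */

/* Hypothetical stand-ins for xorg's Entry and ColormapRec; the field layout is illustrative. */
typedef struct { uint16_t red, green, blue; uint8_t refcnt, fShared; } Entry;

typedef struct {
    int    entries;                                       /* entries per channel */
    Entry *red, *green, *blue;                            /* entry tables */
    int   *numPixelsRed, *numPixelsGreen, *numPixelsBlue; /* per-client counters */
} CmapRec;

/* One channel's payload: an entry table followed by one int counter per client. */
static size_t channel_bytes(int entries)
{
    return (size_t)entries * sizeof(Entry) + (size_t)MAX_CLIENTS * sizeof(int);
}

/* Bytes requested from malloc for a three-channel (DirectColor-style) map. */
static size_t cmap_alloc_size(int entries)
{
    return sizeof(CmapRec) + 3 * channel_bytes(entries);
}

/* Byte offsets of every sub-array, computed the way the carve-up walks the block.
 * 'skew' is an extra gap inserted before green and before blue that cmap_alloc_size()
 * knows nothing about; it models the +(MAXCLIENTS * sizeof(int)) term the report
 * questions. skew == 0 is the self-consistent layout. */
typedef struct { size_t red, numRed, green, numGreen, blue, numBlue, end; } Offsets;

static Offsets cmap_offsets(int entries, size_t skew)
{
    size_t e = (size_t)entries * sizeof(Entry);
    size_t c = (size_t)MAX_CLIENTS * sizeof(int);
    Offsets o;
    o.red      = sizeof(CmapRec);
    o.numRed   = o.red + e;
    o.green    = o.numRed + c + skew;
    o.numGreen = o.green + e;
    o.blue     = o.numGreen + c + skew;
    o.numBlue  = o.blue + e;
    o.end      = o.numBlue + c;        /* one past the last carved byte */
    return o;
}

/* Bytes the carve-up would spill past the allocation (0 when the layout fits). */
static size_t cmap_overrun(int entries, size_t skew)
{
    size_t size = cmap_alloc_size(entries);
    size_t end  = cmap_offsets(entries, skew).end;
    return end > size ? end - size : 0;
}

static int cmap_layout_fits(int entries, size_t skew)
{
    return cmap_overrun(entries, skew) == 0;
}

/* Allocate and carve a map, refusing layouts that do not fit instead of handing out
 * pointers past the block (which is what an "Invalid write ... after a block" is). */
static CmapRec *cmap_create(int entries, size_t skew)
{
    if (!cmap_layout_fits(entries, skew))
        return NULL;
    CmapRec *pmap = calloc(1, cmap_alloc_size(entries));
    if (!pmap)
        return NULL;
    Offsets o = cmap_offsets(entries, skew);
    char *base = (char *)pmap;
    pmap->entries        = entries;
    pmap->red            = (Entry *)(base + o.red);
    pmap->numPixelsRed   = (int *)(base + o.numRed);
    pmap->green          = (Entry *)(base + o.green);
    pmap->numPixelsGreen = (int *)(base + o.numGreen);
    pmap->blue           = (Entry *)(base + o.blue);
    pmap->numPixelsBlue  = (int *)(base + o.numBlue);
    return pmap;
}

int main(void)
{
    int entries = 256;
    size_t skew = (size_t)MAX_CLIENTS * sizeof(int);
    printf("alloc size: %zu bytes\n", cmap_alloc_size(entries));
    printf("skew 0: fits=%d overrun=%zu\n",
           cmap_layout_fits(entries, 0), cmap_overrun(entries, 0));
    printf("skew %zu: fits=%d overrun=%zu\n", skew,
           cmap_layout_fits(entries, skew), cmap_overrun(entries, skew));
    CmapRec *pmap = cmap_create(entries, 0);
    if (pmap) {
        pmap->blue[entries - 1].red = 0xffff;   /* last entry of the last table is in bounds */
        free(pmap);
    }
    return 0;
}
```

With skew equal to MAX_CLIENTS * sizeof(int) the carve-up ends 2 * MAX_CLIENTS * sizeof(int) bytes past the block regardless of the entry count, because the gap is inserted twice (before green and before blue) and the size function never added it; the fix in such a design is to compute both from the same Offsets table rather than to delete the term by hand.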
Comment 1 GitLab Migration User 2018-12-13 22:25:03 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/410.

