OpenBSD recently switched to a new malloc() model, based on mmap(), which randomizes the addresses of the returned pages. So the probability of having a hole at the end of a malloc()ed block has increased quite a bit. This has exposed a problem in fbBltOne() which happens after some time spent browsing the web with firefox. I'm attaching a transcript of a debug session on Xorg 6.8.2. Unfortunately, I don't know how to fix this exactly.
Created attachment 3111 [details] [review] genius-KB19eNB I've marked with <--- the address (src value) that is out of bounds.
Bump the severity a bit, since this really makes the X server almost unusable on recent OpenBSD.
src is a 19x10x1 pixmap. It is exactly 40 bytes long, starting at 0x86f83fd8. It happens to be just at the end of a page. When X segfaults, it was trying to access the address 0x86f84000, which is one byte after the end of the pixmap, which is on a different page that, with the new OpenBSD malloc, is not readable, as the following procmap excerpt shows:
0x86f83000 0x86f84000 rw- COW NNC 1 0 0
0x86f84000 0x86f85000 --- COW NNC 1 0 0
One of the OpenBSD developers, Thierry Deval, tried to analyse the problem. Here are his words: I'm pretty sure the X bug is in the LoadBits macro (at least that's where it crashes). Indeed, if leftShift != 0 and the number of significant bits to move is less than the remaining shifted word (i.e. rightShift), we don't need to complete the pattern with the next word. The diff I propose may not necessarily be the best, but seems to render my X and FireFox use more stable. Well, I'm running for several hours only, so I must test further...
Created attachment 3160 [details] Xorg logfile
Looks reasonable to me, adding to the block list so we get more eyes on it.
I got several reports that the proposed patch is wrong. It's causing corruption, specifically in text entry fields in firefox. Someone with more knowledge on fb internals really needs to look at this.
Created attachment 2877 [details] Standalone testcase for the bug; link with /usr/X11R6/lib/modules/libfb.a
Created attachment 2878 [details] [review] Patch that fixes the problem
*** Bug 4069 has been marked as a duplicate of this bug. ***
Created attachment 3097 [details] Standalone testcase for the fbBlt() bug; link with /usr/X11R6/lib/modules/libfb.a
Created attachment 3098 [details] [review] Patch that fixes the fbBlt() problem
Found a rather similar bug in fbBlt() (by code inspection). Again there is a potential read past the end of a buffer. The fix here is a bit more elegant though.
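The two comments above (Thierry's LoadBits analysis and the similar fbBlt() read past the end of a buffer) describe the same hazard: a shifted bit copy that unconditionally fetches the word after the current one, even when the bits remaining in the current word already cover the request. The C program below is an added illustration written for this thread, not fb's code and not either of the attached patches; the LoadBits-style helpers, the two-word sample buffer and the bounds-checking accessor are all constructed here. It models a source buffer whose last word sits at the end of the mapping (like the 40-byte pixmap at 0x86f83fd8), counts would-be out-of-bounds loads instead of dereferencing them, and contrasts the unconditional load with one that only touches the next word when it is actually needed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the read-past-end pattern discussed in this bug.
 * A word-sized source buffer is walked at a non-word-aligned bit offset,
 * so a destination word is normally assembled from two adjacent source
 * words. Whether the second word is needed depends on how many bits are
 * requested. */

#define WORD_BITS 32u

struct src_buf {
    const uint32_t *words;
    size_t nwords;
    size_t oob_reads;   /* loads that fell outside the buffer */
};

/* Bounds-checked load: records an overrun and returns 0 instead of reading
 * past the buffer (in the real server that read hit an unmapped page). */
static uint32_t load_word(struct src_buf *b, size_t idx)
{
    if (idx >= b->nwords) {
        b->oob_reads++;
        return 0;
    }
    return b->words[idx];
}

static uint32_t mask_bits(uint32_t bits, unsigned nbits)
{
    return nbits >= WORD_BITS ? bits : bits & ((1u << nbits) - 1u);
}

/* Unconditional variant: for any non-zero left shift it always fetches
 * words[idx + 1], even when the (WORD_BITS - left_shift) bits left in
 * words[idx] already satisfy the request. */
static uint32_t load_bits_unconditional(struct src_buf *b, size_t idx,
                                        unsigned left_shift, unsigned nbits)
{
    uint32_t bits = load_word(b, idx) >> left_shift;
    if (left_shift != 0)
        bits |= load_word(b, idx + 1) << (WORD_BITS - left_shift);
    return mask_bits(bits, nbits);
}

/* Bounded variant: only touch the next word when nbits exceeds what is
 * still available in the current word after shifting. */
static uint32_t load_bits_bounded(struct src_buf *b, size_t idx,
                                  unsigned left_shift, unsigned nbits)
{
    uint32_t bits = load_word(b, idx) >> left_shift;
    if (left_shift != 0 && nbits > WORD_BITS - left_shift)
        bits |= load_word(b, idx + 1) << (WORD_BITS - left_shift);
    return mask_bits(bits, nbits);
}

/* Constructed sample: two words, so index 2 is just past the end. */
static const uint32_t sample_words[2] = { 0xAABBCCDDu, 0x11223344u };

struct demo_result { uint32_t bits; size_t oob_reads; };

static struct demo_result run_unconditional(size_t idx, unsigned left_shift,
                                            unsigned nbits)
{
    struct src_buf b = { sample_words, 2, 0 };
    struct demo_result r;
    r.bits = load_bits_unconditional(&b, idx, left_shift, nbits);
    r.oob_reads = b.oob_reads;
    return r;
}

static struct demo_result run_bounded(size_t idx, unsigned left_shift,
                                      unsigned nbits)
{
    struct src_buf b = { sample_words, 2, 0 };
    struct demo_result r;
    r.bits = load_bits_bounded(&b, idx, left_shift, nbits);
    r.oob_reads = b.oob_reads;
    return r;
}

int main(void)
{
    /* 16 bits starting 8 bits into the last word: they fit, so the next
     * word must not be read. */
    struct demo_result u = run_unconditional(1, 8, 16);
    struct demo_result g = run_bounded(1, 8, 16);
    printf("unconditional: bits=0x%04x oob_reads=%zu\n", u.bits, u.oob_reads);
    printf("bounded:       bits=0x%04x oob_reads=%zu\n", g.bits, g.oob_reads);
    /* 16 bits starting 24 bits into word 0: spans into word 1, which is
     * in bounds, so both variants agree and neither overruns. */
    struct demo_result s = run_bounded(0, 24, 16);
    printf("spanning read: bits=0x%04x oob_reads=%zu\n", s.bits, s.oob_reads);
    return 0;
}
```

Both variants produce identical bits for every case; the only difference is the extra load on the last word, which is harmless while the following page happens to be mapped and fatal once it is not, which is exactly why the randomized OpenBSD malloc() exposed it.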
Keith, sorry for pestering you with so many bugs. But maybe you want to comment.
Latest patches from Mark committed. Several weeks of use under OpenBSD have not revealed any new problems.