Bug 8085 - Invalid xkb calls can crash Xvnc
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VNC
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.15.0
Assignee: Alexander Zeijlon
Reported: 2023-02-08 14:19 CET by Pierre Ossman
Modified: 2023-05-26 14:30 CEST

Acceptance Criteria:
Must:
* Our X server should be protected from crashes caused by third party programs.
Should:
* Bugs found should be reported upstream if they are still present in newer versions of X server.


Description Pierre Ossman cendio 2023-02-08 14:19:06 CET
x0vncserver 1.13.0 is doing some incorrect xkb calls that cause our X server to crash. We can see the following in the log:

> corrupted size vs. prev_size
> (EE) 
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x41) [0x76a2f1]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x36d909) [0x76d909]
> (EE) 2: /lib64/libc.so.6 (0x7f4406200000+0x3ea00) [0x7f440623ea00]
> (EE) 3: /lib64/libc.so.6 (0x7f4406200000+0x8ebec) [0x7f440628ebec]
> (EE) 4: /lib64/libc.so.6 (raise+0x16) [0x7f440623e956]
> (EE) 5: /lib64/libc.so.6 (abort+0xcf) [0x7f44062287f4]
> (EE) 6: /lib64/libc.so.6 (0x7f4406200000+0x82d3e) [0x7f4406282d3e]
> (EE) 7: /lib64/libc.so.6 (0x7f4406200000+0x9893c) [0x7f440629893c]
> (EE) 8: /lib64/libc.so.6 (0x7f4406200000+0x9940e) [0x7f440629940e]
> (EE) 9: /lib64/libc.so.6 (0x7f4406200000+0x9a91b) [0x7f440629a91b]
> (EE) 10: /lib64/libc.so.6 (free+0x73) [0x7f440629d133]
> (EE) 11: /opt/thinlinc/libexec/Xvnc (SrvXkbFreeClientMap+0x136) [0x576fc6]
> (EE) 12: /opt/thinlinc/libexec/Xvnc (SrvXkbFreeKeyboard+0xfb) [0x57365b]
> (EE) 13: /opt/thinlinc/libexec/Xvnc (ProcXkbGetKbdByName+0xaf8) [0x55f198]
> (EE) 14: /opt/thinlinc/libexec/Xvnc (Dispatch+0x325) [0x71c925]
> (EE) 15: /opt/thinlinc/libexec/Xvnc (dix_main+0x388) [0x720778]
> (EE) 16: /lib64/libc.so.6 (0x7f4406200000+0x29510) [0x7f4406229510]
> (EE) 17: /lib64/libc.so.6 (__libc_start_main+0x89) [0x7f44062295c9]
> (EE) 18: /opt/thinlinc/libexec/Xvnc (0x400000+0xc2fa0) [0x4c2fa0]
> (EE) 
> (EE) 
> Fatal server error:
> (EE) Caught signal 6 (Aborted). Server aborting
> (EE) 

On a different test run with a manually built Xvnc I got:

> (EE) 
> (EE) Backtrace:
> (EE) 0: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (xorg_backtrace+0x41) [0x609071]
> (EE) 1: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (0x400000+0x20c669) [0x60c669]
> (EE) 2: /lib64/libc.so.6 (0x7f09fa000000+0x3ea00) [0x7f09fa03ea00]
> (EE) 3: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (0x400000+0x17c749) [0x57c749]
> (EE) 4: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (ProcXkbSetMap+0x152) [0x582b22]
> (EE) 5: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (Dispatch+0x325) [0x5bb6b5]
> (EE) 6: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (dix_main+0x388) [0x5bf508]
> (EE) 7: /lib64/libc.so.6 (0x7f09fa000000+0x29510) [0x7f09fa029510]
> (EE) 8: /lib64/libc.so.6 (__libc_start_main+0x89) [0x7f09fa0295c9]
> (EE) 9: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (0x400000+0xe7fb0) [0x4e7fb0]
> (EE) 
> (EE) Segmentation fault at address 0x68
> (EE) 
> Fatal server error:
> (EE) Caught signal 11 (Segmentation fault). Server aborting
> (EE)
Comment 1 Pierre Ossman cendio 2023-02-08 14:20:17 CET
Could be the same issues as bug 7971.
Comment 3 Alexander Zeijlon cendio 2023-05-26 10:55:28 CEST
This issue does not seem to be fixed by the patches added in bug 7971.
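
A triage sketch for the two logs quoted in the description, added here as an example and not code from ThinLinc, TigerVNC or the X server: it extracts the signal, the innermost `Proc*` request handler and a heuristic crash class from an Xvnc log. The function name `triage`, the class labels, the 4096-byte near-NULL threshold and the list of glibc messages are assumptions; the sample logs are shortened copies of the ones in the description.

```python
import re

# Constructed samples: shortened copies of the two logs quoted in the description.
HEAP_LOG = """\
corrupted size vs. prev_size
(EE) Backtrace:
(EE) 10: /lib64/libc.so.6 (free+0x73) [0x7f440629d133]
(EE) 11: /opt/thinlinc/libexec/Xvnc (SrvXkbFreeClientMap+0x136) [0x576fc6]
(EE) 13: /opt/thinlinc/libexec/Xvnc (ProcXkbGetKbdByName+0xaf8) [0x55f198]
(EE) 14: /opt/thinlinc/libexec/Xvnc (Dispatch+0x325) [0x71c925]
(EE) Caught signal 6 (Aborted). Server aborting
"""
SEGV_LOG = """\
(EE) Backtrace:
(EE) 3: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (0x400000+0x17c749) [0x57c749]
(EE) 4: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (ProcXkbSetMap+0x152) [0x582b22]
(EE) 5: ./builddir/x86_64/unix/xserver/hw/vnc/Xvnc (Dispatch+0x325) [0x5bb6b5]
(EE) Segmentation fault at address 0x68
(EE) Caught signal 11 (Segmentation fault). Server aborting
"""

FRAME = re.compile(r"\(EE\)\s+(\d+):\s+\S+\s+\(([^\s()]+?)\+0x[0-9a-f]+\)")
SIGNAL = re.compile(r"Caught signal (\d+)")
FAULT = re.compile(r"fault at address (0x[0-9a-f]+)")
# Assumption: a non-exhaustive set of glibc allocator abort message prefixes.
GLIBC_HEAP = ("corrupted size vs. prev_size", "double free or corruption",
              "free(): invalid", "malloc(): ")
PAGE = 0x1000  # assumed page size; faults below it are treated as near-NULL

def triage(log):
    """Summarise one crash log: signal, X request handler, heuristic class."""
    frames = sorted((int(n), sym) for n, sym in FRAME.findall(log))
    # Lowest-numbered Proc* frame = innermost request handler under Dispatch.
    handler = next((s for _, s in frames if s.startswith("Proc")), None)
    sig = SIGNAL.search(log)
    signal = int(sig.group(1)) if sig else None
    fault = FAULT.search(log)
    addr = int(fault.group(1), 16) if fault else None
    if signal == 6 and any(m in log for m in GLIBC_HEAP):
        kind = "heap-corruption"   # glibc's allocator check called abort()
    elif signal == 11 and addr is not None and addr < PAGE:
        kind = "near-null-deref"   # small offset from a NULL pointer
    else:
        kind = "other" if signal is not None else None
    # A Dispatch frame means the crash happened while serving a client request.
    client_request = any(s == "Dispatch" for _, s in frames)
    return {"signal": signal, "handler": handler, "class": kind,
            "fault_address": addr, "client_request": client_request}
```

Grouping crash logs by `handler` and `class` separates the `ProcXkbGetKbdByName` heap abort from the `ProcXkbSetMap` segfault, which helps when checking whether a given patch set covers both.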
