Bug#947813: SIGSEGV resulting from mesa dri2_add_config dealing poorly with invalid attrib
On 2019-12-31 2:04 p.m., Martin von Gagern wrote:
> My issue appears to be largely due to a version mismatch, and I have
> been able to resolve this.
>
> I had tried to get a specific version from unstable to test a fix for
> a different bug, but apparently I misunderstood how pinning works and
> got updates to mesa packages from the unstable release even after the
> version for which I intended this. Once I downgraded mesa packages to
> testing version, I was able to start X again.
>
> I'll leave it to you whether you believe this kind of issue is worth
> addressing at the distro level (perhaps via more strict version
> dependencies?) or forwarding to the upstream maintainers

I suspect the problem was due to libegl-mesa0 being a different version
than libglapi-mesa. The ABI between libglapi and other Mesa libraries
isn't stable upstream, so all dependencies on libglapi-mesa should
probably be restricted to the same version.

> (so that unexpected behavior from a module library gets detected in a nicer
> fashion than by crashing the X server).

xserver code can't protect itself against memory corruption like this.

> $ dpkg -l '*mesa*'
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                 Version    Architecture Description
> +++-===---=>
> ii  libegl-mesa0:amd64   19.2.6-1   amd64        free implementation of the EGL API -- Mesa vendor library
> [...]
> ii  libglapi-mesa:amd64  19.3.1-3   amd64        free implementation of the GL API -- shared library

-- 
Earthling Michel Dänzer               |               https://redhat.com
Libre software enthusiast             |             Mesa and X developer
Bug#947813: SIGSEGV resulting from mesa dri2_add_config dealing poorly with invalid attrib
My issue appears to be largely due to a version mismatch, and I have
been able to resolve this.

I had tried to get a specific version from unstable to test a fix for
a different bug, but apparently I misunderstood how pinning works and
got updates to mesa packages from the unstable release even after the
version for which I intended this. Once I downgraded mesa packages to
testing version, I was able to start X again.

I'll leave it to you whether you believe this kind of issue is worth
addressing at the distro level (perhaps via more strict version
dependencies?) or forwarding to the upstream maintainers (so that
unexpected behavior from a module library gets detected in a nicer
fashion than by crashing the X server). If you decide to just close
this bug, that's fine with me, too. In that case sorry for the noise.

$ cat /etc/apt/preferences.d/mesa.pref
Explanation: test fix for #933906
Package: *mesa*
Pin: release a=unstable
Version: 19.1.4-1
Pin-Priority: 600

$ dpkg -l '*mesa*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                            Version    Architecture Description
+++-===---=>
ii  libegl-mesa0:amd64              19.2.6-1   amd64        free implementation of the EGL API -- Mesa vendor library
ii  libegl-mesa0-dbgsym:amd64       19.2.6-1   amd64        debug symbols for libegl-mesa0
ii  libegl1-mesa:amd64              19.3.1-3   amd64        transitional dummy package
ii  libgl1-mesa-dri:amd64           19.3.1-3   amd64        free implementation of the OpenGL API -- DRI modules
ii  libgl1-mesa-dri-dbgsym:amd64    19.3.1-3   amd64        debug symbols for libgl1-mesa-dri
un  libgl1-mesa-glx                                         (no description available)
un  libgl1-mesa-swx11                                       (no description available)
ii  libglapi-mesa:amd64             19.3.1-3   amd64        free implementation of the GL API -- shared library
ii  libglapi-mesa-dbgsym:amd64      19.3.1-3   amd64        debug symbols for libglapi-mesa
un  libgles2-mesa                                           (no description available)
ii  libglu1-mesa:amd64              9.0.1-1    amd64        Mesa OpenGL utility library (GLU)
ii  libglx-mesa0:amd64              19.3.1-3   amd64        free implementation of the OpenGL API -- GLX vendor libra>
un  libwayland-egl1-mesa                                    (no description available)
un  mesa-opencl-icd                                         (no description available)
un  mesa-utils                                              (no description available)
ii  mesa-va-drivers:amd64           19.3.1-3   amd64        Mesa VA-API video acceleration drivers
ii  mesa-vdpau-drivers:amd64        19.3.1-3   amd64        Mesa VDPAU video acceleration drivers
ii  mesa-vdpau-drivers-dbgsym:amd64 19.3.1-3   amd64        debug symbols for mesa-vdpau-drivers
ii  mesa-vulkan-drivers:amd64       19.3.1-3   amd64        Mesa Vulkan graphics drivers
un  mesag3                                                  (no description available)
un  xlibmesa3                                               (no description available)
Bug#947813: SIGSEGV resulting from mesa dri2_add_config dealing poorly with invalid attrib
Package: libegl-mesa0
Version: 19.2.6-1

It seems dri2_add_config is encountering some invalid values causing
memory corruption and subsequent SIGSEGV at X server startup. The stack
trace written to the Xorg log isn't too useful, so I ran X under gdb
with debug symbols installed, and copied relevant portions below.

The way I read the results from that, for i==24 I get
attrib==__DRI_ATTRIB_MAX (=50). So dri2_add_config will enter the
default case in egl_dri2.c:319, call the inlined _eglSetConfigKey for
some invalid key for which _eglOffsetOfConfig returns its default of -1
(as seen in %rdx). The assertion of a positive offset apparently is
disabled in my build. This clobbers some bytes of the display pointer
in the base data structure, which will lead to invalid access later on,
e.g. during _eglValidateConfig.

I haven't been able to work out where the invalid attrib is coming
from. I don't know where dri2_dpy->core->indexConfigAttrib is
implemented.

(gdb) break dri2_add_config
Breakpoint 1 at 0x7fffecce8a40: file ../src/egl/drivers/dri2/egl_dri2.c, line 221.
⋮
Thread 1 "Xorg" hit Breakpoint 1, dri2_add_config (disp=disp@entry=0x55891220,
    dri_config=0x5585ab90, id=id@entry=1, surface_type=surface_type@entry=4,
    attr_list=attr_list@entry=0x7fffe2e4, rgba_masks=rgba_masks@entry=0x0)
    at ../src/egl/drivers/dri2/egl_dri2.c:221
221     ../src/egl/drivers/dri2/egl_dri2.c: No such file or directory.
⋮
[step past _eglInitConfig call]
(gdb) watch base.Display
Hardware watchpoint 2: base.Display
(gdb) c
Continuing.

Thread 1 "Xorg" hit Hardware watchpoint 2: base.Display

Old value = (_EGLDisplay *) 0x55891220
New value = (_EGLDisplay *) 0x5500
dri2_add_config (disp=disp@entry=0x55891220, dri_config=0x5585ab90,
    id=id@entry=1, surface_type=surface_type@entry=4,
    attr_list=attr_list@entry=0x7fffe2e4, rgba_masks=rgba_masks@entry=0x0)
    at ../src/egl/drivers/dri2/egl_dri2.c:239
239     in ../src/egl/drivers/dri2/egl_dri2.c
(gdb) bt
    surface_type=surface_type@entry=4, attr_list=attr_list@entry=0x7fffe2e4,
    rgba_masks=rgba_masks@entry=0x0) at ../src/egl/drivers/dri2/egl_dri2.c:239
#1  0x7fffeccef239 in drm_add_configs_for_visuals (drv=0x7fffe370, disp=0x55891220)
    at ../src/egl/drivers/dri2/platform_drm.c:640
#2  dri2_initialize_drm (drv=drv@entry=0x55891d00, disp=disp@entry=0x55891220)
    at ../src/egl/drivers/dri2/platform_drm.c:761
#3  0x7fffecce894b in dri2_initialize (disp=0x55891220, drv=0x55891d00)
    at ../src/egl/drivers/dri2/egl_dri2.c:911
#4  dri2_initialize (drv=0x55891d00, disp=0x55891220)
    at ../src/egl/drivers/dri2/egl_dri2.c:876
#5  0x7fffecce4b9d in _eglMatchAndInitialize (disp=disp@entry=0x55891220)
    at ../src/egl/main/egldriver.c:75
#6  0x7fffecce4be6 in _eglMatchDriver (disp=disp@entry=0x55891220)
    at ../src/egl/main/egldriver.c:96
#7  0x7fffeccdf188 in eglInitialize (dpy=0x55891220, major=0x0, minor=0x0)
    at ../src/egl/main/eglapi.c:617
#8  0x7621d292 in glamor_egl_init (scrn=scrn@entry=0x557ff150, fd=)
    at ../../../../../../glamor/glamor_egl.c:927
#9  0x77fbd183 in try_enable_glamor (pScrn=0x557ff150)
    at ../../../../../../../hw/xfree86/drivers/modesetting/driver.c:769
#10 PreInit (pScrn=0x557ff150, flags=)
    at ../../../../../../../hw/xfree86/drivers/modesetting/driver.c:996
#11 0x555ef814 in InitOutput (pScreenInfo=pScreenInfo@entry=0x557c37c0 ,
    argc=argc@entry=1, argv=argv@entry=0x7fffe6a8)
    at ../../../../../../hw/xfree86/common/xf86Init.c:522
#12 0x555b2714 in dix_main (argc=1, argv=0x7fffe6a8, envp=)
    at ../../../../dix/main.c:193
#13 0x76ed3bbb in __libc_start_main (main=0x5559c710 , argc=1,
    argv=0x7fffe6a8, init=, fini=, rtld_fini=, stack_end=0x7fffe698)
    at ../csu/libc-start.c:308
#14 0x5559c74a in _start ()
(gdb) disas
Dump of assembler code for function dri2_add_config:
   0x7fffecce8a40 <+0>:     push   %r15
   0x7fffecce8a42 <+2>:     push   %r14
   0x7fffecce8a44 <+4>:     push   %r13
   0x7fffecce8a46 <+6>:     push   %r12
   0x7fffecce8a48 <+8>:     mov    %rsi,%r12
   0x7fffecce8a4b <+11>:    mov    %rdi,%rsi
   0x7fffecce8a4e <+14>:    push   %rbp
   0x7fffecce8a4f <+15>:    xor    %ebp,%ebp
   0x7fffecce8a51 <+17>:    push   %rbx
   0x7fffecce8a52 <+18>:    lea    0x15b7f(%rip),%rbx        # 0x7fffeccfe5d8
   0x7fffecce8a59 <+25>:    sub    $0x118,%rsp
   0x7fffecce8a60 <+32>:    mov    0x70(%rdi),%r15
   0x7fffecce8a64 <+36>:    mov    %rdi,(%rsp)
   0x7fffecce8a68 <+40>:    lea    0x44(%rsp),%r14
   0x7fffecce8a6d <+45>:    lea    0x40(%rsp),%r13
   0x7fffecce8a72 <+50>:    mov    %edx,0x3c(%rsp)
   0x7fffecce8a76 <+54>:    mov    %ecx,0x14(%rsp)
   0x7fffecce8a7a <+58>:    mov    %r8,0x20(%rsp)
   0x7fffecce8a7f <+63>:    mov    %r9,0x28(%rsp)
   0x7fffecce8a84 <+68>:    mov    %fs:0x28,%rax
   0x7fffecce8a8d <+77>:    mov    %rax,0x108(%rsp)
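The mechanism the report describes (the lookup's -1 sentinel being used as a write offset once the assert is compiled out, so a 4-byte store lands one byte before the struct and overwrites the low bytes of the pointer at offset 0) can be modelled in a few lines. This is an added example, not Mesa's or the reporter's code; ModelConfig, model_offset_of, unchecked_set and checked_set are hypothetical names, and the pad wrapper exists only so the demo's stray byte lands in memory it owns.

```c
/* Added example (not Mesa's code): a key-to-offset lookup returns -1 for an
 * unknown key; a setter that trusts that value writes 4 bytes starting one
 * byte before the struct, clobbering the pointer at offset 0. The hardened
 * setter validates the offset first. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    void *Display;      /* pointer at offset 0, like base.Display in the report */
    int   RedSize;
    int   GreenSize;
} ModelConfig;

enum { KEY_RED = 1, KEY_GREEN = 2, KEY_MAX = 3 };  /* KEY_MAX is not a valid key */

/* Hypothetical lookup modelled on the report's description of _eglOffsetOfConfig:
 * known keys map to a field offset, anything else falls through to -1. */
static int model_offset_of(int key) {
    switch (key) {
    case KEY_RED:   return (int) offsetof(ModelConfig, RedSize);
    case KEY_GREEN: return (int) offsetof(ModelConfig, GreenSize);
    default:        return -1;
    }
}

/* Wrapper so the byte at offset -1 still lies inside memory this demo owns. */
typedef struct { unsigned char pad[8]; ModelConfig conf; } Arena;

/* Unchecked setter: what the report describes once assert(offset >= 0) is
 * compiled out. memcpy keeps the demo free of alignment problems. */
static void unchecked_set(ModelConfig *conf, int key, int val) {
    int off = model_offset_of(key);
    memcpy((char *) conf + off, &val, sizeof val);
}

/* Hardened setter: reject the sentinel (and any out-of-struct offset) before writing. */
static int checked_set(ModelConfig *conf, int key, int val) {
    int off = model_offset_of(key);
    if (off < 0 || (size_t) off + sizeof val > sizeof *conf)
        return -1;
    memcpy((char *) conf + off, &val, sizeof val);
    return 0;
}

/* Returns 1 if Display survives an unchecked write for the given key, 0 if clobbered. */
static int display_intact_after_unchecked(int key) {
    Arena a; memset(&a, 0, sizeof a);
    void *marker = (void *) (uintptr_t) 0x55891220u;  /* constructed, mirrors the report's old value */
    a.conf.Display = marker;
    unchecked_set(&a.conf, key, 0);
    return a.conf.Display == marker;
}
```

With KEY_MAX the unchecked path zeroes the low three bytes of Display, the same shape of corruption the hardware watchpoint caught in the report; the checked path returns -1 and leaves the struct untouched.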