** Description changed:
- This crash occurred on resume from suspend (to RAM) on a precise box up-to-date as of Feb 24.
+ [Impact]
+ Crash bug and silent memory corruption due to an out-of-bounds access that may not be noticed until much, much later, in which case it's fatal.
+
+ [Test Case]
+ The easiest is running with valgrind, starting X and then, while doing touch motions, launching /etc/X11/Xsession and disabling/enabling the touchpad with the keyboard fn keys.
+ 1. Start X (either with or without valgrind attached)
+ 2. Start doing motions with 2 fingers and simultaneously launch /etc/X11/Xsession through ssh. If you're running valgrind, you will see an out-of-bounds access.
+ 3. Disable touchpad through builtin keys.
+ Broken Behavior: X will die due to corrupted memory being freed
+ Fixed Behavior: X survives
+
+ [Regression Potential]
+ The fixed package is upstream as 1.6.1-1ubuntu2, but this is in fact 1.6.2-1 without the commit tagging it as such. As such, a few weeks of testing have already been done by quantal users. The package will also fix jumpy cursor behavior after suspend on some MacBooks.
+
+ [Original Report]
+ This crash occurred on resume from suspend (to RAM) on a precise box up-to-date as of Feb 24.
=> 0x7f5ca44a42bc <free+28>: mov -0x8(%rdi),%rax
- 0x7f5ca44a42c0 <free+32>: lea -0x10(%rdi),%rsi
- 0x7f5ca44a42c4 <free+36>: test $0x2,%al
- 0x7f5ca44a42c6 <free+38>: jne 0x7f5ca44a42f0 <free+80>
- 0x7f5ca44a42c8 <free+40>: test $0x4,%al
- 0x7f5ca44a42ca <free+42>: lea 0x33344f(%rip),%rdi # 0x7f5ca47d7720
- 0x7f5ca44a42d1 <free+49>: je 0x7f5ca44a42df <free+63>
- 0x7f5ca44a42d3 <free+51>: mov %rsi,%rax
- 0x7f5ca44a42d6 <free+54>: and $0xfffffffffc000000,%rax
- 0x7f5ca44a42dc <free+60>: mov (%rax),%rdi
- 0x7f5ca44a42df <free+63>: xor %edx,%edx
- 0x7f5ca44a42e1 <free+65>: jmpq 0x7f5ca44a01f0
- 0x7f5ca44a42e6 <free+70>: nopw %cs:0x0(%rax,%rax,1)
- 0x7f5ca44a42f0 <free+80>: mov 0x332e9d(%rip),%r11d # 0x7f5ca47d7194
- 0x7f5ca44a42f7 <free+87>: test %r11d,%r11d
- 0x7f5ca44a42fa <free+90>: jne 0x7f5ca44a4330 <free+144>
+ 0x7f5ca44a42c0 <free+32>: lea -0x10(%rdi),%rsi
+ 0x7f5ca44a42c4 <free+36>: test $0x2,%al
+ 0x7f5ca44a42c6 <free+38>: jne 0x7f5ca44a42f0 <free+80>
+ 0x7f5ca44a42c8 <free+40>: test $0x4,%al
+ 0x7f5ca44a42ca <free+42>: lea 0x33344f(%rip),%rdi # 0x7f5ca47d7720
+ 0x7f5ca44a42d1 <free+49>: je 0x7f5ca44a42df <free+63>
+ 0x7f5ca44a42d3 <free+51>: mov %rsi,%rax
+ 0x7f5ca44a42d6 <free+54>: and $0xfffffffffc000000,%rax
+ 0x7f5ca44a42dc <free+60>: mov (%rax),%rdi
+ 0x7f5ca44a42df <free+63>: xor %edx,%edx
+ 0x7f5ca44a42e1 <free+65>: jmpq 0x7f5ca44a01f0
+ 0x7f5ca44a42e6 <free+70>: nopw %cs:0x0(%rax,%rax,1)
+ 0x7f5ca44a42f0 <free+80>: mov 0x332e9d(%rip),%r11d # 0x7f5ca47d7194
+ 0x7f5ca44a42f7 <free+87>: test %r11d,%r11d
+ 0x7f5ca44a42fa <free+90>: jne 0x7f5ca44a4330 <free+144>
#9 0x00007f5ca641ad93 in FatalSignal (signo=11) at ../../os/log.c:550
beenhere = 1
#10 <signal handler called>
No symbol table info available.
#11 __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2723
No locals.
#12 0x00007f5ca64128e2 in WriteToClient (who=0x7f5caa9a46f0, count=4, __buf=0x100000000) at /usr/include/x86_64-linux-gnu/bits/string3.h:58
oc = 0x7f5caa904180
oco = 0x7f5caa90a700
padBytes = <optimized out>
buf = 0x100000000 <Address 0x100000000 out of bounds>
#13 0x00007f5ca63afeac in ProcXIGetProperty (client=0x7f5caa9a46f0) at ../../Xi/xiproperty.c:1263
stuff = 0x7f5caada9bb0
dev = 0x7f5caa3f3630
reply = {repType = 1 '\001', RepType = 59 ';', sequenceNumber = 24, length = 1, type = 19, bytes_after = 0, num_items = 1, format = 32 ' ', pad0 = 0 '\000', pad1 = 0, pad2 = 2791869824, pad3 = 32604}
length = 4
rc = <optimized out>
format = 32
nitems = 1
bytes_after = 0
data = 0x100000000 <Address 0x100000000 out of bounds>
type = 19
ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: xserver-xorg-core 2:1.11.4-0ubuntu4
ProcVersionSignature: Ubuntu 3.2.0-17.26-generic 3.2.6
Uname: Linux 3.2.0-17-generic x86_64
.tmp.unity.support.test.0:
ApportVersion: 1.93-0ubuntu2
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
Date: Mon Feb 27 09:09:11 2012
DistUpgraded: Log time: 2012-01-16 18:59:55.567693
DistroCodename: precise
DistroVariant: ubuntu
DkmsStatus: virtualbox, 4.1.8, 3.2.0-17-generic, x86_64: installed
ExecutablePath: /usr/bin/Xorg
ExtraDebuggingInterest: Yes, whatever it takes to get this fixed in Ubuntu
GraphicsCard:
Intel Corporation Core Processor Integrated Graphics Controller [8086:0046] (rev 18) (prog-if 00 [VGA controller])
Subsystem: CLEVO/KAPOK Computer Device [1558:3100]
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
Lsusb:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 004: ID 046d:c00e Logitech, Inc. M-BJ58/M-BJ69 Optical Wheel Mouse
MachineType: System76, Inc. Lemur UltraThin
ProcCmdline: /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
ProcEnviron:
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-17-generic root=UUID=552496e2-92cc-4e0f-87c0-322edc0cb632 ro quiet splash pcie_aspm=force vt.handoff=7
SegvAnalysis:
Segfault happened at: 0x7f5ca44a42bc <free+28>: mov -0x8(%rdi),%rax
PC (0x7f5ca44a42bc) ok
source "-0x8(%rdi)" (0xfffffff8) not located in a known VMA region (needed readable region)!
destination "%rax" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: xorg-server
StacktraceTop:
?? () from /lib/x86_64-linux-gnu/libc.so.6
WriteToClient ()
?? ()
?? ()
?? ()
Title: Xorg crashed with SIGSEGV in WriteToClient()
UpgradeStatus: Upgraded to precise on 2012-01-17 (41 days ago)
UserGroups:
dmi.bios.date: 11/11/2010
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: CALPELLACRB.86C.0000.X.0000000000
dmi.board.asset.tag: Tag 12345
dmi.board.name: Lemur UltraThin
dmi.board.vendor: System76, Inc.
dmi.board.version: lemu2
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: System76, Inc.
dmi.chassis.version: lemu2
dmi.modalias:
dmi:bvnPhoenixTechnologiesLTD:bvrCALPELLACRB.86C.0000.X.0000000000:bd11/11/2010:svnSystem76,Inc.:pnLemurUltraThin:pvrlemu2:rvnSystem76,Inc.:rnLemurUltraThin:rvrlemu2:cvnSystem76,Inc.:ct10:cvrlemu2:
dmi.product.name: Lemur UltraThin
dmi.product.version: lemu2
dmi.sys.vendor: System76, Inc.
version.compiz: compiz 1:0.9.7.0~bzr2995-0ubuntu5
version.ia32-libs: ia32-libs 20090808ubuntu33
version.libdrm2: libdrm2 2.4.30-1ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 8.0.1-0ubuntu2
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 8.0.1-0ubuntu2
version.xserver-xorg-core: xserver-xorg-core 2:1.11.4-0ubuntu4
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.6.99.901+git20120126-0ubuntu2
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.99~git20111219.aacbd629-0ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.17.0-1ubuntu4
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20111201+b5534a1-1build2
https://bugs.launchpad.net/bugs/941953
Title: Xorg crashed with SIGSEGV in WriteToClient() with buf = 0x100000000 from ProcXIGetProperty()