ubuntu-x-swat team mailing list archive

Thread
Date
[Bug 525066] Re: x11vnc able to segfault xorg

To: ubuntu-x-swat@xxxxxxxxxxxxxxxxxxx
From: Bryce Harrington <525066@xxxxxxxxxxxxxxxxxx>
Date: Wed, 12 Jan 2011 22:44:01 -0000
Reply-to: Bug 525066 <525066@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Hi Sheng,

Thanks for providing the detailed backtrace. Looks like it's a stack
overflow in the client callback code when the client disappeared.  The
leftover callback resulted in an endless loop.

** Description changed:

  Binary package hint: xorg
  
  Lots of discussion over at:
  http://ubuntuforums.org/showthread.php?t=965695
  
  But the gist of it is, x11vnc is able to segfault xorg.  Quite simple to
  reproduce.  Find a "victim" machine and boot it up to the gdm login
  prompt.  Then ssh into the machine and run:
  
  # DISPLAY=:0 x11vnc
  
  (notice logged in as root) and then connect with a vnc client.  Try to
  log in and very quickly the vnc connection will be closed and when you
  reconnect you will be at a new login prompt.  That's because the last
  X11 server crashed.  Check out /var/log/Xorg.0.log.old on the victim
  machine.
  
+ (gdb) attach 3038
+ ...
+ 0x00007f7652ee9485 in ?? () from /lib/libdrm_intel.so.1
+ (gdb) cont
+ Continuing.
+ 
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00007f765395b662 in RecordAReply (pcbl=0x7e29a0, nulldata=0x0, calldata=0x7fffc929a050) at ../../record/record.c:601
+ 	in ../../record/record.c
+ (gdb) 
+ [K(gdb) bt
+ #0  0x00007f765395b662 in RecordAReply (pcbl=0x7e29a0, nulldata=0x0, calldata=0x7fffc929a050) at ../../record/record.c:601
+ #1  0x000000000043191c in _CallCallbacks (pcbl=0x7e29a0, call_data=0x7fffc929a050) at ../../dix/dixutils.c:743
+ #2  CallCallbacks (pcbl=0x7e29a0, call_data=0x7fffc929a050) at ../../dix/dixutils.c:877
+ #3  0x0000000000460091 in WriteToClient (who=0x41c8270, count=60, __buf=0x3d0b838) at ../../os/io.c:800
+ #4  0x00007f765395a8d2 in RecordFlushReplyBuffer (pContext=0x3d0b810, data1=0x0, len1=0, data2=<value optimized out>, len2=<value optimized out>)
+     at ../../record/record.c:251
+ #5  0x00007f765395a946 in RecordFlushAllContexts (pcbl=<value optimized out>, nulldata=<value optimized out>, calldata=<value optimized out>)
+     at ../../record/record.c:867
+ #6  0x000000000043191c in _CallCallbacks (pcbl=0x7e29a8, call_data=0x0) at ../../dix/dixutils.c:743
+ #7  CallCallbacks (pcbl=0x7e29a8, call_data=0x0) at ../../dix/dixutils.c:877
+ #8  0x000000000045ffd4 in WriteToClient (who=0x41c8270, count=60, __buf=0x3d0b838) at ../../os/io.c:824
+ #9  0x00007f765395a8d2 in RecordFlushReplyBuffer (pContext=0x3d0b810, data1=0x0, len1=0, data2=<value optimized out>, len2=<value optimized out>)
+     at ../../record/record.c:251
+ #10 0x00007f765395a946 in RecordFlushAllContexts (pcbl=<value optimized out>, nulldata=<value optimized out>, calldata=<value optimized out>)
+     at ../../record/record.c:867
+ #11 0x000000000043191c in _CallCallbacks (pcbl=0x7e29a8, call_data=0x0) at ../../dix/dixutils.c:743
+ #12 CallCallbacks (pcbl=0x7e29a8, call_data=0x0) at ../../dix/dixutils.c:877
+ #13 0x000000000045ffd4 in WriteToClient (who=0x41c8270, count=60, __buf=0x3d0b838) at ../../os/io.c:824
+ #14 0x00007f765395a8d2 in RecordFlushReplyBuffer (pContext=0x3d0b810, data1=0x0, len1=0, data2=<value optimized out>, len2=<value optimized out>)
+     at ../../record/record.c:251
+ [Repeats endlessly...]
+ 
  ProblemType: Bug
  Architecture: i386
  Date: Sat Feb 20 17:09:35 2010
  DistroRelease: Ubuntu 9.10
  MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
  NonfreeKernelModules: nvidia
  Package: xorg 1:7.4+3ubuntu10
  ProcCmdLine: auto BOOT_IMAGE=ubuntu root=/dev/mapper/rootvol-ubuntu_root
  ProcEnviron:
-  LANG=en_CA.UTF-8
-  SHELL=/bin/bash
+  LANG=en_CA.UTF-8
+  SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.31-19.56-generic
  RelatedPackageVersions:
-  xserver-xorg 1:7.4+3ubuntu10
-  libgl1-mesa-glx 7.6.0-1ubuntu4
-  libdrm2 2.4.14-1ubuntu1
-  xserver-xorg-video-intel 2:2.9.0-1ubuntu2.1
-  xserver-xorg-video-ati 1:6.12.99+git20090929.7968e1fb-0ubuntu1
+  xserver-xorg 1:7.4+3ubuntu10
+  libgl1-mesa-glx 7.6.0-1ubuntu4
+  libdrm2 2.4.14-1ubuntu1
+  xserver-xorg-video-intel 2:2.9.0-1ubuntu2.1
+  xserver-xorg-video-ati 1:6.12.99+git20090929.7968e1fb-0ubuntu1
  SourcePackage: xorg
  Uname: Linux 2.6.31-19-generic i686
  dmi.bios.date: 10/23/2003
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080009
  dmi.board.name: P4P800S
  dmi.board.vendor: ASUSTeK Computer Inc.
  dmi.board.version: Rev 1.xx
  dmi.chassis.asset.tag: Asset-1234567890
  dmi.chassis.type: 3
  dmi.chassis.vendor: Chassis Manufacture
  dmi.chassis.version: Chassis Version
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080009:bd10/23/2003:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASUSTeKComputerInc.:rnP4P800S:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
  dmi.product.name: To Be Filled By O.E.M.
  dmi.product.version: To Be Filled By O.E.M.
  dmi.sys.vendor: To Be Filled By O.E.M.
  fglrx: Not loaded
  system:
-  distro:             Ubuntu
-  architecture:       i686kernel:             2.6.31-19-generic
+  distro:             Ubuntu
+  architecture:       i686kernel:             2.6.31-19-generic

** Changed in: xorg-server (Ubuntu)
     Assignee: (unassigned) => Bryce Harrington (bryce)

-- 
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to xorg-server in ubuntu.
https://bugs.launchpad.net/bugs/525066

Title:
  x11vnc able to segfault xorg
References

[Bug 525066] [NEW] x11vnc able to segfault xorg
From: Brian J. Murrell, 2010-02-20