ubuntu-x-swat team mailing list archive

[Bug 519049] Re: "xauth generate" with large timeout triggers assertion

 

** Description changed:

- Running "xauth generate" with a large timeout value (e.g., "xauth
- generate :0.0 . trusted timeout 99999999") causes the X server to crash
- with an assertion failure.  Immediately upon running the command, the X
- server crashes, and after a few seconds, the login screen appears.
+ [Impact]
+ xauth is not commonly run by users, but applications should not be able to crash the X server.  In the case of a guest session, although this does not allow the guest to terminate other users' sessions it leaves the system at a blank VT from which it is not obvious how to recover.
+ 
+ [Development]
+ The patch has also been applied to ubuntu-x git, and will be uploaded with 2:1.8.1.901-1ubuntu1.
+ 
+ [Patch]
+ The patch is taken from upstream's patchwork tracker: http://patchwork.freedesktop.org/patch/242/ .  This patch replaces the existing 122_xext_fix_card32_overflow_in_xauth.patch added in 2:1.7.6-2ubuntu6, which was an earlier patch from the same mailing list thread.
+ 
+ [Test Case 1]
+ 1. Update Lucid to the latest version. Reboot and log into Gnome
+ 2. Open a gnome-terminal
+ 3. Run “xauth generate $DISPLAY . timeout 99999999”
+ 4. Xserver instantly crashes (and is restarted by display manager). It should not crash at this point.
+ 
+ [Test Case 2]
+ 1. Update Lucid to the latest version. Reboot and log into Gnome
+ 2. From the session menu select “Guest session”
+ 2. In the new guest session, open a gnome-terminal
+ 3. Run “xauth -i generate $DISPLAY . timeout 99999999”
+ 4. Xserver instantly crashes, resulting in a black screen.  After setting console to raw mode (Alt+SysRq+R) Ctrl+Alt+F7 (or possibly F8, F9, etc) will switch back to the original user's session.
+ 
+ [Regression Potential]
+ Low.  The patch is small, just dropping the assert that causes the crash and ensuring the timeout values fit in the positive range of a CARD32 value.
+ 
+ There is a known problem with the patch when the epoch time is sufficiently far in the future that we can ignore it for now.
+ """
+ When epoch time is GetTimeInMillis() -  
+ (CARD32)(MAXINT),  ie  Sun Jan 10 2038 11:09:28 GMT+0530 (IST), security 
+ authorization will expire with timeout reset to Zero.
+ """
+ 
+ [Original Report]
+ Running "xauth generate" with a large timeout value (e.g., "xauth generate :0.0 . trusted timeout 99999999") causes the X server to crash with an assertion failure.  Immediately upon running the command, the X server crashes, and after a few seconds, the login screen appears.
  
  I have attached a full backtrace.  Xorg.0.log and dmesg don't contain
  any relevant data.
  
  SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed.
  
  #3  0x0039f648 in *__GI___assert_fail (assertion=0x81e1ac0 "pAuth->timer == timer",
-         file=0x81e1aaa "../../Xext/security.c", line=322, function=0x81e1e3a "SecurityAuthorizationExpired") at assert.c:81
+         file=0x81e1aaa "../../Xext/security.c", line=322, function=0x81e1e3a "SecurityAuthorizationExpired") at assert.c:81
          buf = 0x9f64128 "X: ../../Xext/security.c:322: SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed.\n"
  #4  0x0815f5bc in SecurityAuthorizationExpired (timer=0x9ff7018, time=3179634, pval=0x6) at ../../Xext/security.c:322
          __PRETTY_FUNCTION__ = "SecurityAuthorizationExpired"
  #5  0x081313c2 in TimerSet (timer=0x9ff7018, flags=<value optimized out>, millis=3179338,
          func=0x815f520 <SecurityAuthorizationExpired>, arg=0x9ee0c70) at ../../os/WaitFor.c:465
          prev = <value optimized out>
          now = 6
  #6  0x0815f4f5 in SecurityStartAuthorizationTimer (pAuth=0x9ee0c70) at ../../Xext/security.c:353
  #7  0x0815fa01 in ProcSecurityGenerateAuthorization (client=0x9dfa820) at ../../Xext/security.c:578
          pAuth = 0x9ee0c70
          err = <value optimized out>
          authId = 372
          rep = {type = 164 '\244', pad0 = 96 '`', sequenceNumber = 2079, length = 3221023496, authId = 0,
            dataLength = 4, pad1 = 0, pad2 = 165652512, pad3 = 0, pad4 = 165652512, pad5 = 162973096}
          trustLevel = 0
          group = 0
          timeout = 99999999
          values = <value optimized out>
          protoname = 0xa002584 "MIT-MAGIC-COOKIE-1"
          authdata_len = <value optimized out>
          pAuthdata = <value optimized out>
          eventMask = 0
  
  lsb_release -rd:
  Description:	Ubuntu 9.10
  Release:	9.10
  
  apt-cache policy xserver-xorg-core:
  xserver-xorg-core:
    Installed: 2:1.6.4-2ubuntu4.1
    Candidate: 2:1.6.4-2ubuntu4.1
    Version table:
   *** 2:1.6.4-2ubuntu4.1 0
          500 http://us.archive.ubuntu.com karmic-updates/main Packages
          500 http://security.ubuntu.com karmic-security/main Packages
          100 /var/lib/dpkg/status
       2:1.6.4-2ubuntu4 0
          500 http://us.archive.ubuntu.com karmic/main Packages

** Changed in: xorg-server (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: xorg-server (Ubuntu Lucid)
       Status: Triaged => Fix Committed

-- 
"xauth generate" with large timeout triggers assertion
https://bugs.launchpad.net/bugs/519049
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to xorg-server in ubuntu.
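
The [Regression Potential] note above says the fix keeps timeout values within the positive range of a CARD32. The following is an added illustration of that kind of range check, not the patch from patchwork and not code from xorg-server: it shows how the 99999999-second timeout from the test cases wraps when converted to milliseconds without a check, and one way to bound it. All function names are hypothetical, and carrying the unspent seconds over to a later timer arm is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MILLI_PER_SECOND 1000u
/* Largest millisecond count in the positive range of a 32-bit value. */
#define MAX_POSITIVE_MILLIS ((uint32_t)INT32_MAX)

/* Unchecked conversion: the product is reduced modulo 2^32. */
static uint32_t naive_timeout_millis(uint32_t seconds)
{
    return seconds * MILLI_PER_SECOND;
}

/* Checked conversion (hypothetical helper): arm the timer for at most
 * max_secs whole seconds and report what is left for the next arm. */
static uint32_t clamped_timeout_millis(uint32_t seconds,
                                       uint32_t *seconds_remaining)
{
    const uint32_t max_secs = MAX_POSITIVE_MILLIS / MILLI_PER_SECOND;

    if (seconds > max_secs) {
        *seconds_remaining = seconds - max_secs;
        return max_secs * MILLI_PER_SECOND;
    }
    *seconds_remaining = 0;
    return seconds * MILLI_PER_SECOND;
}

/* Number of timer arms needed to cover the full requested timeout. */
static unsigned arms_needed(uint32_t seconds)
{
    unsigned arms = 0;
    uint32_t remaining = seconds;
    do {
        (void)clamped_timeout_millis(remaining, &remaining);
        arms++;
    } while (remaining != 0);
    return arms;
}

int main(void)
{
    uint32_t left, secs = 99999999u; /* value from the test cases above */
    uint32_t ms = clamped_timeout_millis(secs, &left);
    printf("naive:   %u ms\n", (unsigned)naive_timeout_millis(secs));
    printf("clamped: %u ms, %u s remaining, %u arms\n",
           (unsigned)ms, (unsigned)left, arms_needed(secs));
    return 0;
}
```

The unchecked product silently becomes a timeout of roughly 14 days instead of the requested three-plus years, which is the class of mismatch a range check removes.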


