From 83f70c8a9a68054e0c767035618877cc2b66bbe9999ee50e103d4e36d6faa672 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Mon, 20 Jul 2015 08:36:27 +0000
Subject: [PATCH] Accepting request 317420 from home:tobijk:X11:XOrg
- Add patch u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch Prevent segmentation faults with more than 256 clients (introduced by xproto 7.0.28 increasing the max client count 256 -> 512) Fdo Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91316
OBS-URL: https://build.opensuse.org/request/show/317420
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=579
---
 ...-clientsWritable-fd_set-is-initializ.patch | 63 +++++++++++++++++++
 xorg-x11-server.changes | 7 +++
 xorg-x11-server.spec | 4 ++
 3 files changed, 74 insertions(+)
 create mode 100644 u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch
diff --git a/u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch b/u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch
new file mode 100644
index 0000000..536e526
--- /dev/null
+++ b/u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch
@@ -0,0 +1,63 @@
+From 7cc7ffd25d5e50b54cb942d07d4cb160f20ff9c5 Mon Sep 17 00:00:00 2001
+From: Martin Peres
+Date: Fri, 17 Jul 2015 17:21:26 +0300
+Subject: [PATCH] os: make sure the clientsWritable fd_set is initialized
+ before use
+
+In WaitForSomething(), the fd_set clientsWritable may be used unitialized when
+the boolean AnyClientsWriteBlocked is set in the WakeupHandler(). This leads to
+a crash in FlushAllOutput() after x11proto's commit
+2c94cdb453bc641246cc8b9a876da9799bee1ce7.
+
+The problem did not manifest before because both the XFD_SIZE and the maximum
+number of clients were set to 256. As the connectionTranslation table was
+initalized for the 256 clients to 0, the test on the index not being 0 was
+aborting before dereferencing the client #0.
+
+As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the XFD_SIZE
+got bumped to 512. This lead the OutputPending fd_set to have any fd above 256
+to be uninitialized which in turns lead to reading an index after the end of
+the ConnectionTranslation table. This index would then be used to find the
+client corresponding to the fd marked as pending writes and would also result
+to an out-of-bound access which would usually be the fatal one.
+
+Fix this by zeroing the clientsWritable fd_set at the beginning of
+WaitForSomething(). In this case, the bottom part of the loop, which would
+indirectly call FlushAllOutput, will not do any work but the next call to
+select will result in the execution of the right codepath. This is exactly what
+we want because we need to know the writable clients before handling them. In
+the end, it also makes sure that the fds above MaxClient are initialized,
+preventing the crash in FlushAllOutput().
+
+Thanks to everyone involved in tracking this one down!
+
+Reported-by: Karol Herbst
+Reported-by: Tobias Klausmann
+Signed-off-by: Martin Peres
+Tested-by: Martin Peres
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316
+Cc: Ilia Mirkin
+Cc: Martin Peres
+Cc: Olivier Fourdan
+Cc: Alan Coopersmith
+---
+ os/WaitFor.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/os/WaitFor.c b/os/WaitFor.c
+index 431f1a6..993c14e 100644
+--- a/os/WaitFor.c
++++ b/os/WaitFor.c
+@@ -158,6 +158,7 @@ WaitForSomething(int *pClientsReady)
+ Bool someReady = FALSE;
+
+ FD_ZERO(&clientsReadable);
++ FD_ZERO(&clientsWritable);
+
+ if (nready)
+ SmartScheduleStopTimer();
+--
+2.4.5
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 7541447..2aad0b5 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Fri Jul 17 13:01:12 UTC 2015 - tobias.johannes.klausmann@mni.thm.de
+
+- Add patch u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch
+ Prevent segmentation faults with more than 256 clients (introduced
+ by xproto 7.0.28 increasing the max client count 256 -> 512)
+ Fdo Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91316
+-------------------------------------------------------------------
 Tue Jun 16 21:07:03 UTC 2015 - tobias.johannes.klausmann@mni.thm.de
 - Update to version 1.17.2:
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 62bb02f..8fcc6cf 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -173,6 +173,8 @@ Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch
 Patch1211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
 Patch1222: b_sync-fix.patch
+Patch1300: u_0001-os-make-sure-the-clientsWritable-fd_set-is-initializ.patch
+
 %description
 This package contains the X.Org Server.
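Review bot: The new patch file identifies the fix only by the `From 7cc7ffd25d5e50b54cb942d07d4cb160f20ff9c5` line, which is the id from the author's local `git format-patch` run and will very likely differ from the id the change receives once merged upstream, so a future packager has nothing to grep for when deciding whether Patch1300 can be dropped on the next release update. Consider recording the upstream reference next to the declaration in the spec, e.g. `# upstream commit <UPSTREAM-COMMIT-ID, fill in once merged>, fdo#91316` above `Patch1300:`, or in the patch header. The one-line fix itself, `FD_ZERO(&clientsWritable);` placed beside the existing `FD_ZERO(&clientsReadable);`, matches the description and needs no change; note that the enclosing WaitForSomething body begins and ends outside the nested hunk, so the later use of clientsWritable that the description refers to is not visible here.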
@@ -268,6 +270,8 @@ cp %{SOURCE90} .
 ### patch222 might not be applicable anymore
 #%patch1222 -p1
+%patch1300 -p1
+
 find . -type f \! -name '*.orig' \! -path ./source-file-list > source-file-list
 %build