X2Go Bug report logs - #900
Gedit, gnome-terminal and others crash in rootless mode

Package: libnx-x11; Maintainer for libnx-x11 is X2Go Developers <x2go-dev@lists.x2go.org>; Source for libnx-x11 is src:nx-libs.

Reported by: Camilo Alejandro Arboleda <camilo@ieee.org>

Date: Thu, 2 Jul 2015 06:25:02 UTC

Severity: normal

Tags: patch

Merged with 878, 956

Done: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/82

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#900; Package libnx-x11. (Thu, 02 Jul 2015 06:25:02 GMT) (full text, mbox, link).

Acknowledgement sent to Camilo Alejandro Arboleda <camilo@ieee.org>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 02 Jul 2015 06:25:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: libnx-X11

Version: 2.3.5

Setup:

 1. x2goserver in a debian testing machine.
 2. x2goclient in a windows machine.
 3. Create a session with a virtual desktop.
 4. Run gedit in the session created in 3.
 5. Create a session in windows launching only xterm.
 6. Run gedit from the console created in 5.
 7. Create a session in windows launching only gedit.

Results:

 1. Steps from Setup 3, 4 and 5 work fine.
 2. Steps from Setup 6 and 7 crash (close the session).


A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.

Running x2goagent with a debugger gives the following backtrace:

*(gdb) backtrace*
#0  _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4,
len=len@entry=18652) at XlibInt.c:3775
#1  0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized
out>, property=<optimized out>, type=6, format=<optimized out>,
mode=<optimized out>,
    data=0x163c2c4
"\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035",
nelements=4663) at ChProp.c:85
#2  0x00000000004b1e37 in nxagentExportProperty (pWin=0x20,
property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*,
value=0x15fc2e0) at Rootless.c:763
#3  0x000000000042222a in ProcChangeProperty (client=0xf591b0) at
X/NXproperty.c:331
#4  0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748

Looking at the highlighted values, it seems that gedit is sending a
malformed ChangeProperty request, and rootless is failing to process it.

Specifically the segment between lines 735-780, tries to set a property
that is bigger than the maximum size required, but because it's a
malformed request it ends up writing in memory outside the boundaries of
the output buffer.

Alternatives:

 1. Ensure that nxagentExportProperty never writes beyond the boundaries
    of the output buffer.
 2. Resize the output buffer to match the required size
    (ProcChangeProperty seems to do something similar).
 3. Ignore big requests (see attached patch).


--

[Message part 2 (text/html, inline)]

[fail_on_big_requests.patch (text/x-patch, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#900; Package libnx-x11. (Mon, 25 Jan 2016 06:35:03 GMT) (full text, mbox, link).

🔗 View this message in rfc822 format

[Message part 1 (text/plain, inline)]

Control: tags -1 patch
Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/82

Hi Camilo,

On  Do 02 Jul 2015 08:21:22 CEST, Camilo Alejandro Arboleda wrote:

Your bug report has just been moved [1] to the new upstream location  
of nx-libs on Github.

> Looking at the highlighted values, it seems that gedit is sending a
> malformed ChangeProperty request, and rootless is failing to process it.

Is it really a malformed request or a problem with broken BIG-REQUESTS  
support [2] in libXcomp3 (aka nxcomp)?

> Specifically the segment between lines 735-780, tries to set a property
> that is bigger than the maximum size required, but because it's a
> malformed request it ends up writing in memory outside the boundaries of
> the output buffer.
>
> Alternatives:
>
>  1. Ensure that nxagentExportProperty never writes beyond the boundaries
>     of the output buffer.
>  2. Resize the output buffer to match the required size
>     (ProcChangeProperty seems to do something similar).
>  3. Ignore big requests (see attached patch).

Is option 3. really the optimal approach? It feels like option 2.  
would be the way to go here...

Please continue, if possible for you, this discussion on Github.

Mike

[1] https://github.com/ArcticaProject/nx-libs/issues/82
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766299
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 23 Feb 2016 14:30:02 GMT) (full text, mbox, link).

Added tag(s) patch. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 900-submit@bugs.x2go.org. (Tue, 23 Feb 2016 14:30:02 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/ArcticaProject/nx-libs/issues/82'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 900-submit@bugs.x2go.org. (Tue, 23 Feb 2016 14:30:02 GMT) (full text, mbox, link).

Unset Bug forwarded-to-address Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 878-submit@bugs.x2go.org. (Wed, 24 Feb 2016 14:08:22 GMT) (full text, mbox, link).

Merged 878 900 956 Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 878-submit@bugs.x2go.org. (Wed, 24 Feb 2016 14:08:22 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/ArcticaProject/nx-libs/issues/82'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 29 Feb 2016 09:15:02 GMT) (full text, mbox, link).

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#900; Package libnx-x11. (Tue, 18 Oct 2016 16:30:03 GMT) (full text, mbox, link).

Acknowledgement sent to "FedEx International Next Flight" <allan.haas@signatureluxuryauctions.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 18 Oct 2016 16:30:03 GMT) (full text, mbox, link).

Message #26 received at 900-submit@bugs.x2go.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Dear Customer,

We could not deliver your item.
Delivery Label is attached to this email.

Yours trully,
Allan Haas,
Sr. Station Manager.

[0000353890.zip (application/zip, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#900; Package libnx-x11. (Mon, 24 Oct 2016 06:40:01 GMT) (full text, mbox, link).

Acknowledgement sent to "FedEx International Next Flight" <danny.durham@egescapes.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 24 Oct 2016 06:40:01 GMT) (full text, mbox, link).

Message #31 received at 900@bugs.x2go.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Dear Customer,

Your parcel has arrived at October 22. Courier was unable to deliver the parcel to you.
You can review complete details of your order in the find attached.

Warm regards,
Danny Durham,
Station Manager.

[000715375.zip (application/zip, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#900; Package libnx-x11. (Thu, 03 Nov 2016 07:15:01 GMT) (full text, mbox, link).

Acknowledgement sent to "FedEx 2Day A.M." <larry.springer@doctorprior.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 03 Nov 2016 07:15:02 GMT) (full text, mbox, link).

Message #36 received at 900@bugs.x2go.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Dear Customer,

Your parcel has arrived at November 01. Courier was unable to deliver the parcel to you.
You can review complete details of your order in the find attached.

Yours faithfully,
Larry Springer,
Sr. Support Agent.

[FedEx_000224558.zip (application/zip, attachment)]

Marked Bug as done Request was from Stefan Baur <X2Go-ML-1@baur-itcs.de> to 878-quiet@bugs.x2go.org. (Fri, 19 Jan 2024 20:05:02 GMT) (full text, mbox, link).

Notification sent to Camilo Alejandro Arboleda <camilo@ieee.org>:
Bug acknowledged by developer. (Fri, 19 Jan 2024 20:05:02 GMT) (full text, mbox, link).

Bug archived. Request was from Stefan Baur <X2Go-ML-1@baur-itcs.de> to 878-quiet@bugs.x2go.org. (Fri, 19 Jan 2024 20:05:02 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:05:11 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

X2Go Bug report logs - #900 Gedit, gnome-terminal and others crash in rootless mode

X2Go Bug report logs - #900
Gedit, gnome-terminal and others crash in rootless mode