From unknown Sat Apr 04 08:36:10 2026
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#900 closed by Stefan Baur <X2Go-ML-1@baur-itcs.de> (Closing)
Message-ID: <handler.900.q878.170569467822473.notifdone@bugs.x2go.org>
References: <77e92347-fe34-4465-b2af-87e572009afd@baur-itcs.de>
X-X2go-PR-Keywords: patch
X-X2go-PR-Message: they-closed 900
X-X2go-PR-Package: libnx-x11
X-X2go-PR-Source: nx-libs
Date: Fri, 19 Jan 2024 20:05:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1705694702-22609-1"

This is a multi-part message in MIME format...

------------=_1705694702-22609-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

This is an automatic notification regarding your Bug report
which was filed against the libnx-x11 package:

#900: Gedit, gnome-terminal and others crash in rootless mode

It has been closed by Stefan Baur <X2Go-ML-1@baur-itcs.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Stefan Baur
<X2Go-ML-1@baur-itcs.de> by replying to this email.


-- 
878: https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=878
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

------------=_1705694702-22609-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 878-quiet) by bugs.x2go.org; 19 Jan 2024 20:04:38 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
	version=3.4.2
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.24])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id BDE805DAE9
	for <878-quiet@bugs.x2go.org>; Fri, 19 Jan 2024 21:04:27 +0100 (CET)
Received: from [192.168.0.25] ([178.202.75.45]) by mrelayeu.kundenserver.de
 (mreue106 [213.165.67.113]) with ESMTPSA (Nemesis) id
 1MFL8J-1rKcWA0w9Z-00FfoB for <878-quiet@bugs.x2go.org>; Fri, 19 Jan 2024
 21:04:27 +0100
Message-ID: <77e92347-fe34-4465-b2af-87e572009afd@baur-itcs.de>
Date: Fri, 19 Jan 2024 21:04:26 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Content-Language: en-US
To: 878-quiet@bugs.x2go.org
Subject: Closing
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Control: close -1
Control: archive -1


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243


------------=_1705694702-22609-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by bugs.x2go.org; 2 Jul 2015 06:21:26 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_20,HTML_FONT_FACE_BAD,
	HTML_MESSAGE autolearn=no version=3.3.2
Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 3C03B5DA86
	for <submit@bugs.x2go.org>; Thu,  2 Jul 2015 08:21:25 +0200 (CEST)
Received: by wgqq4 with SMTP id q4so53940904wgq.1
        for <submit@bugs.x2go.org>; Wed, 01 Jul 2015 23:21:25 -0700 (PDT)
X-Received: by 10.180.91.100 with SMTP id cd4mr50381152wib.1.1435818084955;
        Wed, 01 Jul 2015 23:21:24 -0700 (PDT)
Received: from [192.168.2.2] (h-136-31.a336.priv.bahnhof.se. [176.10.136.31])
        by mx.google.com with ESMTPSA id gw7sm25396419wib.15.2015.07.01.23.21.23
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 01 Jul 2015 23:21:24 -0700 (PDT)
Message-ID: <5594D862.70701@ieee.org>
Date: Thu, 02 Jul 2015 08:21:22 +0200
From: Camilo Alejandro Arboleda <camilo@ieee.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: submit@bugs.x2go.org
Subject: Gedit, gnome-terminal and others crash in rootless mode
Content-Type: multipart/mixed;
 boundary="------------050906010407070406090707"

This is a multi-part message in MIME format.
--------------050906010407070406090707
Content-Type: multipart/alternative;
 boundary="------------030304030007030908050006"


--------------030304030007030908050006
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Package: libnx-X11

Version: 2.3.5

Setup:

 1. x2goserver in a Debian testing machine.
 2. x2goclient in a Windows machine.
 3. Create a session with a virtual desktop.
 4. Run gedit in the session created in 3.
 5. Create a session in Windows launching only xterm.
 6. Run gedit from the console created in 5.
 7. Create a session in Windows launching only gedit.

Results:

 1. Steps from Setup 3, 4 and 5 work fine.
 2. Steps from Setup 6 and 7 crash (close the session).


A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.

Running x2goagent with a debugger gives the following backtrace:

*(gdb) backtrace*
#0  _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4,
    len=len@entry=18652) at XlibInt.c:3775
#1  0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized out>,
    property=<optimized out>, type=6, format=<optimized out>,
    mode=<optimized out>,
    data=0x163c2c4 "\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035",
    nelements=4663) at ChProp.c:85
#2  0x00000000004b1e37 in nxagentExportProperty (pWin=0x20,
    property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*,
    value=0x15fc2e0) at Rootless.c:763
#3  0x000000000042222a in ProcChangeProperty (client=0xf591b0) at
    X/NXproperty.c:331
#4  0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748

Looking at the highlighted values, it seems that gedit is sending a
malformed ChangeProperty request, and rootless is failing to process it.

Specifically, the segment between lines 735-780 tries to set a property
that is bigger than the maximum size required, but because it's a
malformed request it ends up writing in memory outside the boundaries of
the output buffer.

Alternatives:

 1. Ensure that nxagentExportProperty never writes beyond the boundaries
    of the output buffer.
 2. Resize the output buffer to match the required size
    (ProcChangeProperty seems to do something similar).
 3. Ignore big requests (see attached patch).


-- 


--------------030304030007030908050006--

--------------050906010407070406090707
Content-Type: text/x-patch;
 name="fail_on_big_requests.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="fail_on_big_requests.patch"

diff --git a/nx-X11/programs/Xserver/hw/nxagent/Rootless.c b/nx-X11/progr=
ams/Xserver/hw/nxagent/Rootless.c
index 74d2d1f..7bdb190 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Rootless.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Rootless.c
@@ -738,36 +738,6 @@ int nxagentExportProperty(pWin, property, type, form=
at, mode, nUnits, value)
         XChangeProperty(nxagentDisplay, nxagentWindow(pWin), propertyX, =
typeX,
                             format, mode, (void*)output, nUnits);
       }
-      else if (mode =3D=3D PropModeReplace)
-      {
-        int n;
-        char *data;
-
-        XDeleteProperty(nxagentDisplay, nxagentWindow(pWin), propertyX);=

-
-        data =3D (char *) output;
-
-        while (nUnits > 0)
-        {
-          if ((format >> 3) * nUnits + sizeof(xChangePropertyReq) <
-                  (MAX_REQUEST_SIZE << 2))
-          {
-            n =3D nUnits;
-          }
-          else
-          {
-            n =3D ((MAX_REQUEST_SIZE << 2) - sizeof(xChangePropertyReq))=
 /
-                    (format >> 3);
-          }
-
-          XChangeProperty(nxagentDisplay, nxagentWindow(pWin), propertyX=
,
-                              typeX, format, PropModeAppend, (void*) dat=
a, n);
-
-          nUnits -=3D n;
-
-          data =3D (char *) data + n * (format >> 3);
-        }
-      }
       else
       {
         #ifdef WARNING
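
Review bot: Deleting the whole "else if (mode == PropModeReplace)" branch makes every replace request that is too large for the single XChangeProperty call above fall through to the trailing else, and the only reaction visible there sits under #ifdef WARNING, so on a build without WARNING the property is dropped with no trace. That stops the crash but loses the data (4663 units in the reported backtrace). I would keep the chunked path and fix its bound instead: the removed loop advances data by "n * (format >> 3)" and never compares the running offset with the size of the buffer that output points to, and since Xlib takes format-32 data as an array of long, that stride should be checked on 64-bit builds. If dropping large requests stays, log it unconditionally and state in the commit message that large properties are no longer exported in rootless mode.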

--------------050906010407070406090707--

------------=_1705694702-22609-1--
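
The first alternative in the report above (never go past the boundaries of the output buffer) can be sketched as a chunk planner that validates the request against the buffer before anything is sent. This is an added example, not code from nx-libs or from the attached patch; it generalizes the removed loop by taking the buffer length and in-memory unit stride explicitly. The function name, its parameters, the 8192-byte request limit and the 24-byte header size are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* One planned request: byte offset into the source buffer, units to send. */
typedef struct { size_t offset; size_t units; } chunk_t;

/* Split nunits units of `format` bits into requests of at most max_req_bytes
 * (header included) without ever reading past buf_len bytes of the source.
 * unit_stride is the in-memory size of one unit in the caller's buffer; it
 * may exceed format/8 (Xlib takes format-32 data as an array of long).
 * Returns the number of chunks written to out, or -1 when the request is
 * malformed or does not fit. All names here are hypothetical. */
int plan_property_chunks(unsigned format, size_t nunits, size_t unit_stride,
                         size_t buf_len, size_t max_req_bytes,
                         size_t hdr_bytes, chunk_t *out, size_t out_cap)
{
    if (format != 8 && format != 16 && format != 32) return -1;
    size_t wire_unit = format >> 3;
    if (unit_stride < wire_unit || max_req_bytes <= hdr_bytes) return -1;
    size_t per_req = (max_req_bytes - hdr_bytes) / wire_unit;
    if (per_req == 0) return -1;
    /* Division instead of multiplication: no overflow on huge nunits. */
    if (nunits > buf_len / unit_stride) return -1;

    size_t count = 0, offset = 0;
    while (nunits > 0) {
        size_t n = nunits < per_req ? nunits : per_req;
        if (count == out_cap) return -1;
        out[count].offset = offset;
        out[count].units = n;
        count++;
        offset += n * unit_stride;   /* advance by the buffer's stride */
        nunits -= n;
    }
    return (int)count;
}

int main(void)
{
    chunk_t c[8];
    /* Constructed input: 4663 units of format 32 (18652 bytes, as in the
     * backtrace); 8192-byte request limit and 24-byte header are assumed. */
    int n = plan_property_chunks(32, 4663, 4, 18652, 8192, 24, c, 8);
    for (int i = 0; i < n; i++)
        printf("chunk %d: offset=%zu units=%zu\n", i, c[i].offset, c[i].units);
    return n == 3 ? 0 : 1;
}
```

With the same 18652-byte buffer but an 8-byte stride (an array of long on a 64-bit build), the planner rejects the request instead of walking past the end of the buffer.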
