X2Go Bug report logs - #900
Gedit, gnome-terminal and others crash in rootless mode

Package: libnx-x11; Maintainer for libnx-x11 is X2Go Developers <x2go-dev@lists.x2go.org>; Source for libnx-x11 is src:nx-libs.

Reported by: Camilo Alejandro Arboleda <camilo@ieee.org>

Date: Thu, 2 Jul 2015 06:25:02 UTC

Severity: normal

Tags: patch

Merged with 878, 956

Done: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/82


Message-ID: <5594D862.70701@ieee.org>
Date: Thu, 02 Jul 2015 08:21:22 +0200
From: Camilo Alejandro Arboleda <camilo@ieee.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: submit@bugs.x2go.org
[Message part 1 (text/plain, inline)]
Package: libnx-X11

Version: 2.3.5

Setup:

 1. x2goserver on a Debian testing machine.
 2. x2goclient on a Windows machine.
 3. Create a session with a virtual desktop.
 4. Run gedit in the session created in 3.
 5. Create a session in Windows launching only xterm.
 6. Run gedit from the console created in 5.
 7. Create a session in Windows launching only gedit.

Results:

 1. Steps from Setup 3, 4 and 5 work fine.
 2. Steps from Setup 6 and 7 crash (close the session).


A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.

Running x2goagent with a debugger gives the following backtrace:

*(gdb) backtrace*
#0  _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4, len=len@entry=18652) at XlibInt.c:3775
#1  0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized out>, property=<optimized out>, type=6, format=<optimized out>, mode=<optimized out>,
    data=0x163c2c4 "\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035",
    nelements=4663) at ChProp.c:85
#2  0x00000000004b1e37 in nxagentExportProperty (pWin=0x20, property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*, value=0x15fc2e0) at Rootless.c:763
#3  0x000000000042222a in ProcChangeProperty (client=0xf591b0) at X/NXproperty.c:331
#4  0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748

Looking at the highlighted values, it seems that gedit is sending a
malformed ChangeProperty request, and rootless is failing to process it.

Specifically, the segment between lines 735-780 tries to set a property
that is bigger than the maximum size required, but because it's a
malformed request it ends up writing in memory outside the boundaries of
the output buffer.

Alternatives:

 1. Ensure that nxagentExportProperty never writes beyond the boundaries
    of the output buffer.
 2. Resize the output buffer to match the required size
    (ProcChangeProperty seems to do something similar).
 3. Ignore big requests (see attached patch).


-- 

[Message part 2 (text/html, inline)]
[fail_on_big_requests.patch (text/x-patch, attachment)]
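
The three alternatives listed in the report, sketched as an added example; this is not code from the report, the attached patch or nx-libs. The buffer type, its 1024-byte capacity, the function names and the tightly packed input layout are assumptions made for illustration; the only values taken from the report are the 4663 units and 18652 bytes seen in the backtrace.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EXPORT_BUF_CAP 1024u /* assumed size of the fixed output buffer */

enum export_result { EXPORT_OK, EXPORT_BAD_FORMAT, EXPORT_TOO_BIG, EXPORT_NO_MEM };

struct export_buf {              /* hypothetical stand-in for the agent's buffer */
    unsigned char fixed[EXPORT_BUF_CAP];
    unsigned char *data;         /* fixed[] or a heap block after growing */
    size_t cap;
};

void export_buf_init(struct export_buf *b) { b->data = b->fixed; b->cap = sizeof b->fixed; }

void export_buf_release(struct export_buf *b)
{
    if (b->data != b->fixed) free(b->data);
    export_buf_init(b);
}

/* Byte length of n_units items of an 8-, 16- or 32-bit property format. */
enum export_result required_bytes(int format, size_t n_units, size_t *out)
{
    size_t unit;
    if (format != 8 && format != 16 && format != 32) return EXPORT_BAD_FORMAT;
    unit = (size_t)format / 8;
    if (n_units > SIZE_MAX / unit) return EXPORT_TOO_BIG; /* product would wrap */
    *out = n_units * unit;
    return EXPORT_OK;
}

/* allow_grow == 0 refuses oversized data (alternative 3);
   allow_grow != 0 resizes the buffer first (alternative 2).
   value is assumed to hold n_units tightly packed items. */
enum export_result export_property(struct export_buf *b, int format,
                                   const void *value, size_t n_units, int allow_grow)
{
    size_t need;
    enum export_result r = required_bytes(format, n_units, &need);
    if (r != EXPORT_OK) return r;
    if (need > b->cap) {
        unsigned char *p;
        if (!allow_grow) return EXPORT_TOO_BIG;
        if ((p = malloc(need)) == NULL) return EXPORT_NO_MEM;
        if (b->data != b->fixed) free(b->data);
        b->data = p;
        b->cap = need;
    }
    if (need) memcpy(b->data, value, need); /* alternative 1: need <= cap holds here */
    return EXPORT_OK;
}
```

Whichever policy is chosen, the length is computed and compared against the buffer capacity before any byte is copied, so a request with an unexpected format or unit count is rejected or accommodated instead of overrunning the buffer.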


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 19:37:52 2024; Machine Name: ymir.das-netzwerkteam.de
