Xorg crashed with SIGABRT in memcpy() via cirRefreshArea() under KVM virtual machine
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xserver-xorg-video-cirrus (Ubuntu) | Fix Released | Medium | Maarten Lankhorst |
Bug Description
[Impact]
* Fixes a null pointer dereference when shadowfb is out of bounds, in a similar way to other ddx drivers.
[Test Case]
* Start virt-manager, create quantal-amd64 vm, make sure cirrus is used as video driver
* Perform a fresh install of Quantal 64bit (I used an iso image)
- I used default options within the install
* log in
* start a terminal via unity (I did that by searching for terminal in unity)
* ctrl-alt-down (to switch virtual desktop in the VM)
<X crashes and returns you to lightdm login>
[Regression Potential]
* Low, changes are limited to the shadowfb code paths. Since it limits the width/height of the memcpy's performed and nothing else, I expect it either not to fix the bug or at least not to make it worse. Still, I'll keep watching cirrus bug reports to see if any new ones have been introduced by the fix.
[Other Info]
* I upstreamed the bug fix and did a new release for cirrus. Raring already has the bug fixed; no new bug reports have popped up yet about it.
[Original bug report]
No login possible on KVM-based virtual machine (with virt-manager) and network settings
Source device: Host device eth2 : macvtap
Device model: virtio
Source mode: VEPA
With source mode set to "Default" it works.
ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: xserver-xorg-core 2:1.12.
ProcVersionSign
Uname: Linux 3.5.0-13-generic x86_64
ApportVersion: 2.5.1-0ubuntu3
Architecture: amd64
CrashCounter: 1
CurrentDmesg:
[ 3.809292] init: plymouth-stop pre-start process (1197) terminated with status 1
[ 5.314446] hda-intel: Invalid position buffer, using LPIB read method instead.
[ 9.269441] hda-intel: IRQ timing workaround is activated for card #0. Suggest a bigger bdl_pos_adj.
Date: Wed Aug 29 22:04:57 2012
DistUpgraded: Fresh install
DistroCodename: quantal
DistroVariant: ubuntu
ExecutablePath: /usr/bin/Xorg
GraphicsCard:
Cirrus Logic GD 5446 [1013:00b8] (prog-if 00 [VGA controller])
Subsystem: Red Hat, Inc Device [1af4:1100]
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: Bochs Bochs
ProcCmdline: /usr/bin/X :0 -core -auth /var/run/
ProcEnviron:
ProcKernelCmdLine: BOOT_IMAGE=
Signal: 6
SourcePackage: xorg-server
StacktraceTop:
?? () from /lib/x86_
cirRefreshArea () from /usr/lib/
?? () from /usr/lib/
?? ()
?? ()
Title: Xorg crashed with SIGABRT in cirRefreshArea()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
dmi.bios.date: 01/01/2007
dmi.bios.vendor: Bochs
dmi.bios.version: Bochs
dmi.chassis.type: 1
dmi.chassis.vendor: Bochs
dmi.modalias: dmi:bvnBochs:
dmi.product.name: Bochs
dmi.sys.vendor: Bochs
version.compiz: compiz 1:0.9.8+
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.38-0ubuntu2
summary:
- Xorg crashed with SIGABRT in memcpy()
+ Xorg crashed with SIGABRT in memcpy() via cirRefreshArea()
summary:
- Xorg crashed with SIGABRT in memcpy() via cirRefreshArea()
+ Xorg crashed with SIGABRT in memcpy() via cirRefreshArea() under KVM virtual machine
affects: xorg-server (Ubuntu) → xserver-xorg-video-cirrus (Ubuntu)
tags: added: raring
Changed in xserver-xorg-video-cirrus (Ubuntu):
status: Incomplete → New
Changed in xserver-xorg-video-cirrus (Ubuntu):
status: New → Incomplete
Changed in xserver-xorg-video-cirrus (Ubuntu):
status: Incomplete → Triaged
Changed in xserver-xorg-video-cirrus (Ubuntu):
assignee: nobody → Maarten Lankhorst (mlankhorst)
status: Triaged → In Progress
description: updated
StacktraceTop:
memcpy (__len=3, __src=0x7fa49158eee4, __dest=0x7fa490152ed4) at /usr/include/x86_64-linux-gnu/bits/string3.h:52
cirRefreshArea (pScrn=<optimized out>, num=<optimized out>, pbox=0x7fff66a939a0) at ../../src/cir_shadow.c:36
ShadowCopyArea (pSrc=0x7fa496d29c20, pDst=0x7fa496cc0740, pGC=0x7fa496c1a9a0, srcx=<optimized out>, srcy=<optimized out>, width=<optimized out>, height=1, dstx=0, dsty=0) at ../../../../hw/xfree86/shadowfb/shadow.c:618
ProcCopyArea (client=0x7fa4965680f0) at ../../dix/dispatch.c:1622
Dispatch () at ../../dix/dispatch.c:428
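
The [Impact] and [Regression Potential] notes describe the fix as limiting the width/height of the memcpy calls on the shadowfb path. The sketch below is an added illustration of that kind of bounds limiting, not the cirrus driver's code or the released patch; the `Screen` and `Box` types and the `refresh_area` name are hypothetical, and it assumes shadow and framebuffer share one pitch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's structures (assumption). */
typedef struct { int x1, y1, x2, y2; } Box;   /* x2/y2 are exclusive */
typedef struct {
    int width, height;            /* visible screen size in pixels */
    int bpp;                      /* bytes per pixel */
    size_t pitch;                 /* bytes per scanline */
    const unsigned char *shadow;  /* shadow framebuffer (source) */
    unsigned char *fb;            /* real framebuffer (destination) */
} Screen;

static int clampi(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Copy each dirty box from shadow to fb after clipping it to the screen.
 * Returns the number of bytes copied; boxes that are empty after
 * clipping, and missing buffers, copy nothing. */
size_t refresh_area(const Screen *s, int num, const Box *pbox)
{
    size_t copied = 0;

    if (!s || !s->shadow || !s->fb || !pbox)
        return 0;

    for (; num-- > 0; pbox++) {
        /* Limit the box to [0,width) x [0,height) before any pointer math. */
        int x1 = clampi(pbox->x1, 0, s->width);
        int y1 = clampi(pbox->y1, 0, s->height);
        int x2 = clampi(pbox->x2, 0, s->width);
        int y2 = clampi(pbox->y2, 0, s->height);

        if (x2 <= x1 || y2 <= y1)
            continue;             /* nothing visible in this box */

        size_t len = (size_t)(x2 - x1) * (size_t)s->bpp;
        size_t off = (size_t)y1 * s->pitch + (size_t)x1 * (size_t)s->bpp;

        for (int y = y1; y < y2; y++, off += s->pitch) {
            memcpy(s->fb + off, s->shadow + off, len);
            copied += len;
        }
    }
    return copied;
}
```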