xdg-desktop-portal-gnome crashed with SIGSEGV in fast_validate()

Bug #2012341 reported by Alex Murray
This bug affects 2 people
Affects                              Status        Importance  Assigned to  Milestone
xdg-desktop-portal-gnome (Ubuntu)    Fix Released  Medium      Iain Lane
Lunar                                Fix Released  Medium      Iain Lane

Bug Description

[ Description ]

Screen sharing via the GNOME portal is often crashing due to a use-after-free.

[ Fix ]

An upstream cherry-pick (https://gitlab.gnome.org/GNOME/xdg-desktop-portal-gnome/-/commit/a46d3b338ed362e6dfad359db3d9a505bff0dc9c) which takes a local copy of the monitor/window stream data instead of keeping a pointer into a list that can be freed while the selection dialog is still open.

[ Test case ]

One way which works for me:

0. Be on GNOME, have a few different programs open (wayland ones, X ones, snaps, not snaps).
1. Open firefox, visit https://meet.jit.si.
2. Start a meeting with yourself.
3. Share a window into the meeting. You should get the portal dialog asking you which window to share. Pick any one and share it to the chat.
4. If the bug happens, the window will not be shared, and you should see a crash if you look in `journalctl --user-unit=xdg-desktop-portal-gnome.service`.

It doesn't happen every single time. If you don't see the bug, repeat step 3 a few times choosing different windows and with different timings (wait a few seconds to select the window or do it really fast).

If the bug is fully fixed, you shouldn't see this crash happen at all even after trying lots of times.

Make sure you can reproduce the bug before applying the new package, so you can be more confident it's fixed.

When the crash happens, you see messages in the journal like:

Apr 13 22:33:14 florence xdg-desktop-por[19182]: g_variant_new_string: assertion 'string != NULL' failed
Apr 13 22:33:16 florence systemd[2468]: xdg-desktop-portal-gnome.service: Main process exited, code=dumped, status=11/SEGV

[ What could go wrong? ]

The patch introduces new `dup` and `free` functions for a couple of structs. They are fairly simple but if there's a bug there it could lead to a leak or a different crash.
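The failure mode in the [ Fix ] and [ What could go wrong? ] sections, as an added C example that is not the portal's code: a picker that holds a borrowed pointer into a window list dangles once that list is refreshed, while a picker that takes its own copy (the `dup`/`free` pair the patch adds) survives the refresh and is released without a leak. The `WindowInfo`, `WindowList`, `window_info_dup`, `window_info_free`, `select_borrowed` and `select_copied` names are hypothetical stand-ins for the real structs and functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the per-window stream info shown in the picker dialog. */
typedef struct {
  char *id;
  char *title;
} WindowInfo;

/* Owning list of WindowInfo, rebuilt whenever the set of windows changes. */
typedef struct {
  WindowInfo **items;
  size_t n;
} WindowList;

static char *xstrdup(const char *s) {
  size_t len = strlen(s) + 1;
  char *copy = malloc(len);
  if (copy) memcpy(copy, s, len);
  return copy;
}

WindowInfo *window_info_new(const char *id, const char *title) {
  WindowInfo *w = calloc(1, sizeof *w);
  if (!w) return NULL;
  w->id = xstrdup(id);
  w->title = xstrdup(title);
  return w;
}

/* Deep copy: the role of the patch's new dup function. Strings are copied,
 * so the result shares nothing with the list entry it came from. */
WindowInfo *window_info_dup(const WindowInfo *src) {
  return src ? window_info_new(src->id, src->title) : NULL;
}

/* Releases everything window_info_new/window_info_dup allocated (the new free function). */
void window_info_free(WindowInfo *w) {
  if (!w) return;
  free(w->id);
  free(w->title);
  free(w);
}

void window_list_add(WindowList *list, WindowInfo *w) {
  WindowInfo **grown = realloc(list->items, (list->n + 1) * sizeof *grown);
  if (!grown) { window_info_free(w); return; }
  list->items = grown;
  list->items[list->n++] = w;
}

/* Models "window list changes between being shown and the user making their
 * selection": every entry the dialog was showing is freed. */
void window_list_clear(WindowList *list) {
  for (size_t i = 0; i < list->n; i++) window_info_free(list->items[i]);
  free(list->items);
  list->items = NULL;
  list->n = 0;
}

/* Buggy pattern: the selection is a pointer into the list. After
 * window_list_clear() it dangles; passing chosen->title to something like
 * g_variant_new_string() is the use-after-free in the report. */
WindowInfo *select_borrowed(const WindowList *list, size_t index) {
  return index < list->n ? list->items[index] : NULL;
}

/* Fixed pattern: the selection owns its own copy, so a refresh cannot free it
 * out from under the reply. Caller releases it with window_info_free(). */
WindowInfo *select_copied(const WindowList *list, size_t index) {
  return index < list->n ? window_info_dup(list->items[index]) : NULL;
}

/* Walks the test-case scenario: dialog shown, user picks a window, the list
 * refreshes, the reply is built. Returns 1 if the copied selection still
 * carries the chosen window after the refresh. */
int selection_survives_refresh(void) {
  WindowList list = { NULL, 0 };
  window_list_add(&list, window_info_new("w1", "Terminal")); /* constructed sample */
  window_list_add(&list, window_info_new("w2", "Firefox"));  /* constructed sample */

  WindowInfo *borrowed = select_borrowed(&list, 1);
  WindowInfo *chosen = select_copied(&list, 1);
  window_list_clear(&list);   /* window set changed: list entries are gone */
  (void)borrowed;             /* now dangling; reading borrowed->title here would be the crash */

  int ok = chosen && strcmp(chosen->title, "Firefox") == 0 && strcmp(chosen->id, "w2") == 0;
  window_info_free(chosen);   /* paired free: no leak */
  return ok;
}

int main(void) {
  printf("copied selection valid after refresh: %s\n",
         selection_survives_refresh() ? "yes" : "no");
  return 0;
}
```

Running it under AddressSanitizer or valgrind is the quickest way to confirm the two things the [ What could go wrong? ] section worries about: that `window_info_free` releases exactly what `window_info_dup` allocated, and that nothing reads the cleared list entries.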

[ Original Description ]

Tried to share a window under Wayland with obs-studio (installed from a deb) and apport popped up saying xdg-desktop-portal-gnome had crashed.

ProblemType: Crash
DistroRelease: Ubuntu 23.04
Package: xdg-desktop-portal-gnome 44~beta-1ubuntu1
ProcVersionSignature: Ubuntu 6.1.0-16.16-generic 6.1.6
Uname: Linux 6.1.0-16-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 21 16:25:47 2023
ExecutablePath: /usr/libexec/xdg-desktop-portal-gnome
InstallationDate: Installed on 2021-08-03 (595 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Alpha amd64 (20210802)
ProcCmdline: /usr/libexec/xdg-desktop-portal-gnome
ProcEnviron:
 LANG=en_AU.UTF-8
 LANGUAGE=en_AU:en
 PATH=(custom, user)
 SHELL=/bin/bash
 XDG_RUNTIME_DIR=<set>
SegvAnalysis:
 Segfault happened at: 0x7f67fd7a94a0 <g_utf8_validate+16>: movzbl (%rdi),%eax
 PC (0x7f67fd7a94a0) ok
 source "(%rdi)" (0xa489eeb5ba526c40) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: xdg-desktop-portal-gnome
StacktraceTop:
 g_utf8_validate () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
 g_variant_new_string () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
 () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
 () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
 g_variant_new_va () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
Title: xdg-desktop-portal-gnome crashed with SIGSEGV in g_utf8_validate()
UpgradeStatus: Upgraded to lunar on 2023-01-27 (52 days ago)
UserGroups: adm cdrom dip libvirt lpadmin lxd plugdev sambashare sbuild sudo
separator:

Alex Murray (alexmurray) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 fast_validate (str=<optimized out>) at ../../../glib/gutf8.c:1516
 g_utf8_validate (max_len=<optimized out>, end=<optimized out>, str=<optimized out>) at ../../../glib/gutf8.c:1699
 g_utf8_validate (str=0xa489eeb5ba526c40 <error: Cannot access memory at address 0xa489eeb5ba526c40>, max_len=-1, end=0x0) at ../../../glib/gutf8.c:1689
 g_variant_new_string (string=0xa489eeb5ba526c40 <error: Cannot access memory at address 0xa489eeb5ba526c40>) at ../../../glib/gvariant.c:1270
 g_variant_valist_new_nnp (str=0x7ffe9a4b41c8, ptr=0xa489eeb5ba526c40) at ../../../glib/gvariant.c:4870

tags: removed: need-amd64-retrace
Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in xdg-desktop-portal-gnome (Ubuntu):
importance: Undecided → Medium
summary: - xdg-desktop-portal-gnome crashed with SIGSEGV in g_utf8_validate()
+ xdg-desktop-portal-gnome crashed with SIGSEGV in fast_validate()
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xdg-desktop-portal-gnome (Ubuntu):
status: New → Confirmed
Iain Lane (laney) wrote :

I got this too. I think it's fixed by a46d3b338ed362e6dfad359db3d9a505bff0dc9c upstream. This is bad enough - it completely breaks screen sharing for me - that I think fixing in update/SRU rather than waiting for a point release would be warranted, will upload it.

I'll write my testcase in the description in a minute. Alex, if you could add your one too, that would be good for the SRU! Also if you could check if the package fixes it for you (it does for me).

information type: Private → Public
Changed in xdg-desktop-portal-gnome (Ubuntu Lunar):
status: Confirmed → In Progress
assignee: nobody → Iain Lane (laney)
Iain Lane (laney)
description: updated
Iain Lane (laney) wrote :

I've uploaded to the queue. It can be reviewed for potential unblocking if there's a respin, or it can stay there and be reviewed as an SRU, either way is okay with me.

Steve Langasek (vorlon)
Changed in xdg-desktop-portal-gnome (Ubuntu Lunar):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xdg-desktop-portal-gnome - 44~beta-1ubuntu2

---------------
xdg-desktop-portal-gnome (44~beta-1ubuntu2) lunar; urgency=medium

  * d/p/screencast-Duplicate-monitor-and-window-stream-info.patch:
    Cherry-pick. Fix use-after-free crash when window list changes between
    being shown and the user making their selection. (cherry picked from
    commit b87215b637799ef771289666bd57dd8bb71f7061 in debian/master / 44.0-1
    in experimental) (LP: #2012341)

 -- Iain Lane <email address hidden> Sun, 16 Apr 2023 21:08:30 +0100

Changed in xdg-desktop-portal-gnome (Ubuntu Lunar):
status: Fix Committed → Fix Released