X crashed with SIGBUS in __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:820
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
eglibc (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
xserver-xorg-video-intel (Ubuntu) |
Expired
|
High
|
Unassigned |
Bug Description
Using a specially-crafted image... or an accidentally crafted one, such as <http://
Here is a hard-won backtrace of the issue (hard-won, given that X crashes do not get captured by apport):
Program received signal SIGBUS, Bus error.
__memcpy_ssse3_back () at ../sysdeps/
820 ../sysdeps/
in ../sysdeps/
(gdb) bt
#0 __memcpy_ssse3_back ()
at ../sysdeps/
#1 0x00007fd96e0fa306 in intel_uxa_
src=<optimized out>, src_pitch=25220, x=<optimized out>,
y=<optimized out>, w=<optimized out>, h=10)
at /usr/include/
#2 0x00007fd96e0fbef7 in intel_uxa_put_image (pixmap=0x3b42d30, x=0, y=0,
w=<optimized out>, h=10, src=0x40d5e08 "\377\377\377", src_pitch=25220)
at ../../src/
#3 0x00007fd96e111f34 in uxa_do_put_image (src_stride=25220,
bits=0x40d5e08 "\377\377\377", format=2, h=10, w=6305, y=<optimized out>,
x=<optimized out>, pGC=0x3b48040, pDrawable=
depth=
#4 uxa_put_image (pDrawable=
x=0, y=0, w=6305, h=10, leftPad=0, format=2, bits=0x40d5e08 "\377\377\377")
at ../../uxa/
#5 0x00000000004e083c in damagePutImage (pDrawable=
depth=24, x=0, y=0, w=6305, h=10, leftPad=0, format=2,
pImage=
#6 0x000000000042c87e in ProcPutImage (client=<optimized out>)
at ../../dix/
#7 0x000000000042fb89 in Dispatch () at ../../dix/
#8 0x00000000004232fe in main (argc=8, argv=<optimized out>,
envp=<optimized out>) at ../../dix/
(gdb)
I've marked this as a security issue since it allows triggering a crash of the desktop remotely through a web browser (but note, the image *also* causes a crash when displayed with eog!). However, a SIGBUS seems unlikely to result in privilege escalation.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libc6 2.13-20ubuntu3
ProcVersionSign
Uname: Linux 3.0.0-11-generic x86_64
ApportVersion: 1.23-0ubuntu2
Architecture: amd64
Date: Fri Sep 30 18:08:05 2011
InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.1)
ProcEnviron:
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: eglibc
UpgradeStatus: Upgraded to oneiric on 2011-09-23 (7 days ago)
visibility: | private → public |
visibility: | private → public |
tags: | added: crash |
Changed in xserver-xorg-video-intel (Ubuntu): | |
status: | New → Confirmed |
Changed in eglibc (Ubuntu): | |
status: | New → Confirmed |
Changed in xserver-xorg-video-intel (Ubuntu): | |
status: | Incomplete → New |
status: | New → Incomplete |
Changed in eglibc (Ubuntu): | |
status: | Confirmed → Invalid |
On a different machine with an older Intel chipset (i945 IIRC), this bug is not reproducible. I don't know if it's due to different instruction set support or a different codepath in the X driver.