X crashed with SIGBUS in __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:820

Bug #863761 reported by Steve Langasek
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| eglibc (Ubuntu) | Invalid | High | Unassigned | |
| xserver-xorg-video-intel (Ubuntu) | Expired | High | Unassigned | |

Bug Description

Using a specially-crafted image... or an accidentally crafted one, such as <http://bootie.daviey.com/~dave/voodoo-oneiric-20110930-3.png>, X crashes when using the intel driver on an ssse3-capable system.

Here is a hard-won backtrace of the issue (hard-won, given that X crashes do not get captured by apport):

Program received signal SIGBUS, Bus error.
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:820
820 ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
        in ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S
(gdb) bt
#0 __memcpy_ssse3_back ()
    at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:820
#1 0x00007fd96e0fa306 in intel_uxa_pixmap_put_image (pixmap=<optimized out>,
    src=<optimized out>, src_pitch=25220, x=<optimized out>,
    y=<optimized out>, w=<optimized out>, h=10)
    at /usr/include/bits/string3.h:52
#2 0x00007fd96e0fbef7 in intel_uxa_put_image (pixmap=0x3b42d30, x=0, y=0,
    w=<optimized out>, h=10, src=0x40d5e08 "\377\377\377", src_pitch=25220)
    at ../../src/intel_uxa.c:806
#3 0x00007fd96e111f34 in uxa_do_put_image (src_stride=25220,
    bits=0x40d5e08 "\377\377\377", format=2, h=10, w=6305, y=<optimized out>,
    x=<optimized out>, pGC=0x3b48040, pDrawable=0x3b42d30,
    depth=<optimized out>) at ../../uxa/uxa-accel.c:164
#4 uxa_put_image (pDrawable=0x3b42d30, pGC=0x3b48040, depth=<optimized out>,
    x=0, y=0, w=6305, h=10, leftPad=0, format=2, bits=0x40d5e08 "\377\377\377")
    at ../../uxa/uxa-accel.c:202
#5 0x00000000004e083c in damagePutImage (pDrawable=0x3b42d30, pGC=0x3b48040,
    depth=24, x=0, y=0, w=6305, h=10, leftPad=0, format=2,
    pImage=0x40d5e08 "\377\377\377") at ../../../miext/damage/damage.c:878
#6 0x000000000042c87e in ProcPutImage (client=<optimized out>)
    at ../../dix/dispatch.c:1986
#7 0x000000000042fb89 in Dispatch () at ../../dix/dispatch.c:431
#8 0x00000000004232fe in main (argc=8, argv=<optimized out>,
    envp=<optimized out>) at ../../dix/main.c:287
(gdb)

I've marked this as a security issue since it allows triggering a crash of the desktop remotely through a web browser (but note, the image *also* causes a crash when displayed with eog!). However, a SIGBUS seems unlikely to result in privilege escalation.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libc6 2.13-20ubuntu3
ProcVersionSignature: Ubuntu 3.0.0-11.18-generic 3.0.4
Uname: Linux 3.0.0-11-generic x86_64
ApportVersion: 1.23-0ubuntu2
Architecture: amd64
Date: Fri Sep 30 18:08:05 2011
InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.1)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: eglibc
UpgradeStatus: Upgraded to oneiric on 2011-09-23 (7 days ago)

Steve Langasek (vorlon) wrote :
Changed in eglibc (Ubuntu):
importance: Undecided → High
Steve Langasek (vorlon) wrote :

On a different machine with an older Intel chipset (i945 IIRC), this bug is not reproducible. I don't know if it's due to different instruction set support or a different codepath in the X driver.

Changed in xserver-xorg-video-intel (Ubuntu):
importance: Undecided → High
visibility: private → public
bugbot (bugbot)
tags: added: crash
Changed in xserver-xorg-video-intel (Ubuntu):
status: New → Confirmed
Changed in eglibc (Ubuntu):
status: New → Confirmed
Bryce Harrington (bryce) wrote :

Hey vorlon,

Hi, thanks for reporting this issue during the development period of
Ubuntu.

I notice there have not been further comments to the bug report since the
release came out, would you mind updating us on the status of it in the
release?

Are you still able to reproduce the issue? If not, do you think the bug
report can be closed, or do you think we should continue tracking it?

Changed in xserver-xorg-video-intel (Ubuntu):
status: Confirmed → Incomplete
Papamatti2 (papamatti2) wrote :

Perhaps it is a duplicate of bug #877731 ?

Steve Langasek (vorlon) wrote : Re: [Bug 863761] Re: X crashed with SIGBUS in __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:820

On Tue, Nov 15, 2011 at 04:58:39AM -0000, Papamatti2 wrote:
> Perhaps it is a duplicate of bug #877731 ?

No.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/

Matthias Klose (doko) wrote :

Could you recheck with the eglibc 2.15 packages from the ubuntu-toolchain-r/test PPA?

Bryce Harrington (bryce)
Changed in xserver-xorg-video-intel (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Bryce Harrington (bryce) wrote :

We're closing this bug since there has not been a response from the original reporter. However, if the issue still exists please feel free to reopen with the requested information. If you're not the original reporter, we'd prefer you file a new bug report.

Some tips:

  * Report X.org bugs via the command: `ubuntu-bug xorg`

  * Test against the latest development Ubuntu. http://cdimage.ubuntu.com/daily-live/
    Bugs marked as affecting the development version tend to get priority attention.

  * The `xdiagnose` utility has functionality for enabling debugging and
    analyzing a few common X problems.

  * Tag your bugs with the Ubuntu versions you have reproduced the issue in.

  * See https://wiki.ubuntu.com/X/Reporting for tips on writing good bug reports.

Changed in xserver-xorg-video-intel (Ubuntu):
status: Incomplete → Expired
Changed in eglibc (Ubuntu):
status: Confirmed → Invalid
This report contains Public Security information  
Everyone can see this security related information.
