"xauth generate" with large timeout triggers assertion

Bug #519049 reported by Courtney Bane on 2010-02-08
This bug affects 1 person
Affects                Status    Importance  Assigned to  Milestone
X.Org X server         Unknown   Unknown
xorg-server (Ubuntu)             High        Unassigned
Lucid                            High        Unassigned

Bug Description

[Impact]
xauth is not commonly run by users, but no client application should be able to crash the X server, and here a single SECURITY GenerateAuthorization request (which is what "xauth generate" sends) does. In the case of a guest session, although this does not allow the guest to terminate other users' sessions, it leaves the system at a blank VT from which it is not obvious how to recover.

[Development]
The patch has also been applied to ubuntu-x git, and will be uploaded with 2:1.8.1.901-1ubuntu1.

[Patch]
The patch is taken from upstream's patchwork tracker: http://patchwork.freedesktop.org/patch/242/ . This patch replaces the existing 122_xext_fix_card32_overflow_in_xauth.patch added in 2:1.7.6-2ubuntu6, which was an earlier patch from the same mailing list thread.

[Test Case 1]
1. Update Lucid to the latest version. Reboot and log into Gnome
2. Open a gnome-terminal
3. Run “xauth generate $DISPLAY . timeout 99999999”
4. The X server instantly crashes (and is restarted by the display manager). It should not crash at this point; the command should return an authorization and the session should continue.

[Test Case 2]
1. Update Lucid to the latest version. Reboot and log into Gnome
2. From the session menu select “Guest session”
3. In the new guest session, open a gnome-terminal
4. Run “xauth -i generate $DISPLAY . timeout 99999999”
5. Xserver instantly crashes, resulting in a black screen. After setting console to raw mode (Alt+SysRq+R) Ctrl+Alt+F7 (or possibly F8, F9, etc) will switch back to the original user's session.

[Regression Potential]
Low. The patch is small: it drops the assert that causes the crash and ensures the timeout values fit in the positive range of a CARD32 (below MAXINT milliseconds), so that the signed comparison in the timer code does not treat a freshly set timer as already expired.

There is a known problem with the patch when the epoch time is sufficiently far in the future that we can ignore it for now.
"""
When epoch time is GetTimeInMillis() -
(CARD32)(MAXINT), ie Sun Jan 10 2038 11:09:28 GMT+0530 (IST), security
authorization will expire with timeout reset to Zero.
"""
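Added example (written for this page; not code from the xorg-server tree or from the patch): a small C model of the arithmetic behind the immediate callback seen in the backtrace. The constants follow the server's CARD32, MILLI_PER_SECOND and MAXINT definitions; the function names (compute_timeout_ms_old, compute_timeout_ms_fixed, timer_fires_immediately) and the "fixed" variant are this example's own reading of the description above, not the patch's exact code. With a 99999999 s timeout the old computation hands TimerSet() a first chunk of 4294967000 ms; adding that to the current clock wraps modulo 2^32, the signed comparison TimerSet() uses to decide whether a timer is already due sees a negative difference, and the expiry callback runs synchronously from inside TimerSet() (frame #5 calling frame #4). Because that happens before SecurityStartAuthorizationTimer() has stored TimerSet()'s return value in pAuth->timer, the assertion pAuth->timer == timer compares the new timer against the field's previous contents, which is the pointer mismatch noted later in the comments. Capping each chunk at MAXINT milliseconds keeps the difference positive, so the timer is queued normally and the remaining seconds are re-armed when it fires.

```c
/* Added example, not xorg-server code: models the SECURITY extension's
 * timeout chunking and the "already due?" check in os/WaitFor.c TimerSet().
 * Function names are this example's own; constants mirror the server's. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t CARD32;
#define MILLI_PER_SECOND 1000u
#define MAXINT INT_MAX          /* 2^31 - 1: largest value (int)(CARD32) keeps positive */

/* Old computation: the first chunk may use the full unsigned CARD32 range,
 * i.e. maxSecs = 4294967 s, giving a chunk of 4294967000 ms (> MAXINT).
 * 'remaining' (may be NULL) receives the seconds left for the next chunk. */
static CARD32 compute_timeout_ms_old(unsigned seconds, unsigned *remaining)
{
    CARD32 maxSecs = (CARD32)(~0u) / MILLI_PER_SECOND;
    if (seconds > maxSecs) {
        if (remaining) *remaining = seconds - maxSecs;
        return maxSecs * MILLI_PER_SECOND;
    }
    if (remaining) *remaining = 0;
    return seconds * MILLI_PER_SECOND;
}

/* Fixed computation as the regression note describes it: every chunk stays
 * within the positive range of a CARD32, i.e. at most MAXINT milliseconds
 * (maxSecs = 2147483 s). Leftover seconds are re-armed when the timer fires. */
static CARD32 compute_timeout_ms_fixed(unsigned seconds, unsigned *remaining)
{
    CARD32 maxSecs = (CARD32)MAXINT / MILLI_PER_SECOND;
    if (seconds > maxSecs) {
        if (remaining) *remaining = seconds - maxSecs;
        return maxSecs * MILLI_PER_SECOND;
    }
    if (remaining) *remaining = 0;
    return seconds * MILLI_PER_SECOND;
}

/* Model of TimerSet(): a relative delay is added to the current clock (mod
 * 2^32) and the timer is run on the spot, from inside TimerSet(), when the
 * signed difference to 'now' is not positive. The (int) cast of a CARD32
 * above INT_MAX is implementation-defined; this relies on two's complement
 * as the server itself does. Returns 1 if the callback would fire at once. */
static int timer_fires_immediately(CARD32 now_ms, CARD32 delay_ms)
{
    CARD32 expires = delay_ms + now_ms;     /* wraps for delay_ms > MAXINT */
    return (int)(expires - now_ms) <= 0;
}

int main(void)
{
    unsigned left_old, left_new;
    CARD32 now = 3179338u;   /* the millis value shown in frame #5 of the backtrace */
    CARD32 old_ms = compute_timeout_ms_old(99999999u, &left_old);
    CARD32 new_ms = compute_timeout_ms_fixed(99999999u, &left_new);

    printf("old:   chunk %u ms, %u s left, fires immediately: %d\n",
           old_ms, left_old, timer_fires_immediately(now, old_ms));
    printf("fixed: chunk %u ms, %u s left, fires immediately: %d\n",
           new_ms, left_new, timer_fires_immediately(now, new_ms));
    return 0;
}
```

Build and run with `cc -o xauth_timeout xauth_timeout.c && ./xauth_timeout`; the old computation reports the callback firing immediately for the 99999999 s case, the capped one does not.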

[Original Report]
Running "xauth generate" with a large timeout value (e.g., "xauth generate :0.0 . trusted timeout 99999999") causes the X server to crash with an assertion failure. Immediately upon running the command, the X server crashes, and after a few seconds, the login screen appears.

I have attached a full backtrace. Xorg.0.log and dmesg don't contain any relevant data.

SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed.

#3 0x0039f648 in *__GI___assert_fail (assertion=0x81e1ac0 "pAuth->timer == timer",
        file=0x81e1aaa "../../Xext/security.c", line=322, function=0x81e1e3a "SecurityAuthorizationExpired") at assert.c:81
        buf = 0x9f64128 "X: ../../Xext/security.c:322: SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed.\n"
#4 0x0815f5bc in SecurityAuthorizationExpired (timer=0x9ff7018, time=3179634, pval=0x6) at ../../Xext/security.c:322
        __PRETTY_FUNCTION__ = "SecurityAuthorizationExpired"
#5 0x081313c2 in TimerSet (timer=0x9ff7018, flags=<value optimized out>, millis=3179338,
     func=0x815f520 <SecurityAuthorizationExpired>, arg=0x9ee0c70) at ../../os/WaitFor.c:465
        prev = <value optimized out>
        now = 6
#6 0x0815f4f5 in SecurityStartAuthorizationTimer (pAuth=0x9ee0c70) at ../../Xext/security.c:353
#7 0x0815fa01 in ProcSecurityGenerateAuthorization (client=0x9dfa820) at ../../Xext/security.c:578
        pAuth = 0x9ee0c70
        err = <value optimized out>
        authId = 372
        rep = {type = 164 '\244', pad0 = 96 '`', sequenceNumber = 2079, length = 3221023496, authId = 0,
          dataLength = 4, pad1 = 0, pad2 = 165652512, pad3 = 0, pad4 = 165652512, pad5 = 162973096}
        trustLevel = 0
        group = 0
        timeout = 99999999
        values = <value optimized out>
        protoname = 0xa002584 "MIT-MAGIC-COOKIE-1"
        authdata_len = <value optimized out>
        pAuthdata = <value optimized out>
        eventMask = 0

lsb_release -rd:
Description: Ubuntu 9.10
Release: 9.10

apt-cache policy xserver-xorg-core:
xserver-xorg-core:
  Installed: 2:1.6.4-2ubuntu4.1
  Candidate: 2:1.6.4-2ubuntu4.1
  Version table:
 *** 2:1.6.4-2ubuntu4.1 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
        100 /var/lib/dpkg/status
     2:1.6.4-2ubuntu4 0
        500 http://us.archive.ubuntu.com karmic/main Packages

Courtney Bane (cbane) wrote :
Bryce Harrington (bryce) wrote :

Hi cbane,

Thanks for including the attached files. Could you also include your /var/log/Xorg.0.log (or Xorg.0.log.old) from after reproducing the issue?

Please attach the output of `lspci -vvnn` too.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: crash
tags: added: needs-xorglog
Changed in xorg-server (Ubuntu):
status: New → Incomplete
Courtney Bane (cbane) wrote :

As I mentioned in the original report, there is no relevant data in the Xorg log file. However, I've gone ahead and attached the log file from an Xorg instance killed with this problem.

Courtney Bane (cbane) wrote :

And here's the output from "lspci -vvnn".

Bryce Harrington (bryce) on 2010-03-10
tags: removed: needs-xorglog
Changed in xorg-server (Ubuntu):
status: Incomplete → Confirmed
Bryce Harrington (bryce) on 2010-03-10
affects: xorg-server (Ubuntu) → nvidia-graphics-drivers (Ubuntu)
Courtney Bane (cbane) wrote :

This is not a problem with the NVidia graphics driver. If you look at the backtrace I provided, you can see that the assertion failure occurs within Xorg's security extension (Xext/security.c). Specifically, you can see the assertion failure message in the backtrace: "X: ../../Xext/security.c:322: SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed." (entry #3 in the backtrace; the stuff that occurs after that is the implementation of the assertion failure).

Robert Hooker (sarvatt) on 2010-03-16
affects: nvidia-graphics-drivers (Ubuntu) → xorg-server (Ubuntu)
description: updated
Bryce Harrington (bryce) on 2010-03-17
affects: xorg-server (Ubuntu) → nvidia-graphics-drivers (Ubuntu)
Bryce Harrington (bryce) on 2010-03-17
affects: nvidia-graphics-drivers (Ubuntu) → xorg-server (Ubuntu)
Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
tags: added: omit
summary: - "xauth generate" with large timeout crashes X server
+ "xauth generate" with large timeout triggers assertion
description: updated
Bryce Harrington (bryce) wrote :

Not obvious why the pointers are mismatched in this case and trigger the assert.
This bug report is worth sending upstream.

description: updated
Changed in xorg-server (Ubuntu):
importance: Medium → High
Bryce Harrington (bryce) on 2010-03-17
tags: removed: omit
Courtney Bane (cbane) wrote :

I just opened a new bug at Xorg's bugzilla earlier this afternoon. Here's the link: https://bugs.freedesktop.org/show_bug.cgi?id=27134

Bryce Harrington (bryce) on 2010-03-18
tags: added: karmic
Bryce Harrington (bryce) wrote :

Thanks. The patch on the upstream bug report does not appear to have gone into the official tree, but it looks like a reasonably sane solution to me so I will include it in the lucid xserver.

Bryce Harrington (bryce) wrote :

[This is an automatic notification.]

Hi Courtney,

This bug was reported against an earlier version of Ubuntu, can you
test if it still occurs on Lucid?

Please note we also provide technical support for older versions of
Ubuntu, but not in the bug tracker. Instead, to raise the issue through
normal support channels, please see:

    http://www.ubuntu.com/support

If you are the original reporter and can still reproduce the issue on
Lucid, please run the following command to refresh the report:

  apport-collect 519049

If you are not the original reporter, please file a new bug report, so
we can work with you as the original reporter instead (you can reference
bug 519049 in your report if you think it may be related):

  ubuntu-bug xorg

If by chance you can no longer reproduce the issue on Lucid or if you
feel it is no longer relevant, please mark the bug report 'Fix Released'
or 'Invalid' as appropriate, at the following URL:

  https://bugs.launchpad.net/ubuntu/+bug/519049

Changed in xorg-server (Ubuntu):
status: Triaged → Incomplete
tags: added: needs-retested-on-lucid-by-june
Courtney Bane (cbane) wrote :

I'm still able to reproduce this on Lucid; I've attached an updated backtrace from that. However, the apport-collect command isn't working for me. When I run it, it prints the line "Package xorg-server not installed and no hook available, ignoring" twice, and pops up a dialog that says "No additional information collected."

Bryce Harrington (bryce) on 2010-05-21
tags: added: hardy
Changed in xorg-server (Ubuntu):
status: Incomplete → Triaged
description: updated
Changed in xorg-server (Ubuntu):
status: Triaged → Fix Committed
Changed in xorg-server (Ubuntu Lucid):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.8.1.901-1ubuntu1

---------------
xorg-server (2:1.8.1.901-1ubuntu1) maverick; urgency=low

  [ Timo Aaltonen ]
  * Merged from Debian experimental, remaining changes:
    - rules, control:
      + Disable SELinux, libaudit-dev is not in main yet (LP 406226).
        Drop libaudit-dev from build-deps.
    - rules: Enable xcsecurity (LP 247537).
    - local/xvfb-run*: Add correct docs about error codes (LP 328205)
    - rules: Add --with-extra-module-dir to support GL alternatives.
    - control: Xvfb depends on xauth, x11-xkb-utils, recommends
      libgl1-mesa-dri. (LP 500102)
    - rules, local/64-xorg-xkb.rules: Don't use keyboard-configuration
      until it's available.
    - debian/patches:
      + 100_rethrow_signals.patch:
        When aborting, re-raise signals for apport
      + 109_fix-swcursor-crash.patch:
        Avoid dereferencing null pointer while reloading cursors during
        resume. (LP 371405)
      + 111_armel-drv-fallbacks.patch:
        Add support for armel driver fallbacks.
      + 121_only_switch_vt_when_active.diff:
        Add a check to prevent the X server from changing the VT when killing
        GDM from the console.
      + 122_xext_fix_card32_overflow_in_xauth.patch:
      + 157_check_null_modes.patch, 162_null_crtc_in_rotation.patch,
        166_nullptr_xinerama_keyrepeat.patch, 167_nullptr_xisbread.patch
        169_mipointer_nullptr_checks.patch,
        172_cwgetbackingpicture_nullptr_check.patch:
        Fix various segfaults in xserver by checking pointers for NULL
        values before dereferencing them.
      + 165_man_xorg_conf_no_device_ident.patch
        Correct man page
      + 168_glibc_trace_to_stderr.patch:
        Report abort traces to stderr instead of terminal
      + 184_virtual_devices_autodetect.patch:
        Use vesa for qemu device, which is not supported by cirrus
      + 187_edid_quirk_hp_nc8430.patch:
        Quirk for another LPL monitor (LP 380009)
      + 188_default_primary_to_first_busid.patch:
        Pick the first device and carry on (LP 459512)
      + 189_xserver_1.5.0_bg_none_root.patch:
        Create a root window with no background.
      + 190_cache-xkbcomp_output_for_fast_start_up.patch:
        Cache keyboard settings.
      + 191-Xorg-add-an-extra-module-path.patch:
        Add support for the alternatives module path.
      + 196_xvfb-fbscreeninit-handling.patch, 197_xvfb-randr.patch:
        Adds xrandr support to xvfb. (LP 516123)
      + 198_nohwaccess.patch:
        Adds a -nohwaccess argument to make X not access the hardware
        ports directly.
      + 200_randr-null.patch:
        Clarify a pointer initialization.
  * Dropped patches:
    - 106_nouveau_autodetect.patch: obsoleted by 15-nouveau.diff
    - 112_xaa-fbcomposite-fix-negative-size.patch: adopted by Debian
    - 113_quell_nouveau_aiglx.patch: obsoleted by 15-nouveau.diff
    - 115_xext_fix_cursor_ref_counting.patch: merged upstream
    - 116_fix_typos_in_swap_functions.patch: merged upstream
    - 118_xkb_fix_garbage_init.patch: merged upstream
    - 123_exa_sys_ptr_nullpointer_check.patch: merged upstream
    - 199_xfvb-help-typo.patch...


Changed in xorg-server (Ubuntu):
status: Fix Committed → Fix Released

Accepted xorg-server into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed

Tested in Kubuntu. After installing the version from proposed, running the command no longer crashes X.

Martin Pitt (pitti) on 2010-06-10
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.7.6-2ubuntu7.1

---------------
xorg-server (2:1.7.6-2ubuntu7.1) lucid-proposed; urgency=low

  [Bryce Harrington]
  * Add 123_exa_sys_ptr_nullpointer_check.patch: Patch from upstream to
    verify a pointer is not NULL before dereferencing it. Fixes X
    segfault in miCopyRegion which occurs while using firefox (e.g. typing
    into fields in AOL). Issue found by Jerry Lamos.
    (LP: #539772)
  * Add 19-exa-handle-pixmap-create-destroy-in-lower-layers.diff: Patch
    from Debian to fix X segfault on mouse click in xfig, when pixmaps
    are created in the course of software fallbacks.
    (LP: #553647)
  * debian/rules: Don't reference the package uploader for support; instead point
    users to the standard Ubuntu support page.
    (LP: #589811)

  [Martin Pitt]
  * debian/local/64-xorg-xkb.rules: Ignore XKBMODEL=="SKIP" and
    XKBVARIANT=="U.S. English", which happen to get into
    /etc/default/console-setup in some cases like the VMWare automatic
    installer.
    (LP: #548891)

  [ Christopher James Halse Rogers ]
  * Update 122_xext_fix_card32_overflow_in_xauth.patch to most recent version
    on patchwork tracker. This one actually fixes the crash with xauth
    generate (LP: #519049)
 -- Christopher James Halse Rogers <email address hidden> Mon, 07 Jun 2010 12:56:54 +1000

Changed in xorg-server (Ubuntu Lucid):
status: Fix Committed → Fix Released