Segfaults and assertion failures in Xorg's render/glyph.c

Bug #2060354 reported by Nazar Mokrynskyi
This bug affects 18 people
Affects                  Status        Importance  Assigned to  Milestone
X.Org X server           Fix Released  Unknown
xorg-server (Ubuntu)     Triaged       High        Unassigned
  Focal                  Fix Released  High        Unassigned
  Jammy                  Fix Released  High        Unassigned
  Mantic                 Fix Released  High        Unassigned
  Noble                  Triaged       High        Unassigned
xwayland (Ubuntu)        Triaged       High        Unassigned
  Jammy                  Fix Released  High        Unassigned
  Mantic                 Fix Released  High        Unassigned
  Noble                  Triaged       High        Unassigned

Bug Description

I just upgraded xserver-xorg-core and xserver-common to 2:21.1.4-2ubuntu1.7-22.04.9 and when starting IntelliJ IDEA Ultimate EAP (downloaded from JetBrains website) Xorg server crashes with segfault:

X.Org X Server 1.21.1.4
X Protocol Version 11, Revision 0
Current Operating System: Linux nazar-pc 6.8.4-x64v4-xanmod1 #0~20240404.gdb9d4f4 SMP PREEMPT_DYNAMIC Thu Apr 4 20:28:35 UTC x86_64
Kernel command line: BOOT_IMAGE=/root/boot/vmlinuz-6.8.4-x64v4-xanmod1 root=UUID=5170aca4-061a-4c6c-ab00-bd7fc8ae6030 ro rootflags=subvol=root nosplash amd_iommu=on intel_iommu=on libahci.ignore_sss=1 fastboot
xorg-server 2:21.1.4-2ubuntu1.7~22.04.9 (For technical support please see http://www.ubuntu.com/support)
Current version of pixman: 0.40.0
 Before reporting problems, check http://wiki.x.org
 to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
 (++) from command line, (!!) notice, (II) informational,
 (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sat Apr 6 15:28:18 2024
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
malloc(): unaligned tcache chunk detected
(EE)
(EE) Backtrace:
(EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x139) [0x5def21b09ab9]
(EE) 1: /lib/x86_64-linux-gnu/libc.so.6 (__sigaction+0x50) [0x7ec01c442520]
(EE) 2: /lib/x86_64-linux-gnu/libc.so.6 (pthread_kill+0x12c) [0x7ec01c4969fc]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (raise+0x16) [0x7ec01c442476]
(EE) 4: /lib/x86_64-linux-gnu/libc.so.6 (abort+0xd3) [0x7ec01c4287f3]
(EE) 5: /lib/x86_64-linux-gnu/libc.so.6 (__fsetlocking+0x426) [0x7ec01c489676]
(EE) 6: /lib/x86_64-linux-gnu/libc.so.6 (timer_settime+0x2cc) [0x7ec01c4a0cfc]
(EE) 7: /lib/x86_64-linux-gnu/libc.so.6 (malloc+0x33c) [0x7ec01c4a53dc]
(EE) 8: /usr/lib/xorg/Xorg (SetGlyphPicture+0x15d) [0x5def21a6311d]
(EE) 9: /usr/lib/xorg/Xorg (AddTraps+0x347a) [0x5def21a6b8da]
(EE) 10: /usr/lib/xorg/Xorg (SendErrorToClient+0x365) [0x5def21993635]
(EE) 11: /usr/lib/xorg/Xorg (InitFonts+0x3c4) [0x5def219976b4]
(EE) 12: /lib/x86_64-linux-gnu/libc.so.6 (__libc_init_first+0x90) [0x7ec01c429d90]
(EE) 13: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0x80) [0x7ec01c429e40]
(EE) 14: /usr/lib/xorg/Xorg (_start+0x25) [0x5def21980605]
(EE)
(EE)
Fatal server error:
(EE) Caught signal 6 (Aborted). Server aborting
(EE)
(EE)
Please consult the The X.Org Foundation support
  at http://wiki.x.org
 for help.
(EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
(EE)
(II) AIGLX: Suspending AIGLX clients for VT switch
(EE) Server terminated with error (1). Closing log file.

Downgraded to 2:21.1.3-2ubuntu2 for now and it works. Looks like security backports were done incorrectly.


affects: xserver-xorg-driver-vesa → xorg-server (Ubuntu)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xorg-server (Ubuntu):
status: New → Confirmed
Javier Noval (javiernoval) wrote :

In my case (Android Studio 2023.2.1, also based on IntelliJ, on a fully-updated Jammy), with the editor antialiasing set to "grayscale", the crash is 100% reproducible (same stacktrace) as soon as any file is opened. The default setting, "subpixel", doesn't seem to cause any issues.

Axenic (axenic) wrote (last edit ):

In my case the crash happens randomly, when I'm working with NetBeans 21. I didn't upgrade any programs. Last update of NetBeans was 21 February 2024.

My log file:
[ 356.402] (EE)
[ 356.402] (EE) Backtrace:
[ 356.403] (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x13c) [0x5594ee295fdc]
[ 356.404] (EE) 1: /lib/x86_64-linux-gnu/libpthread.so.0 (funlockfile+0x60) [0x7f37ec080420]
[ 356.405] (EE) 2: /lib/x86_64-linux-gnu/libc.so.6 (__libc_malloc+0x11e) [0x7f37ebf121fe]
[ 356.405] (EE) 3: /usr/lib/xorg/Xorg (SetGlyphPicture+0x15d) [0x5594ee201ced]
[ 356.405] (EE) 4: /usr/lib/xorg/Xorg (AddTraps+0x4b5a) [0x5594ee20bb5a]
[ 356.405] (EE) 5: /usr/lib/xorg/Xorg (SendErrorToClient+0x354) [0x5594ee134144]
[ 356.405] (EE) 6: /usr/lib/xorg/Xorg (InitFonts+0x3b4) [0x5594ee1381f4]
[ 356.406] (EE) 7: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x7f37ebe9c083]
[ 356.406] (EE) 8: /usr/lib/xorg/Xorg (_start+0x2e) [0x5594ee121ace]
[ 356.406] (EE)
[ 356.406] (EE) Segmentation fault at address 0x0
[ 356.406] (EE)
Fatal server error:
[ 356.406] (EE) Caught signal 11 (Segmentation fault). Server aborting
[ 356.406] (EE)
[ 356.406] (EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
[ 356.406] (EE) Please also check the log file at "/home/user-name/.local/share/xorg/Xorg.0.log" for additional information.
[ 356.406] (EE)
[ 356.406] (II) AIGLX: Suspending AIGLX clients for VT switch
[ 356.425] (EE) Server terminated with error (1). Closing log file.

Axenic (axenic) wrote (last edit ):

A new symptom. While I'm working with NetBeans the system very often freezes randomly. Only a reboot helps. I see the following data in the log:
[ 235.747] (EE) BUG: triggered 'if (glyph->refcnt == 0)'
[ 235.748] (EE) BUG: ../../../../render/glyph.c:252 in FreeGlyph()
[ 235.748] (EE)
[ 235.748] (EE) Backtrace:
[ 235.748] (EE) 0: /usr/lib/xorg/Xorg (AddTraps+0x4e3b) [0x5590352dce3b]
[ 235.748] (EE) 1: /usr/lib/xorg/Xorg (SendErrorToClient+0x354) [0x559035205144]
[ 235.748] (EE) 2: /usr/lib/xorg/Xorg (InitFonts+0x3b4) [0x5590352091f4]
[ 235.749] (EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x7f6d6bb0c083]
[ 235.749] (EE) 4: /usr/lib/xorg/Xorg (_start+0x2e) [0x5590351f2ace]
[ 235.749] (EE)
[ 235.749] (EE) BUG: triggered 'if (glyph->refcnt == 0)'
[ 235.749] (EE) BUG: ../../../../render/glyph.c:252 in FreeGlyph()
[ 235.749] (EE)
[ 235.749] (EE) Backtrace:
[ 235.749] (EE) 0: /usr/lib/xorg/Xorg (AddTraps+0x4e3b) [0x5590352dce3b]
[ 235.749] (EE) 1: /usr/lib/xorg/Xorg (SendErrorToClient+0x354) [0x559035205144]
[ 235.749] (EE) 2: /usr/lib/xorg/Xorg (InitFonts+0x3b4) [0x5590352091f4]
[ 235.750] (EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x7f6d6bb0c083]
[ 235.750] (EE) 4: /usr/lib/xorg/Xorg (_start+0x2e) [0x5590351f2ace]
[ 235.750] (EE)
[ 235.750] (EE)
[ 235.750] (EE) Backtrace:
[ 235.751] (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x13c) [0x559035366fdc]
[ 235.751] (EE) 1: /lib/x86_64-linux-gnu/libpthread.so.0 (funlockfile+0x60) [0x7f6d6bcf0420]
[ 235.752] (EE) 2: /lib/x86_64-linux-gnu/libc.so.6 (gsignal+0xcb) [0x7f6d6bb2b00b]
[ 235.752] (EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (abort+0x12b) [0x7f6d6bb0a859]
[ 235.753] (EE) 4: /lib/x86_64-linux-gnu/libc.so.6 (__fsetlocking+0x42e) [0x7f6d6bb7526e]
[ 235.754] (EE) 5: /lib/x86_64-linux-gnu/libc.so.6 (pthread_attr_setschedparam+0x54c) [0x7f6d6bb7d2fc]
[ 235.754] (EE) 6: /lib/x86_64-linux-gnu/libc.so.6 (pthread_attr_setschedparam+0xd28) [0x7f6d6bb7dad8]
[ 235.755] (EE) 7: /lib/x86_64-linux-gnu/libc.so.6 (pthread_attr_setschedparam+0x2230) [0x7f6d6bb7efe0]
[ 235.755] (EE) 8: /lib/x86_64-linux-gnu/libc.so.6 (pthread_attr_setschedparam+0x4172) [0x7f6d6bb80f22]
[ 235.756] (EE) 9: /lib/x86_64-linux-gnu/libc.so.6 (realloc+0x2d6) [0x7f6d6bb83156]
[ 235.756] (EE) 10: /usr/lib/xorg/Xorg (ReadRequestFromClient+0x4ab) [0x559035365e8b]
[ 235.757] (EE) 11: /usr/lib/xorg/Xorg (SendErrorToClient+0x2ed) [0x5590352050dd]
[ 235.757] (EE) 12: /usr/lib/xorg/Xorg (InitFonts+0x3b4) [0x5590352091f4]
[ 235.758] (EE) 13: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf3) [0x7f6d6bb0c083]
[ 235.758] (EE) 14: /usr/lib/xorg/Xorg (_start+0x2e) [0x5590351f2ace]
[ 235.759] (EE)
[ 235.759] (EE)
Fatal server error:
[ 235.759] (EE) Caught signal 6 (Aborted). Server aborting
[ 235.759] (EE)
[ 235.759] (EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
[ 235.760] (EE) Please also check the log file at "/home/axenic/.local/share/xorg/Xorg.0.log" for additional information.
[ 235.760] (EE)
[ 235.760] (II) AIGLX: Suspending AIGLX clients for VT switch

Or this:

[ 1036.7...


Daniel van Vugt (vanvugt) wrote :

Sounds like CVE-2024-31083 mentioned in https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463 and fixed in Xorg 21.1.12.

information type: Public → Public Security
tags: added: jammy mantic noble
tags: added: fixed-in-xorg-21-1.12 fixed-upstream
tags: added: fixed-in-xorg-21.1.12
removed: fixed-in-xorg-21-1.12
summary: - Segfault in 2:21.1.4-2ubuntu1.7-22.04.9
+ Segfaults and assertion failures in Xorg's render/glyph.c
Changed in xorg-server (Ubuntu):
importance: Undecided → High
Daniel van Vugt (vanvugt) wrote :

It seems it's the *fix* for the CVE that's crashing in version 2:21.1.4-2ubuntu1.7~22.04.9 rather than the CVE itself.

https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.9

tags: removed: fixed-in-xorg-21.1.12 fixed-upstream mantic noble
tags: added: regression-update
no longer affects: xorg-server (Ubuntu Mantic)
no longer affects: xorg-server (Ubuntu Noble)
no longer affects: xorg-server (Ubuntu Jammy)
Tim Richardson (tim-richardson) wrote :

For what it's worth, JetBrains bug reports find that the problem is triggered by requesting grayscale anti-aliasing.

https://youtrack.jetbrains.com/issue/IDEA-350864/Idea.sh-abort-X-window

Derek Konigsberg (dkonigsberg) wrote :

I'm wondering if the anti-aliasing mode is a bit of a red herring here, or only partially related.
In my case, the app that triggers this is CLion 2023.3. Except in my case, I can reproduce it consistently simply by *changing* the anti-aliasing setting between subpixel and grayscale (in *either* direction) and clicking "apply." But once I log back in and re-launch the app, the system works fine and doesn't crash (regardless of the setting).

Outside of that action, the bug behaves more like a time-bomb. There seems to be like a 5% chance that clicking the "debug" icon in the toolbar will take down my X session. Most of the time it works fine, until it doesn't.

Tim Richardson (tim-richardson) wrote :

Yeah, for me it crashed 100% of the time with no changes, and removing a configuration file (which among other things removed my non-default preference for grayscale antialias) completely stopped the crashing. This is in a kvm/qemu VM. So from my perspective, and from a few other users, it looks like the cause and a good workaround. But other people in the set of JetBrains tickets report intermittent, unpredictable crashing that doesn't benefit from such a settings change. I think upstream is talking about race conditions.

So far in the bug report (the Ubuntu one) I don't understand what the proposed course of action is.

I think this is the upstream bug report: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659

Steve Beattie (sbeattie) wrote :

Are people seeing this issue with any other Ubuntu releases, which also received updates addressing CVE-2024-31083, or is this strictly affecting the version in 22.04/jammy?

It looks like https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476 has a proposed fix, in https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476.patch .

Steve Beattie (sbeattie) wrote :

The reproducer https://bugs.freedesktop.org/attachment.cgi?id=28621 from the original 2009 bug report https://bugs.freedesktop.org/show_bug.cgi?id=23286 does seem to work at triggering this issue, at least under Xwayland.

Steve Beattie (sbeattie) wrote :

I have prepared test packages for ubuntu 22.04 LTS/jammy in the https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages PPA for both xorg-server:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/15921802/+listing-archive-extra

and for xwayland:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/15921798/+listing-archive-extra

I was able to reproduce the crash under Xwayland in a jammy vm with both intellij and the glyph_memleak.c reproducer, and using the proposed upstream patch seems to address the crash, but more testing is welcome.

Changed in xorg-server (Ubuntu):
status: Confirmed → Triaged
Tim Richardson (tim-richardson) wrote (last edit ):

@sbeattie It's broken in mantic too. In xwayland, the window dies. In xorg, the session crashes, badly.

Tim Richardson (tim-richardson) wrote :

@sbeattie I tested the package you built for 22.04 and it fixes the problem for me.

Changed in xwayland (Ubuntu):
status: New → Triaged
importance: Undecided → High
Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Focal):
importance: Undecided → High
status: New → In Progress
Changed in xorg-server (Ubuntu Jammy):
importance: Undecided → High
status: New → In Progress
Changed in xorg-server (Ubuntu Mantic):
importance: Undecided → High
status: New → In Progress
no longer affects: xwayland (Ubuntu Focal)
Changed in xwayland (Ubuntu Jammy):
importance: Undecided → High
status: New → In Progress
Changed in xwayland (Ubuntu Mantic):
importance: Undecided → High
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:21.1.7-3ubuntu2.9

---------------
xorg-server (2:21.1.7-3ubuntu2.9) mantic-security; urgency=medium

  * SECURITY REGRESSION: Avoid possible double-free
    - debian/patches/CVE-2024-31083-regression.patch:
      fix a regression caused for a double-free at the last
      changes fixed by CVE-2024-31083 (LP: #2060354)

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 09 Apr 2024 00:20:41 -0300

Changed in xorg-server (Ubuntu Mantic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xwayland - 2:22.1.1-1ubuntu0.13

---------------
xwayland (2:22.1.1-1ubuntu0.13) jammy-security; urgency=medium

  * SECURITY REGRESSION: Avoid possible double-free
    - debian/patches/CVE-2024-31083-regression.patch:
      fix a regression caused for a double-free at the last
      changes fixed by CVE-2024-31083 (LP: #2060354)

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 08 Apr 2024 22:13:22 -0300

Changed in xwayland (Ubuntu Jammy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:21.1.4-2ubuntu1.7~22.04.10

---------------
xorg-server (2:21.1.4-2ubuntu1.7~22.04.10) jammy-security; urgency=medium

  * SECURITY REGRESSION: Avoid possible double-free
    - debian/patches/CVE-2024-31083-regression.patch:
      fix a regression caused for a double-free at the last
      changes fixed by CVE-2024-31083 (LP: #2060354)

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 09 Apr 2024 00:18:52 -0300

Changed in xorg-server (Ubuntu Jammy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.20.13-1ubuntu1~20.04.17

---------------
xorg-server (2:1.20.13-1ubuntu1~20.04.17) focal-security; urgency=medium

  * SECURITY REGRESSION: Avoid possible double-free
    - debian/patches/CVE-2024-31083-regression.patch:
      fix a regression caused for a double-free at the last
      changes fixed by CVE-2024-31083 (LP: #2060354)

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 08 Apr 2024 22:36:10 -0300

Changed in xorg-server (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xwayland - 2:23.2.0-1ubuntu0.6

---------------
xwayland (2:23.2.0-1ubuntu0.6) mantic-security; urgency=medium

  * SECURITY REGRESSION: Fix for CVE-2024-31083 introduced a potential
    double-free error, causing X to crash
    - debian/patches/CVE-2024-31083-regression_fix-MR_1476.patch:
      render: Avoid possible double-free in ProcRenderAddGlyphs()
    - LP: #2060354

 -- Steve Beattie <email address hidden> Mon, 08 Apr 2024 20:37:39 -0700

Changed in xwayland (Ubuntu Mantic):
status: In Progress → Fix Released
Changed in xorg-server:
status: Unknown → Fix Released
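The changelog entries above describe the regression as a possible double-free in ProcRenderAddGlyphs(), and the earlier log excerpt shows the refcnt guard in FreeGlyph() ("BUG: triggered 'if (glyph->refcnt == 0)'") firing before the server aborts. As an added illustration, not Xorg's code, the upstream merge request or the Ubuntu patch, the following constructed C program models that class of failure: a request handler's in-loop error path releases a reference-counted glyph once, and a common cleanup loop then releases the same record again. All names here (Glyph, glyph_alloc, free_glyph, add_glyphs, glyphs_live, glyph_pool_reset) are hypothetical, and the records live in a static arena so that the second release is observable as a counted guard hit instead of undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference-counted glyph record, constructed for this example.
 * It is not Xorg's Glyph structure and does not reproduce render/glyph.c. */
typedef struct {
    int refcnt;            /* number of owners; 0 means the slot is free */
    unsigned char *bits;   /* heap-allocated glyph image */
} Glyph;

#define MAX_GLYPHS 8
/* Records live in a static arena rather than being malloc'd individually, so
 * a second release of the same record shows up as a refcnt==0 guard hit
 * instead of a real double free. */
static Glyph pool[MAX_GLYPHS];
static int refcnt_zero_hits;   /* how often the guard in free_glyph fired */

static Glyph *glyph_alloc(size_t size)
{
    for (int i = 0; i < MAX_GLYPHS; i++) {
        if (pool[i].refcnt == 0) {
            pool[i].bits = calloc(size ? size : 1, 1);
            if (!pool[i].bits)
                return NULL;
            pool[i].refcnt = 1;
            return &pool[i];
        }
    }
    return NULL;               /* arena exhausted */
}

/* Analogue of the "BUG: triggered 'if (glyph->refcnt == 0)'" guard in the
 * log: an over-release is counted and refused instead of freeing the image
 * a second time. */
static int free_glyph(Glyph *g)
{
    if (g->refcnt == 0) {
        refcnt_zero_hits++;
        return -1;
    }
    if (--g->refcnt == 0) {
        free(g->bits);
        g->bits = NULL;
    }
    return 0;
}

/* Number of glyph records currently owned by someone. */
int glyphs_live(void)
{
    int n = 0;
    for (int i = 0; i < MAX_GLYPHS; i++)
        if (pool[i].refcnt > 0)
            n++;
    return n;
}

/* Simulated AddGlyphs-style request: allocate `count` glyphs into a local
 * array; the follow-up step for glyph `fail_at` fails (fail_at < 0 means
 * every glyph succeeds).  With fixed == 0 the in-loop error path releases the
 * failed glyph but leaves its stale pointer in the array, so the shared
 * cleanup releases it again; with fixed != 0 the slot is cleared first.
 * Returns how many times the refcnt==0 guard fired during this call. */
int add_glyphs(int count, int fail_at, int fixed)
{
    Glyph *glyphs[MAX_GLYPHS] = {0};
    int hits_before = refcnt_zero_hits;
    int failed = 0;

    if (count > MAX_GLYPHS)
        count = MAX_GLYPHS;

    for (int i = 0; i < count; i++) {
        glyphs[i] = glyph_alloc(16);
        if (!glyphs[i]) {
            failed = 1;
            break;
        }
        if (i == fail_at) {
            free_glyph(glyphs[i]);      /* first release, on the error path */
            if (fixed)
                glyphs[i] = NULL;       /* ownership gone: forget the pointer */
            failed = 1;
            break;
        }
    }

    if (failed) {
        /* Shared cleanup: release everything the local array still holds.
         * In the buggy variant this is the second release of glyphs[fail_at]. */
        for (int i = 0; i < count; i++)
            if (glyphs[i])
                free_glyph(glyphs[i]);
    }
    /* On success the glyphs stay live, as if committed to a glyph set. */
    return refcnt_zero_hits - hits_before;
}

/* Release everything, for running several scenarios back to back. */
void glyph_pool_reset(void)
{
    for (int i = 0; i < MAX_GLYPHS; i++)
        while (pool[i].refcnt > 0)
            free_glyph(&pool[i]);
}
```

Running add_glyphs(4, 2, 0) reports one guard hit while add_glyphs(4, 2, 1) reports none, and both leave no glyph live. The defensive points are the two the thread circles around: an error path that releases a shared resource must also drop its reference to it (release, then clear the pointer), so that a later common cleanup cannot release it again; and a refcount guard like the one in the log turns what would otherwise be silent heap corruption into a logged, countable event that a crash triage can start from.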