[X2Go-Dev] Bug#900: Gedit, gnome-terminal and others crash in rootless mode

Camilo Alejandro Arboleda camilo at ieee.org
Thu Jul 2 08:21:22 CEST 2015


Package: libnx-X11

Version: 2.3.5

Setup:

 1. x2goserver in a Debian testing machine.
 2. x2goclient in a Windows machine.
 3. Create a session with a virtual desktop.
 4. Run gedit in the session created in 3.
 5. Create a session in Windows launching only xterm.
 6. Run gedit from the console created in 5.
 7. Create a session in Windows launching only gedit.

Results:

 1. Steps from Setup 3, 4 and 5 work fine.
 2. Steps from Setup 6 and 7 crash (close the session).


A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.

Running x2goagent with a debugger gives the following backtrace:

*(gdb) backtrace*
#0  _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4, len=len@entry=18652) at XlibInt.c:3775
#1  0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized out>, property=<optimized out>, type=6, format=<optimized out>, mode=<optimized out>,
    data=0x163c2c4 "\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035", nelements=4663) at ChProp.c:85
#2  0x00000000004b1e37 in nxagentExportProperty (pWin=0x20, property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*, value=0x15fc2e0) at Rootless.c:763
#3  0x000000000042222a in ProcChangeProperty (client=0xf591b0) at X/NXproperty.c:331
#4  0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748

Looking at the highlighted values, it seems that gedit is sending a
malformed ChangeProperty request, and rootless is failing to process it.

Specifically, the segment between lines 735-780 tries to set a property
that is bigger than the maximum size required, but because it's a
malformed request it ends up writing in memory outside the boundaries of
the output buffer.

Alternatives:

 1. Ensure that nxagentExportProperty never writes beyond the boundaries
    of the output buffer.
 2. Resize the output buffer to match the required size
    (ProcChangeProperty seems to do something similar).
 3. Ignore big requests (see attached patch).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: fail_on_big_requests.patch
Type: text/x-patch
Size: 1353 bytes
Desc: not available
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150702/95d0267c/attachment-0001.bin>
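
Added example, not part of the original message and not nxagent code: a C sketch of how the three alternatives listed in the report combine into one bounds-checked export path. The struct, enum and function names are hypothetical; the sizes used to exercise it (4663 units, 18652 bytes, format 4669) are the ones visible in the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this sketch. */
enum export_result { EXPORT_OK, EXPORT_BAD_REQUEST, EXPORT_TOO_BIG, EXPORT_NO_MEM };

/* Hypothetical output buffer; nxagent's real structures are not shown in the report. */
struct out_buf { unsigned char *data; size_t cap; size_t len; };

/* Payload size of a ChangeProperty-style request. format is bits per
 * unit and must be 8, 16 or 32; the multiplication is checked for wrap. */
static int property_bytes(unsigned format, size_t n_units, size_t *out)
{
    if (format != 8 && format != 16 && format != 32)
        return -1;
    size_t unit = format / 8;
    if (n_units > SIZE_MAX / unit)
        return -1;
    *out = n_units * unit;
    return 0;
}

/* Copy a property value into buf. Requests above max_bytes are refused
 * (alternative 3); below that cap the buffer is grown to fit
 * (alternative 2), so the copy never runs past buf->cap (alternative 1). */
enum export_result export_property(struct out_buf *buf, unsigned format,
                                   size_t n_units, const void *value,
                                   size_t max_bytes)
{
    size_t need;
    if (property_bytes(format, n_units, &need) != 0)
        return EXPORT_BAD_REQUEST;
    if (need > max_bytes)
        return EXPORT_TOO_BIG;
    if (need > buf->cap) {
        unsigned char *p = realloc(buf->data, need);
        if (p == NULL)
            return EXPORT_NO_MEM;
        buf->data = p;
        buf->cap = need;
    }
    if (need > 0)
        memcpy(buf->data, value, need);
    buf->len = need;
    return EXPORT_OK;
}
```

The length is derived from the validated format and unit count rather than trusted from a separate field, so a request with inconsistent arguments is refused before any copy happens.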

