Package: libnx-X11
Version: 2.3.5
Setup:
- x2goserver in a debian testing machine.
- x2goclient in a windows machine.
- Create a session with a virtual desktop.
- Run gedit in the session created in 3.
- Create a session in windows launching only xterm.
- Run gedit from the console created in 5.
- Create a session in windows launching only gedit.
Results:
- Steps from Setup 3, 4 and 5 work fine.
- Steps from Setup 6 and 7 crash (close the session).
A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.
Running x2goagent with a debugger gives the following backtrace:
*(gdb) backtrace* #0 _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4, len=len@entry=18652) at XlibInt.c:3775 #1 0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized out>, property=<optimized out>, type=6, format=<optimized out>, mode=<optimized out>, data=0x163c2c4 "\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035", nelements=4663) at ChProp.c:85 #2 0x00000000004b1e37 in nxagentExportProperty (pWin=0x20, property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*, value=0x15fc2e0) at Rootless.c:763 #3 0x000000000042222a in ProcChangeProperty (client=0xf591b0) at X/NXproperty.c:331 #4 0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748
Looking at the highlighted values, it seems that gedit is sending a malformed ChangeProperty request, and rootless is failing to process it.
Specifically the segment between lines 735-780, tries to set a property that is bigger than the maximum size required, but because it's a malformed request it ends up writing in memory outside the boundaries of the output buffer.
Alternatives:
- Ensure that nxagentExportProperty never writes beyond the boundaries of the output buffer.
- Resize the output buffer to match the required size (ProcChangeProperty seems to do something similar).
- Ignore big requests (see attached patch).
--
Control: tags -1 patch Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/82
Hi Camilo,
On Do 02 Jul 2015 08:21:22 CEST, Camilo Alejandro Arboleda wrote:
Your bug report has just been moved [1] to the new upstream location
of nx-libs on Github.
Looking at the highlighted values, it seems that gedit is sending a malformed ChangeProperty request, and rootless is failing to process it.
Is it really a malformed request or a problem with broken BIG-REQUESTS
support [2] in libXcomp3 (aka nxcomp)?
Is option 3. really the optimal approach? It feels like option 2.
would be the way to go here...
Please continue, if possible for you, this discussion on Github.
Mike
[1] https://github.com/ArcticaProject/nx-libs/issues/82 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766299
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40...
Processing control commands:
-- 900: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=900 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems
-
Camilo Alejandro Arboleda -
Mike Gabriel -
owner@bugs.x2go.org