Bug 1222442

Summary: [20240404] Xorg crash running Android studio
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Michael Pujos <pujos.michael>
Component: X.Org
Assignee: Gfx Bugs <gfx-bugs>
Status: RESOLVED FIXED
QA Contact: Gfx Bugs <gfx-bugs>
Severity: Normal
Priority: P3 - Medium
CC: fvogt, jengelh, pujos.michael
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Michael Pujos 2024-04-08 08:34:51 UTC
Since snapshot 20240404 and upgrade of xorg-x11-server (21.1.11 -> 21.1.12), starting Android Studio crashes Xorg hard every time.
Most specifically, I am using Android Studio Koala | 2024.1.1 Canary 3 that can be downloaded here: https://developer.android.com/studio/preview. I would not be surprised if this crash happens with other JetBrains IDEs but I have not tried.

I triggered 2 crashes, both of which killed the Xorg process. The first crash had a crash stack in journalctl while the other did not:

Apr 08 10:06:11 p72 systemd-coredump[16070]: [🡕] Process 11338 (Xorg.bin) of user 1000 dumped core.
                                             
                                             Stack trace of thread 11338:
                                             #0  0x00007f63b22949ec __pthread_kill_implementation (libc.so.6 + 0x949ec)
                                             #1  0x00007f63b2241176 raise (libc.so.6 + 0x41176)
                                             #2  0x00007f63b2228917 abort (libc.so.6 + 0x28917)
                                             #3  0x0000555e1e464efc n/a (/usr/bin/Xorg.bin + 0x1dbefc)
                                             #4  0x00007ffee9bf4ba0 n/a (n/a + 0x0)
                                             ELF object binary architecture: AMD x86-64



Reverting to 21.1.11 fixes that issue and I have added a lock for package xorg-x11-server for the time being.
Comment 1 Fabian Vogt 2024-04-08 09:00:03 UTC
> #2  0x00007f63b2228917 abort (libc.so.6 + 0x28917)

Aborts usually have a preceding error message. Depending on the used display manager that should be somewhere in ~/.local or /var/log/Xorg.*.log
Comment 2 Michael Pujos 2024-04-08 09:15:29 UTC
I need to make it crash again to generate an Xorg log with more info.
I will do that later as I need my laptop functioning at the moment.
I am also a bit wary of making it crash again as it drops me to the vconsole with no key working (out of 3 crashes, this happened twice), and I have to do an unclean shutdown of the laptop long-pressing its power button.
For info, I am starting Xorg with startx which is unusual.
Comment 3 Michael Pujos 2024-04-08 09:21:02 UTC
Also of note, there is a coredump that was generated (in only 1 of the 3 crashes) but coredumpctl says it is inaccessible while the file exists:

  Storage: /var/lib/systemd/coredump/core.Xorg\x2ebin.1000.140a9d06219f4ea99ea51127a7f00da7.11338.1712563570000000.zst (inaccessible)
       Message: Process 11338 (Xorg.bin) of user 1000 dumped core.
                
                Stack trace of thread 11338:
                #0  0x00007f63b22949ec __pthread_kill_implementation (libc.so.6 + 0x949ec)
                #1  0x00007f63b2241176 raise (libc.so.6 + 0x41176)
                #2  0x00007f63b2228917 abort (libc.so.6 + 0x28917)
                #3  0x0000555e1e464efc n/a (/usr/bin/Xorg.bin + 0x1dbefc)
                #4  0x00007ffee9bf4ba0 n/a (n/a + 0x0)
                ELF object binary architecture: AMD x86-64



The filename has a weird escaped character with \x, but the file does exist:

/var/log> ll  /var/lib/systemd/coredump/core.Xorg\\x2ebin.1000.140a9d06219f4ea99ea51127a7f00da7.11338.1712563570000000.zst 
-rw-r----- 1 root root 6.1M Apr  8 10:06 '/var/lib/systemd/coredump/core.Xorg\x2ebin.1000.140a9d06219f4ea99ea51127a7f00da7.11338.1712563570000000.zst'
Comment 4 Stefan Dirsch 2024-04-08 09:58:59 UTC
No idea. First bisect to test here (still building)

-------------------------------------------------------------------
Mon Apr  8 09:32:11 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- git bisect between 21.1.11 and 21.1.12
  Bisecting: 4 revisions left to test after this (roughly 2 steps)
  [5ca3a95135d9c89753e2af19da5a2615ea2be1c3] Xext: SProcSyncCreateFence needs to swap drawable id too

--> https://build.opensuse.org/project/show/home:sndirsch:branches:X11:XOrg
Comment 5 Michael Pujos 2024-04-08 10:36:10 UTC
Stefan, your package is not crashing (manually installed xorg-x11-server-21.1.11-749.1.x86_64.rpm)

I have also switched to using regular SDDM for troubleshooting with the advantage of being dropped to the SDDM login when it crashes (rather than having to hard reboot due to the issue I mentioned).

Here are the relevant crash lines in Xorg.0.log:

[   126.867] (EE) 
[   126.867] (EE) Backtrace:
[   126.867] (EE) 0: /usr/bin/Xorg.bin (xorg_backtrace+0x7e) [0x56165c485b8e]
[   126.868] (EE) 1: /usr/bin/Xorg.bin (0x56165c2af000+0x1df5f9) [0x56165c48e5f9]
[   126.868] (EE) 2: /lib64/libc.so.6 (0x7f908e600000+0x41240) [0x7f908e641240]
[   126.868] (EE) 3: /lib64/libc.so.6 (0x7f908e600000+0x949ec) [0x7f908e6949ec]
[   126.868] (EE) 4: /lib64/libc.so.6 (gsignal+0x18) [0x7f908e641176]
[   126.868] (EE) 5: /lib64/libc.so.6 (abort+0xd9) [0x7f908e628917]
[   126.868] (EE) 6: /lib64/libc.so.6 (0x7f908e600000+0x297e8) [0x7f908e6297e8]
[   126.868] (EE) 7: /lib64/libc.so.6 (0x7f908e600000+0x9f3c7) [0x7f908e69f3c7]
[   126.868] (EE) 8: /lib64/libc.so.6 (malloc+0x2fe) [0x7f908e6a3cdc]
[   126.868] (EE) 9: /usr/bin/Xorg.bin (0x56165c2af000+0x13536d) [0x56165c3e436d]
[   126.868] (EE) 10: /usr/bin/Xorg.bin (0x56165c2af000+0x140b8a) [0x56165c3efb8a]
[   126.868] (EE) 11: /usr/bin/Xorg.bin (0x56165c2af000+0x4d707) [0x56165c2fc707]
[   126.868] (EE) 12: /lib64/libc.so.6 (0x7f908e600000+0x2a1f0) [0x7f908e62a1f0]
[   126.868] (EE) 13: /lib64/libc.so.6 (__libc_start_main+0x8b) [0x7f908e62a2b9]
[   126.868] (EE) 14: /usr/bin/Xorg.bin (_start+0x27) [0x56165c2fca35]
[   126.868] (EE) 
[   126.868] (EE) 
Fatal server error:
[   126.868] (EE) Caught signal 6 (Aborted). Server aborting
Comment 6 Stefan Dirsch 2024-04-08 10:53:38 UTC
Thanks. Next bisect to test here (still building)

-------------------------------------------------------------------
Mon Apr  8 10:45:01 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- git bisect between 21.1.11 and 21.1.12 (continued)
  Bisecting: 2 revisions left to test after this (roughly 1 step)
  [cea92ca78f900bfb4c9a5540dfd631e065b9151b] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
Comment 7 Michael Pujos 2024-04-08 12:03:33 UTC
No crash again with this new version (750)
Comment 8 Stefan Dirsch 2024-04-08 13:40:39 UTC
Thanks. Next bisect to test here (still building)

-------------------------------------------------------------------
Mon Apr  8 13:30:47 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- git bisect between 21.1.11 and 21.1.12 (continued)
  Bisecting: 0 revisions left to test after this (roughly 1 step)
  [1173156404be826f50f453ca11bda28ccb5a5268] render: fix refcounting of glyphs during ProcRenderAddGlyphs
Comment 9 Michael Pujos 2024-04-08 14:31:59 UTC
This one (751) is crashing.
Comment 10 Stefan Dirsch 2024-04-08 14:47:33 UTC
Thanks. Last bisect to test here (still building)

-------------------------------------------------------------------
Mon Apr  8 14:39:44 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- git bisect between 21.1.11 and 21.1.12 (continued)
  Bisecting: 0 revisions left to test after this (roughly 0 steps)
  [0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
Comment 11 Michael Pujos 2024-04-08 15:43:23 UTC
Last one (752) does not crash.

I could test that both Android Studio Koala and Iguana crash, but not Intellij IDEA community. Weird issue for sure.
Comment 12 Michael Pujos 2024-04-08 15:44:48 UTC
^ meant "both Android Studio Koala and Iguana make Xorg crash".
Comment 13 Stefan Dirsch 2024-04-08 16:01:11 UTC
git bisect good
1173156404be826f50f453ca11bda28ccb5a5268 is the first bad commit
commit 1173156404be826f50f453ca11bda28ccb5a5268
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jan 30 13:13:35 2024 +1000

    render: fix refcounting of glyphs during ProcRenderAddGlyphs
    
    Previously, AllocateGlyph would return a new glyph with refcount=0 and a
    re-used glyph would end up not changing the refcount at all. The
    resulting glyph_new array would thus have multiple entries pointing to
    the same non-refcounted glyphs.
    
    AddGlyph may free a glyph, resulting in a UAF when the same glyph
    pointer is then later used.
    
    Fix this by returning a refcount of 1 for a new glyph and always
    incrementing the refcount for a re-used glyph, followed by dropping that
    refcount back down again when we're done with it.
    
    CVE-2024-31083, ZDI-CAN-22880
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
    (cherry picked from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)

 render/glyph.c    |  5 +++--
 render/glyphstr.h |  2 ++
 render/render.c   | 15 +++++++++++----
 3 files changed, 16 insertions(+), 6 deletions(-)
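The refcounting hazard described in the commit message above, as an added toy model in C (not xserver code and not part of this bug report). The slot-array cache and the names `lookup_or_alloc`, `set_add` and `add_glyphs` are assumptions; releasing a glyph only clears a flag so the stale access can be counted safely.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, NOT xserver code: a glyph cache keyed by hash with refcounts.
 * Releasing a glyph only clears `live`, so a stale access can be counted
 * safely instead of corrupting the heap. All names are hypothetical. */
#define CACHE_SLOTS 8
#define SET_SLOTS   4
typedef struct { unsigned hash; int refcnt; int live; } Glyph;

static Glyph  cache[CACHE_SLOTS];
static Glyph *set[SET_SLOTS];      /* glyph set: id -> glyph */
static int    stale_uses;          /* accesses to a released glyph */

static void touch(Glyph *g) { if (!g->live) stale_uses++; }

static void unref(Glyph *g)
{
    touch(g);
    if (--g->refcnt <= 0) g->live = 0;   /* last reference gone: release */
}

/* fixed=0: new glyph gets refcnt 0, re-use leaves refcnt alone (old behaviour).
 * fixed=1: new glyph gets refcnt 1, re-use increments (behaviour after fix). */
static Glyph *lookup_or_alloc(unsigned hash, int fixed)
{
    Glyph *spare = NULL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].live && cache[i].hash == hash) {
            if (fixed) cache[i].refcnt++;
            return &cache[i];
        }
        if (!cache[i].live && !spare) spare = &cache[i];
    }
    if (!spare) return NULL;
    spare->hash = hash; spare->live = 1; spare->refcnt = fixed ? 1 : 0;
    return spare;
}

static void set_add(int id, Glyph *g)
{
    if (set[id]) unref(set[id]);   /* replacing an entry may release it */
    touch(g);                      /* g may be the glyph just released */
    g->refcnt++;
    set[id] = g;
}

/* Runs one request on a fresh cache; returns stale accesses, -1 on bad input. */
static int add_glyphs(const unsigned *hashes, const int *ids, int n, int fixed)
{
    Glyph *pending[CACHE_SLOTS];
    if (n < 0 || n > CACHE_SLOTS) return -1;
    for (int i = 0; i < n; i++)
        if (ids[i] < 0 || ids[i] >= SET_SLOTS) return -1;
    memset(cache, 0, sizeof cache);
    memset(set, 0, sizeof set);
    stale_uses = 0;
    for (int i = 0; i < n; i++)
        if (!(pending[i] = lookup_or_alloc(hashes[i], fixed))) return -1;
    for (int i = 0; i < n; i++) set_add(ids[i], pending[i]);
    for (int i = 0; fixed && i < n; i++) unref(pending[i]); /* drop temp refs */
    return stale_uses;
}

int main(void)
{
    /* Constructed request: the same glyph data sent twice for id 0. */
    unsigned hashes[] = { 0xA1, 0xA1 };
    int ids[] = { 0, 0 };
    printf("old:   stale uses = %d\n", add_glyphs(hashes, ids, 2, 0));
    printf("fixed: stale uses = %d\n", add_glyphs(hashes, ids, 2, 1));
    printf("fixed: final refcnt = %d\n", set[0]->refcnt);
}
```

With the old counting, replacing the set entry drops the only reference to a glyph that the pending array still points at; with the fixed counting, the temporary references keep it alive until the request is finished.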
Comment 14 Stefan Dirsch 2024-04-08 16:10:15 UTC
(In reply to Michael Pujos from comment #11)
> Last one (752) does not crash.
> 
> I could test that both Android Studio Koala and Iguana crash, but not
> Intellij IDEA community. Weird issue for sure.

Now I'm totally confused. You say it doesn't crash, but then that it does crash with Koala and Iguana. But not with Intellij IDEA community. For which programs were the previous results? Results need to be consistent.

(In reply to Michael Pujos from comment #12)
> ^ meant "both Android Studio Koala and Iguana make Xorg crash".

I think that Xorg crashes here and not the user application was clear anyway.
Comment 15 Stefan Dirsch 2024-04-08 16:10:40 UTC
Of course I cannot just revert a security patch ...
Comment 16 Michael Pujos 2024-04-08 16:18:12 UTC
I mean that I have this issue only with Android Studio (Koala and Iguana) but not Intellij IDEA Community edition. To make it 100% clear:

- Android Studio (both Koala and Iguana) makes Xorg crash only with test build version 751 (and of course the current TW xorg version)
- Intellij IDEA Community edition never causes Xorg to crash


I also tested Intellij IDEA because Android Studio is based on it.
Comment 17 Stefan Dirsch 2024-04-08 17:00:50 UTC
Thanks. This makes it consistent again. I will do a last step, i.e. go back to the original tarball and revert this one patch. And let you test this as well.
Just to double check it's this one commit.
Comment 18 Stefan Dirsch 2024-04-08 17:22:44 UTC
Please test to double check if the patch is really the culprit. Packages are still rebuilding though.

-------------------------------------------------------------------
Mon Apr  8 17:06:12 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- back to 21.1.12 tarball
- reverse apply 
  U_render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch to
  fix regression caused by security fix for CVE-2024-31083 (bsc#1222312,
  boo#1222442)
Comment 19 Jan Engelhardt 2024-04-08 18:16:04 UTC
>I am also a bit wary of making it crash again as it drops me to the vconsole with no key working 

Start sshd, and use it to issue safe reboots or e.g. `systemctl restart xdm` to just restart Xorg.
Comment 20 Michael Pujos 2024-04-09 07:54:20 UTC
(In reply to Stefan Dirsch from comment #18)
> Please test to double check if the patch is really the culprit. Packages are
> still rebuilding though.
> 

Confirming that package is fine and does not crash.
Should I report that issue to the xorg issue tracker? Maybe they will have a hint about what it could be or an idea how to further debug it?




(In reply to Jan Engelhardt from comment #19)
> 
> Start sshd, and use it to issue safe reboots or e.g. `systemctl restart xdm`
> to just restart Xorg.

That's what I would usually do, but I do not have access to a separate PC at the moment. Anyway, I switched to using SDDM instead of startx (which is unusual, not recommended, etc) and it recovers nicely on Xorg crash (back to SDDM login).
Comment 21 Stefan Dirsch 2024-04-09 08:18:42 UTC
(In reply to Michael Pujos from comment #20)
> (In reply to Stefan Dirsch from comment #18)
> > Please test to double check if the patch is really the culprit. Packages are
> > still rebuilding though.
> > 
> 
> Confirming that package is fine and does not crash.
> Should I report that issue to the xorg issue tracker  ? Maybe they will have
> a hint about what it could be or an idea how to further debug it ?

It would be perfect if you could do this, since only you can reproduce the issue.
I would subscribe to the issue then. I could apply patches and build packages for testing if needed.
Comment 22 Michael Pujos 2024-04-09 08:51:33 UTC

I could finally get a detailed stack trace in gdb:


#0  0x00007f03c5c949ec in __pthread_kill_implementation () at /lib64/libc.so.6
#1  0x00007f03c5c41176 in raise () at /lib64/libc.so.6
#2  0x00007f03c5c28917 in abort () at /lib64/libc.so.6
#3  0x0000561d2962eefc in OsAbort () at ../../os/utils.c:1361
#4  0x0000561d2962ff5f in AbortServer () at ../../os/log.c:879
#5  FatalError (f=f@entry=0x561d2965b308 "Caught signal %d (%s). Server aborting\n") at ../../os/log.c:1017
#6  0x0000561d29632652 in OsSigHandler (unused=<optimized out>, sip=<optimized out>, signo=6) at ../../os/osinit.c:156
#7  OsSigHandler (signo=6, sip=<optimized out>, unused=<optimized out>) at ../../os/osinit.c:110
#8  0x00007f03c5c41240 in <signal handler called> () at /lib64/libc.so.6
#9  0x00007f03c5c949ec in __pthread_kill_implementation () at /lib64/libc.so.6
#10 0x00007f03c5c41176 in raise () at /lib64/libc.so.6
#11 0x00007f03c5c28917 in abort () at /lib64/libc.so.6
#12 0x00007f03c5c297e8 in _IO_peekc_locked.cold () at /lib64/libc.so.6
#13 0x00007f03c5c9f3c7 in  () at /lib64/libc.so.6
#14 0x00007f03c5ca3cdc in malloc () at /lib64/libc.so.6
#15 0x0000561d2958836d in AllocateGlyph (gi=0x561d2b58339c, fdepth=<optimized out>) at ../../render/glyph.c:355
#16 0x0000561d29593b8a in ProcRenderAddGlyphs (client=<optimized out>) at ../../render/render.c:1085
#17 0x0000561d294a0707 in Dispatch () at ../../dix/dispatch.c:550
#18 dix_main (envp=<optimized out>, argv=0x7fffca74c508, argc=<optimized out>) at ../../dix/main.c:276
#19 main (argc=<optimized out>, argv=0x7fffca74c508, envp=<optimized out>) at ../../dix/stubmain.c:34
(gdb) frame 15
#15 0x0000561d2958836d in AllocateGlyph (gi=0x561d2b58339c, fdepth=<optimized out>) at ../../render/glyph.c:355
355	    glyph = (GlyphPtr) malloc(size);


So it is crashing in malloc() triggered from AllocateGlyph().
Would not be surprised if it is caused by a double free() or something caused by the relevant CVE patch.

Will open a bug on the Xorg bug tracker.
Comment 23 Michael Pujos 2024-04-09 09:00:57 UTC
Urgh. Just as I was about to open a bug report, this commit from 1h ago likely fixes that issue:

https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04

Can you generate a new test version with it?
Comment 24 Michael Pujos 2024-04-09 09:06:19 UTC
And it had been reported but I totally missed it because of the title not mentioning Android Studio / JetBrains / Intellij:

https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Comment 25 Stefan Dirsch 2024-04-09 09:46:09 UTC
Thanks a lot for finding this!

Please test to check if the patch is really fixing it. Packages are still rebuilding though.

-------------------------------------------------------------------
Tue Apr  9 09:35:08 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
  * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, 
    boo#1222442, gitlab xserver issue #1659)
- no longer reverse apply 
  U_render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
Comment 26 Michael Pujos 2024-04-09 10:24:54 UTC
Confirming new patched version does not crash.

Since this bug cannot be left unpatched, it seems that there will be new official versions for xorg-xserver and xwayland so maybe it is best to wait for that?

https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests
Comment 27 Stefan Dirsch 2024-04-09 11:12:02 UTC
Thanks for confirmation. The remaining stuff needs to be done by me I'm afraid.
Comment 28 OBSbugzilla Bot 2024-04-10 14:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1222442) was mentioned in
https://build.opensuse.org/request/show/1166666 Factory / xorg-x11-server
Comment 31 Stefan Dirsch 2024-04-11 03:38:22 UTC
Closing as fixed.
Comment 33 Maintenance Automation 2024-04-12 16:30:29 UTC
SUSE-SU-2024:1265-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33215](https://smelt.suse.de/incident/33215/)
Sources used:
openSUSE Leap 15.4 (src):
 xwayland-21.1.4-150400.3.36.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xwayland-21.1.4-150400.3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2024-04-12 16:30:32 UTC
SUSE-SU-2024:1264-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33216](https://smelt.suse.de/incident/33216/)
Sources used:
openSUSE Leap 15.5 (src):
 xwayland-22.1.5-150500.7.22.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 xwayland-22.1.5-150500.7.22.1

Comment 35 Maintenance Automation 2024-04-12 16:30:34 UTC
SUSE-SU-2024:1263-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1222312, 1222442
CVE References: CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33344](https://smelt.suse.de/incident/33344/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 xorg-x11-server-1.19.6-10.74.1
SUSE Linux Enterprise Server 12 SP5 (src):
 xorg-x11-server-1.19.6-10.74.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 xorg-x11-server-1.19.6-10.74.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 xorg-x11-server-1.19.6-10.74.1

Comment 36 Maintenance Automation 2024-04-12 16:30:36 UTC
SUSE-SU-2024:1262-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33214](https://smelt.suse.de/incident/33214/)
Sources used:
openSUSE Leap 15.5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1
Basesystem Module 15-SP5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1
Development Tools Module 15-SP5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1

Comment 37 Maintenance Automation 2024-04-12 16:30:38 UTC
SUSE-SU-2024:1261-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33212](https://smelt.suse.de/incident/33212/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Enterprise Storage 7.1 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1

Comment 38 Maintenance Automation 2024-04-12 16:30:41 UTC
SUSE-SU-2024:1260-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33213](https://smelt.suse.de/incident/33213/)
Sources used:
openSUSE Leap 15.4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Proxy 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Retail Branch Server 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Server 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1

Comment 42 OBSbugzilla Bot 2024-07-11 15:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1222442) was mentioned in
https://build.opensuse.org/request/show/1186897 Factory / xwayland
Comment 43 OBSbugzilla Bot 2024-07-12 13:35:06 UTC
This is an autogenerated message for OBS integration:
This bug (1222442) was mentioned in
https://build.opensuse.org/request/show/1187080 Factory / xwayland