Bug 1423374

Summary: gnome-shell crashes with signal 11 due to NULL value passed to _clutter_input_device_reset_scroll_info()
Product: Red Hat Enterprise Linux 7
Reporter: Jos Collin <jcollin>
Component: mutter
Assignee: Carlos Garnacho <cgarnach>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent
Priority: urgent
Version: 7.2
CC: cgarnach, chorn, cww, knoha, mclasen, otaylor, peter.hutterer, qguo, rick.beldin, shane.seymour, stanislav.moravec, tpelka, vanhoof, yuokada
Target Milestone: rc
Target Release: 7.3
Hardware: x86_64
OS: Linux
Fixed In Version: mutter-3.28.2-2.el7
Last Closed: 2018-10-30 10:19:44 UTC
Type: Bug
Bug Blocks: 1420851, 1473733, 1546815, 1571842, 1609081

Description Jos Collin 2017-02-17 07:14:19 UTC
Description of problem:
Gnome session hung and gnome-shell dumped a core. The crash is because of null in source_device passed to _clutter_input_device_reset_scroll_info() in clutter-device-manager-xi2.c.

Version-Release number of selected component (if applicable):
1.20.0 and higher.

How reproducible:
One-time occurrence only. Steps not provided by the customer.

Actual results:
Gnome session hung and gnome-shell dumped a core.

Expected results:
The NULL values to be checked in clutter-device-manager-xi2.c, which resolves the problem.

Additional info:
I have created a patch in the upstream: https://bugzilla.gnome.org/show_bug.cgi?id=778807. I'm working on the patch for RHEL 7.2.

Comment 1 Jos Collin 2017-02-17 13:20:03 UTC
(In reply to Jos Collin from comment #0)

> I'm working on the patch for RHEL 7.2.
Please ignore this statement in the above Additional info.

Comment 21 Jos Collin 2017-10-16 11:58:37 UTC
@Keigo We have already discussed via email how to proceed.

Comment 28 Keigo Noha 2018-02-22 08:10:08 UTC
Hello Owen,

Today, we have a bi-weekly meeting with HPE-Japan.
In this meeting, we think the code in clutter doesn't follow a usual practice, the NULL check.

From the GNOME developer guide, g_hash_table_lookup() will return NULL if the key is not found.

c.f. https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-lookup
~~~
g_hash_table_lookup ()

gpointer
g_hash_table_lookup (GHashTable *hash_table,
                     gconstpointer key);

Looks up a key in a GHashTable. Note that this function cannot distinguish between a key that is not present and one which is present and has the value NULL. If you need this distinction, use g_hash_table_lookup_extended().

Parameters
hash_table : a GHashTable
key : the key to look up
	 
Returns
the associated value, or NULL if the key is not found. 
~~~

In the clutter code, there are many places which don't check whether the pointer is NULL or not.

HPE and I think that the code should have NULL checks, as is done for fopen() and malloc() in C code, to confirm whether the function returns the expected pointer before passing it to later parts of the code.

The current code looks too optimistic regarding the return value of g_hash_table_lookup().

Actually, a NULL reference check in another part of the function, clutter_device_manager_xi2_translate_event(), was merged.
c.f. https://bugzilla.gnome.org/review?bug=678439&attachment=216819

So, we think that introducing a NULL check for every g_hash_table_lookup() looks like a usual fix.
What do you think about it?
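
The check argued for in comment 28, as an added example that is not part of the bug report and is not clutter or mutter code. A small fixed-size table stands in for GHashTable so the block builds without GLib, following the lookup contract quoted above; `Device`, `DeviceTable`, `sample`, `reset_scroll_info` and `handle_scroll_event` are hypothetical names, and the table contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for an input device that carries scroll state. */
typedef struct { int id; double scroll_x, scroll_y; } Device;

/* Fixed-size table standing in for a GHashTable keyed by device id. */
typedef struct { int key; Device *value; bool used; } Slot;
typedef struct { Slot slots[8]; } DeviceTable;

/* Constructed sample: id 2 maps to a device, id 3 is present with a NULL value. */
static Device pointer_dev = { 2, 5.0, -3.0 };
static DeviceTable sample = { { { 2, &pointer_dev, true }, { 3, NULL, true } } };

/* Contract of g_hash_table_lookup_extended(): presence is reported separately. */
static bool table_lookup_extended(const DeviceTable *t, int key, Device **value) {
    for (size_t i = 0; i < 8; i++)
        if (t->slots[i].used && t->slots[i].key == key) {
            if (value) *value = t->slots[i].value;
            return true;
        }
    return false;
}

/* Contract of g_hash_table_lookup(): NULL for a missing key or a NULL value. */
static Device *table_lookup(const DeviceTable *t, int key) {
    Device *d = NULL;
    table_lookup_extended(t, key, &d);
    return d;
}

/* Dereferences its argument, so a NULL device here faults (signal 11). */
static void reset_scroll_info(Device *d) { d->scroll_x = d->scroll_y = 0.0; }

/* Guarded caller: an unknown id is dropped instead of being dereferenced. */
static bool handle_scroll_event(const DeviceTable *t, int source_id) {
    Device *source = table_lookup(t, source_id);
    if (source == NULL)
        return false;
    reset_scroll_info(source);
    return true;
}

int main(void) {
    return (handle_scroll_event(&sample, 2) && !handle_scroll_event(&sample, 99)) ? 0 : 1;
}
```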

Comment 46 errata-xmlrpc 2018-10-30 10:19:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140