Bug 1947285
| Field | Value |
|---|---|
| Summary | [abrt] xclip: doOut(): xclip killed by SIGSEGV |
| Product | [Fedora] Fedora |
| Reporter | Vadim Raskhozhev <iamdexpl> |
| Component | xclip |
| Assignee | Tom "spot" Callaway <spotrh> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 34 |
| CC | doug.hs, junk, loganjerry, spotrh, telometto |
| Hardware | x86_64 |
| OS | Unspecified |
| URL | https://retrace.fedoraproject.org/faf/reports/bthash/0019be752b9ec2a8dcf260b83424c5309e4598e1 |
| Whiteboard | abrt_hash:5514a44e649a950a4b30398809779d4b99f49e00;VARIANT_ID=server; |
| Fixed In Version | xclip-0.13-14.git11cba61.fc34 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2021-06-19 01:08:28 UTC |
Description
Vadim Raskhozhev
2021-04-08 07:20:04 UTC
Created attachment 1770150: backtrace
Created attachment 1770151: core_backtrace
Created attachment 1770152: cpuinfo
Created attachment 1770153: dso_list
Created attachment 1770154: environ
Created attachment 1770155: exploitable
Created attachment 1770156: limits
Created attachment 1770157: maps
Created attachment 1770158: mountinfo
Created attachment 1770159: open_fds
Created attachment 1770160: proc_pid_status
*** Bug 1953239 has been marked as a duplicate of this bug. ***

*** Bug 1957717 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Crashed while being used by the 'pass' command to copy a password to the clipboard. It seems to happen quite often.

reporter: libreport-2.14.0
backtrace_rating: 4
cgroup: 0::/user.slice/user-1000.slice/user/app.slice/app-org.gnome.Terminal.slice/vte-spawn-5b97fc85-6dae-494a-bad8-09f2730a0f4f.scope
cmdline: xclip -o -selection clipboard
crash_function: doOut
executable: /usr/bin/xclip
journald_cursor: s=bf0f7f25f909437689c023348b4cad43;i=445d;b=2a9a594d9bee4e8c9c7a23330907a5a7;m=13987a66e;t=5c1c01daa3a69;x=70d90cadffd0c2d6
kernel: 5.11.17-300.fc34.x86_64
package: xclip-0.13-13.git11cba61.fc34
reason: xclip killed by SIGSEGV
rootdir: /
runlevel: N 5
type: CCpp
uid: 1000

With debuginfo installed, gdb says:
#0 0x00007fb6d4d22789 in __GI___libc_free (mem=0x38000000380) at malloc.c:3288
#1 0x00005612cd95459d in doOut (win=10485761) at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:748
#2 main (argc=<optimized out>, argv=<optimized out>)
at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:974
so a bad pointer has been passed to free(). Line 748 of xclip.c is:
free(sel_buf);
The question is how sel_buf could get a bad pointer. On line 717, sel_buf is declared but not initialized, so it contains random stack bytes. We take the "else" branch on line 724, so sel_buf remains uninitialized. A pointer to sel_buf is passed to xcout() on line 731. Now look at the code for xcout (xclib.c, line 141). The value of *context is XCLIB_XCOUT_NONE and the value of *len is 0, so xcout does not change the value of *txt. Now, back in doOut(), we still have random stack bytes in sel_buf, but we pass those random stack bytes to free() on line 748 of xclip.c.
Fix: initialize sel_buf to NULL, and change "free(sel_buf)" to "if (sel_buf != NULL) free(sel_buf);".
The xcmemzero() call on line 746 of xclip.c should also be guarded with "if (sel_buf != NULL)".

Looks correct to me, thank you Jerry. Would you like to make a PR for this to go upstream? If not, I will do it on your behalf.

FEDORA-2021-cdd942c6d4 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4

Here's the PR: https://github.com/astrand/xclip/pull/121

FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cdd942c6d4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
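The uninitialised-pointer pattern analysed above and the proposed fix, reduced to a stand-alone C example; this is added here and is not xclip's code. `fake_xcout` is a hypothetical stand-in for xclib's xcout() that reproduces only the one behaviour the report relies on (leaving `*txt` untouched when there is nothing to paste), and `do_out_buggy` / `do_out_fixed` are constructed names for the before and after of doOut().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for xclib's xcout(): as the report describes for
 * the real one, it does NOT write *txt when the selection is empty, so the
 * caller's pointer keeps whatever value it already had. */
static int fake_xcout(const char *selection, unsigned char **txt,
                      unsigned long *len)
{
    if (selection == NULL) {       /* empty selection: *txt left untouched */
        *len = 0;
        return 0;
    }
    *len = strlen(selection);
    *txt = malloc(*len + 1);       /* caller owns this and must free it */
    memcpy(*txt, selection, *len + 1);
    return 1;
}

/* The pattern of the crashing doOut(): sel_buf never initialised, cleanup
 * unconditional. Fine when the selection is non-empty; with an empty one
 * it hands stack garbage to free(), the SIGSEGV in the backtrace. */
unsigned long do_out_buggy(const char *selection, FILE *out)
{
    unsigned char *sel_buf;        /* uninitialised, as at xclip.c:717 */
    unsigned long sel_len = 0;
    fake_xcout(selection, &sel_buf, &sel_len);
    if (out && sel_len) fwrite(sel_buf, 1, sel_len, out);
    memset(sel_buf, 0, sel_len);   /* stands in for xcmemzero(), line 746 */
    free(sel_buf);                 /* xclip.c:748 */
    return sel_len;
}

/* The fix from the report: NULL-initialise, then guard the cleanup. */
unsigned long do_out_fixed(const char *selection, FILE *out)
{
    unsigned char *sel_buf = NULL; /* a known value on every path */
    unsigned long sel_len = 0;
    fake_xcout(selection, &sel_buf, &sel_len);
    if (out && sel_len) fwrite(sel_buf, 1, sel_len, out);
    if (sel_buf != NULL) {         /* free(NULL) alone is a defined no-op,
                                      but the zeroing must not see NULL */
        memset(sel_buf, 0, sel_len);
        free(sel_buf);
    }
    return sel_len;
}
```

Under AddressSanitizer or valgrind, do_out_fixed(NULL, stdout) is clean while do_out_buggy(NULL, stdout) reproduces the invalid free() from the report.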