Bug 503384

Summary: free() of invalid pointer after "BOGUS LENGTH in write keyboard desc"
Product: Fedora
Reporter: Lubomir Rintel <lkundrak>
Component: xorg-x11-server
Assignee: Peter Hutterer <peter.hutterer>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: rawhide
CC: xgl-maint
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-02 22:34:55 UTC

Description Lubomir Rintel 2009-05-31 16:54:27 UTC
Description of problem:

Xorg.0.log:
[xkb] BOGUS LENGTH in write keyboard desc, expected 6780, got 6796

The error message is produced by /usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c line 1396; line 1409 frees an invalid pointer right away.

addr2line'd traceback:
/usr/src/debug/xorg-server-1.6.1.901/os/utils.c:1180
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:1410
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:5807
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:6690
/usr/src/debug/xorg-server-1.6.1.901/dix/dispatch.c:438
/usr/src/debug/xorg-server-1.6.1.901/dix/main.c:399

Found this on a vt:

*** glibc detected *** /usr/bin/Xorg: double free or corruption (!prev): 0x0a6f2840 ***
======= Backtrace: =========
/lib/libc.so.6[0x18b231]
/usr/bin/Xorg(Xfree+0x21)[0x8130e21]
/usr/bin/Xorg[0x818b6fd]
/usr/bin/Xorg(ProcXkbGetKbdByName+0xe33)[0x81931a3]
/usr/bin/Xorg[0x8196c78]
/usr/bin/Xorg(Dispatch+0x347)[0x80864d7]
/usr/bin/Xorg(main+0x395)[0x806baf5]
/lib/libc.so.6(__libc_start_main+0xe6)[0x131a66]
/usr/bin/Xorg[0x806afa1]
======= Memory map: ========

Version-Release number of selected component (if applicable):

xorg-x11-server-Xorg-1.6.1.901-1.fc11.i586

How reproducible:

Just happened once. I recall using qemu then, typing on a keyboard, no idea if that's related.

Additional info:

Feel free to ask for more info if needed.
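The mechanism the report describes, as an added example that is not xorg-server code: a reply buffer sized by one routine and filled by another, where the writer is bounded so a size disagreement is reported as an error and the block is freed intact, instead of the overrun-then-free sequence the log shows. All names (cursor_t, size_desc, write_desc, send_desc), the byte layout and the omitted-padding cause of the mismatch are constructed assumptions.

```c
/* Added example, not xorg-server code.  The report shows a reply buffer
 * sized by one routine and filled by another; when they disagree the
 * writer overruns the heap block before the "BOGUS LENGTH" check runs,
 * and the free() after it trips glibc's corruption detector.  A bounded
 * cursor turns that mismatch into an error while the block is intact.
 * All names here (cursor_t, size_desc, write_desc, ...) are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint8_t *buf; size_t cap, len; int overrun; } cursor_t;
typedef struct { int rc; size_t expected, got; } result_t;

/* Size computation that forgets the 4-byte pad emitted after each type,
 * so it under-counts by 4 * n_types (a constructed cause of mismatch). */
static size_t size_desc(unsigned n_types, unsigned n_syms)
{ return 8 + (size_t)n_types * 12 + (size_t)n_syms * 4; }

/* Bounded append: never writes past cap, but keeps counting so the
 * caller can report how much the writer wanted ("got"). */
static void put(cursor_t *c, const void *p, size_t n)
{
    if (c->len + n <= c->cap) memcpy(c->buf + c->len, p, n);
    else c->overrun = 1;
    c->len += n;
}

/* Serializer: 8-byte header, 12 bytes + 4-byte pad per type, 4 per sym. */
static void write_desc(cursor_t *c, unsigned n_types, unsigned n_syms)
{
    uint32_t hdr[2] = { n_types, n_syms }, zero = 0;
    put(c, hdr, sizeof hdr);
    for (unsigned i = 0; i < n_types; i++) {
        uint32_t type[3] = { i, 0, 0 };
        put(c, type, sizeof type);
        put(c, &zero, sizeof zero);      /* the pad size_desc() omits */
    }
    for (unsigned i = 0; i < n_syms; i++) put(c, &zero, sizeof zero);
}

/* rc is 0 when sizes agree and -1 on a length mismatch; either way the
 * block was never overrun, so freeing it cannot corrupt the heap. */
result_t send_desc(unsigned n_types, unsigned n_syms)
{
    cursor_t c = { NULL, size_desc(n_types, n_syms), 0, 0 };
    result_t r = { -1, c.cap, 0 };
    if (!(c.buf = calloc(c.cap, 1))) return r;
    write_desc(&c, n_types, n_syms);
    r.got = c.len;
    r.rc = (c.overrun || c.len != c.cap) ? -1 : 0;
    free(c.buf);
    return r;
}
```

With four types the computed size is 96 bytes while the writer wants 112, the same shape of disagreement as the "expected 6780, got 6796" line in the log, but here the caller learns of it before anything is freed.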

Comment 1 Peter Hutterer 2009-06-02 22:34:55 UTC
Please test 1.6.1.901-2; the patch to fix this was merged there (provided you can reproduce the bug).

http://koji.fedoraproject.org/koji/buildinfo?buildID=103514

Marking as a duplicate of 456376.

*** This bug has been marked as a duplicate of bug 456376 ***