Bug 570089

Summary: Use Firefox 3.6 to visit a web site crash the X
Product: Red Hat Enterprise Linux 5 Reporter: John Lau <jlau>
Component: xorg-x11-serverAssignee: Adam Jackson <ajax>
Status: CLOSED DUPLICATE QA Contact: desktop-bugs <desktop-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 5.4CC: airlied, eteo, jlieskov, krh, ofourdan, security-response-team, spoyarek, taviso
Target Milestone: rcKeywords: Patch, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-15 13:29:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Lau 2010-03-03 09:10:16 UTC 
Description of problem:

When I use Firefox 3.6 (download from www.mozilla.com/firefox/) on RHEL5.4 and visit some sites (For example, this one: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5.b1/html/Technical_Notes/Known_Issues-kexec-tools.html) will crash the whole X. And this is error log in Xorg.0.log:
------------
Backtrace:
0: /usr/bin/Xorg(xf86SigHandler+0x81) [0x80d1bb1]
1: [0xb3b420]
2: /usr/lib/xorg/modules/libfb.so(fbCompositeSrc_8888x8888mmx+0x162) [0x343212]
3: /usr/lib/xorg/modules/libfb.so(fbComposite+0x57b) [0x3334fb]
4: /usr/lib/xorg/modules/libxaa.so(XAAComposite+0x1db) [0xe98eeb]
5: /usr/lib/xorg/modules/drivers/intel_drv.so(i830_xaa_composite+0x148) [0x6ad5f8]
6: /usr/bin/Xorg [0x816aa46]
7: /usr/bin/Xorg [0x81673b6]
8: /usr/bin/Xorg(CompositePicture+0x153) [0x8154503]
9: /usr/bin/Xorg [0x815a34f]
10: /usr/bin/Xorg [0x81576c5]
11: /usr/bin/Xorg(Dispatch+0x19a) [0x80894fa]
12: /usr/bin/Xorg(main+0x485) [0x8070755]
13: /lib/libc.so.6(__libc_start_main+0xdc) [0x125e9c]
14: /usr/bin/Xorg(FontFileCompleteXLFD+0x1fd) [0x806fa51]

Fatal server error:
Caught signal 11.  Server aborting

(II) AIGLX: Suspending AIGLX clients for VT switch
(II) intel(0): xf86UnbindGARTMemory: unbind key 0
(II) intel(0): xf86UnbindGARTMemory: unbind key 1
(II) intel(0): xf86UnbindGARTMemory: unbind key 2
(II) intel(0): xf86UnbindGARTMemory: unbind key 3
(II) intel(0): xf86UnbindGARTMemory: unbind key 4
------------

I have updated all related packages to latest version but the problem still happened and reproductable. 

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.1.1-48.67.el5_4.1

How reproducible:
Always.

Steps to Reproduce:
1. Start the Firefox 3.6
2. Go to http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5.b1/html/Technical_Notes/Known_Issues-kexec-tools.html
3. X crash and restart
  
Actual results:
X crash and restart

Expected results:
X shouldn't crash.
Comment 2 Tavis Ormandy 2010-03-18 06:01:38 UTC 
Scary, this bug affected me today. I can reproduce this bug with the URL specified. This obviously has security implications, and seems like it could be a remote root vulnerability.

(gdb) bt
#0  0x00839410 in __kernel_vsyscall ()
#1  0x00c1fdf0 in raise () from /lib/libc.so.6
#2  0x00c21701 in abort () from /lib/libc.so.6
#3  0x080a2e85 in ddxGiveUp () at xf86Init.c:1261
#4  0x081bbe93 in AbortServer () at log.c:408
#5  0x081bc426 in FatalError (f=0x81cd800 "Caught signal %d.  Server aborting\n") at log.c:554
#6  0x080d1c20 in xf86SigHandler (signo=11) at xf86Events.c:1484
#7  <signal handler called>
#8  fbCompositeSrc_8888x8888mmx (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=2607, xMask=0, yMask=0, xDst=710, yDst=2420, width=500, 
    height=52057) at fbmmx.c:1312
#9  0x001874fb in fbComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=1767, xMask=0, yMask=0, xDst=710, yDst=0, width=500, 
    height=1016) at fbpict.c:1299
#10 0x0032ceeb in XAAComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, 
    height=1016) at xaaPict.c:536
#11 0x005285f8 in i830_xaa_composite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, 
    width=500, height=1016) at i830_xaa.c:873
#12 0x0816aa46 in cwComposite (op=3 '\003', pSrcPicture=0x8e76278, pMskPicture=0x0, pDstPicture=0x8e3ec40, xSrc=0, ySrc=-153, xMsk=0, yMsk=0, xDst=710, 
    yDst=0, width=500, height=1016) at cw_render.c:275
#13 0x081673b6 in damageComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, 
    height=1016) at damage.c:541
#14 0x08154503 in CompositePicture (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, 
    height=1016) at picture.c:1789
#15 0x0815a34f in ProcRenderComposite (client=0x8e05e18) at render.c:758
#16 0x081576c5 in ProcRenderDispatch (client=0x1e00) at render.c:2005
#17 0x080894fa in Dispatch () at dispatch.c:459
#18 0x08070755 in main (argc=10, argv=0xbf9ad824, envp=Cannot access memory at address 0x1e08
) at main.c:447
(gdb) frame 8
#8  fbCompositeSrc_8888x8888mmx (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=2607, xMask=0, yMask=0, xDst=710, yDst=2420, width=500, 
    height=52057) at fbmmx.c:1312
1312                __m64 vs = *(__m64 *)(src + 0);
(gdb) x/i $pc
0x197273 <fbCompositeSrc_8888x8888mmx+451>:     movq   (%eax),%mm4
(gdb) p/x $eax
$1 = 0xaf169000

(Question: is ySrc=-153 in frame14 expected?)

Temporary workaround (at the expense of losing xrender):

Section "Extensions"
    Option "RENDER" "disable"
EndSection

in /etc/X11/xorg.conf.

00:02.0 VGA compatible controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:02.1 Display controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)

$ rpm -qf /usr/lib/xorg/modules/drivers/intel_drv.so
xorg-x11-drv-i810-1.6.5-9.25.el5
Comment 3 Eugene Teo (Security Response) 2010-03-18 06:24:15 UTC 
Tavis, thanks for the heads-up.
Comment 6 Tomas Hoger 2010-03-23 13:34:30 UTC 
Similar report - bug #498500.
Comment 7 Olivier Fourdan 2010-03-23 14:32:34 UTC 
bug #495733 looks also similar
Comment 8 Olivier Fourdan 2010-03-29 13:39:03 UTC 
The fix proposed in https://bugzilla.redhat.com/show_bug.cgi?id=495733#c15 (ie attachment https://bugzilla.redhat.com/attachment.cgi?id=403292) should fix this bug as well (at least it does in my tests).
Comment 9 Tavis Ormandy 2010-03-29 17:40:19 UTC 
Patch works here as well Olivier, Thanks.

That must have been tough to spot, very cool.
Comment 10 Tomas Hoger 2010-04-15 13:29:06 UTC 

*** This bug has been marked as a duplicate of bug 495733 ***