Bug 975171

Summary: gnome-shell: screen magnifier can cause crash with Cogl error
Product: Fedora
Reporter: Florian Weimer <fweimer>
Component: gnome-shell
Assignee: Owen Taylor <otaylor>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: admiller, drago01, fmuellner, otaylor, samkraju, vdanen, walters
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: clutter-1.14.4-4.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-29 18:40:05 UTC
Type: Bug
Bug Blocks: 972628
Attachments: Patch (flags: none)

Description Florian Weimer 2013-06-17 18:30:09 UTC
Description of problem:

When the screen magnification exceeds some limit (perhaps hardware-related), GNOME Shell exits with a crash in Cogl:

Jun 17 19:44:41 oldenburg.str.redhat.com /etc/gdm/Xsession[1146]: (gnome-shell:1402): Cogl-ERROR **: Couldn't find suitable slicing geometry for given size
Jun 17 19:44:41 oldenburg.str.redhat.com kernel: traps: gnome-shell[1402] trap int3 ip:386ca4ee0d sp:7fffe9d41820 error:0

The magnification is saved in the configuration and prevents future logins.

Version-Release number of selected component (if applicable):

gnome-shell-3.8.3-2.fc19.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Press Super-Alt-8.
2. Press Super-Alt-+ repeatedly.

Actual results:

GNOME Shell crashes.

Expected results:

GNOME Shell continues to run, possibly signaling somehow that zooming in further is not possible.

Comment 1 Florian Weimer 2013-06-18 13:43:53 UTC
This also affects the locked screen and gdm.  gdm also persists the setting, effectively preventing graphical login even across reboots (so it is a kind of denial-of-service issue).

The fix/workaround is to delete /var/lib/gdm/.config/dconf/user or ~/.config/dconf/user for affected users.

Comment 2 Vincent Danen 2013-06-19 15:20:47 UTC
I'm not sure I would call this a security issue.  You need to have local/physical access to do this, which means you can do other things as well (perhaps not persistent in this way, but would still be considered a denial of service).  Does the gdm persistence prevent you from logging into any other desktop manager?  I.e. does this make gdm itself crash, or just when you attempt to login does it crash?

Comment 3 Florian Weimer 2013-06-19 15:40:08 UTC
(In reply to Vincent Danen from comment #2)
> I'm not sure I would call this a security issue.  You need to have
> local/physical access to do this, which means you can do other things as
> well (perhaps not persistent in this way, but would still be considered a
> denial of service).  Does the gdm persistence prevent you from logging into
> any other desktop manager?  I.e. does this make gdm itself crash, or just
> when you attempt to login does it crash?

gdm itself crashes before the user selection dialog comes up.  It's also possible to do this when the screen is locked and a user is logged in.  When GNOME Shell crashes, the unlocked screen contents are briefly visible (without the need for entering a password).

This does not appear to be hardware-dependent by the way, I can reproduce it in a VM.

Comment 4 Vincent Danen 2013-06-24 20:27:06 UTC
GDM crashing when it comes up is pretty bad.  Not so concerned about the contents being briefly available -- there are plenty of ways to get a glimpse of a desktop when it's supposed to be locked, but the GDM crashing definitely makes it persistent.

In light of the above, I'd consider this a low-impact security flaw with a CVSSv2 of 2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P.

Does this just affect F19, or are earlier versions affected?  Do we know if this is Fedora-specific or whether it affects upstream as well?

Comment 5 Florian Weimer 2013-06-25 08:46:57 UTC
(In reply to Vincent Danen from comment #4)
> Does this just affect F19, or are earlier versions affected?

At release, Fedora 18 did not map the zoom in/zoom out shortcuts.  They were later added as new defaults in gnome-settings-daemon, but they do not seem to work in GDM or the lock screen yet.  Fedora 18 also does not crash when zooming too far.  So I would say Fedora 18 is not affected.

> Do we know if this is Fedora-specific or whether it affects upstream as well?

Fedora is generally very close to GNOME upstream.

The actual crash might have been introduced by this patch:

<https://mail.gnome.org/archives/commits-list/2013-January/msg00229.html>

(This is consistent with GNOME 3.6/Fedora 18 not crashing.)

I'll test various Cogl debugging flags (in particular, disable-atlas) and report back if they make a difference.

Comment 6 Florian Weimer 2013-06-25 09:07:31 UTC
(In reply to Florian Weimer from comment #5)
> I'll test various Cogl debugging flags (in particular, disable-atlas) and
> report back if they make a difference.

No luck there.  gnome-shell still crashes.

Comment 7 drago01 2013-06-25 13:11:41 UTC
Does this: http://koji.fedoraproject.org/koji/taskinfo?taskID=5539458 help? (still building)

Comment 8 drago01 2013-06-25 13:55:07 UTC
Created attachment 765098 [details]
Patch

Comment 9 drago01 2013-06-25 18:30:58 UTC
I have pushed the patch (slightly modified) upstream now. Testing still appreciated.

Comment 10 Florian Weimer 2013-06-26 05:34:03 UTC
(In reply to drago01 from comment #7)
> Does this: http://koji.fedoraproject.org/koji/taskinfo?taskID=5539458 help?
> (still building)

Hmm, this is clutter-1.12.2, but F19 is already at clutter-1.14.4.

Comment 11 drago01 2013-06-26 07:34:36 UTC
(In reply to Florian Weimer from comment #10)
> (In reply to drago01 from comment #7)
> > Does this: http://koji.fedoraproject.org/koji/taskinfo?taskID=5539458 help?
> > (still building)
> 
> Hmm, this is clutter-1.12.2, but F19 is already at clutter-1.14.4.

Sorry wrong branch, test this one: http://koji.fedoraproject.org/koji/taskinfo?taskID=5545199

Comment 12 drago01 2013-06-26 08:30:49 UTC
(In reply to drago01 from comment #11)
> (In reply to Florian Weimer from comment #10)
> > (In reply to drago01 from comment #7)
> > > Does this: http://koji.fedoraproject.org/koji/taskinfo?taskID=5539458 help?
> > > (still building)
> > 
> > Hmm, this is clutter-1.12.2, but F19 is already at clutter-1.14.4.
> 
> Sorry wrong branch, test this one:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=5545199

OK I have managed to reproduce the bug. The fix does indeed work here.

Comment 13 Fedora Update System 2013-06-26 08:43:31 UTC
clutter-1.14.4-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/clutter-1.14.4-4.fc19

Comment 14 Fedora Update System 2013-06-26 17:06:00 UTC
Package clutter-1.14.4-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing clutter-1.14.4-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11703/clutter-1.14.4-4.fc19
then log in and leave karma (feedback).

Comment 15 Vincent Danen 2013-06-26 17:41:01 UTC
So this issue is actually in the clutter package?  Probably introduced in 1.14 as F18 has 1.12?  I'd like to file a CVE bug and get one assigned, but knowing the appropriate package name and (as much as is reasonable) when it was introduced would be great.

Comment 16 drago01 2013-06-26 17:53:23 UTC
(In reply to Vincent Danen from comment #15)
> So this issue is actually in the clutter package?  Probably introduced in
> 1.14 as F18 has 1.12?  I'd like to file a CVE bug and get one assigned, but
> knowing the appropriate package name and (as much as is reasonable) when it
> was introduced would be great.

This is cogl-1.14 accidentally breaking API: it now lazily allocates textures. clutter expected to get NULL as the return value when it asks for a new texture; as the allocation happens later, it gets back a valid handle. The fix is to explicitly allocate the texture in clutter.

So in short, cogl broke ABI, which caused clutter (used by gnome-shell) to crash. Not sure about the CVE thing, because the clutter bug does not look like a security bug; the gnome-shell crash triggered by clutter is.

clutter-1.12 is not affected because it uses cogl-1.12 which does not have this change.

Florian already linked to the cogl change that caused all this. As to when it got into a package I don't know should be traceable by checking which release introduced that commit and when it got into Fedora.
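
The failure mode drago01 describes in comment 16 (a caller that treats a non-NULL handle as "the texture exists", while the library has moved allocation to first use) and the reproducer from the description (zoom in until the texture can no longer be backed) can be modelled in a few lines of C. The block below is an added example and is not clutter or cogl code: `eager_texture_new`, `lazy_texture_new`, `texture_allocate`, `texture_draw`, `MAX_TEXTURE_PIXELS` and the screen size are all hypothetical stand-ins. `lazy_texture_new` plus `texture_allocate` plays the role of the cogl-1.14 behaviour and its explicit allocation call; the "abort" return code stands in for the `Cogl-ERROR` that takes gnome-shell down.

```c
/* Added example (not clutter or cogl code): models the API break described in
 * comment 16 with hypothetical functions.  "eager_*" stands for the old cogl
 * behaviour (allocation fails at creation time and returns NULL); "lazy_*"
 * stands for the cogl-1.14 behaviour (creation always returns a handle and the
 * allocation is deferred).  MAX_TEXTURE_PIXELS is a constructed limit standing
 * in for "Couldn't find suitable slicing geometry for given size". */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TEXTURE_PIXELS (4096LL * 4096LL)   /* constructed limit */

typedef struct {
    int width;
    int height;
    int allocated;   /* 1 once backing storage exists */
} Texture;

enum { DRAW_OK = 0, DRAW_FAILED = 1, DRAW_ABORTED = 2 };

/* Old behaviour: allocation happens at creation; NULL signals failure. */
static Texture *eager_texture_new(int w, int h)
{
    if ((long long)w * h > MAX_TEXTURE_PIXELS)
        return NULL;
    Texture *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->width = w; t->height = h; t->allocated = 1;
    return t;
}

/* New behaviour: creation never fails; backing store is allocated later. */
static Texture *lazy_texture_new(int w, int h)
{
    Texture *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->width = w; t->height = h; t->allocated = 0;
    return t;
}

/* Explicit allocation step (hypothetical analogue of an explicit
 * cogl allocate call).  Returns 0 on success, -1 if the size cannot be backed. */
static int texture_allocate(Texture *t)
{
    if ((long long)t->width * t->height > MAX_TEXTURE_PIXELS)
        return -1;
    t->allocated = 1;
    return 0;
}

/* First use of a texture.  In the real stack an unallocated texture is where
 * Cogl-ERROR fires and the process is aborted; here a distinct return code
 * makes that outcome observable instead of crashing. */
static int texture_draw(Texture *t)
{
    if (!t) return DRAW_FAILED;
    if (!t->allocated) return DRAW_ABORTED;
    return DRAW_OK;
}

/* Caller written against the old contract: non-NULL means the texture exists.
 * Correct with eager_texture_new(), wrong with lazy_texture_new(). */
static int old_caller_zoom(Texture *(*texture_new)(int, int), int w, int h)
{
    Texture *t = texture_new(w, h);
    if (!t)
        return DRAW_FAILED;            /* refuse this zoom step */
    int rc = texture_draw(t);
    free(t);
    return rc;
}

/* Fixed caller: allocate explicitly and treat allocation failure as a refused
 * zoom step, so the shell stays at the previous magnification. */
static int fixed_caller_zoom(Texture *(*texture_new)(int, int), int w, int h)
{
    Texture *t = texture_new(w, h);
    if (!t)
        return DRAW_FAILED;
    if (texture_allocate(t) != 0) {
        free(t);
        return DRAW_FAILED;
    }
    int rc = texture_draw(t);
    free(t);
    return rc;
}

/* The reproducer: zoom in repeatedly until a step is refused.  Returns the
 * highest magnification reached, or -1 if a step aborted (the crash). */
static int zoom_until_refused(int (*zoom)(Texture *(*)(int, int), int, int),
                              Texture *(*texture_new)(int, int),
                              int screen_w, int screen_h)
{
    int mag = 1;
    for (;;) {
        int rc = zoom(texture_new, screen_w * (mag + 1), screen_h * (mag + 1));
        if (rc == DRAW_ABORTED) return -1;
        if (rc == DRAW_FAILED) return mag;
        mag++;
    }
}

int main(void)
{
    /* 1024x768 is a constructed screen size. */
    printf("old caller, eager cogl:  max zoom %d\n",
           zoom_until_refused(old_caller_zoom, eager_texture_new, 1024, 768));
    printf("old caller, lazy cogl:   max zoom %d (-1 = aborted)\n",
           zoom_until_refused(old_caller_zoom, lazy_texture_new, 1024, 768));
    printf("fixed caller, lazy cogl: max zoom %d\n",
           zoom_until_refused(fixed_caller_zoom, lazy_texture_new, 1024, 768));
    return 0;
}
```

The point the model makes is the one comment 16 states: the old caller is correct against the eager library and simply stops at the largest backable size, but against the lazy library it never sees a NULL and the failure surfaces at first use, where it is fatal. Allocating explicitly at creation time restores the early, recoverable failure; that is also what the expected result in the description asks for (keep running, refuse to zoom further).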

Comment 17 Fedora Update System 2013-06-29 18:40:05 UTC
clutter-1.14.4-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.