Bug 1423374 - gnome-shell crashes with signal 11 due to NULL value passed to _clutter_input_device_reset_scroll_info()
Summary: gnome-shell crashes with signal 11 due to NULL value passed to _clutter_input...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mutter
Version: 7.2
Hardware: x86_64
OS: Linux
urgent
Target Milestone: rc
: 7.3
Assignee: Carlos Garnacho
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1473733 1546815 1609081 1571842
Reported: 2017-02-17 07:14 UTC by Jos Collin
Modified: 2020-05-14 15:39 UTC
14 users

Fixed In Version: mutter-3.28.2-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:19:44 UTC
Target Upstream Version:
Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 778807 0 Normal NEW x11/clutter-device-manager-xi2: Added checking for device and source_device are NULL 2021-02-21 12:58:41 UTC
Red Hat Knowledge Base (Solution) 2931371 0 None None None 2017-02-17 08:02:00 UTC
Red Hat Product Errata RHSA-2018:3140 0 None None None 2018-10-30 10:20:42 UTC

Description Jos Collin 2017-02-17 07:14:19 UTC
Description of problem:
Gnome session hung and gnome-shell dumped a core. The crash is because of null in source_device passed to _clutter_input_device_reset_scroll_info() in clutter-device-manager-xi2.c.

Version-Release number of selected component (if applicable):
1.20.0 and higher.

How reproducible:
One time occurrence only. Steps not provided by the customer.

Actual results:
Gnome session hung and gnome-shell dumped a core.

Expected results:
The NULL values to be checked in clutter-device-manager-xi2.c, which resolves the problem.

Additional info:
I have created a patch in the upstream: https://bugzilla.gnome.org/show_bug.cgi?id=778807. I'm working on the patch for RHEL 7.2.

Comment 1 Jos Collin 2017-02-17 13:20:03 UTC
(In reply to Jos Collin from comment #0)

> I'm working on the patch for RHEL 7.2.
Please ignore this statement in the above Additional info.

Comment 21 Jos Collin 2017-10-16 11:58:37 UTC
@Keigo We have already discussed this via email how to proceed.

Comment 28 Keigo Noha 2018-02-22 08:10:08 UTC
Hello Owen,

Today, we have a bi-weekly meeting with HPE-Japan.
In this meeting, we think the code in the clutter doesn't follow a usual practice, a NULL check.

From gnome developer guide, g_hash_table_lookup() will return NULL if the key is not found.

c.f. https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-lookup
~~~
g_hash_table_lookup ()

gpointer
g_hash_table_lookup (GHashTable *hash_table,
                     gconstpointer key);

Looks up a key in a GHashTable. Note that this function cannot distinguish between a key that is not present and one which is present and has the value NULL. If you need this distinction, use g_hash_table_lookup_extended().

Parameters
hash_table : a GHashTable
key : the key to look up
	 
Returns
the associated value, or NULL if the key is not found. 
~~~

In clutter code, there are so many places which don't check whether the pointer is NULL or not.

HPE and I think that the code should have NULL-check code, as with fopen() or malloc() in C code, to confirm whether the function returns the expected pointer or not before passing it to the latter part of the code.

Current code looks too optimistic regarding the return value of g_hash_table_lookup().

Actually, NULL reference check in another part of the function, clutter_device_manager_xi2_translate_event() was merged.
c.f. https://bugzilla.gnome.org/review?bug=678439&attachment=216819

So, we think that introducing a NULL check for every g_hash_table_lookup() looks like the usual fix.
What do you think about it?
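The NULL-check pattern argued for above, as an added C example that is not part of the bug report or of mutter/clutter: a constructed device table stands in for the GHashTable, `device_lookup()` mirrors the g_hash_table_lookup() NULL-on-miss contract, and `reset_scroll_info()` stands in for _clutter_input_device_reset_scroll_info(); all names and fields are assumptions.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-in for ClutterInputDevice; hypothetical field names. */
typedef struct {
    int device_id;
    int scroll_axes;   /* non-zero once scroll info has been recorded */
} InputDevice;
/* Constructed stand-in for the XI2 device table the real code queries
 * with g_hash_table_lookup(): two known device ids. */
static InputDevice known_devices[] = {
    { .device_id = 2, .scroll_axes = 3 },
    { .device_id = 3, .scroll_axes = 1 },
};

/* Mirrors the g_hash_table_lookup() contract: NULL when the id is unknown. */
static InputDevice *device_lookup(int device_id)
{
    size_t n = sizeof known_devices / sizeof known_devices[0];
    for (size_t i = 0; i < n; i++)
        if (known_devices[i].device_id == device_id)
            return &known_devices[i];
    return NULL;
}

/* Stand-in for _clutter_input_device_reset_scroll_info(): dereferences its
 * argument unconditionally, which is the step that crashed in the report. */
static void reset_scroll_info(InputDevice *device)
{
    device->scroll_axes = 0;
}

/* Guarded call site. The unguarded form passed the lookup result straight to
 * reset_scroll_info(); with an unknown id that is a NULL dereference. Returns
 * true when the device was found and reset, false when the event is skipped. */
static bool handle_device_event(int source_device_id)
{
    InputDevice *source_device = device_lookup(source_device_id);
    if (source_device == NULL)
        return false;
    reset_scroll_info(source_device);
    return true;
}

int main(void)
{
    printf("id 2: %s\n", handle_device_event(2) ? "reset" : "skipped");
    printf("id 9: %s\n", handle_device_event(9) ? "reset" : "skipped");
    return 0;
}
```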

Comment 46 errata-xmlrpc 2018-10-30 10:19:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140