Bug 1947285 - [abrt] xclip: doOut(): xclip killed by SIGSEGV
Summary: [abrt] xclip: doOut(): xclip killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: xclip
Version: 34
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:5514a44e649a950a4b303988097...
Duplicates: 1953239 1957717
Depends On:
Blocks:
 
Reported: 2021-04-08 07:20 UTC by Vadim Raskhozhev
Modified: 2021-06-19 01:08 UTC (History)
CC: 5 users

Fixed In Version: xclip-0.13-14.git11cba61.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-19 01:08:28 UTC
Type: ---
Embargoed:


Attachments (all uploaded 2021-04-08 07:20 UTC by Vadim Raskhozhev):
backtrace (18.61 KB, text/plain)
core_backtrace (987 bytes, text/plain)
cpuinfo (2.44 KB, text/plain)
dso_list (735 bytes, text/plain)
environ (3.92 KB, text/plain)
exploitable (82 bytes, text/plain)
limits (1.29 KB, text/plain)
maps (3.96 KB, text/plain)
mountinfo (3.05 KB, text/plain)
open_fds (205 bytes, text/plain)
proc_pid_status (1.41 KB, text/plain)

Description Vadim Raskhozhev 2021-04-08 07:20:04 UTC
Version-Release number of selected component:
xclip-0.13-12.git9344507.fc34

Additional info:
reporter:       libreport-2.14.0
backtrace_rating: 4
cgroup:         0::/user.slice/user-1000.slice/session-4.scope
cmdline:        xclip -o
crash_function: doOut
executable:     /usr/bin/xclip
journald_cursor: s=bbb366bf067646d1bc78eb643202b91b;i=8e36;b=a26f9653f4594f36a101721ee9ea5b69;m=8c329d2a1c;t=5bf70bd6339fb;x=dc4d7a8494370ac8
kernel:         5.11.10-300.fc34.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (1 frames)
 #1 doOut at /usr/src/debug/xclip-0.13-12.git9344507.fc34.x86_64/xclip.c:599

Comment 1 Vadim Raskhozhev 2021-04-08 07:20:08 UTC
Created attachment 1770150 [details]
File: backtrace

Comment 2 Vadim Raskhozhev 2021-04-08 07:20:09 UTC
Created attachment 1770151 [details]
File: core_backtrace

Comment 3 Vadim Raskhozhev 2021-04-08 07:20:10 UTC
Created attachment 1770152 [details]
File: cpuinfo

Comment 4 Vadim Raskhozhev 2021-04-08 07:20:11 UTC
Created attachment 1770153 [details]
File: dso_list

Comment 5 Vadim Raskhozhev 2021-04-08 07:20:12 UTC
Created attachment 1770154 [details]
File: environ

Comment 6 Vadim Raskhozhev 2021-04-08 07:20:14 UTC
Created attachment 1770155 [details]
File: exploitable

Comment 7 Vadim Raskhozhev 2021-04-08 07:20:15 UTC
Created attachment 1770156 [details]
File: limits

Comment 8 Vadim Raskhozhev 2021-04-08 07:20:16 UTC
Created attachment 1770157 [details]
File: maps

Comment 9 Vadim Raskhozhev 2021-04-08 07:20:17 UTC
Created attachment 1770158 [details]
File: mountinfo

Comment 10 Vadim Raskhozhev 2021-04-08 07:20:21 UTC
Created attachment 1770159 [details]
File: open_fds

Comment 11 Vadim Raskhozhev 2021-04-08 07:20:22 UTC
Created attachment 1770160 [details]
File: proc_pid_status

Comment 12 telometto 2021-04-24 23:18:24 UTC
*** Bug 1953239 has been marked as a duplicate of this bug. ***

Comment 13 L.L.Robinson 2021-05-06 10:51:35 UTC
*** Bug 1957717 has been marked as a duplicate of this bug. ***

Comment 14 Douglas 2021-05-07 22:38:28 UTC
Similar problem has been detected:

Crashed while being used by the 'pass' command to copy a password to the clipboard. It seems to happen quite often.

reporter:       libreport-2.14.0
backtrace_rating: 4
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/app-org.gnome.Terminal.slice/vte-spawn-5b97fc85-6dae-494a-bad8-09f2730a0f4f.scope
cmdline:        xclip -o -selection clipboard
crash_function: doOut
executable:     /usr/bin/xclip
journald_cursor: s=bf0f7f25f909437689c023348b4cad43;i=445d;b=2a9a594d9bee4e8c9c7a23330907a5a7;m=13987a66e;t=5c1c01daa3a69;x=70d90cadffd0c2d6
kernel:         5.11.17-300.fc34.x86_64
package:        xclip-0.13-13.git11cba61.fc34
reason:         xclip killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 15 Jerry James 2021-06-10 15:04:39 UTC
With debuginfo installed, gdb says:

#0  0x00007fb6d4d22789 in __GI___libc_free (mem=0x38000000380) at malloc.c:3288
#1  0x00005612cd95459d in doOut (win=10485761) at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:748
#2  main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:974

so a bad pointer has been passed to free().  Line 748 of xclip.c is:

		    free(sel_buf);

The question is how sel_buf could get a bad pointer.  On line 717, sel_buf is declared but not initialized, so it contains random stack bytes.  We take the "else" branch on line 724, so sel_buf remains uninitialized.  A pointer to sel_buf is passed to xcout() on line 731.  Now look at the code for xcout (xclib.c, line 141).  The value of *context is XCLIB_XCOUT_NONE and the value of *len is 0, so xcout does not change the value of *txt.  Now, back in doOut(), we still have random stack bytes in sel_buf, but we pass those random stack bytes to free() on line 748 of xclip.c.

Fix: initialize sel_buf to NULL, and change "free(sel_buf)" to "if (sel_buf != NULL) free(sel_buf);".

Comment 16 Jerry James 2021-06-10 15:06:36 UTC
The xcmemzero() call on line 746 of xclip.c should also be guarded with "if (sel_buf != NULL)".
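
To make the analysis in comments 15 and 16 concrete, here is an added example that is not xclip's code. The real xcout() takes an X display, window, event and atoms; xcout_model(), xcmemzero_model(), doout_before() and doout_fixed() are hypothetical stand-ins, and the sample selection text is constructed. The model keeps the one behaviour that matters: when xcout() has nothing to hand back it sets *len to 0 and returns without writing *txt. The pre-fix function is shown with the uninitialized sel_buf but is never called, since calling it is undefined behaviour; the post-fix function applies the NULL initialisation and both guards:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XCLIB_XCOUT_NONE 0   /* same name as xclib's "no request sent yet" state */

/* Stand-in for xclib's xcout() (hypothetical). It mirrors the one behaviour
 * described in comment 15: with *context == XCLIB_XCOUT_NONE and nothing to
 * deliver it sets *len = 0 and returns WITHOUT writing through *txt. When
 * there is data it hands back a malloc'd copy, as the real function does. */
static int xcout_model(const char *owner_data, unsigned char **txt,
                       unsigned long *len, unsigned int *context)
{
    if (*context != XCLIB_XCOUT_NONE)
        return 0;
    *len = (owner_data != NULL) ? strlen(owner_data) : 0;
    if (*len == 0)
        return 0;                 /* empty selection: *txt is left untouched */
    *txt = malloc(*len);
    if (*txt == NULL)
        return -1;
    memcpy(*txt, owner_data, *len);
    *context = 1;                 /* "request completed"; the value is an assumption */
    return 0;
}

/* Stand-in for xclib's xcmemzero(): wipe through a volatile function pointer
 * so the compiler cannot drop the clearing of a buffer that is about to be
 * freed (the buffer may hold a password, as in the `pass` report above). */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;
static void xcmemzero_model(void *p, size_t n) { memset_fn(p, 0, n); }

/* The pattern from xclip.c before the fix: sel_buf is declared but never
 * initialized; on the empty-selection path xcout_model() does not assign it,
 * and the stale stack bytes reach xcmemzero()/free(). Shown only, never
 * invoked: running it is undefined behaviour and usually a SIGSEGV in free(). */
unsigned long doout_before(const char *owner_data)
{
    unsigned char *sel_buf;                /* uninitialized, as on xclip.c line 717 */
    unsigned long sel_len = 0;
    unsigned int context = XCLIB_XCOUT_NONE;

    xcout_model(owner_data, &sel_buf, &sel_len, &context);
    xcmemzero_model(sel_buf, sel_len);     /* garbage pointer, length 0 */
    free(sel_buf);                         /* free(garbage): the crash in __libc_free */
    return sel_len;
}

/* The fixed pattern from comments 15 and 16. The selection is copied into
 * `out` (capacity `cap`) so the result can be checked; the return value is
 * the selection length. */
unsigned long doout_fixed(const char *owner_data, char *out, size_t cap)
{
    unsigned char *sel_buf = NULL;         /* fix 1: a known value even if xcout never assigns */
    unsigned long sel_len = 0;
    unsigned int context = XCLIB_XCOUT_NONE;

    if (xcout_model(owner_data, &sel_buf, &sel_len, &context) != 0)
        return 0;
    if (sel_buf != NULL) {                 /* fix 2: guard the wipe; memset(NULL, ..) is UB */
        size_t n = sel_len < cap ? sel_len : cap;
        memcpy(out, sel_buf, n);
        xcmemzero_model(sel_buf, sel_len);
        free(sel_buf);                     /* fix 3: guarded as in comment 15 */
    }
    return sel_len;
}

int main(void)
{
    char out[64];
    unsigned long n;

    n = doout_fixed("", out, sizeof out);          /* the crashing path: empty selection */
    printf("empty selection: %lu bytes\n", n);
    n = doout_fixed("hunter2", out, sizeof out);   /* constructed sample selection */
    printf("selection: %lu bytes, \"%.*s\"\n", n, (int)n, out);
    return 0;
}
```

Build with `cc -Wall -g -fsanitize=address,undefined` and run; the empty-selection call is the path that produced the backtrace above, and if you do call doout_before() under AddressSanitizer it typically reports an attempt to free a non-malloc'd address. Two caveats when reviewing a fix of this shape: free(NULL) is defined as a no-op by the C standard, so initialising sel_buf to NULL is what actually removes the crash and the `if (sel_buf != NULL)` around free() is belt and braces; the guard around xcmemzero()/memset() is not optional, because passing a null pointer to memset is undefined even with a zero length. Freeing whatever happens to be on the stack is also not reliably a SIGSEGV: if the stale bytes equal a live heap pointer it becomes an invalid free or a double free, so a crash in __libc_free on an uninitialized variable should be triaged as a memory-safety bug rather than a plain crash, even when the reproducer is just `xclip -o`.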

Comment 17 Tom "spot" Callaway 2021-06-10 17:30:06 UTC
Looks correct to me, thank you Jerry. Would you like to make a PR for this to go upstream? If not, I will do it on your behalf.

Comment 18 Fedora Update System 2021-06-10 17:47:44 UTC
FEDORA-2021-cdd942c6d4 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4

Comment 19 Jerry James 2021-06-10 18:56:58 UTC
Here's the PR: https://github.com/astrand/xclip/pull/121

Comment 20 Fedora Update System 2021-06-11 02:07:59 UTC
FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cdd942c6d4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2021-06-19 01:08:28 UTC
FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

