Summary: | NET*Info isn't robust against junk data, causing segfaults in third clients | ||
---|---|---|---|
Product: | [Frameworks and Libraries] frameworks-kwindowsystem | Reporter: | marvin24 |
Component: | general | Assignee: | Martin Flöser <mgraesslin> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | kdelibs-bugs, robert.kausch, simonandric5, thomas.luebking, wbauer1 |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | openSUSE | ||
OS: | Linux | ||
URL: | https://git.reviewboard.kde.org/r/124354/ | ||
See Also: | https://bugs.kde.org/show_bug.cgi?id=350708 https://bugs.kde.org/show_bug.cgi?id=350821 | ||
Latest Commit: | http://commits.kde.org/kwindowsystem/a0698881fb0e5a4799d7320561acae84bcd6509f | Version Fixed In: | 5.13 |
Description
marvin24
2015-07-13 13:46:12 UTC
Can you please install debug packages for frameworks-kwindowsystem (for that's where it crashes) and update the backtrace (so that we've a line number in /usr/lib64/libKF5WindowSystem.so.5)? Thanks.

ok, here it goes:

```
#0 0x00007f6b4882c344 in __memcpy_sse2_unaligned () at /lib64/libc.so.6
#1 0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (__len=2535796352, __src=0x7f6b2800e8c8, __dest=<optimized out>) at /usr/include/bits/string3.h:53
        width = <optimized out>
        height = <optimized out>
        size = 2535796352
        i = 0
        j = <optimized out>
        reply = <optimized out>
        data = 0x7f6b2800e8c0
        dirty = <optimized out>
        dirty2 = <optimized out>
        c = 10
#2 0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (icon_count=@0x2ae0e50: 0, icons=..., cookie=..., c=<optimized out>) at /usr/src/debug/kwindowsystem-5.11.0/src/netwm.cpp:563
        width = <optimized out>
        height = <optimized out>
        size = 2535796352
        i = 0
        j = <optimized out>
        reply = <optimized out>
        data = 0x7f6b2800e8c0
        dirty = <optimized out>
        dirty2 = <optimized out>
        c = 10
#3 0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (this=0x23badb0, dirtyProperties=..., dirtyProperties2=...) at /usr/src/debug/kwindowsystem-5.11.0/src/netwm.cpp:4471
        dirty = <optimized out>
        dirty2 = <optimized out>
        c = 10
#4 0x00007f6b483d5146 in KWin::WinInfo::WinInfo(KWin::Client*, unsigned int, unsigned int, QFlags<NET::Property>, QFlags<NET::Property2>) (this=0x23badb0, c=0x271a590, window=132120578, rwin=<optimized out>, properties=..., properties2=...) at /usr/src/debug/kwin-5.3.2/netinfo.cpp:233
#5 0x00007f6b484062ef in KWin::Client::manage(unsigned int, bool) (this=this@entry=0x271a590, w=w@entry=132120578, isMapped=isMapped@entry=false) at /usr/src/debug/kwin-5.3.2/manage.cpp:111
#6 0x00007f6b483ad4dd in KWin::Workspace::createClient(unsigned int, bool) (this=this@entry=0x21bfd90, w=132120578, is_mapped=is_mapped@entry=false) at /usr/src/debug/kwin-5.3.2/workspace.cpp:440
#7 0x00007f6b483f060f in KWin::Workspace::workspaceEvent(xcb_generic_event_t*) (this=0x21bfd90, e=0x7f6b28002210) at /usr/src/debug/kwin-5.3.2/events.cpp:419
#8 0x00007f6b466e082f in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) () at /usr/lib64/libQt5Core.so.5
#9 0x00007f6b30c1e0ee in () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#10 0x00007f6b30c1f10b in () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#11 0x00007f6b46713ca9 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#12 0x00007f6b473a186c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#13 0x00007f6b473a6b80 in QApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#14 0x00007f6b466e3bf3 in QCoreApplication::notifyInternal(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#15 0x00007f6b466e5c37 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#16 0x00007f6b46735a32 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#17 0x00007f6b30c704cd in () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#18 0x00007f6b466e15ea in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#19 0x00007f6b466e8d6d in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#20 0x00007f6b48b446a8 in kdemain(int, char**) (argc=1, argv=0x7fff55828018) at /usr/src/debug/kwin-5.3.2/main_x11.cpp:301
#21 0x00007f6b487bc790 in __libc_start_main () at /lib64/libc.so.6
#22 0x0000000000400869 in _start () at ../sysdeps/x86_64/start.S:118
Detaching from program: /usr/bin/kwin_x11, process 21038
```

> size = 2535796352
WOW! - size = width * height * sizeof(uint32_t);
=> if the icon image was square, it'd be around 25178x25178 px =)
So the icon property data is junk (or falsely encoded)
@Martin
Since this is basically input data (one client, in this case kwin, reads potential junk some other client put there) I'd suggest to add some data sanity checks (notably whether j + size <= reply->value_len, but maybe even if the icon width/height is eg < 1025)
I'll oc. pass a RR, but are you ok with the general idea?
@Marvin, can you compile/test a kwindowsystem patch?
> @Marvin, can you compile/test a kwindowsystem patch?
I'll do my very best
> I'd suggest to add some data sanity checks
yes, clearly! Especially as that could crash a wayland session (and there it's security relevant).
just added a q&d check myself (size < 1024*1024) which breaks the loop in case of overflow (and prints a message, see below):

```
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
```

*** Bug 350708 has been marked as a duplicate of this bug. ***

Git commit a0698881fb0e5a4799d7320561acae84bcd6509f by Thomas Lübking.
Committed on 29/07/2015 at 19:59.
Pushed by luebking into branch 'master'.

Harden NETWM data reading

It's basically input data and cannot be assumed to be sane (a malicious or just stupid client could write anything there)

REVIEW: 124354
FIXED-IN: 5.13

M +11 -3 src/platforms/xcb/netwm.cpp

http://commits.kde.org/kwindowsystem/a0698881fb0e5a4799d7320561acae84bcd6509f

confirm fixed (on kwinsystem-5.12) - thanks!

*** Bug 350821 has been marked as a duplicate of this bug. ***
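The two checks proposed in this thread (a cap on icon width/height and `j + size <= reply->value_len`), written out as a self-contained C parser for the width, height, pixels layout of the EWMH `_NET_WM_ICON` property. This is an added example, not the code from the commit above; `read_icons`, `demo_parse`, `MAX_ICON_DIM` and the sample replies are constructed for illustration, using the `len=1026, width=32` values from the debug output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap per dimension, following the "< 1025" idea from the thread. */
#define MAX_ICON_DIM 1024u

typedef struct {
    uint32_t width, height;
    uint32_t *pixels;            /* width * height ARGB words, owned by the icon */
} icon_t;

/* The unchecked computation: a 32-bit product that silently wraps. */
uint32_t unchecked_size(uint32_t width, uint32_t height)
{
    return width * height * (uint32_t)sizeof(uint32_t);
}

/* Parse icons from a format-32 property of value_len words.
 * Layout per icon: width, height, then width*height pixels.
 * Stops at the first entry that fails validation; returns icons stored. */
size_t read_icons(const uint32_t *data, size_t value_len,
                  icon_t *out, size_t max_icons)
{
    size_t j = 0, n = 0;                       /* invariant: j <= value_len */
    while (n < max_icons && value_len - j >= 2) {
        uint32_t w = data[j], h = data[j + 1];
        j += 2;
        if (w == 0 || h == 0 || w > MAX_ICON_DIM || h > MAX_ICON_DIM)
            break;                             /* junk dimensions */
        size_t npix = (size_t)w * h;           /* <= 1024*1024, cannot wrap */
        if (npix > value_len - j)
            break;                             /* claims more than was sent */
        out[n].pixels = malloc(npix * sizeof(uint32_t));
        if (out[n].pixels == NULL)
            break;
        memcpy(out[n].pixels, data + j, npix * sizeof(uint32_t));
        out[n].width = w;
        out[n].height = h;
        j += npix;
        n++;
    }
    return n;
}

/* Build a constructed reply of value_len words with the given header and
 * opaque-black pixels, parse it, and return how many icons were accepted. */
size_t demo_parse(uint32_t width, uint32_t height, size_t value_len)
{
    if (value_len < 2) return 0;
    uint32_t *reply = malloc(value_len * sizeof(uint32_t));
    if (reply == NULL) return 0;
    reply[0] = width;
    reply[1] = height;
    for (size_t k = 2; k < value_len; k++) reply[k] = 0xFF000000u;
    icon_t icons[4];
    size_t n = read_icons(reply, value_len, icons, 4);
    for (size_t k = 0; k < n; k++) free(icons[k].pixels);
    free(reply);
    return n;
}

int main(void)
{
    printf("wrapped size: %u\n", (unsigned)unchecked_size(32, 4281223773u));
    printf("valid 32x32: %zu icon(s)\n", demo_parse(32, 32, 1026));
    printf("junk height: %zu icon(s)\n", demo_parse(32, 4281223773u, 1026));
    return 0;
}
```

The length check compares pixel counts against the words remaining rather than computing a byte size first, so the comparison itself cannot wrap the way `size` did in the backtrace.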