350173 – NET*Info isn't robust against junk data, causing segfaults in third clients

Bug 350173 - NET*Info isn't robust against junk data, causing segfaults in third clients

Summary: NET*Info isn't robust against junk data, causing segfaults in third clients

Status:	RESOLVED FIXED

Alias:	None

Product:	frameworks-kwindowsystem
Classification:	Frameworks and Libraries
Component:	general (show other bugs)
Version:	unspecified
Platform:	openSUSE Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Martin Flöser

URL:	https://git.reviewboard.kde.org/r/124...
Keywords:

Duplicates (2):	350708 350821 (view as bug list)
Depends on:
Blocks:

Reported:	2015-07-13 13:46 UTC by marvin24
Modified:	2015-07-31 14:57 UTC (History)
CC List:	5 users (show)

See Also:	350708 350821
Latest Commit:	http://commits.kde.org/kwindowsystem/a0698881fb0e5a4799d7320561acae84bcd6509f
Version Fixed In:	5.13
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description marvin24 2015-07-13 13:46:12 UTC

after starting Unigine Heaven 4.0, kwin_x11 crashes. This in on opensuse/tumbleweed. gpu:rs880, dual monitor.

Reproducible: Always

Steps to Reproduce:
1. download unigine heaven 4
2. start (using lowest settings is ok)
3. desktop hangs (no drkonqi output available)



this is from gdb:

#0  0x00007ffff78c0344 in __memcpy_sse2_unaligned () at /lib64/libc.so.6
#1  0x00007ffff6d75a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) () at /usr/lib64/libKF5WindowSystem.so.5
#2  0x00007ffff7469146 in KWin::WinInfo::WinInfo(KWin::Client*, unsigned int, unsigned int, QFlags<NET::Property>, QFlags<NET::Property2>) (this=0x8a9c70, c=0xfe46f0, window=130023426, rwin=<optimized out>, properties=..., properties2=...) at /usr/src/debug/kwin-5.3.2/netinfo.cpp:233
#3  0x00007ffff749a2ef in KWin::Client::manage(unsigned int, bool) (this=this@entry=0xfe46f0, w=w@entry=130023426, isMapped=isMapped@entry=false)
    at /usr/src/debug/kwin-5.3.2/manage.cpp:111
        stacking_blocker = {ws = 0x6b0d40}
        attr = 
            {<KWin::Xcb::AbstractWrapper<KWin::Xcb::WindowAttributesData>> = {_vptr.AbstractWrapper = <optimized out>, m_retrieved = true, m_cookie = {sequence = 1937}, m_window = <optimized out>, m_reply = 0x7fffd800e760}, <No data fields>}
        windowGeometry = 
              {<KWin::Xcb::Wrapper<KWin::Xcb::GeometryData, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::GeometryData>> = {_vptr.AbstractWrapper = <optimized out>, m_retrieved = true, m_cookie = {sequence = 1938}, m_window = <optimized out>, m_reply = 0x7fffd800e710}, <No data fields>}, <No data fields>}
        properties = {i = 553549824}
        properties2 = {i = 65742475}
        wmClientLeaderCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781ed88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 1951}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 33}
        skipCloseAnimationCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781ed88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 1952}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 6}
        gtkFrameExtentsCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781ed88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 1953}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 6}
        showOnScreenEdgeCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781ed88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 1954}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 6}
        colorSchemeCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781eda8 <vtable for KWin::Xcb::StringProperty+16>, m_retrieved = false, m_cookie = {sequence = 1955}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 31}, <No data fields>}
        firstInTabBoxCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781ed88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 1956}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 485}
        transientCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781f0e8 <vtable for KWin::Xcb::TransientFor+16>, m_retrieved = false, m_cookie = {sequence = 1957}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 33}, <No data fields>}
        activitiesCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7ffff781eda8 <vtable for KWin::Xcb::StringProperty+16>, m_retrieved = false, m_cookie = {sequence = 1958}, m_window = 130023426, m_reply = 0x0}, <No data fields>}, m_type = 31}, <No data fields>}
        init_minimize = <optimized out>
        asn_id = {d = 0x61fd40}
        asn_data = {d = 0xe01950}
        asn_valid = <optimized out>
        session = <optimized out>
        activitiesList = {static null = {<No data fields>}, d = 0x8ae840}
        geom = {x1 = 16577136, y1 = 0, x2 = -176512051, y2 = 32767}
        placementDone = <optimized out>
        area = {x1 = -176022752, y1 = 32767, x2 = 0, y2 = 0}
        partial_keep_in_area = <optimized out>
        usePosition = <optimized out>
        dontKeepInArea = <optimized out>
        forced_pos = <optimized out>
#4  0x00007ffff74414dd in KWin::Workspace::createClient(unsigned int, bool) (this=this@entry=0x6b0d40, w=130023426, is_mapped=is_mapped@entry=false)
    at /usr/src/debug/kwin-5.3.2/workspace.cpp:440
        blocker = {ws = 0x6b0d40}
        c = 0xfe46f0
#5  0x00007ffff748460f in KWin::Workspace::workspaceEvent(xcb_generic_event_t*) (this=0x6b0d40, e=0x7fffd8001970) at /usr/src/debug/kwin-5.3.2/events.cpp:419
        c = 0x0
        event = 0x7fffd8001970
        eventType = <optimized out>
        eventWindow = <optimized out>
#6  0x00007ffff577482f in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) () at /usr/lib64/libQt5Core.so.5
#7  0x00007fffdfcb20ee in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#8  0x00007fffdfcb310b in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#9  0x00007ffff57a7ca9 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#10 0x00007ffff643586c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#11 0x00007ffff643ab80 in QApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#12 0x00007ffff5777bf3 in QCoreApplication::notifyInternal(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#13 0x00007ffff5779c37 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#14 0x00007ffff57c9a32 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#15 0x00007fffdfd044cd in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#16 0x00007ffff57755ea in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#17 0x00007ffff577cd6d in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#18 0x00007ffff7bd86a8 in kdemain(int, char**) (argc=1, argv=0x7fffffffd9d8) at /usr/src/debug/kwin-5.3.2/main_x11.cpp:301
        primaryScreen = 0
        c = 0x0
        number_of_screens = <optimized out>
        a = 
          {<KWin::Application> = {<QApplication> = {<No data fields>}, static staticMetaObject = {d = {superdata = 0x7ffff6b073c0 <QApplication::staticMetaObject>, stringdata = 0x7ffff75d0c60 <qt_meta_stringdata_KWin__Application>, data = 0x7ffff75d0b80 <qt_meta_data_KWin__Application>, static_metacall = 0x7ffff7590720 <KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, m_originalSessionKey = {static null = {<No data fields>}, d = 0x7ffff5821b20 <QArrayData::shared_null>}, m_eventFilter = {d = 0x676cd0}, m_configLock = false, m_operationMode = KWin::Application::OperationModeX11, m_x11Time = 272686056, m_rootWindow = 703, m_connection = 0x63caf0, static crashes = 0}, static staticMetaObject = {d = {superdata = 0x7ffff7829880 <KWin::Application::staticMetaObject>, stringdata = 0x7ffff7bd9180 <qt_meta_stringdata_KWin__ApplicationX11>, data = 0x7ffff7bd9120 <qt_meta_data_KWin__ApplicationX11>, static_metacall = 0x7ffff7bd8be0 <KWin::ApplicationX11::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, owner = {d = 0x680160}, m_replace = false}
        replaceOption = {d = {d = 0x679cc0}}
        parser = {d = 0x679d20}
        helper = 
          {<QObject> = {<No data fields>}, static staticMetaObject = {d = {superdata = 0x7ffff5ba2220 <QObject::staticMetaObject>, stringdata = 0x7ffff75c6180 <qt_meta_stringdata_KWin__SessionSaveDoneHelper>, data = 0x7ffff75c6120 <qt_meta_data_KWin__SessionSaveDoneHelper>, static_metacall = 0x7ffff7592170 <KWin::SessionSaveDoneHelper::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, notifier = 0x400840 <_start>, conn = 0x0}
#19 0x00007ffff7850790 in __libc_start_main () at /lib64/libc.so.6
#20 0x0000000000400869 in _start () at ../sysdeps/x86_64/start.S:118

Comment 1 Thomas Lübking 2015-07-13 15:09:55 UTC

Can you please install debug packages for frameworks-kwindowsystem (for that's where it crashes) and update the backtrace (so that we've a line number in /usr/lib64/libKF5WindowSystem.so.5)?

Thanks.

Comment 2 marvin24 2015-07-13 19:55:39 UTC

ok, here it goes:

#0  0x00007f6b4882c344 in __memcpy_sse2_unaligned () at /lib64/libc.so.6
#1  0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (__len=2535796352, __src=0x7f6b2800e8c8, __dest=<optimized out>)
    at /usr/include/bits/string3.h:53
        width = <optimized out>
        height = <optimized out>
        size = 2535796352
        i = 0
        j = <optimized out>
        reply = <optimized out>
        data = 0x7f6b2800e8c0
        dirty = <optimized out>
        dirty2 = <optimized out>
        cookies = 
            {{sequence = 45869}, {sequence = 45870}, {sequence = 45871}, {sequence = 45872}, {sequence = 45873}, {sequence = 45874}, {sequence = 45875}, {sequence = 45876}, {sequence = 45877}, {sequence = 45878}, {sequence = 45879}, {sequence = 45880}, {sequence = 45881}, {sequence = 45882}, {sequence = 45883}, {sequence = 45884}, {sequence = 45885}, {sequence = 45886}, {sequence = 45887}, {sequence = 45888}, {sequence = 45889}, {sequence = 0}, {sequence = 1434611824}, {sequence = 32767}, {sequence = 1}, {sequence = 0}, {sequence = 1434611916}, {sequence = 32767}, {sequence = 1434611888}, {sequence = 32767}, {sequence = 1179745140}, {sequence = 32619}, {sequence = 36860448}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 1025}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1187057656}, {sequence = 32619}, {sequence = 1434611712}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181628690}, {sequence = 32619}, {sequence = 1182325536}, {sequence = 32619}, {sequence = 14}, {sequence = 0}, {sequence = 5}, {sequence = 32619}, {sequence = 72}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1194989676}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 0}, {sequence = 0}, {sequence = 1434615472}, {sequence = 32767}, {sequence = 1025}, {sequence = 0}, {sequence = 1195010944}, {sequence = 32619}, {sequence = 40619040}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 34981712}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 1181830230}, {sequence = 32619}, {sequence = 3}, {sequence = 0}, {sequence = 40}, {sequence = 0}, {sequence = 80}, {sequence = 0}, {sequence = 3}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 48}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 91}, {sequence = 110}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 119}, {sequence = 124}, {sequence = 0}, {sequence = 0}, {sequence = 1219730208}, {sequence = 32619}, {sequence = 40}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 24}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 1434612608}, {sequence = 32767}, {sequence = 1216440734}, {sequence = 32619}, {sequence = 80}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 8}, {sequence = 0}, {sequence = 1179734899}, {sequence = 32619}, {sequence = 15}, {sequence = 0}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 1190617344}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612304}, {sequence = 32767}, {sequence = 43226704}, {sequence = 0}, {sequence = 45189280}, {sequence = 0}, {sequence = 44911536}, {sequence = 0}, {sequence = 44911544}, {sequence = 0}, {sequence = 1181817837}, {sequence = 32619}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 4294967288}, {sequence = 4294967295}, {sequence = 45189280}, {sequence = 0}, {sequence = 160}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181629427}, {sequence = 32619}, {sequence = 8}, {sequence = 0}, {sequence = 1176868761}, {sequence = 32619}, {sequence = 1176922624}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176870201}, {sequence = 32619}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176868761}, {sequence = 0}, {sequence = 1176922560}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612448}, {sequence = 32767}, {sequence = 23068883}, {sequence = 0}...}
        c = 10
#2  0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (icon_count=@0x2ae0e50: 0, icons=..., cookie=..., c=<optimized out>)
    at /usr/src/debug/kwindowsystem-5.11.0/src/netwm.cpp:563
        width = <optimized out>
        height = <optimized out>
        size = 2535796352
        i = 0
        j = <optimized out>
        reply = <optimized out>
        data = 0x7f6b2800e8c0
        dirty = <optimized out>
        dirty2 = <optimized out>
        cookies = 
            {{sequence = 45869}, {sequence = 45870}, {sequence = 45871}, {sequence = 45872}, {sequence = 45873}, {sequence = 45874}, {sequence = 45875}, {sequence = 45876}, {sequence = 45877}, {sequence = 45878}, {sequence = 45879}, {sequence = 45880}, {sequence = 45881}, {sequence = 45882}, {sequence = 45883}, {sequence = 45884}, {sequence = 45885}, {sequence = 45886}, {sequence = 45887}, {sequence = 45888}, {sequence = 45889}, {sequence = 0}, {sequence = 1434611824}, {sequence = 32767}, {sequence = 1}, {sequence = 0}, {sequence = 1434611916}, {sequence = 32767}, {sequence = 1434611888}, {sequence = 32767}, {sequence = 1179745140}, {sequence = 32619}, {sequence = 36860448}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 1025}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1187057656}, {sequence = 32619}, {sequence = 1434611712}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181628690}, {sequence = 32619}, {sequence = 1182325536}, {sequence = 32619}, {sequence = 14}, {sequence = 0}, {sequence = 5}, {sequence = 32619}, {sequence = 72}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1194989676}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 0}, {sequence = 0}, {sequence = 1434615472}, {sequence = 32767}, {sequence = 1025}, {sequence = 0}, {sequence = 1195010944}, {sequence = 32619}, {sequence = 40619040}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 34981712}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 1181830230}, {sequence = 32619}, {sequence = 3}, {sequence = 0}, {sequence = 40}, {sequence = 0}, {sequence = 80}, {sequence = 0}, {sequence = 3}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 48}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 91}, {sequence = 110}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 119}, {sequence = 124}, {sequence = 0}, {sequence = 0}, {sequence = 1219730208}, {sequence = 32619}, {sequence = 40}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 24}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 1434612608}, {sequence = 32767}, {sequence = 1216440734}, {sequence = 32619}, {sequence = 80}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 8}, {sequence = 0}, {sequence = 1179734899}, {sequence = 32619}, {sequence = 15}, {sequence = 0}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 1190617344}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612304}, {sequence = 32767}, {sequence = 43226704}, {sequence = 0}, {sequence = 45189280}, {sequence = 0}, {sequence = 44911536}, {sequence = 0}, {sequence = 44911544}, {sequence = 0}, {sequence = 1181817837}, {sequence = 32619}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 4294967288}, {sequence = 4294967295}, {sequence = 45189280}, {sequence = 0}, {sequence = 160}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181629427}, {sequence = 32619}, {sequence = 8}, {sequence = 0}, {sequence = 1176868761}, {sequence = 32619}, {sequence = 1176922624}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176870201}, {sequence = 32619}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176868761}, {sequence = 0}, {sequence = 1176922560}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612448}, {sequence = 32767}, {sequence = 23068883}, {sequence = 0}...}
        c = 10
#3  0x00007f6b47ce1a46 in NETWinInfo::update(QFlags<NET::Property>, QFlags<NET::Property2>) (this=0x23badb0, dirtyProperties=..., dirtyProperties2=...)
    at /usr/src/debug/kwindowsystem-5.11.0/src/netwm.cpp:4471
        dirty = <optimized out>
        dirty2 = <optimized out>
        cookies = 
            {{sequence = 45869}, {sequence = 45870}, {sequence = 45871}, {sequence = 45872}, {sequence = 45873}, {sequence = 45874}, {sequence = 45875}, {sequence = 45876}, {sequence = 45877}, {sequence = 45878}, {sequence = 45879}, {sequence = 45880}, {sequence = 45881}, {sequence = 45882}, {sequence = 45883}, {sequence = 45884}, {sequence = 45885}, {sequence = 45886}, {sequence = 45887}, {sequence = 45888}, {sequence = 45889}, {sequence = 0}, {sequence = 1434611824}, {sequence = 32767}, {sequence = 1}, {sequence = 0}, {sequence = 1434611916}, {sequence = 32767}, {sequence = 1434611888}, {sequence = 32767}, {sequence = 1179745140}, {sequence = 32619}, {sequence = 36860448}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 1025}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1187057656}, {sequence = 32619}, {sequence = 1434611712}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181628690}, {sequence = 32619}, {sequence = 1182325536}, {sequence = 32619}, {sequence = 14}, {sequence = 0}, {sequence = 5}, {sequence = 32619}, {sequence = 72}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 36860448}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1194989676}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 0}, {sequence = 0}, {sequence = 1434615472}, {sequence = 32767}, {sequence = 1025}, {sequence = 0}, {sequence = 1195010944}, {sequence = 32619}, {sequence = 40619040}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 34981712}, {sequence = 0}, {sequence = 34864288}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 1181830230}, {sequence = 32619}, {sequence = 3}, {sequence = 0}, {sequence = 40}, {sequence = 0}, {sequence = 80}, {sequence = 0}, {sequence = 3}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 48}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 91}, {sequence = 110}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 119}, {sequence = 124}, {sequence = 0}, {sequence = 0}, {sequence = 1219730208}, {sequence = 32619}, {sequence = 40}, {sequence = 0}, {sequence = 0}, {sequence = 0}, {sequence = 24}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 1434612608}, {sequence = 32767}, {sequence = 1216440734}, {sequence = 32619}, {sequence = 80}, {sequence = 0}, {sequence = 16}, {sequence = 0}, {sequence = 8}, {sequence = 0}, {sequence = 1179734899}, {sequence = 32619}, {sequence = 15}, {sequence = 0}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 1190617344}, {sequence = 32619}, {sequence = 0}, {sequence = 0}, {sequence = 1434612304}, {sequence = 32767}, {sequence = 43226704}, {sequence = 0}, {sequence = 45189280}, {sequence = 0}, {sequence = 44911536}, {sequence = 0}, {sequence = 44911544}, {sequence = 0}, {sequence = 1181817837}, {sequence = 32619}, {sequence = 1434612176}, {sequence = 32767}, {sequence = 4294967288}, {sequence = 4294967295}, {sequence = 45189280}, {sequence = 0}, {sequence = 160}, {sequence = 0}, {sequence = 1434612368}, {sequence = 32767}, {sequence = 1181629427}, {sequence = 32619}, {sequence = 8}, {sequence = 0}, {sequence = 1176868761}, {sequence = 32619}, {sequence = 1176922624}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176870201}, {sequence = 32619}, {sequence = 1434612416}, {sequence = 32767}, {sequence = 1176868761}, {sequence = 0}, {sequence = 1176922560}, {sequence = 32619}, {sequence = 2}, {sequence = 0}, {sequence = 1434612448}, {sequence = 32767}, {sequence = 23068883}, {sequence = 0}...}
        c = 10
#4  0x00007f6b483d5146 in KWin::WinInfo::WinInfo(KWin::Client*, unsigned int, unsigned int, QFlags<NET::Property>, QFlags<NET::Property2>) (this=0x23badb0, c=0x271a590, window=132120578, rwin=<optimized out>, properties=..., properties2=...) at /usr/src/debug/kwin-5.3.2/netinfo.cpp:233
#5  0x00007f6b484062ef in KWin::Client::manage(unsigned int, bool) (this=this@entry=0x271a590, w=w@entry=132120578, isMapped=isMapped@entry=false)
    at /usr/src/debug/kwin-5.3.2/manage.cpp:111
        stacking_blocker = {ws = 0x21bfd90}
        attr = 
            {<KWin::Xcb::AbstractWrapper<KWin::Xcb::WindowAttributesData>> = {_vptr.AbstractWrapper = <optimized out>, m_retrieved = true, m_cookie = {sequence = 45845}, m_window = <optimized out>, m_reply = 0x7f6b2800bbf0}, <No data fields>}
        windowGeometry = 
              {<KWin::Xcb::Wrapper<KWin::Xcb::GeometryData, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::GeometryData>> = {_vptr.AbstractWrapper = <optimized out>, m_retrieved = true, m_cookie = {sequence = 45846}, m_window = <optimized out>, m_reply = 0x7f6b280021e0}, <No data fields>}, <No data fields>}
        properties = {i = 553549824}
        properties2 = {i = 65742475}
        wmClientLeaderCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ad88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 45859}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 33}
        skipCloseAnimationCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ad88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 45860}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 6}
        gtkFrameExtentsCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ad88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 45861}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 6}
        showOnScreenEdgeCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ad88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 45862}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 6}
        colorSchemeCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ada8 <vtable for KWin::Xcb::StringProperty+16>, m_retrieved = false, m_cookie = {sequence = 45863}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 31}, <No data fields>}
        firstInTabBoxCookie = 
          {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ad88 <vtable for KWin::Xcb::Property+16>, m_retrieved = false, m_cookie = {sequence = 45864}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 485}
        transientCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878b0e8 <vtable for KWin::Xcb::TransientFor+16>, m_retrieved = false, m_cookie = {sequence = 45865}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 33}, <No data fields>}
        activitiesCookie = 
            {<KWin::Xcb::Property> = {<KWin::Xcb::Wrapper<KWin::Xcb::PropertyData, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>> = {<KWin::Xcb::AbstractWrapper<KWin::Xcb::PropertyData>> = {_vptr.AbstractWrapper = 0x7f6b4878ada8 <vtable for KWin::Xcb::StringProperty+16>, m_retrieved = false, m_cookie = {sequence = 45866}, m_window = 132120578, m_reply = 0x0}, <No data fields>}, m_type = 31}, <No data fields>}
        init_minimize = <optimized out>
        asn_id = {d = 0x212ed40}
        asn_data = {d = 0x2338750}
        asn_valid = <optimized out>
        session = <optimized out>
        activitiesList = {static null = {<No data fields>}, d = 0x27ea890}
        geom = {x1 = 41840656, y1 = 0, x2 = 1181836237, y2 = 32619}
        placementDone = <optimized out>
        area = {x1 = 1182325536, y1 = 32619, x2 = 0, y2 = 0}
        partial_keep_in_area = <optimized out>
        usePosition = <optimized out>
        dontKeepInArea = <optimized out>
        forced_pos = <optimized out>
#6  0x00007f6b483ad4dd in KWin::Workspace::createClient(unsigned int, bool) (this=this@entry=0x21bfd90, w=132120578, is_mapped=is_mapped@entry=false)
    at /usr/src/debug/kwin-5.3.2/workspace.cpp:440
        blocker = {ws = 0x21bfd90}
        c = 0x271a590
#7  0x00007f6b483f060f in KWin::Workspace::workspaceEvent(xcb_generic_event_t*) (this=0x21bfd90, e=0x7f6b28002210) at /usr/src/debug/kwin-5.3.2/events.cpp:419
        c = 0x0
        event = 0x7f6b28002210
        eventType = <optimized out>
        eventWindow = <optimized out>
#8  0x00007f6b466e082f in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) () at /usr/lib64/libQt5Core.so.5
#9  0x00007f6b30c1e0ee in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#10 0x00007f6b30c1f10b in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#11 0x00007f6b46713ca9 in QObject::event(QEvent*) () at /usr/lib64/libQt5Core.so.5
#12 0x00007f6b473a186c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#13 0x00007f6b473a6b80 in QApplication::notify(QObject*, QEvent*) () at /usr/lib64/libQt5Widgets.so.5
#14 0x00007f6b466e3bf3 in QCoreApplication::notifyInternal(QObject*, QEvent*) () at /usr/lib64/libQt5Core.so.5
#15 0x00007f6b466e5c37 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib64/libQt5Core.so.5
#16 0x00007f6b46735a32 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#17 0x00007f6b30c704cd in  () at /usr/lib64/qt5/plugins/platforms/libqxcb.so
#18 0x00007f6b466e15ea in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
#19 0x00007f6b466e8d6d in QCoreApplication::exec() () at /usr/lib64/libQt5Core.so.5
#20 0x00007f6b48b446a8 in kdemain(int, char**) (argc=1, argv=0x7fff55828018) at /usr/src/debug/kwin-5.3.2/main_x11.cpp:301
        primaryScreen = 0
        c = 0x0
        number_of_screens = <optimized out>
        a = 
          {<KWin::Application> = {<QApplication> = {<No data fields>}, static staticMetaObject = {d = {superdata = 0x7f6b47a733c0 <QApplication::staticMetaObject>, stringdata = 0x7f6b4853cc60 <qt_meta_stringdata_KWin__Application>, data = 0x7f6b4853cb80 <qt_meta_data_KWin__Application>, static_metacall = 0x7f6b484fc720 <KWin::Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, m_originalSessionKey = {static null = {<No data fields>}, d = 0x7f6b4678db20 <QArrayData::shared_null>}, m_eventFilter = {d = 0x2187680}, m_configLock = false, m_operationMode = KWin::Application::OperationModeX11, m_x11Time = 296415829, m_rootWindow = 703, m_connection = 0x214baf0, static crashes = 0}, static staticMetaObject = {d = {superdata = 0x7f6b48795880 <KWin::Application::staticMetaObject>, stringdata = 0x7f6b48b45180 <qt_meta_stringdata_KWin__ApplicationX11>, data = 0x7f6b48b45120 <qt_meta_data_KWin__ApplicationX11>, static_metacall = 0x7f6b48b44be0 <KWin::ApplicationX11::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, owner = {d = 0x218f1b0}, m_replace = false}
        replaceOption = {d = {d = 0x21868e0}}
        parser = {d = 0x2188d30}
        helper = 
          {<QObject> = {<No data fields>}, static staticMetaObject = {d = {superdata = 0x7f6b46b0e220 <QObject::staticMetaObject>, stringdata = 0x7f6b48532180 <qt_meta_stringdata_KWin__SessionSaveDoneHelper>, data = 0x7f6b48532120 <qt_meta_data_KWin__SessionSaveDoneHelper>, static_metacall = 0x7f6b484fe170 <KWin::SessionSaveDoneHelper::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, notifier = 0x400840 <_start>, conn = 0x0}
#21 0x00007f6b487bc790 in __libc_start_main () at /lib64/libc.so.6
#22 0x0000000000400869 in _start () at ../sysdeps/x86_64/start.S:118
Detaching from program: /usr/bin/kwin_x11, process 21038

Comment 3 Thomas Lübking 2015-07-14 07:46:35 UTC

> size = 2535796352
WOW! - size   = width * height * sizeof(uint32_t);

=> if the icon image was square, it'd be around 25178x25178 px =)

So the icon property data is junk (or falsely encoded)

@Martin
Since this is basically input data (one client, in this case kwin, reads potential junk some other client put there) I'd suggest to add some data sanity checks (notably whether j + size <= reply->value_len, but maybe even if the icon width/height is eg < 1025)
I'll oc. pass a RR, but are you ok with the general idea?

@Marvin, can you compile/test a kwindowsystem patch?

Comment 4 marvin24 2015-07-14 07:59:01 UTC

> @Marvin, can you compile/test a kwindowsystem patch?

I'll do my very best

Comment 5 Martin Flöser 2015-07-14 08:14:39 UTC

>  I'd suggest to add some data sanity checks

yes, clearly! Especially as that could crash a wayland session (and there it's security relevant).

Comment 6 marvin24 2015-07-14 13:21:13 UTC

just added a q&d check myself (size < 1024*1024) which breaks the loop in case of overflow (and prints a message, see below):
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=4281223773, size=2535796352
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208
NET: readIcon reply len=1026, width=32, heigth=14797736, size=1894110208

Comment 7 Wolfgang Bauer 2015-07-28 16:00:31 UTC

*** Bug 350708 has been marked as a duplicate of this bug. ***

Comment 8 Thomas Lübking 2015-07-29 20:08:31 UTC

Git commit a0698881fb0e5a4799d7320561acae84bcd6509f by Thomas Lübking.
Committed on 29/07/2015 at 19:59.
Pushed by luebking into branch 'master'.

Harden NETWM data reading

It's basically input data and cannot
be assumed to be sane (a malicious
or just stupid client could write anything
there)
REVIEW: 124354
FIXED-IN: 5.13

M  +11   -3    src/platforms/xcb/netwm.cpp

http://commits.kde.org/kwindowsystem/a0698881fb0e5a4799d7320561acae84bcd6509f

Comment 9 marvin24 2015-07-30 08:28:41 UTC

confirm fixed (on kwinsystem-5.12) - thanks!

Comment 10 Thomas Lübking 2015-07-31 14:57:42 UTC

*** Bug 350821 has been marked as a duplicate of this bug. ***