FS#51298 - [libxi] gtk2 segfaults

Attached to Project: Arch Linux
Opened by Erin (heimer16) - Sunday, 09 October 2016, 15:43 GMT
Last edited by Jan de Groot (JGC) - Friday, 21 October 2016, 09:10 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Andreas Radke (AndyRTR)
Laurent Carlier (lordheavy)
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

gtk2 applications fail to start with a segmentation fault using libxi 1.7.7 with xbox360 controller connected via usb. When disconnecting the controller gtk2 applications start normally. Re-connecting the controller resumes causing segfaults on starting gtk2 applications. gtk3 and non-gtk applications start fine.

downgrading to libxi 1.7.6 fixes the issue.

an example stack trace:

#0 0x00007ffff78898ce in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#1 0x00007ffff7864f28 in gdk_display_open () from /usr/lib/libgdk-x11-2.0.so.0
#2 0x00007ffff7834732 in gdk_display_open_default_libgtk_only () from /usr/lib/libgdk-x11-2.0.so.0
#3 0x00007ffff2176275 in gtk_init () from /usr/lib/libgtk-x11-2.0.so.0
#4 0x00007ffff7228f28 in Gtk::Main::init(int*, char***, bool) () from /usr/lib/libgtkmm-2.4.so.1
#5 0x00007ffff7228f8f in Gtk::Main::Main(int&, char**&, bool) () from /usr/lib/libgtkmm-2.4.so.1
#6 0x0000000000412231 in ?? ()
#7 0x00007ffff50c3291 in __libc_start_main () from /usr/lib/libc.so.6
#8 0x0000000000413e69 in ?? ()

thread in forum here:
https://bbs.archlinux.org/viewtopic.php?pid=1659799#p1659799

Closed by  Jan de Groot (JGC)
Friday, 21 October 2016, 09:10 GMT
Reason for closing:  Fixed
Additional comments about closing:  libxi 1.7.7-2 moved to extra.
Comment by Erin (heimer16) - Monday, 10 October 2016, 15:46 GMT
Just to add that it seems to be an issue with some input devices in general, not just the xbox controller. I get the same issue with a ps2 controller via a usb adapter, and someone else in the forum has reported the issue with a wacom tablet.
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 10:46 GMT
The error goes away if I remove lines 224 and 225 from src/XListDev.c [if (!s) goto out].
Comment by Laurent Carlier (lordheavy) - Tuesday, 11 October 2016, 11:35 GMT
@jouke

You should file an upstream bug report at https://bugs.freedesktop.org
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 11:51 GMT
I hadn't because I had not fully researched the bug, but here we go:
https://bugs.freedesktop.org/show_bug.cgi?id=98204
Comment by Jan de Groot (JGC) - Tuesday, 11 October 2016, 13:11 GMT
Thanks for investigating.

Something hits the bailout code. I don't know what's wrong with the bailout code or if it's a problem in the server/driver here, but the bailout code is not complete.

XListInputDevices(
register Display *dpy,
int *ndevices)

ndevices is set to non-zero, then the calculations are done, something hits the bailout, ndevices is not touched anymore and NULL is returned.

gtk does this:
devices = XListInputDevices(display_x11->xdisplay, &num_devices);
for(loop=0; loop<num_devices; loop++)


So gtk will loop through a NULL devices array because num_devices is non-zero.
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 13:28 GMT
Shouldn't gtk check whether or not devices is NULL? This is not to say that the behavior of XListInputDevices is not wrong, but not checking a return value smells.
Comment by Laurent Carlier (lordheavy) - Tuesday, 11 October 2016, 13:35 GMT
From libxi code (https://cgit.freedesktop.org/xorg/lib/libXi/tree/src/XListDev.c?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5) line 193, in case of failure devices is NULL

gtk is probably wrong and should check for devices, though it doesn't seem to be defined in the XListInputDevices manpage (https://linux.die.net/man/3/xlistinputdevices)
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 13:53 GMT
I think you mean line 181. In the bailout code, sclist is returned which is initialized to NULL on line 181 and only set on line 244, after which no unsuccessful exits are coded for.
The man page should probably include a section on return codes, but for safety it is better to not touch ndevices at all until we are sure to return anything meaningful.

I still haven't looked into the code too much, but it could also be that the logic in XListInputDevices is wrong and it should not abort when SizeClassInfo returns 0.
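The two sides of this thread (the library writing ndevices before its bailout, and the caller iterating without checking for NULL) can be shown side by side in a small constructed model. This is an added example, not libXi or gtk code: list_devices_buggy, list_devices_fixed, size_class_info and the DeviceInfo type are simplified stand-ins invented here, and the three device names are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for XDeviceInfo; not the real Xlib type. */
typedef struct {
    int id;
    const char *name;
} DeviceInfo;

/* Constructed sample reply: three devices, as a server might list them. */
#define K_NDEVICES 3
static const char *const kSampleDevices[K_NDEVICES] = {
    "Virtual core pointer", "Virtual core keyboard", "Xbox 360 pad"
};

/* Hypothetical model of the SizeClassInfo check: fails (returns 0) for
 * device `bad_index`, succeeds for every other device. bad_index < 0 means
 * "no failure". */
static int size_class_info(int index, int bad_index) {
    return index == bad_index ? 0 : 1;
}

/* Pattern described in the report: *ndevices is written before the
 * bailout, and the bailout returns NULL without resetting it. */
DeviceInfo *list_devices_buggy(int bad_index, int *ndevices) {
    DeviceInfo *list = NULL;
    *ndevices = K_NDEVICES;                 /* committed too early */
    for (int i = 0; i < K_NDEVICES; i++) {
        if (!size_class_info(i, bad_index))
            goto out;                       /* *ndevices still 3 here */
    }
    list = calloc(K_NDEVICES, sizeof *list);
    if (!list)
        goto out;
    for (int i = 0; i < K_NDEVICES; i++) {
        list[i].id = i + 2;
        list[i].name = kSampleDevices[i];
    }
out:
    return list;
}

/* Hardened pattern: the count is only stored once the list is fully built,
 * so a NULL return is never paired with a non-zero count. */
DeviceInfo *list_devices_fixed(int bad_index, int *ndevices) {
    for (int i = 0; i < K_NDEVICES; i++) {
        if (!size_class_info(i, bad_index))
            return NULL;                    /* *ndevices untouched */
    }
    DeviceInfo *list = calloc(K_NDEVICES, sizeof *list);
    if (!list)
        return NULL;
    for (int i = 0; i < K_NDEVICES; i++) {
        list[i].id = i + 2;
        list[i].name = kSampleDevices[i];
    }
    *ndevices = K_NDEVICES;                 /* commit only on success */
    return list;
}

typedef DeviceInfo *(*lister_fn)(int, int *);

/* Defensive caller: checks the pointer, not the count. Returns the number
 * of devices seen, or -1 when the listing failed. */
int count_devices_checked(lister_fn lister, int bad_index) {
    int n = 0;
    DeviceInfo *devs = lister(bad_index, &n);
    if (devs == NULL)
        return -1;
    int seen = 0;
    for (int i = 0; i < n; i++)
        if (devs[i].name)
            seen++;
    free(devs);
    return seen;
}

/* Naive caller as quoted in the report: trusts ndevices alone. Instead of
 * dereferencing NULL it reports (1) whether the loop would have done so. */
int naive_caller_would_crash(lister_fn lister, int bad_index) {
    int n = 0;
    DeviceInfo *devs = lister(bad_index, &n);
    int would_crash = (devs == NULL && n > 0);
    free(devs);                              /* free(NULL) is a no-op */
    return would_crash;
}

int main(void) {
    printf("buggy lister, naive caller, device 2 fails: would crash = %d\n",
           naive_caller_would_crash(list_devices_buggy, 2));
    printf("fixed lister, naive caller, device 2 fails: would crash = %d\n",
           naive_caller_would_crash(list_devices_fixed, 2));
    printf("buggy lister, checked caller, device 2 fails: %d\n",
           count_devices_checked(list_devices_buggy, 2));
    printf("fixed lister, checked caller, no failure: %d\n",
           count_devices_checked(list_devices_fixed, -1));
    return 0;
}
```

Either fix alone avoids the crash: the library-side change (store the count last) protects callers that only look at ndevices, and the caller-side change (test the pointer) protects against any library that returns NULL, which is the safer habit since the man page does not promise what ndevices holds on failure.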
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 14:21 GMT
I have submitted a patch upstream that mitigates the issue, although the gtk bug should probably still be addressed.
Comment by Jouke Witteveen (jouke) - Tuesday, 11 October 2016, 16:19 GMT
Comment by Laurent Carlier (lordheavy) - Thursday, 13 October 2016, 16:38 GMT
Please check with libxi-1.7.7-2 in testing
Comment by Jouke Witteveen (jouke) - Thursday, 20 October 2016, 19:25 GMT
1.7.7-2 indeed fixes the problem :-).