Bug 13815 - libX11: 32-bit request number wrapping bug
Summary: libX11: 32-bit request number wrapping bug
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: PATCH, validated_update
Depends on:
Blocks:
 
Reported: 2014-07-28 15:52 CEST by Jan Smout
Modified: 2015-09-29 20:50 CEST (History)

See Also:
Source RPM: libxcb, libx11
CVE:
Status comment:



Description Jan Smout 2014-07-28 15:52:20 CEST
Hi all,


I recently ran into this bug on 32-bit Mageia 4:
https://bugs.freedesktop.org/show_bug.cgi?id=71338

It has basically something to do with a 32-bit sequence number wrapping around in a UInt64.
libX11-1.6.2/src/xcb_io.c: In function _XSend, starting from the last flush, pending requests are queued to be handled later (asynchronous communication...). The queuing is broken due to mixed usage of 32 and 64 bit integer sequence numbers. A textbook example for making the case for strong typing ;-)

My application crashes in less than 24 hours with a fatal XIOError. Others would crash (apparently randomly) after a few weeks.


But, here's the good news: A proposed solution in patchwork:
http://patchwork.freedesktop.org/patch/16753/

Which I tested and validated using libx11-1.6.2-2.mga4.src.rpm

I could provide a patch against libx11.spec, but it is so simple that someone with direct access to the src.rpm could do it with his or her eyes closed.



For testing purpose there is a reproducer available at:
https://bugs.freedesktop.org/attachment.cgi?id=88996

Using it like this:
for (;;) {
    XNoOp(dpy);
}

will make it crash a lot faster

compile with gcc -m32 -lX11 -o xdraw xdraw.c

Using a fresh installed 32-bit Mageia 4 with 20140708-225901 updates (gcc-4.8.2-3mga4, Xorg 1.14.5-2.mga4, kernel 3.12.21-server-2.mga4 and nvidia proprietary driver 331.79-2)
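The integer mismatch described above, as an added illustration that is not libX11 or libxcb code: a 32-bit request number compared directly against a 64-bit request counter stops matching once the counter passes 2^32, whereas widening the 32-bit value against a known 64-bit reference keeps the bookkeeping consistent. The names and the scenario values are constructed for the example.

```c
/* Added example (not libX11/libxcb code): 32-bit vs 64-bit request numbers. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical: what a narrow API hands back for a request that the client
 * itself tracks with a full 64-bit counter. */
static uint32_t narrow_seq(uint64_t request64) { return (uint32_t)request64; }

/* Buggy comparison: correct only while the counter is below 2^32. After the
 * wrap the 32-bit value never equals the 64-bit one, so a pending request is
 * never recognised as reached and the pending list goes stale. */
bool matches_naive(uint64_t pending64, uint32_t seq32)
{
    return pending64 == (uint64_t)seq32;
}

/* Widening: rebuild the 64-bit sequence from its low 32 bits, given a 64-bit
 * reference 'latest' known to be >= the request and within 2^32 of it.
 * Written from scratch here; the same idea is used by XCB's 64-bit API. */
uint64_t widen_seq(uint64_t latest, uint32_t seq32)
{
    uint64_t widened = (latest & UINT64_C(0xffffffff00000000)) | seq32;
    if (widened > latest)            /* low word wrapped since 'latest' */
        widened -= UINT64_C(1) << 32;
    return widened;
}

bool matches_widened(uint64_t latest, uint64_t pending64, uint32_t seq32)
{
    return pending64 == widen_seq(latest, seq32);
}

int main(void)
{
    /* Constructed scenario: the client has issued just over 2^32 requests. */
    uint64_t pending = UINT64_C(0x100000005);
    uint64_t latest  = UINT64_C(0x100000007);
    uint32_t seq32   = narrow_seq(pending);          /* 0x00000005 */

    printf("naive:   %s\n", matches_naive(pending, seq32) ? "match" : "MISMATCH");
    printf("widened: %s\n",
           matches_widened(latest, pending, seq32) ? "match" : "MISMATCH");
    return 0;
}
```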
David Walser 2014-07-29 12:46:10 CEST

CC: (none) => luigiwalser
Assignee: bugsquad => thierry.vignaud

Comment 1 Thierry Vignaud 2014-07-29 15:55:06 CEST
The above URL shows this patch was reviewed and needs fixing.
Can you try pinging upstream so that a good version could be committed upstream?
Comment 2 Jan Smout 2014-07-30 09:43:33 CEST
Pinging
http://lists.x.org/archives/xorg-devel/2014-July/043341.html
Comment 3 Samuel Verschelde 2015-09-21 13:20:28 CEST
Mageia 4 changed to end-of-life (EOL) status on 2015-09-19. It is no longer 
maintained, which means that it will not receive any further security or bug 
fix updates.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we weren't 
able to fix it before Mageia 4's end of life. If you are able to reproduce it 
against a later version of Mageia, you are encouraged to click on "Version" and 
change it against that version of Mageia. If it's valid in several versions, 
select the highest and add MGAxTOO in whiteboard for each other valid release.
Example: it's valid in cauldron and Mageia 5, set to cauldron and add MGA5TOO.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

If you would like to help fixing bugs in the future, don't hesitate to join the
packager team via our mentoring program [1] or join the teams that fit you 
most [2].

[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/
Comment 4 Jan Smout 2015-09-22 14:20:03 CEST
Changed bug report to Mageia 5 (Yes it's still there)


The proposed patch of 15/12/2013 (!)
http://patchwork.freedesktop.org/patch/16753/

was good enough to avoid the crash. I confirmed its correct functioning back in July 2014. It could have been included easily in Mageia 4/5.


The underlying issue was a design mismatch between libxcb and libx11.

Finally some progress was made earlier this year.

Latest update is here:
http://lists.x.org/archives/xorg-devel/2015-September/047285.html

* XCB 1.11.1 now exposes 64-bit sequence numbers

http://lists.x.org/archives/xorg-devel/2015-September/047417.html

* Patch got merged into main libX11. No release info available yet.

Version: 4 => 5

Rémi Verschelde 2015-09-22 14:25:50 CEST

Keywords: (none) => PATCH
Source RPM: (none) => libxcb, libx11

Comment 5 David Walser 2015-09-22 23:27:41 CEST
We're not all low-level system programmers, so we're not going to necessarily add a patch we don't understand that upstream hasn't even accepted.

So the real fix is to update to libxcb 1.11.1 and add these patches to libx11:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=a72d2d06c002b644b7040a0a9936c8525e092ba8
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=3f41d8a7f82eb5ffbd5c5d36472cf7043186b904
Comment 6 Olivier Blin 2015-09-22 23:43:47 CEST
xcb 1.11.1 submitted to cauldron, we now need to apply the patches in libx11.

CC: (none) => mageia

Comment 7 Jan Smout 2015-09-23 12:57:37 CEST
The original 2013 patch was quite straightforward, reviewed and tested, but I don't want to be too pedantic about it; just a little ;-)
In your defense, I can and do understand the potential maintenance nightmare of accepting random patches. No grudge there.

Now, I have no idea if they even tested the new code (they should have), so I would like to ask you to keep me posted when you release a new libx11 for cauldron. I intend to put it to a long duration test like I did last year.
Comment 8 David Walser 2015-09-23 15:01:23 CEST
Should be fixed in libxcb-1.11.1-1.mga6 and libx11-1.6.3-2.mga6 in Cauldron.
Comment 9 David Walser 2015-09-23 21:31:33 CEST
Updated packages uploaded for Mageia 5.

Jan, I'll let you test this before assigning to QA.

Advisory:
----------------------------------------

An application that uses libX11 to do a lot of drawing could eventually crash
with an XIOError, due to an integer type mismatch in the Xorg libraries
(fdo#71338).

The libx11 package has been updated to version 1.6.3 and patched to correct
this issue and several other bugs.  The libxcb package has been updated to
version 1.11.1, which is needed by the patched libx11.

References:
https://bugs.freedesktop.org/show_bug.cgi?id=71338
http://lists.x.org/archives/xorg-announce/2015-September/002633.html
http://lists.x.org/archives/xorg-announce/2015-March/002543.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
libxcb1-1.11.1-1.mga5
libxcb-devel-1.11.1-1.mga5
libxcb-static-devel-1.11.1-1.mga5
libxcb-doc-1.11.1-1.mga5
libxcb-composite0-1.11.1-1.mga5
libxcb-damage0-1.11.1-1.mga5
libxcb-dpms0-1.11.1-1.mga5
libxcb-dri2_0-1.11.1-1.mga5
libxcb-dri3_0-1.11.1-1.mga5
libxcb-glx0-1.11.1-1.mga5
libxcb-present_0-1.11.1-1.mga5
libxcb-randr0-1.11.1-1.mga5
libxcb-record0-1.11.1-1.mga5
libxcb-render0-1.11.1-1.mga5
libxcb-res0-1.11.1-1.mga5
libxcb-screensaver0-1.11.1-1.mga5
libxcb-shape0-1.11.1-1.mga5
libxcb-shm0-1.11.1-1.mga5
libxcb-sync1-1.11.1-1.mga5
libxcb-xevie0-1.11.1-1.mga5
libxcb-xf86dri0-1.11.1-1.mga5
libxcb-xfixes0-1.11.1-1.mga5
libxcb-xinerama0-1.11.1-1.mga5
libxcb-xkb1-1.11.1-1.mga5
libxcb-xprint0-1.11.1-1.mga5
libxcb-xtest0-1.11.1-1.mga5
libxcb-xv0-1.11.1-1.mga5
libxcb-xvmc0-1.11.1-1.mga5
libx11_6-1.6.3-1.mga5
libx11-xcb1-1.6.3-1.mga5
libx11-devel-1.6.3-1.mga5
libx11-common-1.6.3-1.mga5
libx11-doc-1.6.3-1.mga5

from SRPMS:
libxcb-1.11.1-1.mga5.src.rpm
libx11-1.6.3-1.mga5.src.rpm
Comment 10 Jan Smout 2015-09-26 15:27:31 CEST
Tested on Mageia 5 with

libxcb-1.11.1-1.mga5.src.rpm
libx11-1.6.3-1.mga5.src.rpm

Tested it yesterday with XNoOp in a tight loop. Used to crash within 10 minutes on my test hardware. I let it run for 4 hours on 2 machines without any problem.

For my own application, a long duration test will start now (requirements are that it runs for 4 months straight), but that's out of scope for this bug report.


This bug report can be closed for me


Remark: when I said I would test against cauldron I actually meant that I would backport the src.rpm from cauldron to Mageia 5, but there is no need for me to do that now. Thank you guys.
Comment 11 David Walser 2015-09-26 15:38:53 CEST
Thanks Jan.  This bug can't be closed until we actually ship the update.  Which architecture did you test?

Assigning to QA now so that this can be released.  Advisory and package list in Comment 9.  Testing details in Comment 0.

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Comment 12 Yann Cantin 2015-09-26 19:07:32 CEST
mga5 x86_64

I need to use gcc -m32 -L/lib -lX11 -o crash crash.c to compile the crasher.

Before update:
 libx11_6-1.6.2-5.mga5.i586
 libxcb1-1.11-3.mga5.i586

Crash after ~12 minutes:

17:40ERROR Received a X IO error on display=8ff8008.
backtrace() returned 10 addresses
./crash() [0x804892f]
./crash() [0x80489e0]
/lib/libX11.so.6(_XIOError+0x5d) [0xf766979d]
/lib/libX11.so.6(_XReply+0x3a3) [0xf7667883]
/lib/libX11.so.6(+0x3bea4) [0xf7669ea4]
/lib/libX11.so.6(+0x3bf97) [0xf7669f97]
/lib/libX11.so.6(XNoOp+0x58) [0xf7655da8]
./crash() [0x8048b4f]
/lib/libc.so.6(__libc_start_main+0xde) [0xf747cefe]
./crash() [0x80487f1]

Updated packages:
 libx11_6-1.6.3-1.mga5.i586
 libxcb1-1.11.1-1.mga5.i586

Rebuilt the crasher.

Ran for 20 minutes without a crash.

Update OK.

CC: (none) => yann.cantin
Whiteboard: (none) => MGA5-64-OK

Rémi Verschelde 2015-09-26 19:22:58 CEST

Whiteboard: MGA5-64-OK => has_procedure MGA5-64-OK

Comment 13 Rémi Verschelde 2015-09-27 12:02:15 CEST
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 14 Jan Smout 2015-09-27 16:10:04 CEST
@David: compiled and tested on i586 mageia 5


@Yann: so you tested a 32-bit executable (linked against 32-bit libxcb and libx11) on a x86_64 Xorg server, right?


Btw: I first checked whether it still crashed with the current versions libx11_6-1.6.2-5.mga5.i586 and libxcb1-1.11-3.mga5.i586, as Yann did.
Comment 15 David Walser 2015-09-27 16:28:50 CEST
Thanks Jan.

This can be validated.

Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 16 Rémi Verschelde 2015-09-27 16:35:48 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Yann Cantin 2015-09-27 20:17:43 CEST
@Jan : yes
Comment 18 Mageia Robot 2015-09-29 20:50:56 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0135.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
