Saturday, September 30, 2023

Re: sysutils/rofi sometimes coredumps in __vfprintf (+ similar crash in fvwm3)

On 2023/09/28 22:10:08 +0300, Mikhail <mp39590@gmail.com> wrote:
> Core was generated by `rofi'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> 125 movq (%rax),%rdx /* get bytes to check */
> (gdb) bt
> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> #1 0x00000c011b001558 in __vfprintf (fp=<optimized out>, fmt0=<optimized out>, ap=<optimized out>) at /usr/src/lib/libc/stdio/vfprintf.c:877
> #2 0x00000c011affa5a5 in _libc_vasprintf (str=0x76d393e72e40, fmt=0xbfe638afa35 "Found window manager: |%s|", ap=0x76d393e73030) at /usr/src/lib/libc/stdio/vasprintf.c:43
> #3 0x00000c010a1f0ac7 in g_vasprintf () from /usr/local/lib/libglib-2.0.so.4201.10
> #4 0x00000c010a1b512d in g_strdup_vprintf () from /usr/local/lib/libglib-2.0.so.4201.10
> #5 0x00000c010a197b3b in g_logv () from /usr/local/lib/libglib-2.0.so.4201.10
> #6 0x00000c010a197a55 in g_log () from /usr/local/lib/libglib-2.0.so.4201.10
> #7 0x00000bfe638f8a5e in display_setup ()
> #8 0x00000bfe638d8c8f in main ()

I managed to reproduce it. It doesn't seem to fail with CWM, so I ran
fvwm3 inside Xephyr.

The issue seems to be in source/xcb.c:

(gdb) p wtitle.strings
$2 = 0xf9d9ce2ce30 "FVWM", '\004' <repeats 12 times>, '\337' <repeats 183 times>, <incomplete sequence \337>...

wtitle.strings is not NUL terminated, so it later crashes in strlen
(via __vfprintf) after it goes out of the bounds.

This seems to fix it, but I'm not knowledgeable enough to tell whether
this is a FVWM3 issue. (I assume so, though, since it's intermittent.)

Can you give this diff a spin? I don't use rofi nor fvwm3 anymore.

(more below the diff)

Index: Makefile
===================================================================
RCS file: /home/cvs/ports/sysutils/rofi/Makefile,v
retrieving revision 1.41
diff -u -p -r1.41 Makefile
--- Makefile 27 Sep 2023 17:16:33 -0000 1.41
+++ Makefile 30 Sep 2023 08:53:55 -0000
@@ -2,7 +2,7 @@ COMMENT = window switcher, run dialog a

V = 1.7.5
DISTNAME = rofi-${V}
-REVISION = 0
+REVISION = 1

CATEGORIES = sysutils x11
HOMEPAGE = https://github.com/davatorium/rofi
@@ -35,6 +35,8 @@ CONFIGURE_STYLE = gnu
CONFIGURE_ARGS = --disable-check
CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include -I${X11BASE}/include" \
YACC="bison -y"
+
+DEBUG_PACKAGES = ${BUILD_PACKAGES}

pre-configure:
sed -i 's,/usr/bin/env bash,/bin/sh,' ${WRKSRC}/script/get_git_rev.sh
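Review bot: the `DEBUG_PACKAGES = ${BUILD_PACKAGES}` addition is unrelated to the strlen crash; it is useful (it is what produces a rofi-debug package, the same kind of package the mail recommends installing for fvwm3 to get a readable backtrace), but it should be called out separately in the commit message, or committed on its own, so that the REVISION bump is not read as being only for the xcb.c patch.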
Index: patches/patch-source_xcb_c
===================================================================
RCS file: patches/patch-source_xcb_c
diff -N patches/patch-source_xcb_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-source_xcb_c 30 Sep 2023 08:54:47 -0000
@@ -0,0 +1,14 @@
+fwm3 doesn't always NUL terminate the response
+
+Index: source/xcb.c
+--- source/xcb.c.orig
++++ source/xcb.c
+@@ -1475,7 +1475,7 @@ static void x11_helper_discover_window_manager(void) {
+ xcb_ewmh_get_wm_name_unchecked(&(xcb->ewmh), wm_win);
+ if (xcb_ewmh_get_wm_name_reply(&(xcb->ewmh), cookie, &wtitle, (void *)0)) {
+ if (wtitle.strings_len > 0) {
+- g_debug("Found window manager: |%s|", wtitle.strings);
++ g_debug("Found window manager: |%.*s|", wtitle.strings_len, wtitle.strings);
+ if (g_strcmp0(wtitle.strings, "i3") == 0) {
+ current_window_manager =
+ WM_DO_NOT_CHANGE_CURRENT_DESKTOP | WM_PANGO_WORKSPACE_NAMES;
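Review bot: the `%.*s` change stops `__vfprintf` from running `strlen()` over the unterminated reply, but the very next line, `if (g_strcmp0(wtitle.strings, "i3") == 0) {`, still hands the same unterminated buffer to `g_strcmp0`, which is `strcmp()` underneath and will read past `strings_len` in exactly the same way, so the crash is narrowed rather than removed. Suggest copying the reply into a NUL-terminated string once, e.g. `gchar *name = g_strndup(wtitle.strings, wtitle.strings_len);`, using `name` for both the `g_debug` and the `g_strcmp0`, and `g_free(name)` afterwards; alternatively compare with the length (`wtitle.strings_len == 2 && memcmp(wtitle.strings, "i3", 2) == 0`). Two smaller points: `%.*s` takes an `int` precision while `strings_len` in the xcb_ewmh reply is a `uint32_t`, so `(int)wtitle.strings_len` avoids a -Wformat warning; and the description line `fwm3 doesn't always NUL terminate the response` should read `fvwm3`.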


> As a side note - yesterday I got very suspicious crash in fvwm3
> during simple fvwm restart, I can't reproduce it, but the bt also had
> __vfprintf in it, fvwm3 dev's said that it was very strange segfault and
> they have no idea what has happened, but with fvwm the snapshot wasn't
> very new.
>
> Reading symbols from fvwm3...
> Reading symbols from /usr/local/bin/.debug/fvwm3.dbg...
> [New process 532945]
> Core was generated by `fvwm3'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> 125 movq (%rax),%rdx /* get bytes to check */
> (gdb) bt
> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> #1 0x00000141784fd6d8 in __vfprintf (fp=<optimized out>, fmt0=<optimized out>, ap=<optimized out>) at /usr/src/lib/libc/stdio/vfprintf.c:877
> #2 0x00000141784fa996 in _libc_vfprintf (fp=0x14178548630 <usual>, fmt0=0x13f0429b0be " [KEY] %s\n", ap=0x7a1e8b73bb80) at /usr/src/lib/libc/stdio/vfprintf.c:263
> #3 0x000001417852784c in _libc_fprintf (fp=0x14169019ff0, fmt=0x0) at /usr/src/lib/libc/stdio/fprintf.c:44
> #4 0x0000013f04319b60 in SaveGlobalState (f=0x14178548630 <usual>) at session.c:183

Use egdb to go to this frame (f 4) and inspect what it's doing there.
It could be another not-NUL-terminated string or some other garbage
pointer.

(oh, and install the fvwm3-debug package if you haven't already)

> #5 save_state_file (filename=<optimized out>) at session.c:732
> #6 0x0000013f042fc28a in Done (restart=<optimized out>, command=0x141d1aceb98 "fvwm3") at fvwm3.c:589
> #7 0x0000013f042eccb5 in CMD_Restart (cond_rc=<optimized out>, exc=<optimized out>, action=0x0, pc=0x2020202020202020) at builtins.c:2447
> #8 0x0000013f0431f00e in _execute_command_line (cond_rc=<optimized out>, exc=<optimized out>, xaction=<optimized out>, caller_pc=<optimized out>, exec_flags=<optimized out>,
> all_pos_args_string=<optimized out>, pos_arg_tokens=0x0, has_ref_window_moved=0) at functions.c:672
> #9 0x0000013f0431e992 in execute_function (cond_rc=0x14169019ff0, exc=0x0, action=0x0, pc=0x2020202020202020, exec_flags=16843009) at functions.c:1245
> #10 0x0000013f042c0184 in _menu_execute_function (pexc=0x7a1e8b73c620, action=0x141d1aceb90 "Restart fvwm3") at menus.c:253
> #11 0x0000013f042be924 in do_menu (pmp=<optimized out>, pmret=<optimized out>) at menus.c:5825
> #12 0x0000013f0433b907 in menu_func (cond_rc=0x7a1e8b73c808, exc=0x141144e7000, action=0x14172f6a54e "Nop", pc=<optimized out>, fStaysUp=<optimized out>) at menucmd.c:109
> #13 0x0000013f0431f00e in _execute_command_line (cond_rc=<optimized out>, exc=<optimized out>, xaction=<optimized out>, caller_pc=<optimized out>, exec_flags=<optimized out>,
> all_pos_args_string=<optimized out>, pos_arg_tokens=0x0, has_ref_window_moved=0) at functions.c:672
> #14 0x0000013f0431e992 in execute_function (cond_rc=0x14169019ff0, exc=0x0, action=0x0, pc=0x2020202020202020, exec_flags=16843009) at functions.c:1245
> #15 0x0000013f042dbf90 in _handle_bpress_on_root (exc=0x1414baa8300) at events.c:1667
> #16 HandleButtonPress (ea=<optimized out>) at events.c:1884
> #17 0x0000013f042df666 in dispatch_event (e=0x7a1e8b73cb30) at events.c:4248
> #18 0x0000013f042dfe44 in HandleEvents () at events.c:4287
> #19 0x0000013f0430053c in main (argc=<optimized out>, argv=<optimized out>) at fvwm3.c:2526
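The bug pattern behind both backtraces is a length-delimited buffer (bytes plus a count, no trailing NUL) being handed to functions that expect a C string. The following is an added example, not code from this mail nor from rofi or fvwm3: it models the `strings`/`strings_len` pair of the xcb_ewmh reply with a hypothetical `struct wm_name_reply`, fills it with a constructed buffer shaped like the gdb dump above ("FVWM" followed by non-NUL filler), and shows the three defensive ways to consume such a buffer without ever calling `strlen()` on it: printing with `%.*s`, comparing with an explicit length instead of `strcmp()`, and copying it once into a NUL-terminated string (what `g_strndup()` does). All function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the relevant fields of
 * xcb_ewmh_get_utf8_strings_reply_t: a pointer into the X server reply
 * plus a byte count.  The reply is NOT guaranteed to end in a NUL byte. */
struct wm_name_reply {
    const char *strings;
    unsigned int strings_len;
};

/* Format the name the way the patched g_debug() call does: "%.*s" with an
 * explicit precision stops after strings_len bytes, so no strlen() is ever
 * run on the unterminated buffer.  The precision of "%.*s" must be an int,
 * hence the range check and the cast.  Returns snprintf's result, or -1. */
int format_wm_name(char *out, size_t outsz, const struct wm_name_reply *r)
{
    if (r->strings_len > (unsigned int)INT_MAX)
        return -1;
    return snprintf(out, outsz, "Found window manager: |%.*s|",
                    (int)r->strings_len, r->strings);
}

/* Length-aware comparison against a C-string literal.  Unlike
 * g_strcmp0(reply->strings, "i3") this never reads past strings_len:
 * the lengths must match first, then exactly strings_len bytes are compared. */
int wm_name_equals(const struct wm_name_reply *r, const char *lit)
{
    size_t litlen = strlen(lit);
    return r->strings_len == litlen && memcmp(r->strings, lit, litlen) == 0;
}

/* Copy into a freshly allocated, NUL-terminated string (what g_strndup()
 * does) so the rest of the code can keep using ordinary C-string functions.
 * Caller frees.  Returns NULL on allocation failure. */
char *wm_name_dup(const struct wm_name_reply *r)
{
    char *s = malloc((size_t)r->strings_len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, r->strings, r->strings_len);
    s[r->strings_len] = '\0';
    return s;
}

/* Constructed sample: 4 name bytes followed by non-NUL filler, mirroring the
 * gdb dump in the thread ("FVWM", then \004 and \337 bytes, no terminator).
 * strlen() on this buffer would run off its end. */
static char sample_reply[16] = {
    'F', 'V', 'W', 'M', 4, 4, 4, 4,
    '\337', '\337', '\337', '\337', '\337', '\337', '\337', '\337'
};
const struct wm_name_reply sample = { sample_reply, 4 };

/* Demo helper: format the sample and compare with an expected string. */
int sample_formats_as(const char *expected)
{
    char buf[64];
    int n = format_wm_name(buf, sizeof buf, &sample);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Demo helper: duplicate the sample and compare the NUL-terminated copy. */
int sample_dup_matches(const char *expected)
{
    char *copy = wm_name_dup(&sample);
    int ok = copy != NULL && strcmp(copy, expected) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    char buf[64];
    format_wm_name(buf, sizeof buf, &sample);
    puts(buf);                                            /* |FVWM| */
    printf("is i3:   %d\n", wm_name_equals(&sample, "i3"));   /* 0 */
    printf("is FVWM: %d\n", wm_name_equals(&sample, "FVWM")); /* 1 */
    char *copy = wm_name_dup(&sample);
    printf("copy: %s\n", copy ? copy : "(alloc failed)");
    free(copy);
    return 0;
}
```

The length check in `wm_name_equals` is what makes the comparison safe: `strncmp(r->strings, lit, r->strings_len)` alone would also stop reading at the buffer end, but it would report "FVW" as equal to "FVWM", so the length must be part of the test.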
