memory corruption in xorg-server when closing acpid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xorg-server (Ubuntu) | Fix Released | Undecided | Maarten Lankhorst |
Precise | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |
Raring | Fix Released | Undecided | Maarten Lankhorst |
Bug Description
[IMPACT]
* If acpid is closed before the server is shut down (for example with shutdown -h now, or stop acpid) a memory corruption will occur, because the acpi handler frees itself from a linked list before the next entry is taken. This will cause a reliable in valgrind, and in the worst case can cause the X server to shut down uncleanly, or corrupt silently.
* The fix is simply taking the next member before calling the handler in xf86WakeUp.
[TESTCASE]
* Start X with valgrind --free-fill=fe
* stop acpid
* Server crashes
[Regression Potential]
I don't believe there's much potential for regressions, since the code is called from few places, and I do not believe any of the handlers depend on the specific order in which they're called. Potentially suitable for precise too.
[Other Info]
I originally wanted to get this in before quantal release, but lost out due to time, but this would be more involved than converting the offending function to use nt_list_
Original discussion at http://
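The list walk described in the bug description, as an added example that is not xorg-server code or the patch itself: a constructed handler list (all names hypothetical) in which one handler unlinks itself mid-walk. A poison marker stands in for freed memory, so the two loop orders can be compared without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a wakeup-handler list; all names are hypothetical. */
typedef struct Handler {
    struct Handler *next;
    void (*fn)(struct Handler *self);
} Handler;

/* Written into a released node; stands in for valgrind's --free-fill=fe. */
#define POISON ((Handler *)(uintptr_t)0xfefefefeu)
static Handler pool[3], *head;
static int calls;

/* Stand-in for free(): unlink the node, then poison its link. */
static void release(Handler *h) {
    Handler **pp = &head;
    while (*pp != h) pp = &(*pp)->next;
    *pp = h->next;
    h->next = POISON;
}

static void on_event(Handler *self) { (void)self; calls++; }
/* Removes itself while running, like the acpi handler once acpid is gone. */
static void on_close(Handler *self) { calls++; release(self); }

static void setup(void) {
    calls = 0;
    for (int i = 0; i < 3; i++) {
        pool[i].fn = (i == 1) ? on_close : on_event;
        pool[i].next = (i < 2) ? &pool[i + 1] : NULL;
    }
    head = &pool[0];
}

/* Returns handlers called, or -1 when the loop is about to follow a poisoned link. */
int wakeup(int take_next_first) {
    Handler *next = NULL;
    setup();
    for (Handler *h = head; h; h = next) {
        if (take_next_first) next = h->next;  /* fixed order */
        h->fn(h);
        if (!take_next_first) next = h->next; /* original order: link read after handler */
        if (next == POISON) return -1;
    }
    return calls;
}

int main(void) { printf("before=%d after=%d\n", wakeup(0), wakeup(1)); return 0; }
```

With the link read after the handler, the walk stops at the released node; with the link saved first, all three handlers run and the list is left with the two surviving entries.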
Changed in xorg-server (Ubuntu):
status: New → In Progress
assignee: nobody → Maarten Lankhorst (mlankhorst)
tags: added: verification-done, removed: verification-needed
This bug was fixed in the package xorg-server - 2:1.13.0-0ubuntu7
---------------
xorg-server (2:1.13.0-0ubuntu7) raring; urgency=low

[ Maarten Lankhorst ]
* Add 233-xf86events-valgrind.patch to fix a xserver corruption
  when acpid is stopped before Xorg is.
  (LP: #1070481)
* Add 235-composite-tracking.patch to fix exa corruption.
  (LP: #1010794)

[ Bryce Harrington ]
* Add 236-use-fbdev-for-poulsbo-oaktrail-medfield.patch: Never use Intel
  driver on Poulsbo/Oaktrail/Medfield. Thanks to Matthias Klumpp.
  (LP: #1069031)
* Add 237-dix-set-the-device-transformation-matrix.patch: Fix pointer
  jumping with absolute pointing device. Initializes device
  transformation matrix to an identity matrix. Thanks to a7x.
  (LP: #1041063)

[ Tim Lunn ]
* 500_pointer_barrier_thresholds.diff: Update to fix gaps above
  barriers at edge of screen
  (LP: #1073724)

-- Bryce Harrington <email address hidden> Fri, 16 Nov 2012 11:37:26 -0800