Created attachment 60979
Diff needed to trigger the problem in ubuntu.
If multitouch is enabled, priv->num_slots can grow past the bounds of the array it indexes, resulting in memory corruption.
A simple patch is attached that crashes (via an assertion) when the problem is triggered.
On my laptop I can reproduce it by running /usr/bin/Xorg in one terminal, making circles with two fingers on the touchpad, and then starting DISPLAY=:0 /etc/X11/Xsession in another terminal.
Backtrace (the assertion fires in the SIGIO input handler, which interrupted an NSS dlopen running under AddHost):
#0 0x00007ffff61cf445 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff61d2bab in __GI_abort () at abort.c:91
#2 0x00007ffff61c810e in __assert_fail_base (fmt=<optimized out>, assertion=0x7fffefdd4186 "priv->num_active_touches >= 0",
file=0x7fffefdd4170 "../../src/synaptics.c", line=<optimized out>, function=<optimized out>) at assert.c:94
#3 0x00007ffff61c81b2 in __GI___assert_fail (assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", file=0x7fffefdd4170 "../../src/synaptics.c",
line=3021, function=0x7fffefdd4100 "UpdateTouchState") at assert.c:103
#4 0x00007fffefdc9e30 in UpdateTouchState (hw=<optimized out>, pInfo=<optimized out>) at ../../src/synaptics.c:3021
#5 0x00007fffefdcb033 in HandleTouches (hw=0x555555d5d3f0, pInfo=0x555555d35940) at ../../src/synaptics.c:3113
#6 HandleState (pInfo=<optimized out>, hw=<optimized out>, now=<optimized out>, from_timer=<optimized out>) at ../../src/synaptics.c:3306
#7 0x00007fffefdcd0b0 in ReadInput (pInfo=0x555555d35940) at ../../src/synaptics.c:1678
#8 0x00005555555df787 in xf86SigioReadInput (fd=<optimized out>, closure=0x555555d35940) at ../../../../hw/xfree86/common/xf86Events.c:298
#9 0x0000555555605757 in xf86SIGIO (sig=<optimized out>) at ../../../../../hw/xfree86/os-support/linux/../shared/sigio.c:111
#10 <signal handler called>
#11 SmartScheduleTimer (sig=14) at ../../os/utils.c:1158
#12 <signal handler called>
#13 __GI__dl_debug_state () at dl-debug.c:77
#14 0x00007ffff7ded908 in dl_open_worker (a=0x7fffffffdf70) at dl-open.c:294
#15 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffdfb8, errstring=0x7fffffffdfc0, mallocedp=0x7fffffffdfcf,
operate=0x7ffff7ded700 <dl_open_worker>, args=0x7fffffffdf70) at dl-error.c:178
#16 0x00007ffff7ded31a in _dl_open (file=0x7fffffffe1c0 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=0x7ffff629d21e, nsid=-2, argc=1,
argv=<optimized out>, env=0x555555969370) at dl-open.c:639
#17 0x00007ffff62c7e02 in do_dlopen (ptr=0x7fffffffe170) at dl-libc.c:89
#18 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffe1a0, errstring=0x7fffffffe190, mallocedp=0x7fffffffe1af,
operate=0x7ffff62c7dc0 <do_dlopen>, args=0x7fffffffe170) at dl-error.c:178
#19 0x00007ffff62c7ec4 in dlerror_run (args=0x7fffffffe170, operate=0x7ffff62c7dc0 <do_dlopen>) at dl-libc.c:48
#20 __GI___libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at dl-libc.c:165
#21 0x00007ffff629d21e in nss_load_library (ni=<optimized out>) at nsswitch.c:372
#22 0x00007ffff629dc7d in __GI___nss_lookup_function (ni=0x555555d79330, fct_name=0x7ffff63127aa "getpwnam_r") at nsswitch.c:474
#23 0x00007ffff629de8c in __GI___nss_lookup (ni=0x7fffffffe2d0, fct_name=0x7ffff63127aa "getpwnam_r", fct2_name=0x0, fctp=0x7fffffffe2e0)
at nsswitch.c:202
#24 0x00007ffff62562c8 in __getpwnam_r (name=0x555555ce4990 "i", resbuf=0x7ffff6552320, buffer=0x555555b35870 "X\374T\366\377\177", buflen=1024,
result=0x7fffffffe330) at ../nss/getXXbyYY_r.c:203
#25 0x00007ffff6255b74 in getpwnam (name=0x555555ce4990 "i") at ../nss/getXXbyYY.c:117
#26 0x00005555556db375 in siLocalCredGetId (addr=0x555555c7a272 "i", len=1, lcPriv=0x555555952790, id=0x7fffffffe3cc) at ../../os/access.c:1980
#27 0x00005555556db3d1 in siLocalCredCheckAddr (addrString=<optimized out>, length=<optimized out>, typePriv=<optimized out>)
at ../../os/access.c:2055
#28 0x00005555556db11c in siCheckAddr (addrString=<optimized out>, length=11) at ../../os/access.c:1686
#29 0x00005555556dc4af in AddHost (client=0x555555ce4c60, family=5, length=11, pAddr=0x555555c7a268) at ../../os/access.c:1249
#30 0x00005555555a2881 in Dispatch () at ../../dix/dispatch.c:439
#31 0x00005555555917aa in main (argc=1, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287
Created attachment 60979
Diff needed to trigger the problem in ubuntu.
If multitouch is enabled, priv->num_slots can grow past the bounds of the array it indexes, resulting in memory corruption.
A simple patch is attached that crashes (via an assertion) when the problem is triggered.
On my laptop I can reproduce it by running /usr/bin/Xorg in one terminal, making circles with two fingers on the touchpad, and then starting DISPLAY=:0 /etc/X11/Xsession in another terminal.
Backtrace (the assertion fires in the SIGIO input handler, which interrupted an NSS dlopen running under AddHost):
#0 0x00007ffff61cf445 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff61d2bab in __GI_abort () at abort.c:91
#2 0x00007ffff61c810e in __assert_fail_base (fmt=<optimized out>, assertion=0x7fffefdd4186 "priv->num_active_touches >= 0",
file=0x7fffefdd4170 "../../src/synaptics.c", line=<optimized out>, function=<optimized out>) at assert.c:94
#3 0x00007ffff61c81b2 in __GI___assert_fail (assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", file=0x7fffefdd4170 "../../src/synaptics.c",
line=3021, function=0x7fffefdd4100 "UpdateTouchState") at assert.c:103
#4 0x00007fffefdc9e30 in UpdateTouchState (hw=<optimized out>, pInfo=<optimized out>) at ../../src/synaptics.c:3021
#5 0x00007fffefdcb033 in HandleTouches (hw=0x555555d5d3f0, pInfo=0x555555d35940) at ../../src/synaptics.c:3113
#6 HandleState (pInfo=<optimized out>, hw=<optimized out>, now=<optimized out>, from_timer=<optimized out>) at ../../src/synaptics.c:3306
#7 0x00007fffefdcd0b0 in ReadInput (pInfo=0x555555d35940) at ../../src/synaptics.c:1678
#8 0x00005555555df787 in xf86SigioReadInput (fd=<optimized out>, closure=0x555555d35940) at ../../../../hw/xfree86/common/xf86Events.c:298
#9 0x0000555555605757 in xf86SIGIO (sig=<optimized out>) at ../../../../../hw/xfree86/os-support/linux/../shared/sigio.c:111
#10 <signal handler called>
#11 SmartScheduleTimer (sig=14) at ../../os/utils.c:1158
#12 <signal handler called>
#13 __GI__dl_debug_state () at dl-debug.c:77
#14 0x00007ffff7ded908 in dl_open_worker (a=0x7fffffffdf70) at dl-open.c:294
#15 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffdfb8, errstring=0x7fffffffdfc0, mallocedp=0x7fffffffdfcf,
operate=0x7ffff7ded700 <dl_open_worker>, args=0x7fffffffdf70) at dl-error.c:178
#16 0x00007ffff7ded31a in _dl_open (file=0x7fffffffe1c0 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=0x7ffff629d21e, nsid=-2, argc=1,
argv=<optimized out>, env=0x555555969370) at dl-open.c:639
#17 0x00007ffff62c7e02 in do_dlopen (ptr=0x7fffffffe170) at dl-libc.c:89
#18 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffe1a0, errstring=0x7fffffffe190, mallocedp=0x7fffffffe1af,
operate=0x7ffff62c7dc0 <do_dlopen>, args=0x7fffffffe170) at dl-error.c:178
#19 0x00007ffff62c7ec4 in dlerror_run (args=0x7fffffffe170, operate=0x7ffff62c7dc0 <do_dlopen>) at dl-libc.c:48
#20 __GI___libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at dl-libc.c:165
#21 0x00007ffff629d21e in nss_load_library (ni=<optimized out>) at nsswitch.c:372
#22 0x00007ffff629dc7d in __GI___nss_lookup_function (ni=0x555555d79330, fct_name=0x7ffff63127aa "getpwnam_r") at nsswitch.c:474
#23 0x00007ffff629de8c in __GI___nss_lookup (ni=0x7fffffffe2d0, fct_name=0x7ffff63127aa "getpwnam_r", fct2_name=0x0, fctp=0x7fffffffe2e0)
at nsswitch.c:202
#24 0x00007ffff62562c8 in __getpwnam_r (name=0x555555ce4990 "i", resbuf=0x7ffff6552320, buffer=0x555555b35870 "X\374T\366\377\177", buflen=1024,
result=0x7fffffffe330) at ../nss/getXXbyYY_r.c:203
#25 0x00007ffff6255b74 in getpwnam (name=0x555555ce4990 "i") at ../nss/getXXbyYY.c:117
#26 0x00005555556db375 in siLocalCredGetId (addr=0x555555c7a272 "i", len=1, lcPriv=0x555555952790, id=0x7fffffffe3cc) at ../../os/access.c:1980
#27 0x00005555556db3d1 in siLocalCredCheckAddr (addrString=<optimized out>, length=<optimized out>, typePriv=<optimized out>)
at ../../os/access.c:2055
#28 0x00005555556db11c in siCheckAddr (addrString=<optimized out>, length=11) at ../../os/access.c:1686
#29 0x00005555556dc4af in AddHost (client=0x555555ce4c60, family=5, length=11, pAddr=0x555555c7a268) at ../../os/access.c:1249
#30 0x00005555555a2881 in Dispatch () at ../../dix/dispatch.c:439
#31 0x00005555555917aa in main (argc=1, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287