I'm experiencing rare (but annoying) whole X session crashes, since
mid-2023.
To my surprise it turns out to be FVWM exiting on SIGABRT.
I was able to make these crashes more likely by exercising Chromium
screen-scraping, Firefox playing YouTube, whilst iconifying a small
window. I did so with my own debug build.
The result is the stack trace below.
Packages are from Slackware 15.0, with a local build of xorg-server at
1.21.1.10.
The fvwm-2.6.9-x86_64-4 package has been in use for some time without
crashes, so likely what's changed is my working practices, another
application, or a library.
Does anything in the stack trace raise suspicion?
Is it likely that a (security) change to libX11 is exposing a bug, either in
that library or FVWM?
Thanks
--
Mark
Reading symbols from /opt/fvwm/bin/fvwm...
[New LWP 18689]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/fvwm/bin/fvwm'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f4f91bd5868 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f4f91bd5868 in raise () at /lib64/libc.so.6
#1 0x00007f4f91bbc546 in abort () at /lib64/libc.so.6
#2 0x00007f4f91bbc43f in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4f91bcd392 in () at /lib64/libc.so.6 <-- __assert_fail()
#4 0x00007f4f92ffedf5 in () at /usr/lib64/libX11.so.6 <-- _XAllocID()
#5 0x00007f4f92e6a2f8 in XRenderCreatePicture () at /usr/lib64/libXrender.so.1
#6 0x00000000004cd187 in FRenderRender (dpy=0x7568a0, win=8390156,
pixmap=8390152, mask=0, alpha=8390154, depth=24, added_alpha_percent=100,
tint=0, tint_percent=0, d=8390156, gc=0x76fc40, alpha_gc=0x76ff00, src_x=0,
src_y=0, src_w=56, src_h=56, dest_x=2, dest_y=2, dest_w=56, dest_h=56,
do_repeat=0) at FRender.c:464
#7 0x00000000004c1e65 in PGraphicsRenderPixmaps (dpy=0x7568a0, win=8390156,
pixmap=8390152, mask=0, alpha=8390154, depth=24, fra=0x7fff98bb9c40, d=8390156,
gc=0x76fc40, mono_gc=0x76fe50, alpha_gc=0x76ff00, src_x=0, src_y=0, src_w=56,
src_h=56, dest_x=2, dest_y=2, dest_w=56, dest_h=56, do_repeat=0) at
PictureGraphics.c:1012
#8 0x000000000045b808 in DrawIconPixmapWindow (fw=0x79e640, reset_bg=0,
pev=0x7fff98bb9ce0, Shadow=0x76c8b0, Relief=0x76c800, cs=-1) at icons.c:1192
#9 0x000000000045c7c2 in DrawIconWindow (fw=0x79e640, draw_title=1,
draw_pixmap=1, focus_change=0, reset_bg=0, pev=0x7fff98bb9e50) at icons.c:1490
#10 0x000000000043b08d in HandleExpose (ea=0x7fff98bb9f90) at events.c:2361
#11 0x000000000043e371 in dispatch_event (e=0x7a6e78) at events.c:4160
#12 0x000000000043738c in _pred_weed_handle_expose (display=0x7568a0,
event=0x7a6e78, arg=0x0) at events.c:266
#13 0x00000000004d0b3f in _fev_pred_weed_if (display=0x7568a0, event=0x7a6e78,
arg=0x7fff98bba3a0 "asC") at FEvent.c:176
#14 0x00000000004d0957 in _fev_pred_check_peek (display=0x7568a0,
event=0x7a6e78, arg=0x7fff98bba100 "|\nM") at FEvent.c:144
#15 0x00007f4f92fdb8b2 in XCheckIfEvent () at /usr/lib64/libX11.so.6
#16 0x00000000004d1cfb in FCheckPeekIfEvent (display=0x7568a0,
event_return=0x7fff98bba2e0, predicate=0x4d0a7c <_fev_pred_weed_if>,
arg=0x7fff98bba3a0 "asC") at FEvent.c:590
#17 0x00000000004d1b04 in FWeedIfEvents (display=0x7568a0,
weed_predicate=0x437361 <_pred_weed_handle_expose>, arg=0x0) at FEvent.c:527
#18 0x000000000043ece1 in handle_all_expose () at events.c:4545
#19 0x000000000047e12f in __raise_or_lower_window (t=0x79e640, mode=SM_RAISE,
allow_recursion=1, is_new_window=0, is_client_request=0) at stack.c:1141
#20 0x000000000047e19c in raise_or_lower_window (t=0x79e640, mode=SM_RAISE,
allow_recursion=1, is_new_window=0, is_client_request=0) at stack.c:1158
#21 0x000000000047ed6d in RaiseWindow (t=0x79e640, is_client_request=0) at
stack.c:1715
#22 0x000000000047f611 in CMD_Raise (cond_rc=0x7fff98bba9d8, exc=0x79ed70,
action=0x79b235 "") at stack.c:2048
#23 0x00000000004894c0 in __execute_function (cond_rc=0x7fff98bba9d8,
exc=0x79ee70, action=0x783990 "Raise", exec_flags=128 '\200',
args=0x7fff98bba810, has_ref_window_moved=0) at functions.c:639
#24 0x000000000048998f in __run_complex_function_items (cond_rc=0x7fff98bba9d8,
cond=105 'i', func=0x783a00, exc=0x79ee70, args=0x7fff98bba810,
has_ref_window_moved=0) at functions.c:838
#25 0x0000000000489f61 in execute_complex_function (cond_rc=0x7fff98bba9d8,
exc=0x79ef70, action=0x799d00 "IconifyRaiseFunction", desperate=0x7fff98bba960,
has_ref_window_moved=0) at functions.c:1036
#26 0x0000000000489548 in __execute_function (cond_rc=0x0, exc=0x774670,
action=0x78b7b0 "IconifyRaiseFunction", exec_flags=0 '\000', args=0x0,
has_ref_window_moved=0) at functions.c:659
#27 0x000000000048a693 in execute_function (cond_rc=0x0, exc=0x774670,
action=0x78b7b0 "IconifyRaiseFunction", exec_flags=0 '\000') at functions.c:1302
#28 0x0000000000439bbf in __handle_bpress_action (exc=0x774670, action=0x78b7b0
"IconifyRaiseFunction") at events.c:1642
#29 0x0000000000439ea7 in __handle_bpress_on_managed (exc=0x774670) at
events.c:1743
#30 0x000000000043a02f in HandleButtonPress (ea=0x7fff98bbaba0) at events.c:1801
#31 0x000000000043e371 in dispatch_event (e=0x7fff98bbabd0) at events.c:4160
#32 0x000000000043e445 in HandleEvents () at events.c:4211
#33 0x0000000000464e37 in main (argc=2, argv=0x7fff98bbb058) at fvwm.c:2590
(gdb) up
#1 0x00007f4f91bbc546 in abort () from /lib64/libc.so.6
(gdb) up
#2 0x00007f4f91bbc43f in __assert_fail_base.cold () from /lib64/libc.so.6
(gdb) up
#3 0x00007f4f91bcd392 in __assert_fail () from /lib64/libc.so.6
(gdb) up
#4 0x00007f4f92ffedf5 in _XAllocID () from /usr/lib64/libX11.so.6
(gdb) up
#5 0x00007f4f92e6a2f8 in XRenderCreatePicture () from
/usr/lib64/libXrender.so.1
(gdb) up
#6 0x00000000004cd187 in FRenderRender (dpy=0x7568a0, win=8390156,
pixmap=8390152, mask=0, alpha=8390154, depth=24, added_alpha_percent=100,
tint=0, tint_percent=0, d=8390156, gc=0x76fc40, alpha_gc=0x76ff00, src_x=0,
src_y=0, src_w=56, src_h=56, dest_x=2, dest_y=2, dest_w=56, dest_h=56,
do_repeat=0) at FRender.c:464
464 alpha_picture = FRenderCreatePicture(
(gdb) list
459
460 if (added_alpha_percent >= 100)
461 {
462 if (alpha != None)
463 {
464 alpha_picture = FRenderCreatePicture(
465 dpy, alpha, PFrenderAlphaFormat, pam, &pa);
466 }
467 else if (mask != None)
468 {
-rw-r--r-- 1 root root 49773 Oct 12 18:49 /var/log/packages/libX11-1.8.7-x86_64-1_slack15.0
-rw-r--r-- 1 root root 12096 Apr 1 2021 /var/log/packages/fvwm-2.6.9-x86_64-4
+--------------------------+
Tue Oct 3 22:19:10 UTC 2023
patches/packages/libX11-1.8.7-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
libX11: out-of-bounds memory access in _XkbReadKeySyms().
libX11: stack exhaustion from infinite recursion in PutSubImage().
libX11: integer overflow in XCreateImage() leading to a heap overflow.
For more information, see:
https://lists.x.org/archives/xorg-announce/2023-October/003424.html
https://www.cve.org/CVERecord?id=CVE-2023-43785
https://www.cve.org/CVERecord?id=CVE-2023-43786
https://www.cve.org/CVERecord?id=CVE-2023-43787
(* Security fix *)
+--------------------------+
Thu Jun 15 18:59:33 UTC 2023
patches/packages/libX11-1.8.6-x86_64-1_slack15.0.txz: Upgraded.
This update fixes buffer overflows in InitExt.c that could at least cause
the client to crash due to memory corruption.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-3138
(* Security fix *)
+--------------------------+
Mon Jun 7 18:53:49 UTC 2021
x/libX11-1.7.2-x86_64-1.txz: Upgraded.
This is a bug fix release, correcting a regression introduced by and
improving the checks from the fix for CVE-2021-31535.
+--------------------------+
Wed May 19 21:05:00 UTC 2021
x/libX11-1.7.1-x86_64-1.txz: Upgraded.
This update fixes missing request length checks in libX11 that can lead to
the emission of extra X protocol requests to the X server.
For more information, see:
https://lists.x.org/archives/xorg-announce/2021-May/003088.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535
(* Security fix *)
$ xdpyinfo
name of display: :1
version number: 11.0
vendor string: The X.Org Foundation
vendor release number: 12101010
X.Org version: 1.21.1.10
maximum request size: 16777212 bytes
motion buffer size: 256
bitmap unit, bit order, padding: 32, LSBFirst, 32
image byte order: LSBFirst
number of supported pixmap formats: 7
supported pixmap formats:
depth 1, bits_per_pixel 1, scanline_pad 32
depth 4, bits_per_pixel 8, scanline_pad 32
depth 8, bits_per_pixel 8, scanline_pad 32
depth 15, bits_per_pixel 16, scanline_pad 32
depth 16, bits_per_pixel 16, scanline_pad 32
depth 24, bits_per_pixel 32, scanline_pad 32
depth 32, bits_per_pixel 32, scanline_pad 32
keycode range: minimum 8, maximum 255
focus: window 0x400000c, revert to Parent
number of extensions: 28
BIG-REQUESTS
Composite
DAMAGE
DOUBLE-BUFFER
DPMS
DRI2
DRI3
GLX
Generic Event Extension
MIT-SCREEN-SAVER
MIT-SHM
Present
RANDR
RECORD
RENDER
SHAPE
SYNC
X-Resource
XC-MISC
XFIXES
XFree86-DGA
XFree86-VidModeExtension
XINERAMA
XInputExtension
XKEYBOARD
XTEST
XVideo
XVideo-MotionCompensation
default screen number: 0
number of screens: 1
screen #0:
dimensions: 5120x1200 pixels (1354x317 millimeters)
resolution: 96x96 dots per inch
depths (7): 24, 1, 4, 8, 15, 16, 32
root window id: 0x6b2
depth of root window: 24 planes
number of colormaps: minimum 1, maximum 1
default colormap: 0x20
default number of colormap cells: 256
preallocated pixels: black 0, white 16777215
options: backing-store WHEN MAPPED, save-unders NO
largest cursor: 64x64
current input event mask: 0xda003f
KeyPressMask KeyReleaseMask ButtonPressMask
ButtonReleaseMask EnterWindowMask LeaveWindowMask
StructureNotifyMask SubstructureNotifyMask
SubstructureRedirectMask
PropertyChangeMask ColormapChangeMask
number of visuals: 504
default visual id: 0x21
[...]