Bug#234535: xserver dies if I start gimp with LANG=no_NO.UTF-8
Branden Robinson wrote:
tag 234535 = upstream security help
retitle 234535 xserver-xfree86: X server can be crashed by xfstt font server (DoS attack)
severity 234535 important
thanks
On Wed, Apr 28, 2004 at 03:47:54PM +0200, Helge Hafting wrote:
Michel Dänzer wrote:
On Wed, 2004-04-28 at 12:04, Helge Hafting wrote:
I don't know if xfstt does something wrong, but X shouldn't really crash
even if xfstt is wrong. One cannot trust font servers to be nice - they
may be external after all.
True, but if it only happens with xfstt, there might be little incentive
to fix this.
Sure, if an obsolete xfstt is the only problem server.
I still think there is a DoS attack here, and I think it's worth trying
to track the problem down.
Finally, a trace from running xserver-xfree86-dbg. It contains some
non-ASCII characters. Crashing the debug server got the machine
into a strange state where it responded to sysrq keys and nothing else.
In particular, it didn't switch consoles and didn't sync the disks.
Another unclean shutdown, still I got a core file and a logfile.
I hope this helps, please tell if there's anything else I could do.
Helge Hafting
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
warning: core file may not match specified executable file.
Core was generated by `/usr/bin/X11/X -dpi 100 -nolisten tcp'.
Program terminated with signal 6, Aborted.
#0 0x40088da9 in ?? ()
(gdb) bt full
#0 0x40088da9 in ?? ()
No symbol table info available.
#1 0x40195110 in ?? ()
No symbol table info available.
#2 0x089f2d0c in pci_device_10b9_5251 ()
No symbol table info available.
#3 0x4008a601 in ?? ()
No symbol table info available.
#4 0x00000006 in ?? ()
No symbol table info available.
#5 0xbffff080 in ?? ()
No symbol table info available.
#6 0x00000000 in ?? ()
No symbol table info available.
#7 0x00000020 in ?? ()
No symbol table info available.
#8 0x00000000 in ?? ()
No symbol table info available.
#9 0x00000000 in ?? ()
No symbol table info available.
#10 0x00000000 in ?? ()
No symbol table info available.
#11 0x00000000 in ?? ()
No symbol table info available.
#12 0x00000000 in ?? ()
No symbol table info available.
#13 0x00000000 in ?? ()
No symbol table info available.
#14 0x00000000 in ?? ()
No symbol table info available.
#15 0x00000000 in ?? ()
No symbol table info available.
#16 0x00000000 in ?? ()
No symbol table info available.
#17 0x00000000 in ?? ()
No symbol table info available.
#18 0x00000000 in ?? ()
No symbol table info available.
#19 0x00000000 in ?? ()
No symbol table info available.
#20 0x00000000 in ?? ()
No symbol table info available.
#21 0x00000000 in ?? ()
No symbol table info available.
#22 0x00000000 in ?? ()
No symbol table info available.
#23 0x00000000 in ?? ()
No symbol table info available.
#24 0x00000000 in ?? ()
No symbol table info available.
#25 0x00000000 in ?? ()
No symbol table info available.
#26 0x00000000 in ?? ()
No symbol table info available.
#27 0x00000000 in ?? ()
No symbol table info available.
#28 0x00000000 in ?? ()
No symbol table info available.
#29 0x00000000 in ?? ()
No symbol table info available.
#30 0x00000000 in ?? ()
No symbol table info available.
#31 0x00000000 in ?? ()
No symbol table info available.
#32 0x00000000 in ?? ()
No symbol table info available.
#33 0x00000000 in ?? ()
No symbol table info available.
#34 0x00000000 in ?? ()
No symbol table info available.
#35 0x00000000 in ?? ()
No symbol table info available.
#36 0x00000000 in ?? ()
No symbol table info available.
#37 0x00000000 in ?? ()
No symbol table info available.
#38 0x00000000 in ?? ()
No symbol table info available.
#39 0x00000000 in ?? ()
No symbol table info available.
#40 0x086d97e0 in XMesaCreateVisual (display=0x81a3816, visinfo=0x81a37ff,
rgb_flag=8 '\b', alpha_flag=6 '\006', db_flag=234 'ê',
stereo_flag=156 '\234', ximage_flag=22 '\026', depth_size=134757936,
stencil_size=135952800, accum_red_size=11, accum_green_size=16711681,
accum_blue_size=-1073752856, accum_alpha_size=786436,
num_samples=136256780, level=-1073744616, visualCaveat=-7136)
at xm_api.c:1544
gamma = 0xb <Address 0xb out of bounds>
v = 0x4008a430
red_bits = 136336456
green_bits = 361
blue_bits = 1073789920
alpha_bits = -1073745500
#41 0x080e38a0 in TGACopyLineBackwards (pScrn=0x81b71e2, x1=-1073745456,
y1=-1073745436, x2=134757936, y2=135952800, w=11) at tga_accel.c:792
a1 = 135936022
a2 = 135149728
source_address = 3221221812
destination_address = 11
mask_source = 136289408
mask_destination = 134671004
cando = 371889197
cando_mask = 11
source_align = 1074308144
destination_align = 136336456
pixel_shift = 361
read = 1073789920
pTga = 0xbffff1a4
#42 0x080e4d60 in TGASubsequentDashedLine (pScrn=0x81a79a0, x1=11,
y1=16711681, x2=-1073752856, y2=786436, octant=136256780,
flags=-1073744616, phase=-7136) at tga_accel.c:1417
pTga = 0x81b71e2
abs_dx = 135155040
abs_dy = 3221221828
address = 135935999
octant_reg = 135936022
length = 135149728
line_mask = 49151
pattern_overflow = 11
l = 136289408
#43 0x08083e30 in GLINTEnterVT (scrnIndex=11, flags=51) at glint_driver.c:3377
pScrn = 0x81f1d0c
pGlint = 0xc0004
#44 <signal handler called>
No symbol table info available.
#45 0x400d9fbf in ?? ()
No symbol table info available.
#46 0x0875a074 in _mesa_GetBooleanv (pname=141193088, params=0x89f2c98 "\004")
at get.c:144
ctx = (GLcontext *) 0x81f1d0c
i = 1
texUnit = 144649396
textureUnit = (const struct gl_texture_unit *) 0x875a040
#47 0x080f713a in S3VPreInit (pScrn=0x86a6f80, flags=0) at s3v_driver.c:699
pEnt = 0x1
ps3v = 0x1
from = 141193112
i = 144640440
real = 1.5298816543287149e-269
clockRanges = 0x89f2c98
mod = 0x86a6f80 "\n"
reqSym = 0x80f713a "ÿÿÿ"
s = 0xbffff548 "hõÿ¿³q\017\b\200oj\b"
config1 = 8 '\b'
config2 = 106 'j'
m = 111 'o'
n = 128 '\200'
n1 = 8 '\b'
n2 = 159 '\237'
cr66 = 44 ','
mclk = 136256780
hwp = 0x1
vgaCRIndex = 144649396
vgaCRReg = 141926464
vgaIOBase = 141193112
#48 0x080f71b3 in S3VPreInit (pScrn=0x86a6f80, flags=136325664)
at s3v_driver.c:704
pEnt = 0x705b0
ps3v = 0x0
from = X_PROBED
i = 141193088
real = 7.4400138474198825e-270
clockRanges = 0x0
mod = 0x86a6f98 ""
reqSym = 0x1 <Address 0x1 out of bounds>
s = 0x1 <Address 0x1 out of bounds>
config1 = 8 '\b'
config2 = 106 'j'
m = 111 'o'
n = 152 '\230'
n1 = 8 '\b'
n2 = 159 '\237'
cr66 = 9 '\t'
mclk = 136325664
hwp = 0xbffff634
vgaCRIndex = 144649368
vgaCRReg = 141193088
vgaIOBase = 135229754
#49 0x080da2b6 in nv10CalcArbitration (fifo=0x0, arb=0x1) at riva_hw.c:999
data = 136325664
pagemiss = 1
cas = 136316996
width = 0
video_enable = 136325664
color_key_enable = 141193088
bpp = 135111350
align = -1073744504
nvclks = 2
mclks = 136325664
pclks = 460208
vpagemiss = 0
crtpagemiss = 0
vbs = 141193088
nvclk_fill = 135229875
us_extra = -1073744536
found = 0
mclk_extra = 141193112
mclk_loop = 1
cbs = 1
m1 = 141193112
mclk_freq = 144640440
pclk_freq = 136325664
nvclk_freq = -1073744332
mp_enable = 144649368
us_m = 141193088
us_m_min = 135229754
us_n = -1073744568
us_p = 141193088
video_drain_rate = 144649368
crtc_drain_rate = 136256780
vus_m = 1
vus_n = 144649396
vus_p = 141926464
vpm_us = 141193112
us_video = 141926524
vlwm = -872586240
cpm_us = 144649404
us_crt = 135225408
clwm = -1073744616
clwm_rnd_down = -1073744584
craw = 141193112
m2us = 136256780
us_pipe = 11
us_pipe_min = 371889197
vus_pipe = 144649484
p1clk = 135235261
p2 = 371889197
pclks_2_top_fifo = 141926516
min_mclk_extra = -2134048768
us_min_mclk_extra = 7845976
#50 0x080c09c1 in GLINTDRISwapContext (pScreen=0x1, syncType=136325664,
readContextType=0, readContextStore=0x0, writeContextType=-1073744328,
writeContextStore=0x81f1d0c) at glint_dri.c:1569
tmp = 136325664
pScrn = 0x0
pGlint = 0x1
pRC = 0x3
pWC = 0x0
dumpIndex = -1073744472
readValue = 136325664
#51 0x080ddb7e in RegionsEqual (A=0xbffff874, B=0x1) at nv_video.c:370
dataA = (int *) 0xffffffff
dataB = (int *) 0x899dd80
num = 0
#52 0x080b92da in GLINTDRISwapContext (pScreen=0x2, syncType=0,
readContextType=136363944, readContextStore=0xbffffcac,
writeContextType=1074596283, writeContextStore=0x40195110)
at glint_dri.c:1049
pScrn = 0x86d97e0
pGlint = 0x1
pRC = 0xbffff874
pWC = 0x8d4
dumpIndex = 141400032
readValue = 135020995
#53 0x080cc117 in SXInitializeEngine (pScrn=0x5) at sx_accel.c:107
tmp = 1075400976
pGlint = 0x401963f0
#54 0x400747b8 in ?? ()
No symbol table info available.
#55 0x00000005 in ?? ()
No symbol table info available.
#56 0xbffffd54 in ?? ()
No symbol table info available.
#57 0xbffffd6c in ?? ()
No symbol table info available.
#58 0x00000000 in ?? ()
No symbol table info available.
#59 0x40195110 in ?? ()
No symbol table info available.
#60 0x40016480 in ?? ()
No symbol table info available.
#61 0xbffffce0 in ?? ()
No symbol table info available.
#62 0x081a2d20 in SavageSave (pScrn=0xbffffe6c) at savage_driver.c:1547
cr3a = 0 '\0'
cr53 = 0 '\0'
cr66 = 0 '\0'
hwp = 0xbffffd4c
vgaSavePtr = 0x4000c290
psav = 0x81a2d80
save = 0x81a2d20
vgaCRReg = 49151
vgaCRIndex = 64852
#63 0xbffffe67 in ?? ()
No symbol table info available.
#64 0xbffffe6c in ?? ()
No symbol table info available.
#65 0xbffffe70 in ?? ()
No symbol table info available.
#66 0xbffffe7a in ?? ()
No symbol table info available.
#67 0x00000000 in ?? ()
No symbol table info available.
#68 0xbffffe7e in ?? ()
No symbol table info available.
#69 0xbffffe85 in ?? ()
No symbol table info available.
#70 0xbffffe95 in ?? ()
No symbol table info available.
#71 0xbffffea0 in ?? ()
No symbol table info available.
#72 0xbffffeb0 in ?? ()
No symbol table info available.
#73 0xbffffeba in ?? ()
No symbol table info available.
#74 0xbffffece in ?? ()
No symbol table info available.
#75 0xbfffff1d in ?? ()
No symbol table info available.
#76 0xbfffff27 in ?? ()
No symbol table info available.
#77 0xbfffff42 in ?? ()
No symbol table info available.
#78 0xbfffff53 in ?? ()
No symbol table info available.
#79 0xbfffff5b in ?? ()
No symbol table info available.
#80 0xbfffff66 in ?? ()
No symbol table info available.
#81 0xbfffff73 in ?? ()
No symbol table info available.
#82 0xbfffff9e in ?? ()
No symbol table info available.
#83 0xbfffffb4 in ?? ()
No symbol table info available.
#84 0xbfffffc8 in ?? ()
No symbol table info available.
#85 0x00000000 in ?? ()
No symbol table info available.
#86 0x00000020 in ?? ()
No symbol table info available.
#87 0xffffe400 in ?? ()
No symbol table info available.
#88 0x00000021 in ?? ()
No symbol table info available.
#89 0xffffe000 in ?? ()
No symbol table info available.
#90 0x00000010 in ?? ()
No symbol table info available.
#91 0x3febfbff in ?? ()
No symbol table info available.
#92 0x00000006 in ?? ()
No symbol table info available.
#93 0x00001000 in ?? ()
No symbol table info available.
#94 0x00000011 in ?? ()
No symbol table info available.
#95 0x00000064 in ?? ()
No symbol table info available.
#96 0x00000003 in ?? ()
No symbol table info available.
#97 0x08048034 in ?? ()
No symbol table info available.
#98 0x00000004 in ?? ()
No symbol table info available.
#99 0x00000020 in ?? ()
No symbol table info available.
#100 0x00000005 in ?? ()
No symbol table info available.
#101 0x00000008 in ?? ()
No symbol table info available.
#102 0x00000007 in ?? ()
No symbol table info available.
#103 0x40000000 in ?? ()
No symbol table info available.
#104 0x00000008 in ?? ()
No symbol table info available.
#105 0x00000000 in ?? ()
No symbol table info available.
#106 0x00000009 in ?? ()
No symbol table info available.
#107 0x0806d0b0 in Mga32SubsequentSolidFillRect (pScrn=0x3131582f,
x=754997295, y=6910052, w=3158065, h=1819242029) at mga_storm32.c:1454
n = 1761607680
pMga = 0x363836
#108 0x6e69622f in ?? ()
No symbol table info available.
#109 0x3131582f in ?? ()
No symbol table info available.
#110 0x2d00582f in ?? ()
No symbol table info available.
#111 0x00697064 in ?? ()
No symbol table info available.
#112 0x00303031 in ?? ()
No symbol table info available.
#113 0x6c6f6e2d in ?? ()
No symbol table info available.
#114 0x65747369 in ?? ()
No symbol table info available.
#115 0x6374006e in ?? ()
No symbol table info available.
#116 0x5a480070 in ?? ()
No symbol table info available.
#117 0x3030313d in ?? ()
No symbol table info available.
#118 0x45485300 in ?? ()
No symbol table info available.
#119 0x2f3d4c4c in ?? ()
No symbol table info available.
#120 0x2f6e6962 in ?? ()
No symbol table info available.
#121 0x68736162 in ?? ()
No symbol table info available.
#122 0x52455400 in ?? ()
No symbol table info available.
#123 0x696c3d4d in ?? ()
No symbol table info available.
#124 0x0078756e in ?? ()
No symbol table info available.
#125 0x48535548 in ?? ()
No symbol table info available.
#126 0x49474f4c in ?? ()
No symbol table info available.
#127 0x41463d4e in ?? ()
No symbol table info available.
#128 0x0045534c in ?? ()
No symbol table info available.
#129 0x52455355 in ?? ()
No symbol table info available.
#130 0x6f6f723d in ?? ()
No symbol table info available.
#131 0x414d0074 in ?? ()
No symbol table info available.
#132 0x2f3d4c49 in ?? ()
No symbol table info available.
#133 0x2f726176 in ?? ()
No symbol table info available.
#134 0x6c69616d in ?? ()
No symbol table info available.
#135 0x6f6f722f in ?? ()
No symbol table info available.
#136 0x41500074 in ?? ()
No symbol table info available.
#137 0x2f3d4854 in ?? ()
No symbol table info available.
#138 0x2f727375 in ?? ()
No symbol table info available.
#139 0x61636f6c in ?? ()
No symbol table info available.
#140 0x62732f6c in ?? ()
No symbol table info available.
#141 0x2f3a6e69 in ?? ()
No symbol table info available.
#142 0x2f727375 in ?? ()
No symbol table info available.
#143 0x61636f6c in ?? ()
No symbol table info available.
#144 0x69622f6c in ?? ()
No symbol table info available.
#145 0x752f3a6e in ?? ()
No symbol table info available.
#146 0x732f7273 in ?? ()
No symbol table info available.
#147 0x3a6e6962 in ?? ()
No symbol table info available.
#148 0x7273752f in ?? ()
No symbol table info available.
#149 0x6e69622f in ?? ()
No symbol table info available.
#150 0x62732f3a in ?? ()
No symbol table info available.
#151 0x2f3a6e69 in ?? ()
No symbol table info available.
#152 0x3a6e6962 in ?? ()
No symbol table info available.
#153 0x7273752f in ?? ()
No symbol table info available.
#154 0x6e69622f in ?? ()
No symbol table info available.
#155 0x3131582f in ?? ()
No symbol table info available.
#156 0x2f3d5f00 in ?? ()
No symbol table info available.
#157 0x2f6e6962 in ?? ()
No symbol table info available.
#158 0x50006873 in ?? ()
No symbol table info available.
#159 0x2f3d4457 in ?? ()
No symbol table info available.
#160 0x656d6f68 in ?? ()
No symbol table info available.
#161 0x6c65682f in ?? ()
No symbol table info available.
#162 0x61686567 in ?? ()
No symbol table info available.
#163 0x74782f66 in ?? ()
No symbol table info available.
#164 0x2f747365 in ?? ()
No symbol table info available.
#165 0x414c0033 in ?? ()
No symbol table info available.
#166 0x6e3d474e in ?? ()
No symbol table info available.
#167 0x4f4e5f6f in ?? ()
No symbol table info available.
#168 0x4654552e in ?? ()
No symbol table info available.
#169 0x5300382d in ?? ()
No symbol table info available.
#170 0x4c564c48 in ?? ()
No symbol table info available.
#171 0x4800323d in ?? ()
No symbol table info available.
#172 0x3d454d4f in ?? ()
No symbol table info available.
#173 0x6f6f722f in ?? ()
No symbol table info available.
#174 0x4f4c0074 in ?? ()
No symbol table info available.
#175 0x4d414e47 in ?? ()
No symbol table info available.
#176 0x6f723d45 in ?? ()
No symbol table info available.
#177 0x4300746f in ?? ()
No symbol table info available.
#178 0x5353414c in ?? ()
No symbol table info available.
#179 0x48544150 in ?? ()
No symbol table info available.
#180 0x73752f3d in ?? ()
No symbol table info available.
#181 0x6f6c2f72 in ?? ()
No symbol table info available.
#182 0x2f6c6163 in ?? ()
No symbol table info available.
#183 0x7374656e in ?? ()
No symbol table info available.
#184 0x65706163 in ?? ()
No symbol table info available.
#185 0x76616a2f in ?? ()
No symbol table info available.
#186 0x6c632f61 in ?? ()
No symbol table info available.
#187 0x65737361 in ?? ()
No symbol table info available.
#188 0x454c0073 in ?? ()
No symbol table info available.
#189 0x504f5353 in ?? ()
No symbol table info available.
#190 0x7c3d4e45 in ?? ()
No symbol table info available.
#191 0x7373656c in ?? ()
No symbol table info available.
#192 0x65706970 in ?? ()
No symbol table info available.
#193 0x00732520 in ?? ()
No symbol table info available.
#194 0x52415453 in ?? ()
No symbol table info available.
#195 0x4f50535f in ?? ()
No symbol table info available.
#196 0x445f4c4f in ?? ()
No symbol table info available.
#197 0x2f3d5249 in ?? ()
No symbol table info available.
#198 0x00706d74 in ?? ()
No symbol table info available.
#199 0x54554158 in ?? ()
No symbol table info available.
#200 0x49524f48 in ?? ()
No symbol table info available.
#201 0x2f3d5954 in ?? ()
No symbol table info available.
#202 0x746f6f72 in ?? ()
No symbol table info available.
#203 0x61582e2f in ?? ()
No symbol table info available.
#204 0x6f687475 in ?? ()
No symbol table info available.
#205 0x79746972 in ?? ()
No symbol table info available.
#206 0x73752f00 in ?? ()
No symbol table info available.
#207 0x31582f72 in ?? ()
No symbol table info available.
#208 0x2f365231 in ?? ()
No symbol table info available.
#209 0x2f6e6962 in ?? ()
No symbol table info available.
#210 0x65724658 in ?? ()
No symbol table info available.
#211 0x00363865 in ?? ()
No symbol table info available.
#212 0x00000000 in ?? ()
No symbol table info available.
Cannot access memory at address 0xc0000000
(gdb) quit
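The backtrace above stops being meaningful well before frame #212: gdb has walked off the real stack and is printing raw words from the top of the process image as if they were return addresses. As an added example (not part of this bug report or of gdb), the following Python script decodes the unsymbolized `?? ()` frames as little-endian ASCII, which is how a triager can tell at a glance where a trace turns into garbage. It assumes an i386 core (little-endian, as gdb reports above); the sample input is a constructed subset copied from the trace in this report.

```python
import re
import struct

# Matches the frames gdb could not symbolize, e.g. "#108 0x6e69622f in ?? ()".
UNSYMBOLIZED = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+\?\?\s+\(\)\s*$")


def unsymbolized_frames(lines):
    """Yield (frame_number, word) for every '?? ()' frame in a 'bt' listing."""
    for line in lines:
        m = UNSYMBOLIZED.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2), 16)


def word_as_text(word):
    """Return the four little-endian bytes of `word` as text when every byte is
    printable ASCII or NUL (i.e. it looks like a string fragment), else None."""
    raw = struct.pack("<I", word & 0xFFFFFFFF)  # i386 core file: little-endian
    if all(b == 0 or 0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def recover_strings(lines, min_len=2):
    """Reassemble NUL-separated strings from runs of consecutive '?? ()' frames
    whose 'return addresses' are really text. A non-text word or a gap in the
    frame numbering ends a run, so fragments from unrelated stack regions are
    never glued together."""
    found = []
    buf = ""
    prev = None

    def flush():
        nonlocal buf
        for piece in buf.split("\0"):
            if len(piece) >= min_len:
                found.append(piece)
        buf = ""

    for frame, word in unsymbolized_frames(lines):
        text = word_as_text(word)
        if text is None or (prev is not None and frame != prev + 1):
            flush()
        if text is not None:
            buf += text
        prev = frame
    flush()
    return found


# Constructed sample: a subset of the frames from the backtrace in this report.
SAMPLE = """\
#107 0x0806d0b0 in Mga32SubsequentSolidFillRect (pScrn=0x3131582f,
    x=754997295, y=6910052, w=3158065, h=1819242029) at mga_storm32.c:1454
#108 0x6e69622f in ?? ()
No symbol table info available.
#109 0x3131582f in ?? ()
No symbol table info available.
#110 0x2d00582f in ?? ()
#111 0x00697064 in ?? ()
#112 0x00303031 in ?? ()
#113 0x6c6f6e2d in ?? ()
#114 0x65747369 in ?? ()
#115 0x6374006e in ?? ()
#116 0x5a480070 in ?? ()
#117 0x3030313d in ?? ()
#118 0x45485300 in ?? ()
#119 0x2f3d4c4c in ?? ()
#120 0x2f6e6962 in ?? ()
#121 0x68736162 in ?? ()
#165 0x414c0033 in ?? ()
#166 0x6e3d474e in ?? ()
#167 0x4f4e5f6f in ?? ()
#168 0x4654552e in ?? ()
#169 0x5300382d in ?? ()
"""

if __name__ == "__main__":
    for s in recover_strings(SAMPLE.splitlines()):
        print(s)
```

Run against the full trace, frames #108 onward decode to the command line (`/bin/X11/X -dpi 100 -nolisten tcp`, matching gdb's "Core was generated by" line) followed by the environment, including the `LANG=no_NO.UTF-8` from the bug title. Frames #85 to #106 are the ELF auxiliary vector (type/value pairs such as AT_PAGESZ=6 with 0x1000 and AT_CLKTCK=17 with 100), which sits just below the argument strings at the top of the initial stack. So the unwinder has run all the way to the end of the process image, and the driver functions it reports in between (TGA, GLINT, S3V, NV, Savage, MGA) are addresses that merely fell inside those symbols, not a real call chain. For locating the abort, only the innermost frames count, and frames #0 to #3 lie in a shared library loaded at 0x40000000 with no symbols available, so a symbolized libc would be the next step.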