
Bug#269860: 'xset m' provokes SIGILL in X server with non-mouse CorePointer



severity 269860 important
retitle 269860 xserver-xfree86: [dix/various input drivers] 'xset m' will SIGILL the server if the core pointer doesn't register an InitPtrFeedbackClassDeviceStruct callback [DoS attack?]
tag 269860 + upstream help
thanks

On Sat, Sep 04, 2004 at 12:25:56AM +0100, Colin Hogben wrote:
> Package: xserver-xfree86
> Version: 4.3.0.dfsg.1-4
[...]
> Program received signal SIGILL, Illegal instruction.
> 0x00000013 in ?? ()
> (gdb) bt
> #0  0x00000013 in ?? ()
> #1  0x401ed550 in ?? () from /lib/libc.so.6
> #2  0x084cf4d0 in ProcChangePointerControl (client=0x8bc0b00) at devices.c:1574
> #3  0x084d00c8 in Dispatch () at dispatch.c:450
> #4  0x084e763c in main (argc=3, argv=0xbffffd9c, envp=0xbffffdac) at main.c:469
> 
> It appears that ProcChangePointerControl is calling
> (*mouse->ptrfeed->CtrlProc)(mouse, &mouse->ptrfeed->ctrl);
> 
> but mouse->ptrfeed is 0
[...]
> Although I defer to those with understanding of the X design, ancestry
> of MIT X, xfree86 and other derived implementations, my suggestions
> would be:
> 
> 1. The contract between input drivers and the rest of the server needs
> to be clarified;
> 
> 2. Something needs to be fixed - either:
> 
>   i) make dix tolerant of core pointer devices which do not support
>   pointer feedback (surely acceleration has no meaning for a
>   touch-screen?), and clean up input drivers which no longer need to
>   register dummy pointer feedback function;
[...]
> I prefer 2(i).

I am sorry that it has taken so long to get back to you about this.

Essentially, I agree with your analysis, but the level of patching your
suggestion requires is a bit above the norm for distributors like Debian.

I will accept a patch for this (hence I am tagging it "help"), but your
best bet is probably to approach the freedesktop.org X.Org people.

The most appropriate mailing list for this is probably:
  http://lists.freedesktop.org/mailman/listinfo/xorg

Given that any X client can generate the same X protocol requests as "xset
m", this issue could conceivably be characterized as a denial-of-service
attack against the X server.  If you couch it in those terms, it will
either make people annoyed with you and prolong the failure to rectify it,
or motivate them to take it seriously and fix it.  Unfortunately, I cannot
guess which.  :(

For design issues like this, I tend to defer to the heroes I worship, like
Keith Packard and Jim Gettys.  So if you guys are reading this, please feel
free to put in your two cents.  :)

-- 
G. Branden Robinson                |    The word "power" is an obscenity in
Debian GNU/Linux                   |    a democracy.
branden@debian.org                 |    -- Andy Jacobs, Jr.
http://people.debian.org/~branden/ |
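The crash in the quoted backtrace and the fix Colin calls option 2(i) can be modelled in a few lines. The following is an added, stand-alone illustration, not code from the X server, Debian, or either correspondent: the structure and function names (FakeDevice, PtrFeedbackClass, the process_change_pointer_control_* functions, the RESULT_* codes) are constructed stand-ins for dix's DeviceIntRec, ptrfeed class and Success/BadDevice replies. It contrasts the unguarded dispatch, which jumps through a NULL ptrfeed when the core pointer is a touchscreen, with a guarded form that answers such a device with an error instead.

```c
/* Added example: simplified model of the 'xset m' failure and the
 * "make dix tolerant" fix.  All names here are constructed for
 * illustration and are not the X server's own identifiers. */
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the protocol's Success / BadDevice replies. */
enum { RESULT_SUCCESS = 0, RESULT_BAD_DEVICE = 1 };

/* Pointer acceleration parameters that an 'xset m' request changes. */
typedef struct {
    int num, den, threshold;
} PtrCtrl;

typedef struct FakeDevice FakeDevice;

/* Same shape as the ptrfeed class: a control block plus the driver's callback. */
typedef struct {
    PtrCtrl ctrl;
    void (*CtrlProc)(FakeDevice *dev, PtrCtrl *ctrl);
} PtrFeedbackClass;

struct FakeDevice {
    const char *name;
    PtrFeedbackClass *ptrfeed;   /* NULL when the driver never registered pointer feedback */
};

/* Unguarded form, as in the backtrace: dereferences ptrfeed unconditionally.
 * With ptrfeed == NULL the call below jumps to garbage (the reported SIGILL). */
static int process_change_pointer_control_unguarded(FakeDevice *mouse, int num, int den, int thr)
{
    mouse->ptrfeed->ctrl.num = num;
    mouse->ptrfeed->ctrl.den = den;
    mouse->ptrfeed->ctrl.threshold = thr;
    (*mouse->ptrfeed->CtrlProc)(mouse, &mouse->ptrfeed->ctrl);
    return RESULT_SUCCESS;
}

/* Guarded form (option 2(i)): a core pointer without pointer feedback gets an
 * error reply, and the request from the unprivileged client is simply refused. */
static int process_change_pointer_control_guarded(FakeDevice *mouse, int num, int den, int thr)
{
    if (mouse->ptrfeed == NULL || mouse->ptrfeed->CtrlProc == NULL)
        return RESULT_BAD_DEVICE;
    mouse->ptrfeed->ctrl.num = num;
    mouse->ptrfeed->ctrl.den = den;
    mouse->ptrfeed->ctrl.threshold = thr;
    (*mouse->ptrfeed->CtrlProc)(mouse, &mouse->ptrfeed->ctrl);
    return RESULT_SUCCESS;
}

/* Constructed mouse driver callback: records the last numerator it was handed. */
static int last_num_seen = 0;
static void mouse_ctrl_proc(FakeDevice *dev, PtrCtrl *ctrl)
{
    (void)dev;
    last_num_seen = ctrl->num;
}

/* The two core pointers from the report: a mouse that registered feedback,
 * and a touchscreen that did not (constructed sample devices). */
static PtrFeedbackClass mouse_feedback = { {1, 1, 0}, mouse_ctrl_proc };
static FakeDevice real_mouse = { "mouse", &mouse_feedback };
static FakeDevice touchscreen = { "touchscreen", NULL };

/* Helpers exposing the outcomes of simulated 'xset m <num> <den> <thr>' requests. */
int xset_m_guarded_on_touchscreen(int num, int den, int thr)
{
    return process_change_pointer_control_guarded(&touchscreen, num, den, thr);
}
int xset_m_guarded_on_mouse(int num, int den, int thr)
{
    return process_change_pointer_control_guarded(&real_mouse, num, den, thr);
}
int xset_m_unguarded_on_mouse(int num, int den, int thr)
{
    return process_change_pointer_control_unguarded(&real_mouse, num, den, thr);
}
int last_num_seen_by_driver(void) { return last_num_seen; }

int main(void)
{
    printf("guarded, mouse:       %d (driver saw num=%d)\n",
           xset_m_guarded_on_mouse(4, 1, 2), last_num_seen_by_driver());
    printf("guarded, touchscreen: %d (BadDevice instead of a crash)\n",
           xset_m_guarded_on_touchscreen(4, 1, 2));
    /* The unguarded path is only ever called with the mouse here; calling it
     * with the touchscreen would reproduce the NULL dereference from the report. */
    printf("unguarded, mouse:     %d\n", xset_m_unguarded_on_mouse(7, 1, 2));
    return 0;
}
```

The guard is the whole of the dix-side change: the request is rejected for a device that cannot honour it, which removes the client-triggerable crash without touching any input driver.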
