Re: sysutils/rofi sometimes coredumps in __vfprintf (+ similar crash in fvwm3)

Omar Polo Sat, 30 Sep 2023 02:00:48 -0700

On 2023/09/28 22:10:08 +0300, Mikhail <mp39...@gmail.com> wrote:
> Core was generated by `rofi'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> 125             movq    (%rax),%rdx             /* get bytes to check */
> (gdb) bt
> #0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> #1  0x00000c011b001558 in __vfprintf (fp=<optimized out>, fmt0=<optimized 
> out>, ap=<optimized out>) at /usr/src/lib/libc/stdio/vfprintf.c:877
> #2  0x00000c011affa5a5 in _libc_vasprintf (str=0x76d393e72e40, 
> fmt=0xbfe638afa35 "Found window manager: |%s|", ap=0x76d393e73030) at 
> /usr/src/lib/libc/stdio/vasprintf.c:43
> #3  0x00000c010a1f0ac7 in g_vasprintf () from 
> /usr/local/lib/libglib-2.0.so.4201.10
> #4  0x00000c010a1b512d in g_strdup_vprintf () from 
> /usr/local/lib/libglib-2.0.so.4201.10
> #5  0x00000c010a197b3b in g_logv () from /usr/local/lib/libglib-2.0.so.4201.10
> #6  0x00000c010a197a55 in g_log () from /usr/local/lib/libglib-2.0.so.4201.10
> #7  0x00000bfe638f8a5e in display_setup ()
> #8  0x00000bfe638d8c8f in main ()


I managed to reproduce it.  It doesn't seem to fail with CWM, so I run
fvwm3 inside Xephyr.

The issue seems to be in source/xcb.c:

(gdb) p wtitle.strings
$2 = 0xf9d9ce2ce30 "FVWM", '\004' <repeats 12 times>, '\337' <repeats 183 
times>, <incomplete sequence \337>...

wtitle.strings is not NUL terminated, so it later crashes in strlen
(via __vfprintf) after it goes out of the bounds.

This seems to fix it, but I'm not knowledgable enough to tell whether
this is a FVWM3 issue.  (i assume so tho since it's intermittent.)

Can you give this diff a spin?  I don't use nor rofi anymore nor
fvwm3.

(more below the diff)

Index: Makefile
===================================================================
RCS file: /home/cvs/ports/sysutils/rofi/Makefile,v
retrieving revision 1.41
diff -u -p -r1.41 Makefile
--- Makefile    27 Sep 2023 17:16:33 -0000      1.41
+++ Makefile    30 Sep 2023 08:53:55 -0000
@@ -2,7 +2,7 @@ COMMENT =               window switcher, run dialog a
 
 V =                    1.7.5
 DISTNAME =             rofi-${V}
-REVISION =             0
+REVISION =             1
 
 CATEGORIES =           sysutils x11
 HOMEPAGE =             https://github.com/davatorium/rofi
@@ -35,6 +35,8 @@ CONFIGURE_STYLE =     gnu
 CONFIGURE_ARGS =       --disable-check
 CONFIGURE_ENV =                CPPFLAGS="-I${LOCALBASE}/include 
-I${X11BASE}/include" \
                        YACC="bison -y"
+
+DEBUG_PACKAGES =       ${BUILD_PACKAGES}
 
 pre-configure:
        sed -i 's,/usr/bin/env bash,/bin/sh,' ${WRKSRC}/script/get_git_rev.sh
Index: patches/patch-source_xcb_c
===================================================================
RCS file: patches/patch-source_xcb_c
diff -N patches/patch-source_xcb_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-source_xcb_c  30 Sep 2023 08:54:47 -0000
@@ -0,0 +1,14 @@
+fwm3 doesn't always NUL terminate the response
+
+Index: source/xcb.c
+--- source/xcb.c.orig
++++ source/xcb.c
+@@ -1475,7 +1475,7 @@ static void x11_helper_discover_window_manager(void) {
+         xcb_ewmh_get_wm_name_unchecked(&(xcb->ewmh), wm_win);
+     if (xcb_ewmh_get_wm_name_reply(&(xcb->ewmh), cookie, &wtitle, (void *)0)) 
{
+       if (wtitle.strings_len > 0) {
+-        g_debug("Found window manager: |%s|", wtitle.strings);
++        g_debug("Found window manager: |%.*s|", wtitle.strings_len, 
wtitle.strings);
+         if (g_strcmp0(wtitle.strings, "i3") == 0) {
+           current_window_manager =
+               WM_DO_NOT_CHANGE_CURRENT_DESKTOP | WM_PANGO_WORKSPACE_NAMES;


> As a side note - yesterday I got very suspicious crash in fvwm3
> during simple fvwm restart, I can't reproduce it, but the bt also had
> __vfprintf in it, fvwm3 dev's said that it was very strange segfault and
> they have no idea what has happened, but with fvwm the snapshot wasn't
> very new.
> 
> Reading symbols from fvwm3...
> Reading symbols from /usr/local/bin/.debug/fvwm3.dbg...
> [New process 532945]
> Core was generated by `fvwm3'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> 125             movq    (%rax),%rdx             /* get bytes to check */
> (gdb) bt
> #0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> #1  0x00000141784fd6d8 in __vfprintf (fp=<optimized out>, fmt0=<optimized 
> out>, ap=<optimized out>) at /usr/src/lib/libc/stdio/vfprintf.c:877
> #2  0x00000141784fa996 in _libc_vfprintf (fp=0x14178548630 <usual>, 
> fmt0=0x13f0429b0be "    [KEY] %s\n", ap=0x7a1e8b73bb80) at 
> /usr/src/lib/libc/stdio/vfprintf.c:263
> #3  0x000001417852784c in _libc_fprintf (fp=0x14169019ff0, fmt=0x0) at 
> /usr/src/lib/libc/stdio/fprintf.c:44
> #4  0x0000013f04319b60 in SaveGlobalState (f=0x14178548630 <usual>) at 
> session.c:183

use egdb to go to this frame (f 4) and inspect what it's doing there.
It could be another not-NUL terminated string or some other garbage
pointer.

(oh, and install the fvwm3-debug package if you haven't already)

> #5  save_state_file (filename=<optimized out>) at session.c:732
> #6  0x0000013f042fc28a in Done (restart=<optimized out>, 
> command=0x141d1aceb98 "fvwm3") at fvwm3.c:589
> #7  0x0000013f042eccb5 in CMD_Restart (cond_rc=<optimized out>, 
> exc=<optimized out>, action=0x0, pc=0x2020202020202020) at builtins.c:2447
> #8  0x0000013f0431f00e in _execute_command_line (cond_rc=<optimized out>, 
> exc=<optimized out>, xaction=<optimized out>, caller_pc=<optimized out>, 
> exec_flags=<optimized out>,
>     all_pos_args_string=<optimized out>, pos_arg_tokens=0x0, 
> has_ref_window_moved=0) at functions.c:672
> #9  0x0000013f0431e992 in execute_function (cond_rc=0x14169019ff0, exc=0x0, 
> action=0x0, pc=0x2020202020202020, exec_flags=16843009) at functions.c:1245
> #10 0x0000013f042c0184 in _menu_execute_function (pexc=0x7a1e8b73c620, 
> action=0x141d1aceb90 "Restart fvwm3") at menus.c:253
> #11 0x0000013f042be924 in do_menu (pmp=<optimized out>, pmret=<optimized 
> out>) at menus.c:5825
> #12 0x0000013f0433b907 in menu_func (cond_rc=0x7a1e8b73c808, 
> exc=0x141144e7000, action=0x14172f6a54e "Nop", pc=<optimized out>, 
> fStaysUp=<optimized out>) at menucmd.c:109
> #13 0x0000013f0431f00e in _execute_command_line (cond_rc=<optimized out>, 
> exc=<optimized out>, xaction=<optimized out>, caller_pc=<optimized out>, 
> exec_flags=<optimized out>,
>     all_pos_args_string=<optimized out>, pos_arg_tokens=0x0, 
> has_ref_window_moved=0) at functions.c:672
> #14 0x0000013f0431e992 in execute_function (cond_rc=0x14169019ff0, exc=0x0, 
> action=0x0, pc=0x2020202020202020, exec_flags=16843009) at functions.c:1245
> #15 0x0000013f042dbf90 in _handle_bpress_on_root (exc=0x1414baa8300) at 
> events.c:1667
> #16 HandleButtonPress (ea=<optimized out>) at events.c:1884
> #17 0x0000013f042df666 in dispatch_event (e=0x7a1e8b73cb30) at events.c:4248
> #18 0x0000013f042dfe44 in HandleEvents () at events.c:4287
> #19 0x0000013f0430053c in main (argc=<optimized out>, argv=<optimized out>) 
> at fvwm3.c:2526

Re: sysutils/rofi sometimes coredumps in __vfprintf (+ similar crash in fvwm3)

Reply via email to