** Description changed: - Running "xauth generate" with a large timeout value (e.g., "xauth - generate :0.0 . trusted timeout 99999999") causes the X server to crash - with an assertion failure. Immediately upon running the command, the X - server crashes, and after a few seconds, the login screen appears. + [Impact] + xauth is not commonly run by users, but applications should not be able to crash the X server. In the case of a guest session, although this does not allow the guest to terminate other users' sessions it leaves the system at a blank VT from which it is not obvious how to recover. + + [Development] + The patch has also been applied to ubuntu-x git, and will be uploaded with 2:1.8.1.901-1ubuntu1. + + [Patch] + The patch is taken from upstream's patchwork tracker: http://patchwork.freedesktop.org/patch/242/ . This patch replaces the existing 122_xext_fix_card32_overflow_in_xauth.patch added in 2:1.7.6-2ubuntu6, which was an earlier patch from the same mailing list thread. + + [Test Case 1] + 1. Update Lucid to the latest version. Reboot and log into Gnome + 2. Open a gnome-terminal + 3. Run “xauth generate $DISPLAY . timeout 99999999” + 4. Xserver instantly crashes (and is restarted by display manager). It should not crash at this point. + + [Test Case 2] + 1. Update Lucid to the latest version. Reboot and log into Gnome + 2. From the session menu select “Guest session” + 2. In the new guest session, open a gnome-terminal + 3. Run “xauth -i generate $DISPLAY . timeout 99999999” + 4. Xserver instantly crashes, resulting in a black screen. After setting console to raw mode (Alt+SysRq+R) Ctrl+Alt+F7 (or possibly F8, F9, etc) will switch back to the original user's session. + + [Regression Potential] + Low. The patch is small, just dropping the assert that causes the crash and ensuring the timeout values fit in the positive range of a CARD32 value. 
+ + There is a known problem with the patch when the epoch time is sufficiently far in the future that we can ignore it for now. + """ + When epoch time is GetTimeInMillis() - + (CARD32)(MAXINT), ie Sun Jan 10 2038 11:09:28 GMT+0530 (IST), security + authorization will expire with timeout reset to Zero. + """ + + [Original Report] + Running "xauth generate" with a large timeout value (e.g., "xauth generate :0.0 . trusted timeout 99999999") causes the X server to crash with an assertion failure. Immediately upon running the command, the X server crashes, and after a few seconds, the login screen appears. I have attached a full backtrace. Xorg.0.log and dmesg don't contain any relevant data. SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed. #3 0x0039f648 in *__GI___assert_fail (assertion=0x81e1ac0 "pAuth->timer == timer", - file=0x81e1aaa "../../Xext/security.c", line=322, function=0x81e1e3a "SecurityAuthorizationExpired") at assert.c:81 + file=0x81e1aaa "../../Xext/security.c", line=322, function=0x81e1e3a "SecurityAuthorizationExpired") at assert.c:81 buf = 0x9f64128 "X: ../../Xext/security.c:322: SecurityAuthorizationExpired: Assertion `pAuth->timer == timer' failed.\n" #4 0x0815f5bc in SecurityAuthorizationExpired (timer=0x9ff7018, time=3179634, pval=0x6) at ../../Xext/security.c:322 __PRETTY_FUNCTION__ = "SecurityAuthorizationExpired" #5 0x081313c2 in TimerSet (timer=0x9ff7018, flags=<value optimized out>, millis=3179338, func=0x815f520 <SecurityAuthorizationExpired>, arg=0x9ee0c70) at ../../os/WaitFor.c:465 prev = <value optimized out> now = 6 #6 0x0815f4f5 in SecurityStartAuthorizationTimer (pAuth=0x9ee0c70) at ../../Xext/security.c:353 #7 0x0815fa01 in ProcSecurityGenerateAuthorization (client=0x9dfa820) at ../../Xext/security.c:578 pAuth = 0x9ee0c70 err = <value optimized out> authId = 372 rep = {type = 164 '\244', pad0 = 96 '`', sequenceNumber = 2079, length = 3221023496, authId = 0, dataLength = 4, pad1 = 0, pad2 = 165652512, pad3 = 
0, pad4 = 165652512, pad5 = 162973096} trustLevel = 0 group = 0 timeout = 99999999 values = <value optimized out> protoname = 0xa002584 "MIT-MAGIC-COOKIE-1" authdata_len = <value optimized out> pAuthdata = <value optimized out> eventMask = 0 lsb_release -rd: Description: Ubuntu 9.10 Release: 9.10 apt-cache policy xserver-xorg-core: xserver-xorg-core: Installed: 2:1.6.4-2ubuntu4.1 Candidate: 2:1.6.4-2ubuntu4.1 Version table: *** 2:1.6.4-2ubuntu4.1 0 500 http://us.archive.ubuntu.com karmic-updates/main Packages 500 http://security.ubuntu.com karmic-security/main Packages 100 /var/lib/dpkg/status 2:1.6.4-2ubuntu4 0 500 http://us.archive.ubuntu.com karmic/main Packages
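Review bot: In [Test Case 2] two consecutive steps are both numbered 2, and the final step only describes the crash and the key sequence for getting back to the original session; it never says what should happen once the fix is installed. Renumber the steps 1 to 5 and add the expected result, as [Test Case 1] does with "It should not crash at this point", so that whoever verifies the update has a pass criterion for the guest-session case too.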
** Changed in: xorg-server (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: xorg-server (Ubuntu Lucid)
       Status: Triaged => Fix Committed

-- 
"xauth generate" with large timeout triggers assertion
https://bugs.launchpad.net/bugs/519049
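The arithmetic behind the backtrace above, as an added example (a model written for this page, not code from the bug report or from Xext/security.c): a timeout capped to the full unsigned 32-bit millisecond range wraps when added to the current time, so the timer is due before it has been stored, while a cap at the positive range is not. The helper names, the cap-to-whole-seconds logic and the signed-difference expiry test are assumptions; the values 99999999, 3179634 and 3179338 are the ones shown in frames #4, #5 and #7.

```c
#include <stdint.h>
#include <stdio.h>

#define MILLI_PER_SECOND 1000u

/* Convert seconds to milliseconds, capped to the largest whole number of
 * seconds whose millisecond value does not exceed `limit` (assumed model). */
static uint32_t cap_millis(uint32_t seconds, uint32_t limit)
{
    uint32_t max_secs = limit / MILLI_PER_SECOND;
    if (seconds > max_secs)
        seconds = max_secs;
    return seconds * MILLI_PER_SECOND;
}

/* Absolute expiry on a 32-bit millisecond clock; wraps modulo 2^32. */
static uint32_t expiry(uint32_t now, uint32_t delta)
{
    return now + delta;
}

/* Wrap-aware "is this timer already due?" test using a signed difference. */
static int already_due(uint32_t now, uint32_t expires)
{
    return (int32_t)(expires - now) <= 0;
}

int main(void)
{
    uint32_t now  = 3179634u;   /* time= in frame #4 of the backtrace */
    uint32_t secs = 99999999u;  /* timeout= in frame #7 */

    /* Cap at the whole unsigned range: the delta is 296 ms short of 2^32,
     * so now + delta lands 296 ms in the past. */
    uint32_t wide = cap_millis(secs, UINT32_MAX);
    printf("unsigned cap: delta=%u expires=%u due=%d\n",
           wide, expiry(now, wide), already_due(now, expiry(now, wide)));

    /* Cap at the positive range: the signed difference stays positive. */
    uint32_t safe = cap_millis(secs, INT32_MAX);
    printf("positive cap: delta=%u expires=%u due=%d\n",
           safe, expiry(now, safe), already_due(now, expiry(now, safe)));
    return 0;
}
```

The first line of output reproduces millis=3179338 from frame #5, which is why the expiry callback runs from inside TimerSet.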