Xorg crashes due to calling wrong offset in GL dispatch table for indirect GLX
Submitted by Stefan Brüns
Assigned to Xorg Project Team
Description
(glBindProgramARB is used as an example here; in general, all calls which are remapped are affected.)
The example program is started with LIBGL_ALWAYS_INDIRECT=1
Call chain:
The xserver receives a glXRender request with opcode 0x1054 == 4180, which corresponds to glBindProgramARB. The index for the opcode is looked up in Render_dispatch_tree (=> 300), and Render_function_table[300] points to __glXDisp_BindProgramNV.
Thus far, everything is correct. But looking at __glXDisp_BindProgramNV:
0x7ffff3093fa0 <__glXDisp_BindProgramNV>     mov 0x255fb9(%rip),%rax # 0x7ffff32e9f60
0x7ffff3093fa7 <__glXDisp_BindProgramNV+7>   mov 0x4(%rdi),%esi
0x7ffff3093faa <__glXDisp_BindProgramNV+10>  mov (%rdi),%edi
0x7ffff3093fac <__glXDisp_BindProgramNV+12>  mov %fs:(%rax),%rax
0x7ffff3093fb0 <__glXDisp_BindProgramNV+16>  mov 0x1890(%rax),%rax
0x7ffff3093fb7 <__glXDisp_BindProgramNV+23>  jmpq *%rax
shows that slot/offset 0x1890/8 == 786 is used. Now the dispatch table points to the Mesa internal dispatch table:
(gdb) p ((_glapi_proc*)_glapi_tls_Dispatch)[0]
$56 = (_glapi_proc) 0x7ffff19221c0 <_mesa_NewList>
and slot 786 is:
(gdb) p ((_glapi_proc*)_glapi_tls_Dispatch)[786]
$57 = (_glapi_proc) 0x7ffff1991370 <_mesa_WindowPos3svMESA>
whereas the correct slot is 798:
(gdb) p ((_glapi_proc*)_glapi_tls_Dispatch)[798]
$64 = (_glapi_proc) 0x7ffff190c620 <_mesa_BindProgram>
This offset is defined in the Mesa dispatch.h:
/usr/src/debug/Mesa-9.0.2/src/mesa/main/dispatch.h:#define BindProgramNV_remap_index 377
/usr/src/debug/Mesa-9.0.2/src/mesa/main/dispatch.h:#define _gloffset_BindProgramNV driDispatchRemapTable[BindProgramNV_remap_index]
(gdb) p driDispatchRemapTable[377]
$66 = 798
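To make the indirection in the call chain above concrete, here is a constructed C model (added example, not Xorg or Mesa source) of the two-level dispatch: a stub that indexes the dispatch table with a baked-in offset, next to one that resolves the slot through a remap table first. The slot numbers 786 and 798 and the remap index 377 are the values from this report; the table names prefixed `toy_`, the stand-in entry points and the table sizes are assumptions of the model. It also includes a small consistency check a maintainer could run over generated stubs to catch an offset that disagrees with the remap table.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the two-level GL dispatch described in the report
   (constructed example, not Xorg or Mesa code). Slots 786 and 798 and
   remap index 377 come from the report; every table entry is a stand-in. */

typedef void (*glapi_proc)(void);

#define TOY_TABLE_SIZE 1024   /* enough slots to hold slot 798 (assumed size) */
#define TOY_REMAP_SIZE 512    /* enough indices to hold index 377 (assumed size) */

/* Stand-ins for the Mesa entry points named in the gdb output. */
void toy_mesa_WindowPos3svMESA(void) {}
void toy_mesa_BindProgram(void) {}
void toy_mesa_unimplemented(void) {}

/* Stands in for _glapi_tls_Dispatch: slot -> entry point. */
static glapi_proc toy_dispatch[TOY_TABLE_SIZE];

/* Stands in for driDispatchRemapTable: remap index -> runtime slot. */
static int toy_remap_table[TOY_REMAP_SIZE];

#define BindProgramNV_remap_index 377    /* from dispatch.h in the report */
#define STALE_BindProgramNV_OFFSET 786   /* 0x1890/8, from the disassembly */

/* Populate the tables the way the report observed them at runtime. */
static void toy_init(void) {
    static int done;
    if (done) return;
    done = 1;
    for (size_t i = 0; i < TOY_TABLE_SIZE; i++) toy_dispatch[i] = toy_mesa_unimplemented;
    for (size_t i = 0; i < TOY_REMAP_SIZE; i++) toy_remap_table[i] = -1;
    toy_dispatch[786] = toy_mesa_WindowPos3svMESA;
    toy_dispatch[798] = toy_mesa_BindProgram;
    toy_remap_table[BindProgramNV_remap_index] = 798;
}

/* What the disassembled stub does: index the table with a fixed offset.
   Returns NULL when the offset is out of range. */
glapi_proc toy_resolve_fixed(int offset) {
    toy_init();
    if (offset < 0 || offset >= TOY_TABLE_SIZE) return NULL;
    return toy_dispatch[offset];
}

/* What a remap-aware stub must do: go through the remap table first.
   Returns NULL when the remap index is unknown or still unassigned. */
glapi_proc toy_resolve_remapped(int remap_index) {
    toy_init();
    if (remap_index < 0 || remap_index >= TOY_REMAP_SIZE) return NULL;
    int slot = toy_remap_table[remap_index];
    if (slot < 0 || slot >= TOY_TABLE_SIZE) return NULL;
    return toy_dispatch[slot];
}

/* Consistency check over generated stubs: does the offset baked into a
   stub agree with the remap table for that function? Returns 1 when they
   agree and 0 when they disagree, which is the situation in this report. */
int toy_stub_offset_is_current(int baked_offset, int remap_index) {
    toy_init();
    if (remap_index < 0 || remap_index >= TOY_REMAP_SIZE) return 0;
    return toy_remap_table[remap_index] == baked_offset;
}

int main(void) {
    printf("fixed offset %d reaches BindProgram: %s\n", STALE_BindProgramNV_OFFSET,
           toy_resolve_fixed(STALE_BindProgramNV_OFFSET) == toy_mesa_BindProgram ? "yes" : "no");
    printf("remap index %d reaches BindProgram: %s\n", BindProgramNV_remap_index,
           toy_resolve_remapped(BindProgramNV_remap_index) == toy_mesa_BindProgram ? "yes" : "no");
    printf("baked offset agrees with remap table: %d\n",
           toy_stub_offset_is_current(STALE_BindProgramNV_OFFSET, BindProgramNV_remap_index));
    return 0;
}
```

With the tables filled in as observed, `toy_resolve_fixed(786)` lands on the stand-in for _mesa_WindowPos3svMESA while `toy_resolve_remapped(377)` lands on the stand-in for _mesa_BindProgram, mirroring the two gdb lookups above; the check function flags the mismatch without executing either entry point.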
Version: git