Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
Submitted by Karl Runge
Assigned to Xorg Project Team
Description
Created attachment 20159 Xorg.0.log output and xorg.conf
I have a test machine running Ubuntu 8.10 that is running this version of the X server:
X.Org X Server 1.5.2
Release Date: 10 October 2008
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.24-19-server i686 Ubuntu
Current Operating System: Linux fred-desktop 2.6.27-7-generic #1 SMP Tue Nov 4 19:33:20 UTC 2008 i686
Build Date: 24 October 2008 08:00:16AM
xorg-server 2:1.5.2-2ubuntu3 (buildd@rothera.buildd)
The x11vnc (http://www.karlrunge.com/x11vnc) VNC server uses XFixesGetCursorImage() to retrieve the current cursor's pixels.
Normally this is working fine with X.Org X Server 1.5.2. However, at a critical point when GDM is starting the user's X session, this crash occurs nearly always:
Backtrace:
0: /usr/X11R6/bin/X(xf86SigHandler+0x79) [0x80c3009]
1: [0xb7f89400]
2: /usr/X11R6/bin/X [0x8158279]
3: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80909ae]
4: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815702e]
5: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x8147e9b]
6: /usr/X11R6/bin/X [0x814639c]
7: /usr/X11R6/bin/X(Dispatch+0x34f) [0x808c89f]
8: /usr/X11R6/bin/X(main+0x47d) [0x8071d1d]
9: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7b93685]
10: /usr/X11R6/bin/X [0x8071101]
Saw signal 11. Server aborting.
(II) Macintosh mouse button emulation: Close
(II) UnloadModule: "evdev"
(II) ImPS/2 Generic Wheel Mouse: Close
(II) UnloadModule: "evdev"
(II) AT Translated Set 2 keyboard: Close
(II) UnloadModule: "evdev"
(II) AIGLX: Suspending AIGLX clients for VT switch
(II) CHROME(0): VIALeaveVT
(II) CHROME(0): [drm] Cleaning up DMA ring-buffer.
(II) CHROME(0): ViaCursorStore
(II) CHROME(0): VIARestore
(II) CHROME(0): ViaDisablePrimaryFIFO
Some others are reporting this problem:
http://ubuntuforums.org/showthread.php?t=965695
http://ubuntuforums.org/showthread.php?t=968044
The way this mode works is that x11vnc exports via VNC the X server when it is showing the GDM greeter login. The user connects via VNC and then logs in via his username and password. GDM then starts the user's X session.
Normally at this point GDM will kill all clients (via XKillClient(3)); however, one uses the GDM 'KillInitClients=false' setting to prevent this.
Previously this worked fine and the user would not be disconnected after he logs in. Now, however, the X server actually crashes right after he logs in.
It is not clear to me what could be making the X server vulnerable at this point when GDM starts the user's X session...
Karl Runge
Attachment 20159, "Xorg.0.log output and xorg.conf":
xorg.log+conf
Version: git
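For triaging a crash log like the one in this report, the following added example (not part of the original report, x11vnc or the X.Org code) parses the backtrace and separates the signal-delivery frames from the frame where the fault occurred. The function names are hypothetical, and treating `xf86SigHandler` plus the module-less frame after it as signal delivery is an assumption of the example.

```python
import re

# Frame: "N: module(symbol+0xoff) [0xaddr]"; module and "(symbol+0xoff)" are optional.
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+"
    r"(?:(?P<module>/\S+?)(?:\((?P<symbol>[^+()]+)\+0x[0-9a-fA-F]+\))?\s+)?"
    r"\[(?P<addr>0x[0-9a-fA-F]+)\]\s*$")

def parse_backtrace(log_text):
    """Return the frames listed after the first 'Backtrace:' line."""
    frames, started = [], False
    for line in log_text.splitlines():
        if not started:
            started = line.strip() == "Backtrace:"
            continue
        m = FRAME_RE.match(line)
        if not m:
            break  # first non-frame line ends the backtrace
        frames.append({"idx": int(m["idx"]), "module": m["module"],
                       "symbol": m["symbol"], "addr": m["addr"]})
    return frames

def fault_summary(frames):
    """Assumption: xf86SigHandler and any module-less frame right after it
    belong to signal delivery; the next frame is where the fault occurred."""
    rest = [f for f in frames if f["symbol"] != "xf86SigHandler"]
    while rest and rest[0]["module"] is None:
        rest = rest[1:]
    if not rest:
        return None
    return {"fault": rest[0],
            "callers": [f["symbol"] for f in rest[1:] if f["symbol"]],
            "unresolved": [f["addr"] for f in rest if f["symbol"] is None]}

# Sample input: the backtrace from the report above, one frame per line.
SAMPLE_LOG = """Backtrace:
0: /usr/X11R6/bin/X(xf86SigHandler+0x79) [0x80c3009]
1: [0xb7f89400]
2: /usr/X11R6/bin/X [0x8158279]
3: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80909ae]
4: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815702e]
5: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x8147e9b]
6: /usr/X11R6/bin/X [0x814639c]
7: /usr/X11R6/bin/X(Dispatch+0x34f) [0x808c89f]
8: /usr/X11R6/bin/X(main+0x47d) [0x8071d1d]
9: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7b93685]
10: /usr/X11R6/bin/X [0x8071101]
Saw signal 11. Server aborting.
"""
print(fault_summary(parse_backtrace(SAMPLE_LOG)))
```

Addresses returned under `unresolved` have no symbol in the log; resolving them requires debug symbols for the exact server binary that crashed.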