Control: fixed 857498 0.9.13-6
Dear Maintainer,

I tried to turn the backtraces in this report into something more readable by symbolizing each frame. The addresses in the original `*** stack smashing detected ***` output are ASLR-randomized (0x55babf…/0x7f01…), so I ran the same x11vnc build under gdb (which disables randomization, giving 0x5555…/0x7fff…) with the matching dbgsym packages for x11vnc, libx11 and libxtst, and used the per-frame module offsets (e.g. `x11vnc(+0x13ae4)`) to look up the source file and line of each call site in the gdb disassembly. The reconstruction is below, with the resolved `file, line: callq <callee>` appended after each frame.

What it shows: the stack-protector check at xrecord.c line 1347 — inside `record_CW` — fails when `record_CW` returns to its caller at xrecord.c line 1387, which is the callback that libXtst invokes through a function pointer (src/XRecord.c line 856) while parsing an XRecord reply (`parse_reply_call_callback`). The reply is pulled in from x11vnc's own polling path (`watch_loop` → `check_user_input` → `check_xrecord` → `XRecordProcessReplies`/`XPending`), i.e. the overflowed stack buffer in `record_CW` is being filled from XRecord data delivered by the X server. That is the buffer overflow in `record_CW` that was fixed upstream in [1], as mentioned in the last message, so I am marking this bug as fixed with the version given in the Control line above.

One caveat worth noting: the stack protector only converted the overflow into an abort (a crash / denial of service) rather than silent memory corruption; the underlying defect is still an out-of-bounds write on the stack, so the fix matters beyond the visible crash.

Kind regards,
Bernhard

[1] https://github.com/LibVNC/x11vnc/pull/25
    https://github.com/LibVNC/x11vnc/pull/25/commits/a3a34ca49c60738cc958096ebb06dc7dbff4660a

*** stack smashing detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f016a945bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f016a9ce0b7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7f016a9ce080]
x11vnc(+0xb8887)[0x55babf222887] xrecord.c, line 1347: callq 0x55555555e3b0 <__stack_chk_fail@plt>
x11vnc(+0xb8d3b)[0x55babf222d3b] xrecord.c, line 1387: callq 0x55555560bc80 <record_CW>
/usr/lib/x86_64-linux-gnu/libXtst.so.6(+0x19d8)[0x7f016c6b59d8] src/XRecord.c, line 856: callq *%rax
/usr/lib/x86_64-linux-gnu/libXtst.so.6(+0x1f55)[0x7f016c6b5f55] src/XRecord.c, line 987: callq 0x7ffff6e1a910 <parse_reply_call_callback>
/usr/lib/x86_64-linux-gnu/libX11.so.6(+0x421dd)[0x7f016b98d1dd] src/xcb_io.c, line 305: callq *0x8(%rax)
/usr/lib/x86_64-linux-gnu/libX11.so.6(_XEventsQueued+0x55)[0x7f016b98db15] src/xcb_io.c, line 350: callq 0x7ffff60f2190 <handle_response>
/usr/lib/x86_64-linux-gnu/libX11.so.6(XPending+0x57)[0x7f016b97f7e7] src/Pending.c, line 55: callq 0x7ffff60cc2c0 <_XEventsQueued@plt>
x11vnc(+0x97060)[0x55babf201060] userinput.c, line 2988: callq 0x55555555e490 <XRecordProcessReplies@plt> -> jmpq 0x7ffff6e1a2e0 <XPending@plt>
x11vnc(+0xa1f95)[0x55babf20bf95] userinput.c, line 5712: callq 0x5555555eab00 <check_xrecord>
x11vnc(+0x6a77c)[0x55babf1d477c] screen.c, line 4561: callq 0x5555555f5e90 <check_user_input>
x11vnc(+0x13ae4)[0x55babf17dae4] x11vnc.c, line 5990: callq 0x5555555bdd10 <watch_loop>
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f016a8f52b1]
x11vnc(+0x1cd7a)[0x55babf186d7a]
# Jessie amd64 qemu VM 2019-03-28 (throwaway reproduction VM; presumably moved to the stretch snapshot below via dist-upgrade)
apt update
apt dist-upgrade
########
# approx cache entry pointing at a fixed stretch snapshot, so the exact package versions from the original crash can be installed:
# approx: debian-9-stretch-snapshot.debian.org https://snapshot.debian.org/archive/debian/20170311T000000Z/
# sources.list:
deb [check-valid-until=no] http://192.168.178.25:9999/debian-9-stretch-snapshot.debian.org/ stretch main
deb-src [check-valid-until=no] http://192.168.178.25:9999/debian-9-stretch-snapshot.debian.org/ stretch main
echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99disable-translations
# Valid-Until checking is disabled only because the snapshot's Release files have long expired. This removes apt's
# protection against stale or replayed repository metadata (signatures are still verified), so it is acceptable only
# in a disposable VM against a pinned snapshot, never on a production system.
echo 'Acquire::Check-Valid-Until "no";' > /etc/apt/apt.conf.d/99disable-check-valid-until
apt update
apt dist-upgrade
apt install dpkg-dev devscripts x11vnc gdb
# Debug symbols matching the binaries from the snapshot (x11vnc 0.9.13-2, libx11 1.6.4-3, libxtst 1.2.3-1).
# Note that `dpkg -i` performs no signature check; these rely on the https transport to snapshot.debian.org.
wget https://snapshot.debian.org/archive/debian-debug/20161222T030857Z/pool/main/x/x11vnc/x11vnc-dbgsym_0.9.13-2_amd64.deb
dpkg -i x11vnc-dbgsym_0.9.13-2_amd64.deb
wget https://snapshot.debian.org/archive/debian-debug/20170128T030650Z/pool/main/libx/libx11/libx11-6-dbgsym_1.6.4-3_amd64.deb
dpkg -i libx11-6-dbgsym_1.6.4-3_amd64.deb
wget https://snapshot.debian.org/archive/debian-debug/20161206T030437Z/pool/main/libx/libxtst/libxtst6-dbgsym_1.2.3-1_amd64.deb
dpkg -i libxtst6-dbgsym_1.2.3-1_amd64.deb
mkdir /home/benutzer/source/x11vnc/orig -p
cd /home/benutzer/source/x11vnc/orig
apt source x11vnc
# Run x11vnc under gdb (gdb disables address randomization, hence the 0x5555… addresses), with the unpacked
# source directory available so call sites can be resolved to file and line:
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'set backtrace past-main on' -ex 'directory /home/benutzer/source/x11vnc/orig/x11vnc-0.9.13/x11vnc' -ex 'b main' -ex 'run' --args x11vnc
# Same, but logging the whole session with script(1) so the disassembly can be grepped afterwards:
script -c "gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'set backtrace past-main on' -ex 'directory /home/benutzer/source/x11vnc/orig/x11vnc-0.9.13/x11vnc' -ex 'b main' -ex 'run' --args x11vnc" -a x11vnc-gdb_$(date +%Y-%m-%d_%H-%M-%S).log
disassemble main
# Example of mapping one frame of the randomized crash backtrace onto the gdb session: the return address
# x11vnc(+0x13ae4) corresponds to main+19876, i.e. the instruction right after the call to watch_loop:
benutzer@debian:~$ grep "ae4 " x11vnc-gdb_2019-03-29_01-45-59.log -B1
0x0000555555567adf <+19871>: callq 0x5555555bdd10 <watch_loop>
0x0000555555567ae4 <+19876>: xor %eax,%eax
*** stack smashing detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f016a945bcb] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f016a9ce0b7] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7f016a9ce080] x11vnc(+0xb8887)[0x55babf222887] xrecord.c, line 1347: callq 0x55555555e3b0 <__stack_chk_fail@plt> x11vnc(+0xb8d3b)[0x55babf222d3b] xrecord.c, line 1387: callq 0x55555560bc80 <record_CW> /usr/lib/x86_64-linux-gnu/libXtst.so.6(+0x19d8)[0x7f016c6b59d8] src/XRecord.c, line 856: callq *%rax /usr/lib/x86_64-linux-gnu/libXtst.so.6(+0x1f55)[0x7f016c6b5f55] src/XRecord.c, line 987: callq 0x7ffff6e1a910 <parse_reply_call_callback> /usr/lib/x86_64-linux-gnu/libX11.so.6(+0x421dd)[0x7f016b98d1dd] src/xcb_io.c, line 305: callq *0x8(%rax) /usr/lib/x86_64-linux-gnu/libX11.so.6(_XEventsQueued+0x55)[0x7f016b98db15] src/xcb_io.c, line 350: callq 0x7ffff60f2190 <handle_response> /usr/lib/x86_64-linux-gnu/libX11.so.6(XPending+0x57)[0x7f016b97f7e7] src/Pending.c, line 55: callq 0x7ffff60cc2c0 <_XEventsQueued@plt> x11vnc(+0x97060)[0x55babf201060] userinput.c, line 2988: callq 0x55555555e490 <XRecordProcessReplies@plt> -> jmpq 0x7ffff6e1a2e0 <XPending@plt> x11vnc(+0xa1f95)[0x55babf20bf95] userinput.c, line 5712: callq 0x5555555eab00 <check_xrecord> x11vnc(+0x6a77c)[0x55babf1d477c] screen.c, line 4561: callq 0x5555555f5e90 <check_user_input> x11vnc(+0x13ae4)[0x55babf17dae4] x11vnc.c, line 5990: callq 0x5555555bdd10 <watch_loop> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f016a8f52b1] x11vnc(+0x1cd7a)[0x55babf186d7a] ======= Memory map: ======== https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851496 https://github.com/LibVNC/x11vnc/pull/25 https://github.com/LibVNC/x11vnc/pull/25/commits/a3a34ca49c60738cc958096ebb06dc7dbff4660a