Bug 506494

Summary: X Server sporadically crashes on KDE login due to the bug in xkb.c
Product: [openSUSE] openSUSE 11.1
Reporter: Georgiy Kalchev <gkalche>
Component: X.Org
Assignee: Stefan Dirsch <sndirsch>
Status: RESOLVED FIXED
QA Contact: E-mail List <xorg-maintainer-bugs>
Severity: Critical
Priority: P5 - None
CC: bluedzins, markgray+to-suse, rommie, sndirsch
Version: Final
Target Milestone: ---
Hardware: i686
OS: openSUSE 11.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: My kdm log file with X server crash backtraces and warnings.

Description Georgiy Kalchev 2009-05-22 15:14:23 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042700 SUSE/3.0.10-1.1.1 Firefox/3.0.10

A bug in xkb.c causes the X server to sporadically crash on KDE login. After entering my username and password, the screen goes totally black and the keyboard stops responding, leaving only the mouse pointer active. The only solution is a cold reboot. X Server version 1.5.2, released on 2008.10.10.
After examining /var/log/kdm.log I noticed the warning "BOGUS LENGTH in write keyboard desc" and the subsequent crash backtrace, and looked them up on the internet. This bug was verified and confirmed by the freedesktop.org team on 2009.05.19 and a patch to fix it was issued yesterday, on 2009.05.21.
In short, certain variables in xkb.c were uninitialized, so access to them would overwrite random locations in memory, making this bug very sporadic, but also very severe. The full story: http://bugs.freedesktop.org/show_bug.cgi?id=21464

Reproducible: Sometimes

Steps to Reproduce:
1. Boot up to KDE login screen
2. Provide your credentials and login
3. Sometimes the screen would go black and the keyboard would not respond. Only cold reboot will help.
Actual Results:  
After checking the /var/log/kdm.log and consulting the internet, I have found out that this problem persists in various distros, no matter whether proprietary or X.org video drivers were used. The bug was confirmed by the developers at freedesktop.org and a patch is available for download: http://bugs.freedesktop.org/attachment.cgi?id=26038
Comment 1 Georgiy Kalchev 2009-05-22 15:17:26 UTC
Created attachment 293939 [details]
My kdm log file with X server crash backtraces and warnings.
Comment 2 Mark Gray 2009-05-22 16:05:08 UTC
Please attach the information requested by the webpage:

http://en.opensuse.org/Bugs:X
Comment 3 Stefan Dirsch 2009-05-22 16:37:40 UTC
*** Bug 496034 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Dirsch 2009-05-22 16:54:55 UTC
Patch is applied now to OBS, X11:XOrg/xorg-x11-server and will be soon available for download via

http://download.opensuse.org/repositories/X11:/XOrg:/sle11/

RPM changelog:

-------------------------------------------------------------------
Fri May 22 18:43:08 CEST 2009 - sndirsch@suse.de

- commit-525aa17-xkb.diff
  * Bug #6428, #16458, #21464: Fix crash due to uninitialized
    VModMap fields. In ProcXkbGetKbdByName, mrep.firstVModMapKey,
    .nVModMapKeys and .totalVModMapKeys were not initialized, 
    contained random values and caused accesses to unallocated and
    later modified memory, causing XkbSizeVirtualModMap and
    XkbWriteVirtualModMap to see different number of nonzero
    values, resulting in writes past the end of an array in
    XkbSendMap. This patch initializes those values sensibly
    and reverts commits 5c0a2088 and 6dd4fc46, which have been
    plain non-sense.
- obsoletes commit-ddb8d89-xkb.diff
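As an added illustration, not code from xorg-server or from the patch above, here is a constructed model of the size-then-write pattern the changelog describes. KeyMap, Reply, init_reply, size_vmodmap, write_vmodmap and serialize_demo are hypothetical stand-ins for the real structures; the point is that the header fields must be derived from the actual keyboard data, and that the write pass must be bounded by the length that was actually allocated instead of trusting that it will see the same nonzero entries the size pass saw.

```c
#include <stddef.h>
#include <stdint.h>
#define XKB_MAX_KEYS 256

/* Constructed stand-ins: the per-key virtual-modifier map (nonzero = must be
 * serialized) and the three reply fields the changelog names. */
typedef struct { uint16_t vmodmap[XKB_MAX_KEYS]; } KeyMap;
typedef struct { uint8_t firstVModMapKey, nVModMapKeys; uint16_t totalVModMapKeys; } Reply;

/* The fix in spirit: fill the header from the real map instead of leaving
 * the fields as whatever happened to be on the stack. */
static void init_reply(const KeyMap *m, Reply *rep) {
    unsigned first = XKB_MAX_KEYS, last = 0, total = 0;
    for (unsigned k = 0; k < XKB_MAX_KEYS; k++)
        if (m->vmodmap[k]) { if (k < first) first = k; last = k; total++; }
    rep->firstVModMapKey  = total ? (uint8_t)first : 0;
    rep->nVModMapKeys     = total ? (uint8_t)(last - first + 1) : 0;
    rep->totalVModMapKeys = (uint16_t)total;
}

/* Size pass: nonzero entries in the key range the header claims. */
static size_t size_vmodmap(const KeyMap *m, const Reply *rep) {
    size_t n = 0, end = (size_t)rep->firstVModMapKey + rep->nVModMapKeys;
    for (size_t k = rep->firstVModMapKey; k < end && k < XKB_MAX_KEYS; k++)
        if (m->vmodmap[k]) n++;
    return n;
}

/* Write pass, bounded by what the caller actually allocated. Returns entries
 * written, or -1 if the data would run past cap (the "bogus length" case,
 * reported instead of corrupting whatever follows the buffer). */
static int write_vmodmap(const KeyMap *m, const Reply *rep, uint16_t *out, size_t cap) {
    size_t n = 0, end = (size_t)rep->firstVModMapKey + rep->nVModMapKeys;
    for (size_t k = rep->firstVModMapKey; k < end && k < XKB_MAX_KEYS; k++) {
        if (!m->vmodmap[k]) continue;
        if (n >= cap) return -1;
        out[n++] = m->vmodmap[k];
    }
    return (int)n;
}

/* Scenario on constructed data: size, then write into a buffer of that size.
 * With change_between_passes set, the map gains an entry after sizing, the way
 * the garbage-addressed memory in the real bug changed between the two passes. */
static int serialize_demo(int change_between_passes) {
    KeyMap m = {{0}}; Reply rep; uint16_t buf[XKB_MAX_KEYS];
    m.vmodmap[10] = 1; m.vmodmap[20] = 2; m.vmodmap[30] = 4;
    init_reply(&m, &rep);
    size_t cap = size_vmodmap(&m, &rep);          /* 3 */
    if (change_between_passes) m.vmodmap[25] = 8;
    return write_vmodmap(&m, &rep, buf, cap);     /* 3, or -1 when changed */
}
```

In the real server the unbounded writer in XkbSendMap had no such check, so the disagreement between the two passes became a heap write past the end of the array rather than a logged warning.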
Comment 5 Georgiy Kalchev 2009-05-22 18:03:56 UTC
Hello Stefan and thanks for your fast response!

Just to make sure: is the patched version of X Server going to be available via my normal openSuSE 11.1 update repository (http://download.opensuse.org/update/11.1)? Or do I need to explicitly add some other repository to get this update? You see, I don't exactly know what is "OBS, X11:XOrg/xorg-x11-server" :)

Thanks in advance!

(In reply to comment #4)
> Patch is applied now to OBS, X11:XOrg/xorg-x11-server and will be soon
> available for download via
> 
> http://download.opensuse.org/repositories/X11:/XOrg:/sle11/
> 
> RPM changelog:
> 
> 
> -------------------------------------------------------------------
> Fri May 22 18:43:08 CEST 2009 - sndirsch@suse.de
> 
> - commit-525aa17-xkb.diff
>   * Bug #6428, #16458, #21464: Fix crash due to uninitialized
>     VModMap fields. In ProcXkbGetKbdByName, mrep.firstVModMapKey,
>     .nVModMapKeys and .totalVModMapKeys were not initialized, 
>     contained random values and caused accesses to unallocated and
>     later modified memory, causing XkbSizeVirtualModMap and
>     XkbWriteVirtualModMap to see different number of nonzero
>     values, resulting in writes past the end of an array in
>     XkbSendMap. This patch initializes those values sensibly
>     and reverts commits 5c0a2088 and 6dd4fc46, which have been
>     plain non-sense.
> - obsoletes commit-ddb8d89-xkb.diff
Comment 6 Stefan Dirsch 2009-05-22 18:50:24 UTC
(In reply to comment #5)
> Hello Stefan and thanks for your fast response!
> 
> Just to make sure: is the patched version of X Server going to be available via
> my normal openSuSE 11.1 update repository
> (http://download.opensuse.org/update/11.1)? 

Sooner or later, probably yes.

> Or do I need to explicitly add some  other repository to get this update? You 
> see, I don't exactly know what is "OBS, X11:XOrg/xorg-x11-server" :)

For now add 

  http://download.opensuse.org/repositories/X11:/XOrg:/sle11/openSUSE_11.1/

as additional repo.
Comment 7 Roman Varenik 2009-05-25 06:52:33 UTC
Stefan, thank you very much for handling https://bugzilla.novell.com/show_bug.cgi?id=496034.
Last week xserver worked for 4 days without crash until it hung due to https://bugzilla.novell.com/show_bug.cgi?id=474207.
BTW, the nvidia closed driver hung in just a few minutes and I suspect the nvidia driver may trigger the bug more intensively, and it still may appear again in open-source drivers. Anyway, I haven't faced the bug on recent open-source drivers yet, and thank you again.
Comment 8 Georgiy Kalchev 2009-05-25 16:22:00 UTC
Hi everyone!

Has anyone actually tried the patched X server? Roman, maybe you? Is the problem gone now? Any success?

I saw a lot of finger-pointing at the nvidia proprietary driver when this issue was first brought up. Later, the bug was discovered in xkb.c of the X server. But nevertheless, nvidia is still somehow suspected, as usual :)
I would like to point out, though, that this bug has been in the X server ever since openSuSE 10.3. I was using the open source "nv" driver back then. It did not crash, like in this case, but the logs were overrun with "BOGUS LENGTH in write keyboard desc", literally 20-25 warnings in a row! This warning was identified by the freedesktop.org people as a precursor of a *potential* crash due to memory corruption in xkb.c.
So, with "nv" the X did not go into a full knock-out, but, I guess, only because the corrupted memory did not contain any vital data, or it was just "luck". With "nvidia" it is probably different - that memory could be occupied by some sensitive stuff. Anyway, this could explain why with "nvidia" the crash hits most painfully.
This way or another, this is a nasty bug that can potentially cause severe damage and security holes to the system - who knows what memory portions get trashed there... I am wondering - why have so few people complained about it? Are they all using the "nv" driver? :) But this is not a solution, anyway.

Guys at openSuSE, what version of X server are you going to bundle with openSuSE 11.2?
Comment 9 Roman Varenik 2009-05-25 16:32:23 UTC
As I said above, I tried the patched xserver with the nv driver and it was working for 4 days until I found another bug :). But I also tried the binary nvidia driver 180.51 and it crashed in an hour. So, there are still chances that the bug remains and I just haven't faced it yet.
Comment 10 Georgiy Kalchev 2009-05-25 16:46:32 UTC
(In reply to comment #9)
> As I said above, I tried the patched xserver with nv driver and it was working
> for 4 days until I found another bug :). But I also tried binary nvidia driver
> 180.51 and it crashed in an hour. So, there are still chances that the bug
> remains and I didn't faced it yet.

Oh. Say, do you see any warnings like "BOGUS LENGTH in write keyboard desc, expected XXXX, got XXXX" in your /var/log/kdm.log (most recent entries at the bottom of the file) and in /var/log/Xorg.0.log? Especially now, after applying the patch? By the way, how did you obtain the patch - via the update repository?
Cheers!
Comment 11 Roman Varenik 2009-05-25 16:51:13 UTC
Haven't seen that since the update. Though, in my case these warnings led to a stable crash. I used the repository mentioned by Stefan.
Comment 12 Stefan Dirsch 2009-05-25 18:43:50 UTC
> Guys at openSuSE, what version of X server are you going to bundle with
> openSuSE 11.2?

xorg-server >= 1.6.1 + this fix (if it's not included yet).
Comment 13 Stefan Dirsch 2009-06-25 03:52:47 UTC
*** Bug 483232 has been marked as a duplicate of this bug. ***