Ticket #44 (closed crash: fixed)

Opened 6 years ago

Last modified 4 years ago

xauth bus error

Reported by: jeremyhu@… Owned by: jeremyhu@…
Priority: Blocker Milestone: 2.2.0
Component: xserver Version: 2.1.1 (xserver-1.3.0-apple5)
Keywords: Cc:

Description (last modified by jeremyhu@…) (diff)

This crashes:

$ xauth add :0 MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef
xauth:  creating new authority file /Users/jeremy/.Xauthority
$ xauth add localhost:0 MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
$ xauth list
tifa.local/unix:0  MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
$ xauth remove localhost:0
Bus error
$ rm ~/.Xauthority-* # remove the lock file
$ xauth remove 127.0.0.1:0
$ xauth list
tifa.local/unix:0  MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
$ xauth remove ::1:0
$ xauth list
tifa.local/unix:0  MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef

Adding localhost:0 first works... note that it has 2 identical ipv6 entries:

$ xauth add localhost:0 MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
xauth:  creating new authority file /Users/jeremy/.Xauthority
$ xauth add :0 MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef
$ xauth list
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
tifa.local/unix:0  MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef

<at this point, doing xauth remove works fine in either order>

# Now see, there are two ::1:0 entries:
$ xauth remove 127.0.0.1:0
$ xauth list
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
localhost:0  MIT-MAGIC-COOKIE-1  234567890abcdef1234567890abcdef1
tifa.local/unix:0  MIT-MAGIC-COOKIE-1 1234567890abcdef1234567890abcdef
$ xauth remove ::1:0
$ xauth list
tifa.local/unix:0  MIT-MAGIC-COOKIE-1  1234567890abcdef1234567890abcdef

/etc/hosts shipped with 10.5 leopard:

$ grep localhost /etc/hosts
# localhost is used to configure the loopback interface
127.0.0.1	localhost
::1             localhost
fe80::1%lo0	localhost

Commenting out this last line causes only 1 ipv6 and 1 ipv4 localhost entry to be added for both orderings of xauth add and additionally xauth remove no longer crashes...

So, why is that extra hosts entry causing a duplicate entry to be added in one case (add localhost:0 before :0) and not the other (:0 before localhost:0)... and why is xauth remove then attempting tp remove the ipv6 entry twice even in the case where there is only one (from :0 added before localhost:0)

---

So looking at the backtrace reveals the crash occurring in process.c's remove_entry().

At the start of remove_entry() for the first time, I see the following:

(gdb) print *auth
$1 = {
  family = 6, 
  address_length = 16, 
  address = 0x3003b0 "", # 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
...
}
(gdb) display *xauth_head->auth
4: *xauth_head->auth = {
  family = 256, 
  address_length = 10, 
  address = 0x300210 "tifa.local", 
...
}
(gdb) display *xauth_head->next->auth
5: *xauth_head->next->auth = {
  family = 6, 
  address_length = 16, 
  address = 0x300290 "", # 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
...
}
(gdb) display *xauth_head->next->next->auth
6: *xauth_head->next->next->auth = {
  family = 0, 
  address_length = 4, 
  address = 0x300310 "", # 127, 0, 0, 1
...
}

looks good here... we should be removing the ipv6 entry (which we confirm on the second call to remove_entry())

second time we are in remove_entry, we have at the start:

(gdb) display *xauth_head->auth
1: *xauth_head->auth = {
  family = 256, 
  address_length = 10, 
  address = 0x300210 "tifa.local", 
...
}
(gdb) display *xauth_head->next->auth
2: *xauth_head->next->auth = {
  family = 0, 
  address_length = 4, 
  address = 0x300310 "", 
...
}

as expected, it got rid of the first ipv6 entry, so this time, it should get rid of the ipv4 entry, right?

Nope, for some reason, our second call to remove_entry() is giving us the ipv6 auth to remove (again). Because there is no match in the xauth list at this point, our while loop to find it:

    while (!eq_auth((list = *listp)->auth, auth))
        listp = &list->next;

overflows and we get the bus error... and:

(gdb) print *auth
$18 = {
  family = 6, 
  address_length = 16, 
  address = 0x3003b0 "", # 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
...
}

Change History

comment:1 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:2 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:3 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:4 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:5 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:6 Changed 6 years ago by jeremyhu@…

  • Description modified (diff)

comment:7 Changed 6 years ago by jeremyhu@…

  • Status changed from new to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.