Details
Type: Bug
Resolution: Fixed
Priority: P1: Critical
Version: dev
Commits: 552e3b9b7 (dev), 725c77420 (tqtc/lts-6.2), 687af7b1a (6.6), df77d8939 (6.5)
Description
There is a potential SEGV (null pointer deref) in the following code from QXcbConnection::initializeAllAtoms():
    for (i = 0; i < QXcbAtom::NAtoms; ++i) {
        xcb_intern_atom_reply_t *reply = xcb_intern_atom_reply(xcb_connection(), cookies[i], 0);
        m_allAtoms[i] = reply->atom;   // dereferenced without checking for NULL
        free(reply);
    }
Here, the xcb_intern_atom_reply() function may return NULL under some rare conditions (e.g., if the X11 connection enters an error state). However, the return value (reply) is not checked before it is dereferenced in the next line.
This is probably a very rare bug that is difficult to reproduce, as it requires inducing the X11 connection to get into an error state. However, the bug can be seen by inspection. See also the example code from the xcb_intern_atom_reply manpage which does include a NULL check.
Checked the Ubuntu 23.04 shipped libs as well as the latest dev head.
Example stack trace:
Program received signal SIGSEGV, Segmentation fault.
QXcbAtom::initializeAllAtoms (this=this@entry=0x555555ee8c68, connection=0x555555eeb430) at qxcbatom.cpp:271
271         m_allAtoms[i] = reply->atom;
...
#0  QXcbAtom::initializeAllAtoms (this=this@entry=0x555555ee8c68, connection=0x555555eeb430) at qxcbatom.cpp:271
#1  0x00007ffddb0f5969 in QXcbAtom::initialize (this=this@entry=0x555555ee8c68, connection=<optimized out>) at qxcbatom.cpp:246
#2  0x00007ffddb0e8194 in QXcbBasicConnection::QXcbBasicConnection (this=0x555555ee8c30, displayName=<optimized out>) at qxcbconnection_basic.cpp:132
#3  0x00007ffddb0bfd56 in QXcbConnection::QXcbConnection (this=0x555555ee8c30, nativeInterface=0x555555ed6950, canGrabServer=<optimized out>, defaultVisualId=4294967295, displayName=<optimized out>) at qxcbconnection.cpp:91
#4  0x00007ffddb0c3669 in QXcbIntegration::QXcbIntegration (this=this@entry=0x555555ed8150, parameters=..., argc=@0x7fffffffdc4c: 1, argv=argv@entry=0x7fffffffdf48) at ../../../../include/QtCore/../../src/corelib/tools/qscopedpointer.h:138
#5  0x00007ffff7fbc510 in QXcbIntegrationPlugin::create (this=<optimized out>, system=..., parameters=..., argc=@0x7fffffffdc4c: 1, argv=0x7fffffffdf48) at qxcbmain.cpp:56
#6  0x00007ffde033839a in init_platform (argv=<optimized out>, argc=<optimized out>, platformThemeName=..., platformPluginPath=..., pluginNamesWithArguments=...) at kernel/qguiapplication.cpp:1223
#7  QGuiApplicationPrivate::createPlatformIntegration (this=0x555555ed7b50) at kernel/qguiapplication.cpp:1477
#8  0x00007ffde0339968 in QGuiApplicationPrivate::createEventDispatcher (this=<optimized out>) at kernel/qguiapplication.cpp:1494
#9  0x00007ffddfec1835 in QCoreApplicationPrivate::init (this=this@entry=0x555555ed7b50) at kernel/qcoreapplication.cpp:835
#10 0x00007ffde033c870 in QGuiApplicationPrivate::init (this=this@entry=0x555555ed7b50) at kernel/qguiapplication.cpp:1523
#11 0x00007ffde11715bd in QApplicationPrivate::init (this=0x555555ed7b50) at kernel/qapplication.cpp:513
#12 0x00007ffde11716a0 in QApplication::QApplication (this=this@entry=0x7fffffffdcf0, argc=@0x7fffffffdc4c: 1, argv=argv@entry=0x7fffffffdf48, _internal=_internal@entry=331528) at kernel/qapplication.cpp:501
#13 0x00005555557d77f2 in MainApplication::MainApplication (this=this@entry=0x7fffffffdcf0, argc=@0x7fffffffdc4c: 1, argv=argv@entry=0x7fffffffdf48) at /usr/src/wireshark-4.0.3-1/ui/qt/main_application.cpp:667
#14 0x00005555558c8234 in WiresharkApplication::WiresharkApplication (this=this@entry=0x7fffffffdcf0, argc=@0x7fffffffdc4c: 1, argv=argv@entry=0x7fffffffdf48) at /usr/src/wireshark-4.0.3-1/ui/qt/wireshark_application.cpp:15
#15 0x000055555566815e in main (argc=<optimized out>, qt_argv=0x7fffffffdf48) at /usr/src/wireshark-4.0.3-1/ui/qt/main.cpp:651
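The following is an added example, not code from Qt or from this report, showing the unchecked loop above next to a guarded form of the same loop. It runs against a stand-in for the xcb connection (the connection_t, atom_cookie_t, atom_reply_t and generic_error_t types and the intern_atom/intern_atom_reply functions are constructed to mirror the shape of the real libxcb calls, not copied from them; the atom names, ids and the run_scenario driver are likewise constructed), so it needs no X server and no libxcb. It does not reproduce the exact form of the merged Qt patch; it demonstrates the general pattern of checking the reply, leaving every slot defined, and freeing the error object the reply call can hand back.

```c
/* Added example, not Qt's code: the unchecked loop from the report next to a
 * guarded version, run against a stand-in for the xcb connection so it works
 * without libxcb or an X server. Types, functions and atom values here are
 * constructed to mirror the shape of the real API, not copied from it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NATOMS 4
#define ATOM_NONE 0u   /* same numeric value as XCB_ATOM_NONE */

typedef struct { unsigned int sequence; } atom_cookie_t;   /* stand-in for xcb_intern_atom_cookie_t */
typedef struct { uint32_t atom; } atom_reply_t;            /* stand-in for xcb_intern_atom_reply_t */
typedef struct { uint8_t error_code; } generic_error_t;    /* stand-in for xcb_generic_error_t */
typedef struct {
    unsigned int next_seq;    /* request sequence counter */
    unsigned int fail_after;  /* requests with sequence >= this get no reply; 0 = never fail */
    bool has_error;           /* what xcb_connection_has_error() would report */
} connection_t;

/* Stand-in for xcb_intern_atom(): just hands out a sequence number. */
atom_cookie_t intern_atom(connection_t *c, const char *name)
{
    (void)name;
    atom_cookie_t ck = { ++c->next_seq };
    return ck;
}

/* Stand-in for xcb_intern_atom_reply(): returns NULL once the connection is
 * in an error state. When err is non-NULL, *err receives a heap-allocated
 * error object that the caller must free(), as with the real API. */
atom_reply_t *intern_atom_reply(connection_t *c, atom_cookie_t ck, generic_error_t **err)
{
    if (err)
        *err = NULL;
    if (c->fail_after != 0 && ck.sequence >= c->fail_after)
        c->has_error = true;
    if (c->has_error) {
        if (err && (*err = calloc(1, sizeof **err)) != NULL)
            (*err)->error_code = 1;
        return NULL;
    }
    atom_reply_t *r = malloc(sizeof *r);
    if (r)
        r->atom = 100 + ck.sequence;   /* constructed atom ids */
    return r;
}

/* Same shape as the loop in the report: reply is dereferenced unconditionally.
 * Kept for contrast only; calling it on a failing connection segfaults. */
void initialize_all_atoms_unchecked(connection_t *c, const atom_cookie_t cookies[NATOMS], uint32_t atoms[NATOMS])
{
    for (int i = 0; i < NATOMS; ++i) {
        atom_reply_t *reply = intern_atom_reply(c, cookies[i], NULL);
        atoms[i] = reply->atom;   /* NULL dereference when the reply is missing */
        free(reply);
    }
}

/* Guarded version: every slot ends up defined (ATOM_NONE when the reply is
 * missing), the error object is freed rather than leaked, and the caller gets
 * a count it can compare against NATOMS to decide whether to abort startup. */
int initialize_all_atoms_guarded(connection_t *c, const atom_cookie_t cookies[NATOMS], uint32_t atoms[NATOMS])
{
    int resolved = 0;
    for (int i = 0; i < NATOMS; ++i) {
        generic_error_t *err = NULL;
        atom_reply_t *reply = intern_atom_reply(c, cookies[i], &err);
        if (reply == NULL) {
            atoms[i] = ATOM_NONE;
            fprintf(stderr, "atom %d: no reply (error_code=%u)\n", i, err ? (unsigned)err->error_code : 0u);
            free(err);
            continue;   /* keep going so the remaining slots are initialised too */
        }
        atoms[i] = reply->atom;
        free(reply);
        ++resolved;
    }
    return resolved;
}

/* Interns NATOMS constructed names on a connection that breaks at request
 * number fail_after (0 = healthy); returns how many atoms were resolved. */
int run_scenario(unsigned int fail_after, uint32_t atoms[NATOMS])
{
    static const char *const names[NATOMS] = { "WM_PROTOCOLS", "WM_DELETE_WINDOW", "_NET_WM_NAME", "UTF8_STRING" };
    connection_t c = { 0, fail_after, false };
    atom_cookie_t cookies[NATOMS];
    for (int i = 0; i < NATOMS; ++i)
        cookies[i] = intern_atom(&c, names[i]);
    return initialize_all_atoms_guarded(&c, cookies, atoms);
}

int main(void)
{
    uint32_t atoms[NATOMS];
    int ok = run_scenario(3, atoms);   /* replies 3 and 4 never arrive */
    printf("resolved %d of %d atoms\n", ok, NATOMS);
    return ok == NATOMS ? 0 : 1;
}
```

The guarded loop passes an error pointer instead of 0 so the failure reason is not thrown away, and it keeps iterating so that no element of the atom table is left uninitialised; whether a missing atom is fatal is then a decision the caller makes once, from the returned count, rather than a crash in the middle of platform-plugin construction.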
Gerrit Dashboard: QTBUG-115599

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
493322,2 | xcb: guard a pointer before usage | dev | qt/qtbase | MERGED | +2 | 0
493387,2 | xcb: guard a pointer before usage | 6.5 | qt/qtbase | MERGED | +2 | 0
493388,2 | xcb: guard a pointer before usage | 6.6 | qt/qtbase | MERGED | +2 | 0
493399,2 | xcb: guard a pointer before usage | tqtc/lts-6.2 | qt/tqtc-qtbase | MERGED | +2 | 0