Qt / QTBUG-71491

stack-buffer-overflow with ASAN in xcb code


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 5.12
    • Fix Version/s: 5.12.0
    • Component/s: GUI: Window management
    • Labels:
      None
    • Environment:
      Ubuntu 18.04
    • Platform/s:
      Linux/X11

      Description

      I get this on Ubuntu 18.04 when running any Qt application.

      Here's the stack trace from a Qt Quick application:

      09:13:15: Starting /home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick...
      QML debugging is enabled. Only use this in a safe environment.
      =================================================================
      ==5769==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc74822eac at pc 0x7f3e207cf733 bp 0x7ffc74822320 sp 0x7ffc74821ac8
      READ of size 20 at 0x7ffc74822eac thread T0
          #0 0x7f3e207cf732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
          #1 0x7f3e1749d4c9 in xcb_send_request_with_fds64 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc4c9)
          #2 0x7f3e1749d728 in xcb_send_request (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc728)
          #3 0x7f3e174a3fb0 in xcb_change_property (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0x12fb0)
          #4 0x7f3e13c45802 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1101
          #5 0x7f3e13c5fd9c in QXcbWindow::setWindowFlags(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1031
          #6 0x7f3e13c64adf in QXcbWindow::create() /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:528
          #7 0x7f3e13be8642 in QXcbIntegration::createPlatformWindow(QWindow*) const /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbintegration.cpp:252
          #8 0x7f3e1f83fb7d in QWindowPrivate::create(bool, unsigned long long) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:516
          #9 0x7f3e1f83ffb6 in QWindow::create() /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:639
          #10 0x7f3e1f84350e in QWindowPrivate::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:352
          #11 0x7f3e1f8214b7 in QWindow::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:612
          #12 0x7f3e1f83f794 in QWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qwindow.cpp:601
          #13 0x7f3e1ed4d6e9 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.12-debug/qtbase/include/QtQml/5.12.0/QtQml/private/../../../../../../../qt5.12/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:346
          #14 0x7f3e1ef7ee40 in QQmlObjectCreator::setPropertyValue(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:565
          #15 0x7f3e1ef8a333 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1086
          #16 0x7f3e1ef93907 in QQmlObjectCreator::setupBindings(bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #17 0x7f3e1ef95e68 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1461
          #18 0x7f3e1ef888b2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1299
          #19 0x7f3e1ef97124 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #20 0x7f3e1ed5d998 in QQmlComponentPrivate::beginCreate(QQmlContextData*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:871
          #21 0x7f3e1ed5e601 in QQmlComponent::beginCreate(QQmlContext*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:823
          #22 0x7f3e1ed53ccf in QQmlComponent::create(QQmlContext*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:783
          #23 0x7f3e1ef49cf2 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:134
          #24 0x7f3e1ef4a665 in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:118
          #25 0x7f3e1ef4a7a7 in QQmlApplicationEngine::load(QUrl const&) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:259
          #26 0x55667fba9c59 in main ../quick/main.cpp:12
          #27 0x7f3e1c902b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #28 0x55667fba9a09 in _start (/home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick+0x1a09)
      
      Address 0x7ffc74822eac is located in stack of thread T0 at offset 2604 in frame
          #0 0x7f3e13c43f09 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1038
      
        This frame has 41 object(s):
          [32, 36) '<unknown>'
          [96, 100) '<unknown>'
          [160, 164) 'defaultFlags'
          [224, 228) '<unknown>'
          [288, 292) '<unknown>'
          [352, 356) '<unknown>'
          [416, 420) '<unknown>'
          [480, 484) '<unknown>'
          [544, 548) '<unknown>'
          [608, 612) '<unknown>'
          [672, 676) '<unknown>'
          [736, 740) '<unknown>'
          [800, 804) '<unknown>'
          [864, 868) '<unknown>'
          [928, 932) '<unknown>'
          [992, 996) '<unknown>'
          [1056, 1060) '<unknown>'
          [1120, 1124) '<unknown>'
          [1184, 1188) '<unknown>'
          [1248, 1252) '<unknown>'
          [1312, 1316) '<unknown>'
          [1376, 1380) '<unknown>'
          [1440, 1444) '<unknown>'
          [1504, 1508) '<unknown>'
          [1568, 1572) '<unknown>'
          [1632, 1636) '<unknown>'
          [1696, 1700) '<unknown>'
          [1760, 1764) '<unknown>'
          [1824, 1828) '<unknown>'
          [1888, 1892) '<unknown>'
          [1952, 1956) '<unknown>'
          [2016, 2020) '<unknown>'
          [2080, 2084) '<unknown>'
          [2144, 2148) '<unknown>'
          [2208, 2212) '<unknown>'
          [2272, 2276) '<unknown>'
          [2336, 2340) '<unknown>'
          [2400, 2404) '<unknown>'
          [2464, 2468) '<unknown>'
          [2528, 2532) '<unknown>'
          [2592, 2604) 'mwmhints' <== Memory access at offset 2604 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
      Shadow bytes around the buggy address:
        0x10000e8fc580: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10000e8fc590: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10000e8fc5a0: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10000e8fc5b0: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
        0x10000e8fc5c0: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
      =>0x10000e8fc5d0: f2 f2 f2 f2 00[04]f2 f2 00 00 00 00 00 00 00 00
        0x10000e8fc5e0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2
        0x10000e8fc5f0: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2
        0x10000e8fc600: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
        0x10000e8fc610: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
        0x10000e8fc620: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==5769==ABORTING
      09:13:16: /home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick exited with code 1
      

      Widget application:

      09:15:30: Starting /home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets...
      =================================================================
      ==6136==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff498baec at pc 0x7fb5e3f12733 bp 0x7ffff498af60 sp 0x7ffff498a708
      READ of size 20 at 0x7ffff498baec thread T0
          #0 0x7fb5e3f12732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
          #1 0x7fb5db0064c9 in xcb_send_request_with_fds64 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc4c9)
          #2 0x7fb5db006728 in xcb_send_request (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc728)
          #3 0x7fb5db00cfb0 in xcb_change_property (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0x12fb0)
          #4 0x7fb5d77ae802 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1101
          #5 0x7fb5d77c8d9c in QXcbWindow::setWindowFlags(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1031
          #6 0x7fb5d77cdadf in QXcbWindow::create() /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:528
          #7 0x7fb5d7751642 in QXcbIntegration::createPlatformWindow(QWindow*) const /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbintegration.cpp:252
          #8 0x7fb5df6d1b7d in QWindowPrivate::create(bool, unsigned long long) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:516
          #9 0x7fb5df6d1fb6 in QWindow::create() /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:639
          #10 0x7fb5e2b772b5 in QWidgetPrivate::create_sys(unsigned long long, bool, bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:1483
          #11 0x7fb5e2b78ba5 in QWidget::create(unsigned long long, bool, bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:1337
          #12 0x7fb5e2bb52e3 in QWidget::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:8271
          #13 0x7fb5e2ba5b0b in QWidget::show() /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:7874
          #14 0x55718c1dd26a in main ../widgets/main.cpp:8
          #15 0x7fb5e0fd2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #16 0x55718c1dd099 in _start (/home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets+0x4099)
      
      Address 0x7ffff498baec is located in stack of thread T0 at offset 2604 in frame
          #0 0x7fb5d77acf09 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1038
      
        This frame has 41 object(s):
          [32, 36) '<unknown>'
          [96, 100) '<unknown>'
          [160, 164) 'defaultFlags'
          [224, 228) '<unknown>'
          [288, 292) '<unknown>'
          [352, 356) '<unknown>'
          [416, 420) '<unknown>'
          [480, 484) '<unknown>'
          [544, 548) '<unknown>'
          [608, 612) '<unknown>'
          [672, 676) '<unknown>'
          [736, 740) '<unknown>'
          [800, 804) '<unknown>'
          [864, 868) '<unknown>'
          [928, 932) '<unknown>'
          [992, 996) '<unknown>'
          [1056, 1060) '<unknown>'
          [1120, 1124) '<unknown>'
          [1184, 1188) '<unknown>'
          [1248, 1252) '<unknown>'
          [1312, 1316) '<unknown>'
          [1376, 1380) '<unknown>'
          [1440, 1444) '<unknown>'
          [1504, 1508) '<unknown>'
          [1568, 1572) '<unknown>'
          [1632, 1636) '<unknown>'
          [1696, 1700) '<unknown>'
          [1760, 1764) '<unknown>'
          [1824, 1828) '<unknown>'
          [1888, 1892) '<unknown>'
          [1952, 1956) '<unknown>'
          [2016, 2020) '<unknown>'
          [2080, 2084) '<unknown>'
          [2144, 2148) '<unknown>'
          [2208, 2212) '<unknown>'
          [2272, 2276) '<unknown>'
          [2336, 2340) '<unknown>'
          [2400, 2404) '<unknown>'
          [2464, 2468) '<unknown>'
          [2528, 2532) '<unknown>'
          [2592, 2604) 'mwmhints' <== Memory access at offset 2604 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
      Shadow bytes around the buggy address:
        0x10007e929700: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10007e929710: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10007e929720: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
        0x10007e929730: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
        0x10007e929740: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
      =>0x10007e929750: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 00[04]f2 f2
        0x10007e929760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007e929770: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2
        0x10007e929780: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 04 f2
        0x10007e929790: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
        0x10007e9297a0: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==6136==ABORTING
      09:15:30: /home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets exited with code 1
      
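      The two reports above say the same thing in numbers: the object `mwmhints` occupies `[2592, 2604)`, i.e. 12 bytes, while `xcb_send_request_with_fds64` performs a `READ of size 20`; the shadow line `00[04]f2` shows one fully addressable 8-byte granule, a granule with only 4 addressable bytes, and then stack mid-redzone. For a format-32 property, `xcb_change_property` copies `data_len * 4` bytes from the data pointer, so 20 bytes corresponds to a `data_len` of 5 words being passed for a 3-word object. The following is an added example, not Qt or libxcb code: it models that copy with a hypothetical `fake_change_property()` stand-in, shows the 12-byte and 20-byte struct shapes side by side (the field names beyond the first three follow the conventional `_MOTIF_WM_HINTS` layout and are assumed, not taken from this report), and demonstrates a wrapper that refuses a length that would read past the object instead of forwarding it to the protocol layer. `MotifWmHintsShort`, `MotifWmHintsFull`, `send_hints_checked` and `demo_send` are names invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Conventional _MOTIF_WM_HINTS layout: five 32-bit words
 * (flags, functions, decorations, input_mode, status). Assumed layout. */
typedef struct {
    uint32_t flags;
    uint32_t functions;
    uint32_t decorations;
    uint32_t input_mode;
    uint32_t status;
} MotifWmHintsFull;

/* Trimmed variant with only the three words a caller actually sets.
 * A 12-byte object like this, sent with a hard-coded length of 5 words,
 * matches the "[2592, 2604) 'mwmhints'" / "READ of size 20" pair above. */
typedef struct {
    uint32_t flags;
    uint32_t functions;
    uint32_t decorations;
} MotifWmHintsShort;

#define MOTIF_HINTS_PROPERTY_WORDS 5u   /* length the protocol expects */

/* Hypothetical stand-in for xcb_change_property(), not libxcb: for a
 * format-32 property it copies data_len * 4 bytes out of `data` into the
 * request buffer, which is where the over-read happens. Returns payload
 * bytes written, or 0 if the request buffer is too small. */
static size_t fake_change_property(uint8_t *req, size_t req_cap,
                                   uint8_t format, uint32_t data_len,
                                   const void *data)
{
    size_t nbytes = (size_t)data_len * (format / 8u);
    if (nbytes > req_cap)
        return 0;
    memcpy(req, data, nbytes);          /* trusts data_len blindly */
    return nbytes;
}

/* Bytes the protocol layer reads for the property the report describes. */
static size_t bug_request_bytes(void)
{
    return (size_t)MOTIF_HINTS_PROPERTY_WORDS * sizeof(uint32_t);   /* 20 */
}

/* Hardened wrapper: the caller passes the object size alongside the
 * pointer, so a word count that would read past the object is refused
 * (returns 0) instead of being forwarded to the protocol layer. */
static size_t send_hints_checked(uint8_t *req, size_t req_cap,
                                 const void *hints, size_t hints_size,
                                 uint32_t words)
{
    if ((size_t)words * sizeof(uint32_t) > hints_size)
        return 0;                        /* would over-read `hints` */
    return fake_change_property(req, req_cap, 32, words, hints);
}

/* Derive the word count from the object itself rather than a constant. */
#define WORDS32(obj) ((uint32_t)(sizeof(obj) / sizeof(uint32_t)))

/* Runs one checked send with either struct shape; returns bytes sent. */
static size_t demo_send(bool use_full, uint32_t words)
{
    uint8_t req[64];
    MotifWmHintsFull full = { 1u << 1, 0, 1, 0, 0 };   /* constructed values */
    MotifWmHintsShort part = { 1u << 1, 0, 1 };
    if (use_full)
        return send_hints_checked(req, sizeof req, &full, sizeof full, words);
    return send_hints_checked(req, sizeof req, &part, sizeof part, words);
}

int main(void)
{
    printf("full struct, %u words: %zu bytes\n",
           MOTIF_HINTS_PROPERTY_WORDS, demo_send(true, MOTIF_HINTS_PROPERTY_WORDS));
    printf("short struct, %u words: %zu bytes (0 = refused)\n",
           MOTIF_HINTS_PROPERTY_WORDS, demo_send(false, MOTIF_HINTS_PROPERTY_WORDS));
    printf("short struct, sizeof-derived: %zu bytes\n",
           demo_send(false, WORDS32(MotifWmHintsShort)));

#ifdef DEMO_OVERFLOW
    /* The unchecked path: under -fsanitize=address this aborts with a
     * stack-buffer-overflow of the same shape as the reports above. */
    uint8_t req[64];
    MotifWmHintsShort part = { 0, 0, 0 };
    fake_change_property(req, sizeof req, 32, MOTIF_HINTS_PROPERTY_WORDS, &part);
#endif
    return 0;
}
```

      Build with `gcc -std=c11 -g -fsanitize=address -DDEMO_OVERFLOW` to watch ASan report a 20-byte read of a 12-byte stack object from inside `memcpy`, the same pattern as the `xcb_send_request_with_fds64` frame above; without `-DDEMO_OVERFLOW` only the checked wrapper runs. The general lesson is that a property length passed to `xcb_change_property` should be derived from `sizeof` the object being sent (or the object sized to the length), never from a separately maintained constant.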

              People

               Assignee: paeglis (Gatis Paeglis)
               Reporter: mitch_curtis (Mitch Curtis)