
x11/konsole: crash when resizing #160

Open
kwitaszczyk opened this issue Jun 4, 2024 · 1 comment

kwitaszczyk commented Jun 4, 2024

Konsole crashes in icu when resizing to large dimensions. I've found this bug when using Xvnc and 4K resolution. On real hardware, I had to resize the window to dimensions larger than my screen dimensions (2048x1152 despite a 4K screen).

My environment:

FreeBSD cheribsd 15.0-CURRENT FreeBSD 15.0-CURRENT #0 dev-n268215-087f488f0032: Thu May 30 17:57:44 BST 2024     root@cheribsd:/usr/obj/usr/src/arm64.aarch64c/sys/GENERIC-MORELLO-PURECAP arm64

The crash happens regardless of security.cheri.lib_based_c18n_default being set or not.

Steps to reproduce on hardware:

  1. Move a window to the top left corner
  2. Using the bottom right corner, not the maximise button, resize the window to the maximum size
  3. If Konsole hasn't crashed yet, move the window to the left, outside the screen boundaries, leaving the right border visible, and use the right border to resize it to the right as much as possible. This step is not needed when using Xvnc in full-screen mode with a 4K screen.

Crash:

kw543@cheribsd:~ $ gdb-cheri-c18n  -nx konsole konsole.core
(...)
Core was generated by `/usr/local/bin/konsole'.
Program terminated with signal SIGPROT, CHERI protection violation.
Capability bounds fault.
#0  0x0000000040edf1e4 in countSpaces (dest=0x61040e00 [rwRW,0x61040e00-0x61041062] u' ' <repeats 200 times>..., size=305, spacesCountl=0x69989ca8 [rwRW,0x69989ca8-0x69989cac], spacesCountr=0x69989ca4 [rwRW,0x69989ca4-0x69989ca8]) at ushape.cpp:466

warning: 466	ushape.cpp: No such file or directory
[Current thread is 1 (LWP 100613)]
(gdb) directory /home/kw543/cheribsd-ports/devel/icu/work/icu/source/common
Source directories searched: /home/kw543/cheribsd-ports/devel/icu/work/icu/source/common:$cdir:$cwd
(gdb) bt
#0  0x0000000040ecc1e4 in countSpaces (dest=0x4dc1dc00 [rwRW,0x4dc1dc00-0x4dc1de5e] u' ' <repeats 200 times>..., size=303, spacesCountl=0xfffffff752d8 [rwRW,0xfffffff752d8-0xfffffff752dc], spacesCountr=0xfffffff752d4 [rwRW,0xfffffff752d4-0xfffffff752d8]) at ushape.cpp:466
#1  0x0000000040ecb7a8 in u_shapeArabic (source=0x4d8f7820 [rwRW,0x4d8f7820-0x4d8f7c00] u' ' <repeats 200 times>..., sourceLength=303, dest=0xfffffff767cc [rwRW,0xfffffff767cc-0xfffffff76fcc] u"kw543@cheribsd:~ $", ' ' <repeats 96 times>, "毛\xfff7\xffff", destCapacity=1024, options=9, pErrorCode=0xfffffff76fcc [rwRW,0xfffffff76fcc-0xfffffff76fd0]) at ushape.cpp:1584
#2  0x000000004050eac0 in Konsole::TerminalDisplay::bidiMap (this=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], screenline=0x48ec82f0 [rwRW,0x48ec7000-0x48f11980], line=..., log2line=0xfffffff7a9c0 [rwRW,0xfffffff7a9c0-0xfffffff7b9c0], line2log=0xfffffff799c0 [rwRW,0xfffffff799c0-0xfffffff7a9c0], shapemap=0xfffffff791c0 [rwRW,0xfffffff791c0-0xfffffff799c0], vis2line=0xfffffff781c0 [rwRW,0xfffffff781c0-0xfffffff791c0], 
    shaped=@0xfffffff781bc: false, shape=true, bidi=true) at /wrkdirs/usr/ports/x11/konsole/work/konsole-23.04.3/src/terminalDisplay/TerminalDisplay.cpp:3248
#3  0x0000000040528fd0 in Konsole::TerminalPainter::drawContents (this=0x4daca490 [rwRW,0x4daca490-0x4daca4c0], image=0x48ec7000 [rwRW,0x48ec7000-0x48f11980], paint=..., rect=..., printerFriendly=false, imageSize=19089, bidiEnabled=true, lineProperties=..., ulColorTable=0x506b1f5a [rwRW,0x506b1e80-0x506b20d0]) at /wrkdirs/usr/ports/x11/konsole/work/konsole-23.04.3/src/terminalDisplay/TerminalPainter.cpp:279
#4  0x000000004050826c in Konsole::TerminalDisplay::paintEvent (this=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], pe=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at /wrkdirs/usr/ports/x11/konsole/work/konsole-23.04.3/src/terminalDisplay/TerminalDisplay.cpp:721
#5  0x00000000432c1778 in QWidget::event (this=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], event=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at kernel/qwidget.cpp:8644
#6  0x00000000405145f0 in Konsole::TerminalDisplay::event (this=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], event=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at /wrkdirs/usr/ports/x11/konsole/work/konsole-23.04.3/src/terminalDisplay/TerminalDisplay.cpp:2925
#7  0x0000000043284e98 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], e=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at kernel/qapplication.cpp:3640
#8  0x00000000432863e4 in QApplication::notify (this=0x4802b740 [rwRW,0x4802b740-0x4802b760], receiver=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], e=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at kernel/qapplication.cpp:2979
#9  0x000000004461f0dc in QCoreApplication::notifyInternal2 (receiver=0x4dd79000 [rwRW,0x4dd79000-0x4dd795c0], event=0xfffffff7c880 [rwRW,0xfffffff7c880-0xfffffff7c8e0]) at kernel/qcoreapplication.cpp:1096
#10 0x000000004461fc44 in QCoreApplication::sendSpontaneousEvent (receiver=0x4dc1dc00 [rwRW,0x4dc1dc00-0x4dc1de5e], event=0x12f) at kernel/qcoreapplication.cpp:1506
#11 0x00000000432b218c in QWidgetPrivate::sendPaintEvent (this=0x4805b680 [rwRW,0x4805b680-0x4805b990], toBePainted=...) at kernel/qwidget.cpp:5479
#12 QWidgetPrivate::drawWidget (this=0x4805b680 [rwRW,0x4805b680-0x4805b990], pdev=0x4801c7d0 [rwRW,0x4801c7a0-0x4801c840], rgn=..., offset=..., flags=..., sharedPainter=<optimized out>, repaintManager=<optimized out>) at kernel/qwidget.cpp:5429
#13 0x00000000432bb714 in QWidgetPrivate::paintSiblingsRecursive (this=<optimized out>, pdev=<optimized out>, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=..., sharedPainter=<optimized out>, repaintManager=<optimized out>) at kernel/qwidget.cpp:5610
#14 0x00000000432b1a04 in QWidgetPrivate::drawWidget (this=0x50760500 [rwRW,0x50760500-0x50760870], pdev=0x4801c7d0 [rwRW,0x4801c7a0-0x4801c840], rgn=..., offset=..., flags=..., sharedPainter=0x0, repaintManager=<optimized out>) at kernel/qwidget.cpp:5470
#15 0x00000000432bb714 in QWidgetPrivate::paintSiblingsRecursive (this=<optimized out>, pdev=<optimized out>, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=..., sharedPainter=<optimized out>, repaintManager=<optimized out>) at kernel/qwidget.cpp:5610
#16 0x00000000432b1a04 in QWidgetPrivate::drawWidget (this=0x48059700 [rwRW,0x48059700-0x48059a50], pdev=0x4801c7d0 [rwRW,0x4801c7a0-0x4801c840], rgn=..., offset=..., flags=..., sharedPainter=0x0, repaintManager=<optimized out>) at kernel/qwidget.cpp:5470
#17 0x00000000432bb714 in QWidgetPrivate::paintSiblingsRecursive (this=<optimized out>, pdev=<optimized out>, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=..., sharedPainter=<optimized out>, repaintManager=<optimized out>) at kernel/qwidget.cpp:5610
#18 0x00000000432b1a04 in QWidgetPrivate::drawWidget (this=0x48059380 [rwRW,0x48059380-0x480596f0], pdev=0x4801c7d0 [rwRW,0x4801c7a0-0x4801c840], rgn=..., offset=..., flags=..., sharedPainter=0x0, repaintManager=<optimized out>) at kernel/qwidget.cpp:5470
#19 0x00000000432bb714 in QWidgetPrivate::paintSiblingsRecursive (this=<optimized out>, pdev=<optimized out>, siblings=..., index=<optimized out>, rgn=..., offset=..., flags=..., sharedPainter=<optimized out>, repaintManager=<optimized out>) at kernel/qwidget.cpp:5610
#20 0x00000000432b1a04 in QWidgetPrivate::drawWidget (this=0x4805ac00 [rwRW,0x4805ac00-0x4805af30], pdev=0x4801c7d0 [rwRW,0x4801c7a0-0x4801c840], rgn=..., offset=..., flags=..., sharedPainter=0x0, repaintManager=<optimized out>) at kernel/qwidget.cpp:5470
#21 0x0000000043291584 in QWidgetRepaintManager::paintAndFlush (this=0x4dae4ac0 [rwRW,0x4dae4ac0-0x4dae4b70]) at kernel/qwidgetrepaintmanager.cpp:1023
#22 0x000000004329176c in QWidgetRepaintManager::sync (this=0x4dae4ac0 [rwRW,0x4dae4ac0-0x4dae4b70]) at kernel/qwidgetrepaintmanager.cpp:770
#23 0x00000000432b0e28 in QWidgetPrivate::syncBackingStore (this=0x4805ac00 [rwRW,0x4805ac00-0x4805af30]) at kernel/qwidget.cpp:1758
#24 0x00000000432e3678 in QWidgetWindow::handleResizeEvent (this=0x481194c0 [rwRW,0x481194c0-0x48119570], event=0xfffffff7e560 [rwRW,0xfffffff7e560-0xfffffff7e5a0]) at kernel/qwidgetwindow.cpp:841
#25 0x00000000432e1744 in QWidgetWindow::event (this=0x481194c0 [rwRW,0x481194c0-0x48119570], event=0xfffffff7e560 [rwRW,0xfffffff7e560-0xfffffff7e5a0]) at kernel/qwidgetwindow.cpp:322
#26 0x0000000043284e98 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x481194c0 [rwRW,0x481194c0-0x48119570], e=0xfffffff7e560 [rwRW,0xfffffff7e560-0xfffffff7e5a0]) at kernel/qapplication.cpp:3640
#27 0x00000000432863e4 in QApplication::notify (this=0x4802b740 [rwRW,0x4802b740-0x4802b760], receiver=0x481194c0 [rwRW,0x481194c0-0x48119570], e=0xfffffff7e560 [rwRW,0xfffffff7e560-0xfffffff7e5a0]) at kernel/qapplication.cpp:2979
#28 0x000000004461f0dc in QCoreApplication::notifyInternal2 (receiver=0x481194c0 [rwRW,0x481194c0-0x48119570], event=0xfffffff7e560 [rwRW,0xfffffff7e560-0xfffffff7e5a0]) at kernel/qcoreapplication.cpp:1096
#29 0x000000004461fc44 in QCoreApplication::sendSpontaneousEvent (receiver=0x4dc1dc00 [rwRW,0x4dc1dc00-0x4dc1de5e], event=0x12f) at kernel/qcoreapplication.cpp:1506
#30 0x0000000043ada8b8 in QGuiApplicationPrivate::processGeometryChangeEvent (e=<optimized out>) at kernel/qguiapplication.cpp:2610
#31 0x0000000043ad766c in QGuiApplicationPrivate::processWindowSystemEvent (e=0x481897e0 [rwRW,0x481897e0-0x48189840]) at kernel/qguiapplication.cpp:2017
#32 0x0000000043abb928 in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at kernel/qwindowsysteminterface.cpp:1169
#33 0x0000000043ab74a4 in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at kernel/qwindowsysteminterface.cpp:1138
#34 0x000000004631d270 in QtWaylandClient::QWaylandWindow::applyConfigure (this=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0]) at qwaylandwindow.cpp:531
#35 0x0000000046346bb8 in QtWaylandClient::QWaylandWindow::qt_static_metacall (_o=0x4dc1dc00 [rwRW,0x4dc1dc00-0x4dc1de5e], _c=303, _id=9, _a=0xfffffff752d8 [rwRW,0xfffffff752d8-0xfffffff752dc]) at .moc/moc_qwaylandwindow_p.cpp:86
#36 0x0000000044648a54 in QMetaCallEvent::placeMetaCall (this=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90], object=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0]) at kernel/qobject.cpp:635
#37 0x0000000044649fc0 in QObject::event (this=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0], e=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90]) at kernel/qobject.cpp:1347
#38 0x0000000043284e98 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0], e=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90]) at kernel/qapplication.cpp:3640
#39 0x00000000432863e4 in QApplication::notify (this=0x4802b740 [rwRW,0x4802b740-0x4802b760], receiver=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0], e=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90]) at kernel/qapplication.cpp:2979
#40 0x000000004461f0dc in QCoreApplication::notifyInternal2 (receiver=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0], event=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90]) at kernel/qcoreapplication.cpp:1096
#41 0x000000004462045c in QCoreApplication::sendEvent (receiver=0x480a1f00 [rwRW,0x480a1f00-0x480a21d0], event=0x49c73bc0 [rwRW,0x49c73bc0-0x49c73c90]) at kernel/qcoreapplication.cpp:1494
#42 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=4, data=0x48042000 [rwRW,0x48042000-0x480420d0]) at kernel/qcoreapplication.cpp:1853
#43 0x0000000044677a1c in QEventDispatcherUNIX::processEvents (this=0x480eba60 [rwRW,0x480eba60-0x480eba80], flags=...) at kernel/qeventdispatcher_unix.cpp:468
#44 0x0000000046356250 in QUnixEventDispatcherQPA::processEvents (this=0x4dc1dc00 [rwRW,0x4dc1dc00-0x4dc1de5e], flags=...) at qunixeventdispatcher.cpp:63
#45 0x000000004461af30 in QEventLoop::processEvents (this=0xfffffff7f300 [rwRW,0xfffffff7f300-0xfffffff7f320], flags=...) at kernel/qeventloop.cpp:142
#46 QEventLoop::exec (this=0xfffffff7f300 [rwRW,0xfffffff7f300-0xfffffff7f320], flags=...) at kernel/qeventloop.cpp:235
#47 0x000000004461f848 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1407
#48 0x0000000043ad6f34 in QGuiApplication::exec () at kernel/qguiapplication.cpp:1870
#49 0x0000000043286040 in QApplication::exec () at kernel/qapplication.cpp:2832
#50 0x0000000000118fa0 in main (argc=1, argv=0xffffbff7f1f0 [rwRW,0xffffbff7f1f0-0xffffbff7f210]) at /wrkdirs/usr/ports/x11/konsole/work/konsole-23.04.3/src/main.cpp:271
(gdb) disassemble /s $pcc,+4
Dump of assembler code from 0x40ecc1e4 to 0x40ecc1e8:
ushape.cpp:
466	    while((dest[i] == SPACE_CHAR) && (countl < size)) {
=> 0x0000000040ecc1e4 <_ZL11countSpacesPDsijPiS0_+52>:	ldrh	w9, [c0, x8, lsl #1]
End of assembler dump.
kwitaszczyk added a commit to kwitaszczyk/icu that referenced this issue Jun 4, 2024
Check if an iterator is within bounds before accessing memory.
Also, remove a redundant variable to make the while condition more
clear.

This issue was found [1] by running Konsole on CheriBSD/Morello that was
compiled for CheriABI. The out of bounds read triggered a CHERI
capability violation.

[1] CTSRD-CHERI/cheribsd-ports#160
kwitaszczyk (Member, Author) commented:

A fix for this issue has been submitted to upstream in unicode-org/icu#3024.

@kwitaszczyk kwitaszczyk self-assigned this Jun 4, 2024
kwitaszczyk added a commit to CTSRD-CHERI/icu that referenced this issue Jun 12, 2024
Check if an iterator is within bounds before accessing memory.
Also, remove a redundant variable to make the while condition more
clear.

This issue was found [1] by running Konsole on CheriBSD/Morello that was
compiled for CheriABI. The out of bounds read triggered a CHERI
capability violation.

[1] CTSRD-CHERI/cheribsd-ports#160
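To show the defect at ushape.cpp:466 and the reordering the commit message describes, here is an added example, not ICU's or the issue author's code: a model of the leading-space loop with a bounds-checked accessor standing in for the CHERI capability check (the Cap, load, Result and run_case names are assumptions for illustration), run on a constructed all-space line of the same size as in the reported crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t UChar;
#define SPACE_CHAR 0x0020

/* Model of a CHERI bounds-checked pointer: an access outside [0, length)
 * is recorded here instead of trapping with SIGPROT as on CheriBSD. */
typedef struct { const UChar *base; int32_t length; int32_t faults; } Cap;
static UChar load(Cap *c, int32_t i) {
    if (i < 0 || i >= c->length) { c->faults++; return 0; }
    return c->base[i];
}

/* Same ordering as ushape.cpp:466: dest[i] is read before i is compared
 * with size, so a line made only of spaces ends up reading dest[size]. */
static int32_t leading_spaces_buggy(Cap *dest, int32_t size) {
    int32_t i = 0, countl = 0;
    while ((load(dest, i) == SPACE_CHAR) && (countl < size)) { countl++; i++; }
    return countl;
}

/* Fixed ordering: bound the index first, then dereference; the second
 * counter is redundant because i already holds the count. */
static int32_t leading_spaces_fixed(Cap *dest, int32_t size) {
    int32_t i = 0;
    while ((i < size) && (load(dest, i) == SPACE_CHAR)) { i++; }
    return i;
}

typedef struct { int32_t count; int32_t faults; } Result;
/* Runs one variant on a constructed line of `spaces` leading spaces followed
 * by 'x' up to `size`, in a buffer whose bounds equal size exactly. */
static Result run_case(int32_t size, int32_t spaces, int buggy) {
    UChar *buf = malloc((size_t)size * sizeof(UChar));
    for (int32_t i = 0; i < size; i++) buf[i] = (i < spaces) ? SPACE_CHAR : 'x';
    Cap dest = { buf, size, 0 };
    Result r;
    r.count = buggy ? leading_spaces_buggy(&dest, size) : leading_spaces_fixed(&dest, size);
    r.faults = dest.faults;
    free(buf);
    return r;
}

int main(void) {
    Result b = run_case(305, 305, 1), f = run_case(305, 305, 0);  /* size from the report */
    printf("buggy: count=%d faults=%d\nfixed: count=%d faults=%d\n", b.count, b.faults, f.count, f.faults);
    return 0;
}
```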