sanitized version of libX11 crashes on heap-use-after-free in _XimUnRegisterIMInstantiateCallback
Vittorio Zecca
zeccav at gmail.com
Mon Nov 9 06:56:43 UTC 2020
While running the test suite of tk8.6.10, a GNU gcc sanitized version of
libX11-1.6.12 crashes because of a heap-use-after-free at imInsClbk.c
line 238:
!strcmp( lcd->core->modifiers, icb->modifiers ))) &&
The sanitizer error messages suggest that lcd->core->modifiers is
referenced after it is freed.
This is under Fedora 32 on x86-64 hardware.
The following is the complete sanitizer message (tktest is a program
in tk8.6.10):
./tktest
=================================================================
==180767==ERROR: AddressSanitizer: heap-use-after-free on address
0x6020000109f0 at pc 0x146b2ee4868c bp 0x7fff77aa86c0 sp
0x7fff77aa7e68
READ of size 1 at 0x6020000109f0 thread T0
#0 0x146b2ee4868b (/lib64/libasan.so.6+0x8e68b)
#1 0x146b2c570453 in _XimUnRegisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/modules/im/ximcp/imInsClbk.c:238
#2 0x146b2c4c39e9 in XUnregisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/IMWrap.c:200
#3 0x146b2c56f33b in _XimRegisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/modules/im/ximcp/imInsClbk.c:209
#4 0x146b2c4c385c in XRegisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/IMWrap.c:177
#5 0x146b2e1c92ea in TkpOpenDisplay
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:184
#6 0x146b2dd02a17 in GetScreen
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:465
#7 0x146b2dd02a17 in CreateTopLevelWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:348
#8 0x146b2dd04035 in TkCreateMainWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:855
#9 0x146b2dd5c947 in CreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:582
#10 0x146b2dd5e8a7 in TkListCreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:468
#11 0x146b2dd0f00d in Initialize
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:3255
#12 0x4029b0 in Tcl_AppInit
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:109
#13 0x146b2dc7ea75 in Tk_MainEx
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkMain.c:338
#14 0x4027db in main
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:78
#15 0x146b2b0d21a1 in __libc_start_main (/lib64/libc.so.6+0x281a1)
#16 0x4028cd in _start
(/home/vitti/rpmbuild/SOURCES/tk8.6.10/unix/tktest+0x4028cd)
0x6020000109f0 is located 0 bytes inside of 1-byte region
[0x6020000109f0,0x6020000109f1)
freed by thread T0 here:
#0 0x146b2ee6a307 in __interceptor_free (/lib64/libasan.so.6+0xb0307)
#1 0x146b2c513802 in XSetLocaleModifiers
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/lcWrap.c:90
#2 0x146b2e1c7e44 in OpenIM
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:750
#3 0x146b2e1c8a64 in InstantiateIMCallback
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:705
#4 0x146b2c56f33b in _XimRegisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/modules/im/ximcp/imInsClbk.c:209
#5 0x146b2c4c385c in XRegisterIMInstantiateCallback
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/IMWrap.c:177
#6 0x146b2e1c92ea in TkpOpenDisplay
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:184
#7 0x146b2dd02a17 in GetScreen
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:465
#8 0x146b2dd02a17 in CreateTopLevelWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:348
#9 0x146b2dd04035 in TkCreateMainWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:855
#10 0x146b2dd5c947 in CreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:582
#11 0x146b2dd5e8a7 in TkListCreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:468
#12 0x146b2dd0f00d in Initialize
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:3255
#13 0x4029b0 in Tcl_AppInit
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:109
#14 0x146b2dc7ea75 in Tk_MainEx
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkMain.c:338
#15 0x4027db in main
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:78
#16 0x146b2b0d21a1 in __libc_start_main (/lib64/libc.so.6+0x281a1)
previously allocated by thread T0 here:
#0 0x146b2ee6a667 in __interceptor_malloc (/lib64/libasan.so.6+0xb0667)
#1 0x146b2c5126d3 in _XlcDefaultMapModifiers
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/lcWrap.c:147
#2 0x146b2c51377e in XSetLocaleModifiers
/home/vitti/rpmbuild/SOURCES/X11/src/xlibi18n/lcWrap.c:88
#3 0x146b2e1c7e44 in OpenIM
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:750
#4 0x146b2e1c92ab in TkpOpenDisplay
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkUnixEvent.c:183
#5 0x146b2dd02a17 in GetScreen
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:465
#6 0x146b2dd02a17 in CreateTopLevelWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:348
#7 0x146b2dd04035 in TkCreateMainWindow
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:855
#8 0x146b2dd5c947 in CreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:582
#9 0x146b2dd5e8a7 in TkListCreateFrame
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkFrame.c:468
#10 0x146b2dd0f00d in Initialize
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkWindow.c:3255
#11 0x4029b0 in Tcl_AppInit
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:109
#12 0x146b2dc7ea75 in Tk_MainEx
/home/vitti/rpmbuild/SOURCES/tk/unix/../generic/tkMain.c:338
#13 0x4027db in main
/home/vitti/rpmbuild/SOURCES/tk/unix/../unix/tkAppInit.c:78
#14 0x146b2b0d21a1 in __libc_start_main (/lib64/libc.so.6+0x281a1)
SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.6+0x8e68b)
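The two stacks above show one ordering: a registration routine invokes a callback, a nested call inside that callback (XSetLocaleModifiers, lcWrap.c:90) frees and replaces the modifier string, and code that runs after the callback still compares against the old string. The following C model of that pattern is an added example, not libX11's or Tk's code; every name in it (locale_state, set_modifiers, register_callback, run_case) is hypothetical. It shows the hardened shape: take an owned copy of the string before handing control to the callback, track a generation counter so a replacement is detected even when the new string happens to be equal, and never dereference the pre-callback pointer afterwards.

```c
/* Constructed model of a callback that invalidates state its caller holds.
 * All names are hypothetical; this is not libX11's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locale state whose modifier string lives on the heap and can be replaced. */
typedef struct {
    char *modifiers;      /* heap string, freed and replaced by set_modifiers() */
    unsigned generation;  /* bumped on every replacement */
} locale_state;

/* Portable strdup replacement (avoids relying on a POSIX declaration). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* Analogue of the free at lcWrap.c:90 in the trace: the old string is
 * released and a fresh one installed; any pointer read earlier is now stale. */
static int set_modifiers(locale_state *st, const char *mods)
{
    char *copy = dup_string(mods);
    if (!copy)
        return -1;
    free(st->modifiers);
    st->modifiers = copy;
    st->generation++;
    return 0;
}

typedef void (*instantiate_cb)(locale_state *st, const void *client_data);

/* Hardened registration. Returns 1 if the callback left the modifiers
 * untouched, 0 if it replaced them, -1 on allocation failure.
 * The snapshot is owned by this frame, so it survives whatever the callback
 * does to st->modifiers; the post-callback comparison never touches the
 * pointer that was valid before the call. */
static int register_callback(locale_state *st, instantiate_cb cb,
                             const void *client_data)
{
    char *before = dup_string(st->modifiers);   /* owned snapshot */
    if (!before)
        return -1;
    unsigned gen = st->generation;
    cb(st, client_data);                        /* may call set_modifiers() */
    /* Re-read st->modifiers: it may point at a new allocation now. */
    int unchanged = (gen == st->generation) &&
                    strcmp(before, st->modifiers) == 0;
    free(before);
    return unchanged;
}

/* Callback that resets the modifiers, like the OpenIM path in the trace. */
static void resetting_cb(locale_state *st, const void *client_data)
{
    set_modifiers(st, (const char *)client_data);
}

/* Callback that leaves the state alone. */
static void passive_cb(locale_state *st, const void *client_data)
{
    (void)st;
    (void)client_data;
}

/* Runs one registration on constructed state and checks the string left
 * behind. Returns register_callback's result, or -2 if the final string is
 * not expect_after, or -1 on allocation failure. */
static int run_case(const char *initial, instantiate_cb cb, const char *arg,
                    const char *expect_after)
{
    locale_state st = { dup_string(initial), 0 };
    if (!st.modifiers)
        return -1;
    int unchanged = register_callback(&st, cb, arg);
    int after_ok = strcmp(st.modifiers, expect_after) == 0;
    free(st.modifiers);
    return after_ok ? unchanged : -2;
}

int main(void)
{
    printf("passive:  %d\n", run_case("@im=none", passive_cb, NULL, "@im=none"));
    printf("reset:    %d\n", run_case("@im=none", resetting_cb, "@im=xim", "@im=xim"));
    printf("same str: %d\n", run_case("@im=xim", resetting_cb, "@im=xim", "@im=xim"));
    return 0;
}
```

The third case is the one a plain string comparison would miss: the callback installs an equal string in a new allocation, so the old pointer is dangling even though strcmp on a snapshot would report "unchanged"; the generation counter catches that. Building the model with -fsanitize=address, as the reporter did for libX11, is the simplest way to confirm that no path in it reads freed memory.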