Bug 2161020 - After updating libX11 to version 1.8.3-1.fc38, in some games I need to move the mouse to invoke screen updates.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libX11
Version: 38
Hardware: Unspecified
OS: Unspecified
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-01-15 10:13 UTC by Mikhail
Modified: 2023-02-10 00:38 UTC

Fixed In Version: libX11-1.8.4-1.fc37
Last Closed: 2023-02-10 00:38:28 UTC
Type: Bug

Description Mikhail 2023-01-15 10:13:24 UTC
Description of problem:
After updating libX11 to version 1.8.3-1.fc38, a weird bug appears.
In some games I need to move the mouse to invoke screen updates.
Demonstration: https://youtu.be/3OHzKpxaB6E

I bisected the issue and found that this happens because of the commit 

d6d6cba90215d323567fef13d6565756c9956f60 is the first bad commit
commit d6d6cba90215d323567fef13d6565756c9956f60
Author: Keith Packard <keithp>
Date:   Sun Dec 11 10:32:26 2022 -0800

    Update XPutBackEvent() to support clients that put back unpadded events
    
    It seems to be common practice of some X11 clients to pass specific event
    types into APIs that take XEvent*.  For example, freeglut does:
    
       XConfigureEvent fakeEvent = {0};
       ...
       XPutBackEvent(fgDisplay.Display, (XEvent*)&fakeEvent);
    
    This can result in reads overflowing the input event when libX11 does:
    
       XEvent store = *event;
    
    =================================================================
    ==75304==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016ee4a8e8 at pc 0x000101c54d14 bp 0x00016ee4a0d0 sp 0x00016ee49888
    READ of size 192 at 0x00016ee4a8e8 thread T0
        #0 0x101c54d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10)
        #1 0x102848a18 in _XPutBackEvent PutBEvent.c:41
        #2 0x1028490a4 in XPutBackEvent PutBEvent.c:84
        #3 0x1013295c8 in fgOpenWindow freeglut_window.c:1178
        #4 0x101321984 in fgCreateWindow freeglut_structure.c:108
        #5 0x10132b138 in glutCreateWindow freeglut_window.c:1551
        #6 0x100fb7d94 in main+0x78 (checkeredTriangles:arm64+0x100003d94)
        #7 0x197de3e4c  (<unknown module>)
    
    Address 0x00016ee4a8e8 is located in stack of thread T0 at offset 840 in frame
        #0 0x1013282f8 in fgOpenWindow freeglut_window.c:1063
    
      This frame has 8 object(s):
        [32, 40) 'title.addr'
        [64, 176) 'winAttr' (line 1066)
        [208, 240) 'textProperty' (line 1067)
        [272, 352) 'sizeHints' (line 1068)
        [384, 440) 'wmHints' (line 1069)
        [480, 672) 'eventReturnBuffer' (line 1070)
        [736, 740) 'num_FBConfigs' (line 1072)
        [752, 840) 'fakeEvent' (line 1074) <== Memory access at offset 840 overflows this variable
    
    This change allows XPutBackEvent() to support such clients without
    risk of memory read overflow.
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu>
    Tested-by: Jeremy Huddleston Sequoia <jeremyhu>

 src/PutBEvent.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)


I see that this commit has already been reverted in master: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/88399e01be679bfcc9a5e8922ffe2c47f0e56dee

But who knows when version 1.8.4 will be released?

So I built libX11 with commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/88399e01be679bfcc9a5e8922ffe2c47f0e56dee and suggest reviewing my PR.
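
The over-read described in the commit message quoted in the description above, shown with stand-in types as an added example. This is not libX11 or freeglut code and not the change that commit made; `ConfigureEvent`, `Event`, `EV_CONFIGURE`, `store_unsafe`, `event_size` and `store_checked` are hypothetical names, and the size-by-type copy is one possible hardening.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types (assumptions), shaped like Xlib's: a specific event struct
 * that is smaller than the padded union an XEvent* API expects. */
enum { EV_CONFIGURE = 22 };            /* constructed type code */

typedef struct {
    int type; unsigned long serial; int send_event; void *display;
    unsigned long event, window;
    int x, y, width, height, border_width;
    unsigned long above;
    int override_redirect;
} ConfigureEvent;

typedef union {
    int type;
    ConfigureEvent configure;
    long pad[24];                      /* pads the union to its full size */
} Event;

/* Pattern from the commit message: reads sizeof(Event) bytes no matter how
 * much the caller really allocated. Shown for contrast; never called here. */
void store_unsafe(Event *store, const Event *event)
{
    *store = *event;
}

/* Bytes actually owned by an event of this type; 0 means unknown type. */
size_t event_size(int type)
{
    return type == EV_CONFIGURE ? sizeof(ConfigureEvent) : 0;
}

/* Hardened copy: read only the type field, then only the bytes that type
 * owns, leaving the rest of the padded destination zeroed. */
int store_checked(Event *store, const void *event)
{
    int type;
    size_t n;
    memcpy(&type, event, sizeof type);
    n = event_size(type);
    if (n == 0 || n > sizeof *store)
        return -1;                     /* unknown type: refuse, do not guess */
    memset(store, 0, sizeof *store);
    memcpy(store, event, n);
    return 0;
}
```

On an LP64 build the stand-in struct is 88 bytes and the union 192, the same sizes as `fakeEvent` and the `READ of size 192` in the AddressSanitizer report.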

Comment 1 Mikhail 2023-01-15 10:17:18 UTC
Please review my PR
https://src.fedoraproject.org/rpms/libX11/pull-request/1

Comment 2 Fedora Update System 2023-01-16 04:16:04 UTC
FEDORA-2023-be3023012d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-be3023012d

Comment 3 Fedora Update System 2023-01-17 02:40:00 UTC
FEDORA-2023-be3023012d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-be3023012d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-be3023012d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Ben Cotton 2023-02-07 15:14:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 5 Fedora Update System 2023-02-09 10:08:55 UTC
FEDORA-2023-e4d7cfa2c2 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e4d7cfa2c2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e4d7cfa2c2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-02-10 00:38:28 UTC
FEDORA-2023-e4d7cfa2c2 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

