Bug#493823: gpm: segv on SIGWINCH

Wed Aug 6 01:09:46 UTC 2008

Nico Schottelius <nico-debian-pkg-gpm-devel at schottelius.org> writes:
>
> Can you attach gdb and/or strace -fF to it and attach the output?
> You can also run gpm -D to run it in debug mode and send the last lines
> before it dies.

*** debug [daemon/old_main.c(158)]: selected 1 times
*** debug [daemon/getmousedata.c(89)]: Data 0a 00 00 (00)
*** debug [daemon/processmouse.c(281)]: dx:   0 dy:   0 x:   2 y:  48 butt: 1 vc: 11 clicks: 0
*** debug [daemon/old_main.c(158)]: selected 1 times
*** debug [daemon/getmousedata.c(89)]: Data 08 00 00 (00)
*** debug [daemon/processmouse.c(281)]: dx:   0 dy:   0 x:   2 y:  48 butt: 1 vc: 11 clicks: 0
*** warning [daemon/gpm-killed.c(34)]: /usr/sbin/gpm pid 2981 is resizing :-)
*** debug [daemon/get_console_size.c(45)]: Screen size: 80 - 50
*** debug [daemon/get_console_size.c(62)]: x 3, y 3

Program received signal SIGSEGV, Segmentation fault.
0x080544a8 in ?? ()
(gdb) where
#0  0x080544a8 in ?? ()
#1  0x0000001c in ?? ()
#2  0x0000001c in ?? ()
#3  0x00000000 in ?? ()

And if I recompile noopt,nostrip to get a backtrace the claim is

#0  0x0805706c in old_main () at daemon/old_main.c:146
#1  0x080569e7 in main (argc=134572308, argv=0x8000000) at daemon/main.c:33

which is

    for (ci = cinfo[i]; ci; ci = ci->next) kill(ci->data.pid,SIGWINCH);

with i=64 and with cinfo[64]=0x50 ... which looks like a rather dodgy
pointer value.

Sticking a watchpoint on cinfo[64] shows it gets clobbered when
get_console_size() stores to maxx.  And indeed gdb claims the addresses
of cinfo[64] and maxx are the same.  (So it seems that 0x50 is "80", the
screen width.)

Putting gpm.c through the preprocessor it looks like it gets compiled
with MAX_VC=63 coming from MAX_NR_CONSOLES in <linux/vt.h>.  But the
same on old_main.c ends up with MAX_VC=64 coming from the fallback
MAX_NR_CONSOLES=64 in daemon.h.  I guess old_main.c is going past the
end of the array when it tries to propagate sigwinch to the clients ...