Mutter crashes on xdg_activation.activate request
Affected version
Ubuntu 22.04.1 LTS, Mutter 42.2, Wayland
Bug summary
This originates from a bug reported for Qt Wayland: https://bugreports.qt.io/browse/QTBUG-107755
Running the attached example in Mutter causes the server to segfault. The change in Qt that triggers the crash appears to be https://codereview.qt-project.org/c/qt/qtwayland/+/421124
We will investigate further whether there is an error in Qt in the relevant code, but even a malicious client should not be able to crash the system compositor, so we believe this demonstrates a bug in Mutter.
Steps to reproduce
- Run mutter (I ran "mutter --nested" on an X11 desktop, but the original bug report is for the system compositor)
- Compile the example attached in https://bugreports.qt.io/browse/QTBUG-107755 against Qt 6.4 or later
- Run the example
- Click on the combo box and then in the center of the window (to close it)
What happened
Mutter crashes.
What did you expect to happen
Handle the client requests gracefully.
Relevant logs, screenshots, screencasts etc.
I could not find any debug symbols for libmutter in my distro, so the value of the stack trace is limited I think, but here it is anyway:
#0 0x00007ffff7eba279 in () at /lib/x86_64-linux-gnu/libmutter-10.so.0
#1 0x00007ffff7ec699a in () at /lib/x86_64-linux-gnu/libmutter-10.so.0
#2 0x00007ffff7eb1030 in () at /lib/x86_64-linux-gnu/libmutter-10.so.0
#3 0x00007ffff6313e2e in () at /lib/x86_64-linux-gnu/libffi.so.8
#4 0x00007ffff6310493 in () at /lib/x86_64-linux-gnu/libffi.so.8
#5 0x00007ffff7601260 in () at /lib/x86_64-linux-gnu/libwayland-server.so.0
#6 0x00007ffff7605474 in () at /lib/x86_64-linux-gnu/libwayland-server.so.0
#7 0x00007ffff7603eea in wl_event_loop_dispatch () at /lib/x86_64-linux-gnu/libwayland-server.so.0
#8 0x00007ffff7ead86b in () at /lib/x86_64-linux-gnu/libmutter-10.so.0
#9 0x00007ffff7c9ed1b in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007ffff7cf36f8 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007ffff7c9e293 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007ffff7e53849 in meta_context_run_main_loop () at /lib/x86_64-linux-gnu/libmutter-10.so.0
#13 0x0000555555556571 in ()
#14 0x00007ffff77ecd90 in __libc_start_call_main (main=main@entry=0x555555556440, argc=argc@entry=2, argv=argv@entry=0x7fffffffdbb8) at ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x00007ffff77ece40 in __libc_start_main_impl (main=0x555555556440, argc=2, argv=0x7fffffffdbb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdba8) at ../csu/libc-start.c:392
#16 0x0000555555556695 in ()
See attachment wayland.log for the Wayland log. The last request is
xdg_activation_v1@25.activate("d433fead-6d60-4831-809d-05941ce4cb56_TIME0", wl_surface@23)
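Added triage helper, not part of this bug report or of Mutter or Qt: a small parser for the WAYLAND_DEBUG line format (as printed by libwayland's wl_closure_print, e.g. `[  1000.011]  -> xdg_activation_v1@25.activate("...", wl_surface@23)`) that reports the last message before the crash and replays object creation and destruction so that a request naming an object the log never created, or already destroyed, is flagged. The sample log below is constructed to mirror the object ids quoted above; it is not the attached wayland.log, and whether that log was captured client- or server-side is not stated in the report, so the " -> " marker is only interpreted as "sent by the logging process". Treating a message named `destroy` as a destructor is a naming-convention heuristic.

```python
"""Triage a WAYLAND_DEBUG log: last message before a crash, plus references to
objects that were not live when the message was logged.

Added example, not code from the bug report, Mutter or Qt.  SAMPLE_LOG is a
constructed log that reuses the object ids quoted in the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shape from libwayland's wl_closure_print().  " -> " marks messages the
# logging process sent (requests in a client log, events in a compositor log).
# An optional "{queue}" tag emitted by newer libwayland is tolerated.
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?:\{[^}]*\}\s*)?(?P<sent>->\s*)?"
    r"(?P<iface>\w+)@(?P<oid>\d+)\.(?P<name>\w+)\((?P<args>.*)\)\s*$"
)
# wl_registry.bind prints "new id [unknown]@N" because its new_id is untyped.
NEW_ID_RE = re.compile(r"new id (?P<iface>\[unknown\]|\w+)@(?P<oid>\d+)")
OBJ_REF_RE = re.compile(r"(?<!new id )\b(?P<iface>\w+)@(?P<oid>\d+)")


@dataclass(frozen=True)
class Message:
    ts: float
    sent: bool
    iface: str
    oid: int
    name: str
    args: str

    def refs(self) -> List[Tuple[str, int]]:
        """Existing objects passed as arguments (string args are masked first)."""
        masked = re.sub(r'"[^"]*"', '""', self.args)
        return [(m["iface"], int(m["oid"])) for m in OBJ_REF_RE.finditer(masked)]

    def created(self) -> Optional[Tuple[str, int]]:
        """(interface, id) of the object this message creates, if any."""
        m = NEW_ID_RE.search(self.args)
        if not m:
            return None
        iface = m["iface"]
        if iface == "[unknown]":  # bind: interface name is the string argument
            q = re.search(r'"([^"]+)"', self.args)
            iface = q.group(1) if q else iface
        return iface, int(m["oid"])


def parse_log(text: str) -> List[Message]:
    """Keep only lines that look like protocol messages; ignore everything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Message(float(m["ts"]), m["sent"] is not None, m["iface"],
                               int(m["oid"]), m["name"], m["args"]))
    return out


def last_message(msgs: List[Message], sent: Optional[bool] = None) -> Optional[Message]:
    for m in reversed(msgs):
        if sent is None or m.sent == sent:
            return m
    return None


def replay(msgs: List[Message]):
    """Replay creations/destructions.  Returns (object table id -> (iface, alive),
    [(message, problems)]) where problems name objects not live at that point."""
    live: Dict[int, Tuple[str, bool]] = {1: ("wl_display", True)}  # id 1 is fixed
    report = []
    for m in msgs:
        problems = []
        for iface, oid in [(m.iface, m.oid)] + m.refs():
            entry = live.get(oid)
            if entry is None:
                problems.append(f"{iface}@{oid} never created in this log")
            elif not entry[1]:
                problems.append(f"{iface}@{oid} already destroyed")
        if problems:
            report.append((m, problems))
        c = m.created()
        if c:
            live[c[1]] = (c[0], True)       # ids may be reused after destroy
        if m.name == "destroy":             # destructor naming convention (heuristic)
            live[m.oid] = (live.get(m.oid, (m.iface, True))[0], False)
    return live, report


# Constructed client-side log; ids 23 and 25 and the token match the report.
SAMPLE_LOG = """
[1000.001]  -> wl_display@1.get_registry(new id wl_registry@2)
[1000.002] wl_registry@2.global(3, "wl_compositor", 5)
[1000.003] wl_registry@2.global(9, "xdg_activation_v1", 1)
[1000.004]  -> wl_registry@2.bind(3, "wl_compositor", 5, new id [unknown]@4)
[1000.005]  -> wl_compositor@4.create_surface(new id wl_surface@23)
[1000.006]  -> wl_registry@2.bind(9, "xdg_activation_v1", 1, new id [unknown]@25)
[1000.007]  -> xdg_activation_v1@25.get_activation_token(new id xdg_activation_token_v1@26)
[1000.008]  -> xdg_activation_token_v1@26.commit()
[1000.009] xdg_activation_token_v1@26.done("d433fead-6d60-4831-809d-05941ce4cb56_TIME0")
[1000.010]  -> xdg_activation_token_v1@26.destroy()
[1000.011]  -> xdg_activation_v1@25.activate("d433fead-6d60-4831-809d-05941ce4cb56_TIME0", wl_surface@23)
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    last = last_message(msgs, sent=True)
    print("last sent message:", last.iface, last.oid, last.name, last.refs())
    table, report = replay(msgs)
    for m, problems in report:
        print(f"[{m.ts}] {m.iface}@{m.oid}.{m.name}: " + "; ".join(problems))
```

Run it on a real capture with `parse_log(open("wayland.log").read())`; the reported problems only say that a message referenced an object the log itself had not created or had already destroyed, which narrows a crash down to a request and its operands but does not by itself show why the compositor dereferenced something invalid.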