Ubuntu
glib2.0 package

glib2.0: Uninitialised memory is written to gschema.compiled, failure to parse this file leads to gdm, gnome-shell failing to start

Bug #1930359 reported by Matthew Ruffell on 2021-06-01

This bug affects 1 person

	Status	Importance	Assigned to
GLib	Fix Released	Unknown	auto-gitlab.gnome.org-gnome-gvdb-- #2
glib2.0 (Ubuntu)	Fix Released	Undecided	Matthew Ruffell
Focal	Fix Released	High	Matthew Ruffell

Bug Description

[Impact]

A recent SRU of mutter 3.36.9-0ubuntu0.20.04.1 caused an outage for a user with 300 VDIs running Focal, where GNOME applications would fail to start, and if you reboot, gdm and gnome-shell both fail to start, and you are left with a black screen and a blinking cursor.

After much investigation, mutter was not at fault. Instead, mutter-common calls the libglib2.0-0 hook on upgrade:

Processing triggers for libglib2.0-0:amd64 (2.64.6-1~ubuntu20.04.3) ...

This in turn calls glib-compile-schemas to recompile the gsettings gschema cache, from the files in /usr/share/glib-2.0/schemas/. The result is a binary gschemas.compiled file, which is loaded by libglib2.0 on every invocation of a GNOME application, or gdm or gnome-shell to fetch application default settings.

Now, glib2.0 2.64.6-1~ubuntu20.04.3 in Focal has some non-deterministic behaviour when calling glib-compile-schemas, causing generated gschemas.compiled files to have differing contents on each run:

# glib-compile-schemas /usr/share/glib-2.0/schemas
# cmp -l /home/ubuntu/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 D0
00003771 A4 DB

The bytes on the left are from a corrupted gschemas.compiled provided by an affected user. The changing bytes on the right are non-deterministic.

I ran valgrind over glib-compile-schemas, and found that we are writing to uninitialised memory.

https://paste.ubuntu.com/p/hvZccwdzxz/

What is happening is that a submodule of glib, gvdb, contains the logic for serialising the gschema data structures, and when it allocates a buffer to store the eventual gschemas.compiled file, it does not initialise it.

When we populate the fields in the buffer, some bytes are never overwritten, and these junk bytes find themselves written to gschemas.compiled.

On boot, when gdm and gnome-shell attempt to parse and load this corrupted gschemas.compiled file, it can't parse the junk bytes, and raises and error, which propagates up to a breakpoint in glib logging, but no debugger is present, so the kernel traps the breakpoint, and terminates the library, and the calling application, e.g. gdm.

The result is that the user is left starting at a black screen with a blinking pointer.

[Testcase]

On a Focal system, simply run valgrind over glib-compile-schemas:

# valgrind glib-compile-schemas /usr/share/glib-2.0/schemas

You will get output like this, with the warning "Syscall param write(buf) points to uninitialised byte(s)":

https://paste.ubuntu.com/p/hvZccwdzxz/

If you happen to have a large amount of gschema overrides present on your system, like my affected user does, you can save a copy of a generated gschema.compiled to your home directory and bindiff it against recompiles:

# glib-compile-schemas /usr/share/glib-2.0/schemas
# cp /usr/share/glib-2.0/schemas/gschema.compiled /home/ubuntu/schemas/gschemas.compiled
# glib-compile-schemas /usr/share/glib-2.0/schemas
# cmp -l /home/ubuntu/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 C3
00003771 A4 98

If you install the test package from the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf311791-test

When you run valgrind, it will report a clean run with no writing to uninitialised buffers, and all invocations of glib-compile-schemas will be deterministic, and generate the file same with the same sha256 hash every time. The unwritten bytes if you do a bindiff from before and after will be all set to zero.

[Where problems can occur]

I am doubtful that any programs are relying on buggy non-deterministic behaviour from random bytes found in uninitialised memory, so this should be a relatively safe change.

Since we are updating glib, which all GNOME applications, gdm and gnome-shell link to, if we introduce an error, it could cause these applications to stop working, and at a worse case, see the symptoms this bug is trying to fix, which is a blinking cursor on a blank screen.

Installing any updates to glib also causes the gsettings gschema cache to be re-generated, and from this bug, we know that libglib seems to trust the gschema.compiled file and doesn't perform much validation, if the user has bad data in their gschema files, it could lead to their systems having issues on next boot.

If a regression occurs, users should first attempt to re-generate their schemas like so:

glib-compile-schemas /usr/share/glib-2.0/schemas

and if that fails, then they should downgrade their libglib2.0-0 libglib2.0-bin libglib2.0-data packages.

[Other info]

This was fixed by the commit:

commit ea64c739239faea463f3cb9154a12cc4532ba525
Author: Philip Withnall <email address hidden>
Date: Wed Mar 18 09:15:59 2020 +0000
Subject: gvdb-builder: Initialise some memory to zero in the bloom filter
Link: https://github.com/GNOME/glib/commit/ea64c739239faea463f3cb9154a12cc4532ba525

Only Focal needs this patch, Groovy and up are unaffected.

See original description

Tags:

Matthew Ruffell (mruffell) on 2021-06-01

Changed in mutter (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Matthew Ruffell (mruffell)
tags:	added: regression-update sts
description:	updated

Daniel van Vugt (vanvugt) on 2021-06-01

tags:

added: focal

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-06-14:

I built a test package based on mutter 3.36.9-0ubuntu0.20.04.1, and reverted the three commits introduced by LP #1905825, namely:

commit: 92834d8feceeac538299a47a8c742e155de4e6e8
From: Kai-Heng Feng <email address hidden>
Date: Mon, 21 Dec 2020 14:34:43 +0800
Subject: renderer/native: Refactor modeset boilerplate into new helpers
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/92834d8feceeac538299a47a8c742e155de4e6e8

commit: 097af7ddb381606da74c737859cc92fff72ed417
From: Kai-Heng Feng <email address hidden>
Date: Mon, 21 Dec 2020 14:59:32 +0800
Subject: monitor-manager-kms: Disable CRTCs if there is no monitor
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/097af7ddb381606da74c737859cc92fff72ed417

commit: 93f3ce3c305571bfc39f6d9e5d221e1b60a920a4 Mon Sep 17 00:00:00 2001
From: Kai-Heng Feng <email address hidden>
Date: Fri, 13 Nov 2020 14:19:26 +0800
Subject: monitor-manager-xrandr: Disable CRTCs if there is no monitor
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/93f3ce3c305571bfc39f6d9e5d221e1b60a920a4

The testpackage is available in [1]:

[1] https://launchpad.net/~mruffell/+archive/ubuntu/sf311791-test

I provided the testpackage to the affected user, and they installed it in a test VDI on their VMware Horizon environment, and wrote back that it works.

So, it seems to be the CRTc changes from bug 1905825.

The affected user's environment uses Nvidia GRID GPUs, passed into the VDI. They are using the Nvidia GRID 450.51.05 driver.

I have been trying to reproduce this for a few days now. Google Cloud has an option to pass a Nvidia P4 GPU into the instance, and turn on Nvidia GRID, so I have been using that platform.

I have tried with gpu, without gpu, multiple versions of mutter, with and without VMware Horizon Viewagent 7.13, but in each of my runs, I see gdm3 running, and I see the usual processes that get spawned off of it. I have tried multiple versions of the Nvidia GRID driver, available from [2], but they appear to act the same.

[2] https://cloud.google.com/compute/docs/gpus/grid-drivers-table

I think I am missing something, but I'm not sure what. I have tried using the "virtual display" feature with and without, and when it is enabled and I view the screenshot, I just see a black screen with a blinking cursor, no matter what mutter package I have installed.

It could be a virtual hotplug might be needed, but I'm not sure how that can be achieved on Google Cloud, or how it would happen on the affected user's VMware Horizon on VMware ESXi environment.

I will ask the affected user for some more logs, so we can better see what is going on.

I built a test package based on mutter 3.36.9-0ubuntu0.20.04.1, and reverted the three commits introduced by LP #1905825, namely:

commit: 92834d8feceeac538299a47a8c742e155de4e6e8
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date: Mon, 21 Dec 2020 14:34:43 +0800
Subject: renderer/native: Refactor modeset boilerplate into new helpers
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/92834d8feceeac538299a47a8c742e155de4e6e8

commit: 097af7ddb381606da74c737859cc92fff72ed417
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date: Mon, 21 Dec 2020 14:59:32 +0800
Subject: monitor-manager-kms: Disable CRTCs if there is no monitor
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/097af7ddb381606da74c737859cc92fff72ed417

commit: 93f3ce3c305571bfc39f6d9e5d221e1b60a920a4 Mon Sep 17 00:00:00 2001
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date: Fri, 13 Nov 2020 14:19:26 +0800
Subject: monitor-manager-xrandr: Disable CRTCs if there is no monitor
Link: https://gitlab.gnome.org/GNOME/mutter/-/commit/93f3ce3c305571bfc39f6d9e5d221e1b60a920a4

The testpackage is available in [1]:

[1] https://launchpad.net/~mruffell/+archive/ubuntu/sf311791-test

I provided the testpackage to the affected user, and they installed it in a test VDI on their VMware Horizon environment, and wrote back that it works.

So, it seems to be the CRTc changes from bug 1905825.

The affected user's environment uses Nvidia GRID GPUs, passed into the VDI. They are using the Nvidia GRID 450.51.05 driver.

I have been trying to reproduce this for a few days now. Google Cloud has an option to pass a Nvidia P4 GPU into the instance, and turn on Nvidia GRID, so I have been using that platform.

[2] https://cloud.google.com/compute/docs/gpus/grid-drivers-table

It could be a virtual hotplug might be needed, but I'm not sure how that can be achieved on Google Cloud, or how it would happen on the affected user's VMware Horizon on VMware ESXi environment.

I will ask the affected user for some more logs, so we can better see what is going on.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-06-18:

Output of systemctl status and nvidia smi Edit (7.8 KiB, text/plain)

I spent some time attempting to reproduce on AWS today, using a g4dn.xlarge instance, which has a Nvidia Tesla T4 GPU, which supports GRID.

I installed ubuntu-desktop-minimal and rebooted, and gdm started fine with mutter 3.36.9-0ubuntu0.20.04.1. I confirmed this by looking at the instance screenshot.

I then downloaded and installed the Nvidia GRID 450.51.05 driver, and rebooted. The system came up, I checked lsmod, the nvidia kernel modules were loaded, and the instance screenshot shows gdm running. I then installed VMware Horizon Agent 7.13.0-17123958 and rebooted, and again, gdm started just fine.

Attached status of gdm3.service, nvidia-smi and instance screenshot.

I wonder if this is GPU specific? or hypervisor specific, since the affected user runs on VMware esxi. I will again ask for more information.

But for the moment, this seems very specific to the affected user's environment, and not a widespread regression.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-06-18:

screenshot of working gdm on AWS Edit (52.6 KiB, image/png)

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2021-06-18:

I wonder if the affected system uses `xrandr` on GDM start? The settings will be lost after a CTRC disable/enable cycle.

I had a discussion with maintainer here: https://gitlab.gnome.org/GNOME/mutter/-/issues/1619

Daniel van Vugt (vanvugt) on 2021-06-21

summary:

- gdm fails to start with latest mutter 3.36.9-0ubuntu0.20.04.1 in focal-
- updates
+ gdm fails to start in a VMware Horizon VDI environment with latest
+ mutter 3.36.9-0ubuntu0.20.04.1 in focal-updates

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-06-29: Re: gdm fails to start in a VMware Horizon VDI environment with latest mutter 3.36.9-0ubuntu0.20.04.1 in focal-updates

The affected user cannot reproduce the issue anymore. The new mutter packages install fine in their environment, and gdm starts every time. They have since rolled out the new mutter packages to their fleet without any issues.

I'm going to mark this bug as invalid, as we can't reproduce the issue anymore.

Maybe it was a temporary issue with restarting services? I'm not sure.

If the affected user ever experiences the issue again, I will re-open.

Changed in mutter (Ubuntu):
status:	New → Invalid
Changed in mutter (Ubuntu Focal):
importance:	High → Undecided
status:	In Progress → Invalid

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-07-01:

Okay, the affected user has now started experiencing the issue again, and was forced to roll mutter back on their fleet.

We managed to get some logs this time, and we have determined what is happening.

When the user upgrades the mutter packages, particularly mutter-common, the libglib2.0-0 hook is called post-install to re-compile the gsettings gschemas into the binary file /usr/share/glib-2.0/schemas/gschemas.compiled

Processing triggers for libglib2.0-0:amd64 (2.64.6-1~ubuntu20.04.3) ...

For some reason or another, this fails or errors out, leaving the system with no /usr/share/glib-2.0/schemas/gschemas.compiled file present.

If the VDI was running, and you attempt to start a program, like nautilus, it fails to open, and you see the following in syslog:

Jul 1 09:28:05 hostname kernel: [510232.497360] traps: nautilus[523090] trap int3 ip:7f9118995295 sp:7ffe78b4de90 error:0 in libglib-2.0.so.0.6400.6[7f9118959000+84000]
Jul 1 09:28:05 hostname nautilus[523090]: No GSettings schemas are installed on the system

If you then reboot, gdm and gnome-session both fail to start, and you see a blank screen with a blinking cursor.

If you ssh in and check the logs, it is the same issue:

Jul 1 09:29:06 hostname kernel: [ 13.311371] traps: gnome-session-b[2304] trap int3 ip:7febfac7c295 sp:7ffe75338c60 error:0 in libglib-2.0.so.0.6400.6[7febfac40000+84000]
Jul 1 09:29:06 hostname gnome-session[2304]: gnome-session-binary[2304]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
Jul 1 09:29:06 hostname gnome-session[2304]: aborting...
Jul 1 09:29:06 hostname gnome-session-binary[2304]: GLib-GIO-ERROR: No GSettings schemas are installed on the system#012aborting...
Jul 1 09:29:06 hostname gdm3: GdmDisplay: Session never registered, failing
Jul 1 09:29:06 hostname systemd[1]: session-c6.scope: Succeeded.
Jul 1 09:29:06 hostname gdm3: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors
Jul 1 09:29:06 hostname gdm3: Child process -2282 was already dead.

You can reproduce the problem pretty easily. Take a started Ubuntu 20.04 Desktop VM and run:

$ sudo rm /usr/share/glib-2.0/schemas/gschemas.compiled

Then try open gedit or nautiuls and see them fail. Then try reboot, and you will meet the black screen with blinking cursor.

I looked at all the changes in mutter 3.36.9-0ubuntu0.20.04.1 and there doesn't seem to be any related to gsettings.

Maybe it has something to do with the gsettings in the affected user's environment? I will try ask for a tarball.

But what we do know, if that when we upgrade mutter, the gschemas.compiled is removed and never replaced, or is corrupted.

Okay, the affected user has now started experiencing the issue again, and was forced to roll mutter back on their fleet.

We managed to get some logs this time, and we have determined what is happening.

Processing triggers for libglib2.0-0:amd64 (2.64.6-1~ubuntu20.04.3) ...

For some reason or another, this fails or errors out, leaving the system with no /usr/share/glib-2.0/schemas/gschemas.compiled file present.

If the VDI was running, and you attempt to start a program, like nautilus, it fails to open, and you see the following in syslog:

Jul  1 09:28:05 hostname kernel: [510232.497360] traps: nautilus[523090] trap int3 ip:7f9118995295 sp:7ffe78b4de90 error:0 in libglib-2.0.so.0.6400.6[7f9118959000+84000]
Jul  1 09:28:05 hostname nautilus[523090]: No GSettings schemas are installed on the system

If you then reboot, gdm and gnome-session both fail to start, and you see a blank screen with a blinking cursor.

If you ssh in and check the logs, it is the same issue:

Jul  1 09:29:06 hostname kernel: [   13.311371] traps: gnome-session-b[2304] trap int3 ip:7febfac7c295 sp:7ffe75338c60 error:0 in libglib-2.0.so.0.6400.6[7febfac40000+84000]
Jul  1 09:29:06 hostname gnome-session[2304]: gnome-session-binary[2304]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
Jul  1 09:29:06 hostname gnome-session[2304]: aborting...
Jul  1 09:29:06 hostname gnome-session-binary[2304]: GLib-GIO-ERROR: No GSettings schemas are installed on the system#012aborting...
Jul  1 09:29:06 hostname gdm3: GdmDisplay: Session never registered, failing
Jul  1 09:29:06 hostname systemd[1]: session-c6.scope: Succeeded.
Jul  1 09:29:06 hostname gdm3: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors
Jul  1 09:29:06 hostname gdm3: Child process -2282 was already dead.

You can reproduce the problem pretty easily. Take a started Ubuntu 20.04 Desktop VM and run:

$ sudo rm /usr/share/glib-2.0/schemas/gschemas.compiled

Then try open gedit or nautiuls and see them fail. Then try reboot, and you will meet the black screen with blinking cursor.

I looked at all the changes in mutter 3.36.9-0ubuntu0.20.04.1 and there doesn't seem to be any related to gsettings.

Maybe it has something to do with the gsettings in the affected user's environment? I will try ask for a tarball.

But what we do know, if that when we upgrade mutter, the gschemas.compiled is removed and never replaced, or is corrupted.

Changed in mutter (Ubuntu Focal):
importance:	Undecided → High
status:	Invalid → In Progress
Changed in mutter (Ubuntu):
status:	Invalid → New

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2021-07-01:

Are you sure that's the same bug as the original issue here? The original issue sounded plausibly related to the fix for bug 1905825 as you say.

The diff between:

ubuntu/3.36.7+git20201123-0.20.04.1
ubuntu/3.36.9-0ubuntu0.20.04.1

indeed shows no changes mentioning "schema" or "gsettings".

The diff between:

ubuntu/3.36.1-3ubuntu3
ubuntu/3.36.7+git20201123-0.20.04.1

does show some changes mentioning "schema" and "gsettings. So are you sure about the statement "the issue does not occur with 3.36.7+git20201123-0.20.04.1."?

It's curious other people are not reporting this problem so I wonder what is unique about the customer's machines. Do they have any PPAs installed?

I fear we might be onto a new separate issue now so reusing this bug might be confusing the situation.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-07-02:

Download full text (7.4 KiB)

Hi Daniel,

Yes, I am sure this is the same issue that they are experiencing there, and I now believe the issue lies in glib, and not mutter.

When we install mutter-common, it calls the libglib2.0-0 hook to recompile the gsettings schemas.

The customer provided me with a tarball of their /usr/share/glib-2.0/schemas directory, and I have spent the day looking at it.

I deleted all the schemas from a test 20.04 VM, and extracted the tarball of their schemas in place, and rebooted the VM.

From there, the same exact problems occurred. Each program could not load the compiled gschema file, and hit a breakpoint in the glib library.

Jul 2 13:41:04 ubuntu tracker-miner-f[1235]: No GSettings schemas are installed on the system
Jul 2 13:41:04 ubuntu tracker-extract[1234]: No GSettings schemas are installed on the system
Jul 2 13:41:04 ubuntu kernel: [ 13.280095] show_signal: 7 callbacks suppressed
Jul 2 13:41:04 ubuntu kernel: [ 13.280097] traps: tracker-miner-f[1235] trap int3 ip:7fb6202ac295 sp:7fff0d5c7cd0 error:0 in libglib-2.0.so.0.6400.6[7fb620270000+84000]
Jul 2 13:41:04 ubuntu kernel: [ 13.281163] traps: tracker-extract[1234] trap int3 ip:7f8718ac3295 sp:7ffe774d1c40 error:0 in libglib-2.0.so.0.6400.6[7f8718a87000+84000]

Jul 2 13:41:00 ubuntu gnome-session[1175]: gnome-session-binary[1175]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
Jul 2 13:41:00 ubuntu gnome-session[1175]: aborting...
Jul 2 13:41:00 ubuntu gnome-session-binary[1175]: GLib-GIO-ERROR: No GSettings schemas are installed on the system#012aborting...
Jul 2 13:41:00 ubuntu gdm3: GdmDisplay: Session never registered, failing
Jul 2 13:41:00 ubuntu gdm3: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors
Jul 2 13:41:00 ubuntu gdm3: Child process -1157 was already dead.

Now, looking closer, we see their gschema.compiled file exists. This means that we aren't dealing with a missing file and it not being re-created, but instead a corrupted gschema.compiled file.

I rebuilt the file with:

$ sudo glib-compile-schemas /usr/share/glib-2.0/schemas/

and rebooted, and the system came up normally. Very interesting.

From there, I rebuilt the file several times, each time checking the sha256 value. Each time it was exactly the same, so the compile process appears to be deterministic.

I then did a binary diff of the corrupted gschema.compiled file, and a freshly rebuilt one.

I found two bytes were different:

$ cmp -l ~/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 25
00003771 A4 65

$ xxd ~/schemas/gschemas.compiled > ~/corrupt.bin
$ xxd /usr/share/glib-2.0/schemas/gschemas.compiled > ~/working.bin
$ diff ~/corrupt.bin ~/working.bin
887,888c887,888
< 00003760: 0515 0000 ffff ffff 7837 0000 0000 e300 ........x7......
< 00003770: a455 0000 0000 0000 6f72 672e 676e 6f6d .U......org.gnom
---
> 00003760: 0515 0000 ffff ffff 7837 0000 0000 2500 ........x7....%.
> 00003770: 6555 0000 0000 0000 6f72 672e 676e 6f6d eU......org.gnom

I need to determine exactly how these two bytes ended up differen...

Hi Daniel,

Yes, I am sure this is the same issue that they are experiencing there, and I now believe the issue lies in glib, and not mutter.

When we install mutter-common, it calls the libglib2.0-0 hook to recompile the gsettings schemas.

The customer provided me with a tarball of their /usr/share/glib-2.0/schemas directory, and I have spent the day looking at it.

I deleted all the schemas from a test 20.04 VM, and extracted the tarball of their schemas in place, and rebooted the VM.

From there, the same exact problems occurred. Each program could not load the compiled gschema file, and hit a breakpoint in the glib library.

Jul  2 13:41:04 ubuntu tracker-miner-f[1235]: No GSettings schemas are installed on the system
Jul  2 13:41:04 ubuntu tracker-extract[1234]: No GSettings schemas are installed on the system
Jul  2 13:41:04 ubuntu kernel: [   13.280095] show_signal: 7 callbacks suppressed
Jul  2 13:41:04 ubuntu kernel: [   13.280097] traps: tracker-miner-f[1235] trap int3 ip:7fb6202ac295 sp:7fff0d5c7cd0 error:0 in libglib-2.0.so.0.6400.6[7fb620270000+84000]
Jul  2 13:41:04 ubuntu kernel: [   13.281163] traps: tracker-extract[1234] trap int3 ip:7f8718ac3295 sp:7ffe774d1c40 error:0 in libglib-2.0.so.0.6400.6[7f8718a87000+84000]

Jul  2 13:41:00 ubuntu gnome-session[1175]: gnome-session-binary[1175]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
Jul  2 13:41:00 ubuntu gnome-session[1175]: aborting...
Jul  2 13:41:00 ubuntu gnome-session-binary[1175]: GLib-GIO-ERROR: No GSettings schemas are installed on the system#012aborting...
Jul  2 13:41:00 ubuntu gdm3: GdmDisplay: Session never registered, failing
Jul  2 13:41:00 ubuntu gdm3: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors
Jul  2 13:41:00 ubuntu gdm3: Child process -1157 was already dead.

Now, looking closer, we see their gschema.compiled file exists. This means that we aren't dealing with a missing file and it not being re-created, but instead a corrupted gschema.compiled file.

I rebuilt the file with:

$ sudo glib-compile-schemas /usr/share/glib-2.0/schemas/

and rebooted, and the system came up normally. Very interesting.

From there, I rebuilt the file several times, each time checking the sha256 value. Each time it was exactly the same, so the compile process appears to be deterministic.

I then did a binary diff of the corrupted gschema.compiled file, and a freshly rebuilt one.

I found two bytes were different:

$ cmp -l ~/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 25
00003771 A4 65

$ xxd ~/schemas/gschemas.compiled > ~/corrupt.bin
$ xxd /usr/share/glib-2.0/schemas/gschemas.compiled > ~/working.bin
$ diff ~/corrupt.bin ~/working.bin 
887,888c887,888
< 00003760: 0515 0000 ffff ffff 7837 0000 0000 e300  ........x7......
< 00003770: a455 0000 0000 0000 6f72 672e 676e 6f6d  .U......org.gnom
---
> 00003760: 0515 0000 ffff ffff 7837 0000 0000 2500  ........x7....%.
> 00003770: 6555 0000 0000 0000 6f72 672e 676e 6f6d  eU......org.gnom

I need to determine exactly how these two bytes ended up different.

I think we are chasing two bugs here:

1) A bug which generates a corrupted gschema.compiled file.
2) A bug where we cannot parse a corrupted gschema.compiled file gracefully.

Since my VM was generating a lot of coredumps for each process, I took a look. I downloaded the debug symbols of glib2.0 for 20.04 and opened a crashdump in gdb.

(gdb) bt
#0  _g_log_abort (breakpoint=1) at ../../../glib/gmessages.c:554
#1  0x00007f635e381579 in g_logv (log_domain=0x7f635e6006ff "GLib-GIO", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7ffe83d1e730) at ../../../glib/gmessages.c:1373
#2  0x00007f635e381743 in g_log (log_domain=log_domain@entry=0x7f635e6006ff "GLib-GIO", log_level=log_level@entry=G_LOG_LEVEL_ERROR, 
    format=format@entry=0x7f635e6217b8 "No GSettings schemas are installed on the system") at ../../../glib/gmessages.c:1415
#3  0x00007f635e5ad1fa in g_settings_set_property (object=<optimized out>, prop_id=2, value=<optimized out>, pspec=<optimized out>) at ../../../gio/gsettings.c:591
#4  0x00007f635e46b681 in object_set_property (nqueue=0x55a285fd8e20, value=0x7ffe83d1e910, pspec=0x55a285fd4570, object=0x55a285fe3570) at ../../../gobject/gobject.c:1565
#5  g_object_new_internal (class=class@entry=0x55a285fee870, params=params@entry=0x7ffe83d1e9b0, n_params=n_params@entry=1) at ../../../gobject/gobject.c:1971
#6  0x00007f635e46d378 in g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=var_args@entry=0x7ffe83d1eb00) at ../../../gobject/gobject.c:2262
#7  0x00007f635e46d6cd in g_object_new (object_type=<optimized out>, first_property_name=<optimized out>) at ../../../gobject/gobject.c:1780
#8  0x000055a285196a5c in ?? ()
#9  0x000055a28517cfe6 in ?? ()
#10 0x00007f635e0180b3 in __libc_start_main (main=0x55a28517c8d0, argc=4, argv=0x7ffe83d1edc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe83d1edb8)
    at ../csu/libc-start.c:308
#11 0x000055a28517d21e in ?? ()

Okay, so gnome-session and gdm and nautilus and all the other programs crash for the exact same reason, and that is, glib2.0 tries to parse the binary gsettings.compiled file, fails for some reason, and returns NULL to its caller in g_settings_set_property():

544 static void
 545 g_settings_set_property (GObject      *object,
 546                          guint         prop_id,
 547                          const GValue *value,
 548                          GParamSpec   *pspec)
 549 {
...
 588             default_source = g_settings_schema_source_get_default ();
 589 
 590             if (default_source == NULL)
 591               g_error ("No GSettings schemas are installed on the system");
...

Now, this goes and logs the error to disk, and eventually hits a breakpoint in _g_log_abort(), called from g_logv(), the kernel finds that there is no debugger waiting for this breakpoint, and then collects a coredump, and terminates the process.

I followed the logic in g_settings_schema_source_get_default(). What it does is allocate a buffer for the binary file, read the file in, and then attempts to build a table by parsing the binary file. Interestingly, it explicitly marks the input as "trusted" and even has a comment to say that problems can occur if we parse a trusted binary file, that happens to be corrupted.

248 /**
 249  * g_settings_schema_source_new_from_directory:
...
 264  * If @trusted is %TRUE then `gschemas.compiled` is trusted not to be
 265  * corrupted. This assumption has a performance advantage, but can result
 266  * in crashes or inconsistent behaviour in the case of a corrupted file.
 267  * Generally, you should set @trusted to %TRUE for files installed by the
 268  * system and to %FALSE for files in the home directory.
 269  *
 270  * In either case, an empty file or some types of corruption in the file will
 271  * result in %G_FILE_ERROR_INVAL being returned.
...

I did some quick tests. If I changed each byte that was different individually, things worked without issue. So we need both of these byte changed to cause issues.

At the moment, I am reading up about the compiled gschema binary format, and how the glib library parses the binary file, and why we error out on corruption.

I tried the same corrupted gschema.compiled file on a fresh Impish install, and the latest glib version there crashes as well.

Daniel van Vugt (vanvugt) on 2021-07-02

Changed in glib2.0 (Ubuntu):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in mutter (Ubuntu):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in glib2.0 (Ubuntu Focal):
assignee:	nobody → Matthew Ruffell (mruffell)

Matthew Ruffell (mruffell) on 2021-07-12

no longer affects:	mutter (Ubuntu)
no longer affects:	mutter (Ubuntu Focal)
Changed in glib2.0 (Ubuntu):
status:	New → Fix Released
Changed in glib2.0 (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → High
summary:	- gdm fails to start in a VMware Horizon VDI environment with latest - mutter 3.36.9-0ubuntu0.20.04.1 in focal-updates + glib2.0: Uninitialised memory is written to gschema.compiled, failure to + parse this file leads to gdm, gnome-shell failing to start
description:	updated

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-07-12:

Debdiff for glib2.0 for Focal Edit (3.1 KiB, text/plain)

Attached is a debdiff for glib2.0 on Focal which fixes this problem.

tags:

added: sts-sponsor
removed: regression-update

Daniel van Vugt (vanvugt) on 2021-07-12

tags:

added: fixed-in-2.65.0 fixed-upstream

Revision history for this message

Iain Lane (laney) wrote on 2021-07-12:

#10

Thanks, sponsored to the queue

Revision history for this message

Dariusz Gadomski (dgadomski) wrote on 2021-07-12:

#11

Thanks Iain. Looks like both of us sponsored it for the queue. I'd appreciate rejecting either one of them.

Thanks!

Revision history for this message

Iain Lane (laney) wrote on 2021-07-12:

#12

> Looks like both of us sponsored it for the queue. I'd appreciate rejecting either one of them.

I pushed to the VCS[0] at the same time as sponsoring, so I'll reject the other one which doesn't quite match up with it.

[0] https://salsa.debian.org/gnome-team/glib/-/commits/ubuntu/2.64.6-1_ubuntu20.04.4/

Revision history for this message

Brian Murray (brian-murray) wrote on 2021-07-13: Please test proposed package

#13

Hello Matthew, or anyone else affected,

Accepted glib2.0 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.64.6-1~ubuntu20.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Focal):
status:	In Progress → Fix Committed
tags:	added: verification-needed verification-needed-focal

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-07-14:

#14

Download full text (4.8 KiB)

Performing verification for Focal.

I will first reproduce the problem with glib2.0 2.64.6-1~ubuntu20.04.3 from -security with the libglib2.0-0 libglib2.0-bin libglib2.0-data packages.

I deleted all existing schemas from /usr/share/glib-2.0/schemas and replaced them with a set of schemas which reproduce the problem easily from my customer.

$ cd /usr/share/glib-2.0/schemas/
$ sudo rm *
$ sudo cp ~/schemas/* .

The gsettings.compiled from the customer has been corrupted, and when I reboot, gdm fails to start and I get a blank screen with a blinking insertion pointer.

The sha256 of the customers corrupted gsettings.compiled is:

$ sudo openssl sha256 /usr/share/glib-2.0/schemas/gschemas.compiled
SHA256(/usr/share/glib-2.0/schemas/gschemas.compiled)= 2c98dc9a7fdbac858a8d5ca7e4dd813f16058a46dba2c54b5239cd8cdba5bb3e

When I ssh back in, and recompile the file:

$ sudo glib-compile-schemas /usr/share/glib-2.0/schemas
Error parsing key “logout” in schema “org.gnome.settings-daemon.plugins.media-keys” as specified in override file “/usr/share/glib-2.0/schemas/50_vmware_viewagent.gschema.override”: 0-22:can not parse as value of type 'as'. Ignoring override for this key.
$ sudo openssl sha256 /usr/share/glib-2.0/schemas/gschemas.compiled
SHA256(/usr/share/glib-2.0/schemas/gschemas.compiled)= 78163b5f0000efbd6320ce0d355c9531bf657a4f4dc15f057d95ef144323cd56

The sha256 has changed. Doing a bindiff, I see:

$ sudo cmp -l /home/ubuntu/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 4F
00003771 A4 C2

We see two bytes different. These bytes are the uninitialised memory this bug is about. When I reboot, gdm starts fine, but that is because this time I got lucky and the parser for the gschema.compiled file thinks 4F and C2 are okay. But there are combinations which aren't okay, and will end up with a corrupted gschema.compiled file.

Re-compiling the file again:

$ sudo glib-compile-schemas /usr/share/glib-2.0/schemas
Error parsing key “logout” in schema “org.gnome.settings-daemon.plugins.media-keys” as specified in override file “/usr/share/glib-2.0/schemas/50_vmware_viewagent.gschema.override”: 0-22:can not parse as value of type 'as'. Ignoring override for this key.
$ sudo openssl sha256 /usr/share/glib-2.0/schemas/gschemas.compiled
SHA256(/usr/share/glib-2.0/schemas/gschemas.compiled)= 460c70faca7afc26fa88a0e5918d312478e15f20ad84f4afaa5d17627a823e01

The sha256 changed, and if we bindiff, the bytes have changed:

$ sudo cmp -l /home/ubuntu/schemas/gschemas.compiled /usr/share/glib-2.0/schemas/gschemas.compiled | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
0000376F E3 A6
00003771 A4 A1

If we run glib-compile-schemas through valgrind, it reports that we are writing to uninitialised memory:

https://paste.ubuntu.com/p/sxrQtbswpw/

I then enabled -proposed and installed libglib2.0-0 libglib2.0-bin libglib2.0-data version 2.64.6-1~ubuntu20.04.4.

Now, when I re-compile the gschemas.compiled file, the sha256 matches every time, meaning no more non-deterministic behaviour caused by writing unitialised memory to disk:

$ sudo gli...

Other bug subscribers

Patches

Debdiff for glib2.0 for Focal Edit

Add patch

Bug attachments

Add attachment

Remote bug watches

auto-gitlab.gnome.org-gnome-mutter-- #1619
[closed 5. Backend: X11 5. Monitor configuration] Edit
auto-gitlab.gnome.org-gnome-gvdb-- #2
[closed] Edit

Bug watches keep track of this bug in other bug trackers.

Changed in glib2.0 (Ubuntu Focal):
status:	Fix Committed → Fix Released

Ubuntuglib2.0 package

glib2.0: Uninitialised memory is written to gschema.compiled, failure to parse this file leads to gdm, gnome-shell failing to start

Bug Description

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
glib2.0 package