Ubuntu
lightdm package

(over)filling password field makes logon difficult

Bug #969023 reported by Alan Pope 🍺🐧🐱 🦄
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Light Display Manager
Fix Released
Undecided
Unassigned
lightdm (Ubuntu)
Fix Released
Undecided
Michael Terry

Bug Description

Get to the lightdm logon screen
Choose a user that requires a password.
Press and hold a key in the password field for some time

At this point pressing Enter doesn't do anything, the user can't continue to remove the password, can't double click the password field to highlight (and remove) text. So it seems the only way out is to reboot or switch to a tty and restart lightdm.

http://www.youtube.com/watch?v=gWMrAaxz-Rg

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: lightdm 1.1.9-0ubuntu1
Uname: Linux 3.3.0-030300rc5-generic x86_64
ApportVersion: 1.95-0ubuntu1
Architecture: amd64
Date: Fri Mar 30 10:38:17 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120203)
ProcEnviron:
 LANGUAGE=en_GB:en
 TERM=linux
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Related branches

lp:~mterry/lightdm/malformed
Ken VanDine (community): Approve
Diff: 62 lines (+29/-16)
1 file modified
liblightdm-gobject/greeter.c (+29/-16)
lp:ubuntu/precise/lightdm
Revision history for this message
Alan Pope 🍺🐧🐱 🦄 (popey) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Revision history for this message
Alan Pope 🍺🐧🐱 🦄 (popey) wrote :
Download full text (8.7 KiB)

I get a load of this in my /var/log/lightdm/x-0-greeter.log

** (python:2216): WARNING **: (../../atk-adaptor/bridge.c:793):adaptor_init: runtime check failed: (root)
[+153.88s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+153.88s] DEBUG: Starting authentication for user checkbox...
[+153.88s] DEBUG: Wrote 24 bytes to daemon
[+153.89s] DEBUG: Read 8 bytes from daemon
[+153.89s] DEBUG: Read 38 bytes from daemon
[+153.89s] DEBUG: Prompt user with 1 message(s)
[+154.25s] DEBUG: Setting keyboard layout to 'gb'
[+155.36s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+155.36s] DEBUG: Starting authentication for user alan...
[+155.36s] DEBUG: Wrote 20 bytes to daemon
[+155.37s] DEBUG: Read 8 bytes from daemon
[+155.37s] DEBUG: Read 34 bytes from daemon
[+155.37s] DEBUG: Prompt user with 1 message(s)
[+155.73s] DEBUG: Setting keyboard layout to 'gb'
[+248.67s] DEBUG: Providing response to display manager
[+248.67s] DEBUG: Wrote 16 bytes to daemon
[+301.85s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+301.85s] DEBUG: Starting authentication for user checkbox...
[+301.85s] DEBUG: Wrote 24 bytes to daemon
[+302.20s] DEBUG: Setting keyboard layout to 'gb'
[+304.32s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+304.32s] DEBUG: Starting authentication for guest account...
[+304.32s] DEBUG: Wrote 12 bytes to daemon
[+304.68s] DEBUG: Setting keyboard layout to 'gb'
[+307.69s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+307.69s] DEBUG: Starting authentication for user alan...
[+307.69s] DEBUG: Wrote 20 bytes to daemon
[+308.15s] DEBUG: Setting keyboard layout to 'gb'
[+308.98s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+308.98s] DEBUG: Starting authentication for user checkbox...
[+308.98s] DEBUG: Wrote 24 bytes to daemon
[+309.34s] DEBUG: Setting keyboard layout to 'gb'
[+309.59s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+309.59s] DEBUG: Starting authentication for guest account...
[+309.59s] DEBUG: Wrote 12 bytes to daemon
[+309.96s] DEBUG: Setting keyboard layout to 'gb'
[+312.79s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+312.79s] DEBUG: Starting authentication for user alan...
[+312.79s] DEBUG: Wrote 20 bytes to daemon
[+313.25s] DEBUG: Setting keyboard layout to 'gb'
[+318.37s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+318.37s] DEBUG: Starting authentication for user alan...
[+318.37s] DEBUG: Wrote 20 bytes to daemon
[+318.89s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+318.89s] DEBUG: Starting authentication for user alan...
[+318.89s] DEBUG: Wrote 20 bytes to daemon
[+319.12s] DEBUG: unity-greeter.vala:494: Failed to write state: Error writing to file: Bad address
[+319.12s] DEBUG: Starting authentication for user alan...
[+319.12s] DEBUG: Wrote 20 bytes to daemon
[+319.28s] DEBUG: unit...

Read more...

Sebastien Bacher (seb128)
affects: lightdm (Ubuntu) → unity-greeter (Ubuntu)
Changed in unity-greeter (Ubuntu):
assignee: nobody → Michael Terry (mterry)
Revision history for this message
Michael Terry (mterry) wrote :

Switching to lightdm. It doesn't handle too-long response strings well. In lightdm_greeter_respond() and other similar functions, liblightdm-gobject silently fails to write the string when talking to the lightdm daemon, but sends the message headers to the daemon anyway.

This seems to confuse lightdm and we block on a reply.

affects: unity-greeter (Ubuntu) → lightdm (Ubuntu)
Revision history for this message
Michael Terry (mterry) wrote :

FYI, it takes a little over a 1000 characters to cause the problem.

Revision history for this message
Michael Terry (mterry) wrote :

So I have a patch that prevents the greeter from sending such bad packets to the daemon.

With this patch, the behavior looks similar, but is recoverable. Pressing Enter will still grey out the prompt box, but pressing up or down to move to a new entry will clear the prompt and still allow logging in. Also, pressing Escape will reset the prompt. So we prevent the DOS attack.

To properly fix this (i.e. to present the user with a warning), liblightdm-gobject would need quite a few changes to be able to bubble such errors up (perhaps including API changes, as lightdm_greeter_respond does not seem to allow for errors).

So I think this patch is all we likely want to do for 12.04.

Michael Terry (mterry)
Changed in lightdm:
status: New → Fix Committed
Changed in lightdm (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Fixed in 1.2.0

Changed in lightdm:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.2.0-0ubuntu1

---------------
lightdm (1.2.0-0ubuntu1) precise; urgency=low

  * New upstream release.
    - Backup .xsession-errors on login (LP: #951597)
    - Handle failures in pam_setcred
    - Open log files in append mode (LP: #951597)
    - Add extra checks in liblightdm so that it doesn't send invalid messages
      to the daemon (LP: #969023)
    - Fix gdmflexiserver not being added to the path (broken since 1.1.4)
      (LP: #953554)
    - Fix PAM conversations after authentication from locking up sessions
      (LP: #956848)
    - Fix PAM informational messages locking up autologin
    - Change XDMCP manage timeout from 10ms to 126s (maximum specified in the
      XDMCP specification)
    - Fix greeter-show-guest example (LP: #972711)
 -- Robert Ancell <email address hidden> Thu, 05 Apr 2012 17:26:50 +1000

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.