merge / xf86-input-tslib

X.org tslib input driver
MIT License

absbit does not recognize ABS_X, ABS_Y. #10

Closed KwonTae-young closed 6 years ago

KwonTae-young commented 6 years ago

Hello.

I have recently seen strange cases. I am using tsc2007. Below is the version I am using.

tslib: 1.17
xf86-input-tslib: 1.1.1

Segmentation fault occurred when executing xf86-input-tslib. The related logs are shown below.

[   150.382] (==) RandR enabled
[   150.542] (II) config/udev: Adding input device TSC2007 Touchscreen (/dev/input/event0)
[   150.543] (**) TSC2007 Touchscreen: Applying InputClass "libinput touchscreen catchall"
[   150.543] (**) TSC2007 Touchscreen: Applying InputClass "tslib touchscreen catchall"
[   150.543] (II) LoadModule: "tslib"
[   150.543] (II) Loading /usr/lib/xorg/modules/input/tslib_drv.so
[   150.549] (II) Module tslib: vendor="X.Org Foundation"
[   150.549]    compiled for 1.19.3, module version = 1.1.1
[   150.549]    Module class: X.Org XInput Driver
[   150.549]    ABI class: X.Org XInput driver, version 24.1
[   150.549] (II) Using input driver 'tslib' for 'TSC2007 Touchscreen'
[   150.549] (**) TSC2007 Touchscreen: always reports core events
[   150.549] (**) Option "path" "/dev/input/event0"
[   150.564] (II) tslib: TSC2007 Touchscreen: using libts version 901
[   150.564] (**) TSC2007 Touchscreen: always reports core events
[   150.564] (EE) tslib: TSC2007 Touchscreen: no touchscreen device(EE) PreInit returned 2 for "TSC2007 Touchscreen"
[   150.564] (EE)
[   150.564] (EE) Backtrace:
[   150.564] (EE)
[   150.564] (EE) Segmentation fault at address 0x0
[   150.564] (EE)
Fatal server error:
[   150.564] (EE) Caught signal 11 (Segmentation fault). Server aborting
[   150.565] (EE)
[   150.565] (EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
[   150.565] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[   150.565] (EE)
[   150.565] (EE) Server terminated with error (1). Closing log file.

I checked the relevant parts and confirmed the problem in the following section:

https://github.com/merge/xf86-input-tslib/blob/master/src/tslib.c#L544-L555

tsc2007 is not multi-touch, so it should set priv->abs_x_only = 1; but it returns BadValue.

So I checked the related values as follows.

#endif /* TSLIB_VERSION_MT */

    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine ABS_MT_POSITION_X=0x%x ABS_MT_POSITION_Y=0x%x\n", __func__, __LINE__, ABS_MT_POSITION_X, ABS_MT_POSITION_Y);
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine ABS_X=0x%x ABS_Y=0x%x\n", __func__, __LINE__, ABS_X, ABS_Y);
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine BIT_WORD(ABS_MT_POSITION_X)=0x%x BIT_WORD(ABS_MT_POSITION_Y)=0x%x\n", __func__, __LINE__, BIT_WORD(ABS_MT_POSITION_X), BIT_WORD(ABS_MT_POSITION_Y));
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine BIT_WORD(ABS_X)=0x%x BIT_WORD(ABS_Y)=0x%x\n", __func__, __LINE__, BIT_WORD(ABS_X), BIT_WORD(ABS_Y));
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine absbit[BIT_WORD(ABS_MT_POSITION_X)]=0x%x absbit[BIT_WORD(ABS_MT_POSITION_Y)]=0x%x\n", __func__, __LINE__, absbit[BIT_WORD(ABS_MT_POSITION_X)], absbit[BIT_WORD(ABS_MT_POSITION_Y)]);
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine BIT_MASK(ABS_MT_POSITION_X)=0x%x BIT_MASK(ABS_MT_POSITION_Y)=0x%x\n", __func__, __LINE__, BIT_MASK(ABS_MT_POSITION_X), BIT_MASK(ABS_MT_POSITION_Y));
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine absbit[BIT_WORD(ABS_X)]=0x%x absbit[BIT_WORD(ABS_Y)]=0x%x\n", __func__, __LINE__, absbit[BIT_WORD(ABS_X)], absbit[BIT_WORD(ABS_Y)]);
    xf86IDrvMsg(pInfo, X_INFO, "%s() %dLine BIT_MASK(ABS_X)=0x%x BIT_MASK(ABS_Y)=0x%x\n", __func__, __LINE__, BIT_MASK(ABS_X), BIT_MASK(ABS_Y));

    if (!(absbit[BIT_WORD(ABS_MT_POSITION_X)] & BIT_MASK(ABS_MT_POSITION_X)) ||
        !(absbit[BIT_WORD(ABS_MT_POSITION_Y)] & BIT_MASK(ABS_MT_POSITION_Y))) {
        if (!(absbit[BIT_WORD(ABS_X)] & BIT_MASK(ABS_X)) ||
            !(absbit[BIT_WORD(ABS_Y)] & BIT_MASK(ABS_Y))) {
            xf86IDrvMsg(pInfo, X_ERROR, "no touchscreen device");
            return BadValue;
        } else {
            priv->abs_x_only = 1;
        }
    } else {
        priv->abs_x_only = 0;
    }

Below is the log.

[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 623Line ABS_MT_POSITION_X=0x35 ABS_MT_POSITION_Y=0x36
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 624Line ABS_X=0x0 ABS_Y=0x1
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 625Line BIT_WORD(ABS_MT_POSITION_X)=0x1 BIT_WORD(ABS_MT_POSITION_Y)=0x1
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 626Line BIT_WORD(ABS_X)=0x0 BIT_WORD(ABS_Y)=0x0
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 628Line absbit[BIT_WORD(ABS_MT_POSITION_X)]=0x0 absbit[BIT_WORD(ABS_MT_POSITION_Y)]=0x0
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 629Line BIT_MASK(ABS_MT_POSITION_X)=0x200000 BIT_MASK(ABS_MT_POSITION_Y)=0x400000
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 630Line absbit[BIT_WORD(ABS_X)]=0x1000000 absbit[BIT_WORD(ABS_Y)]=0x1000000
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 631Line BIT_MASK(ABS_X)=0x1 BIT_MASK(ABS_Y)=0x2
[   107.986] (II) tslib: TSC2007 Touchscreen: xf86TslibInit() 635Line

When checking, the absbit[BIT_WORD(ABS_X)] and absbit[BIT_WORD(ABS_Y)] values are the same, and the values are different from BIT_MASK(ABS_X) and BIT_MASK(ABS_Y). So now it returns BadValue.

The log below is the information of my tsc2007 which I confirmed with evtest.

root@test:~# evtest
No device specified, trying to scan all of /dev/input/event*
Available devices:
/dev/input/event0:      TSC2007 Touchscreen
Select the device event number [0-0]: 0
Input driver version is 1.0.1
Input device ID: bus 0x18 vendor 0x0 product 0x0 version 0x0
Input device name: "TSC2007 Touchscreen"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 330 (BTN_TOUCH)
  Event type 3 (EV_ABS)
    Event code 0 (ABS_X)
      Value   2114
      Min        0
      Max     4095
    Event code 1 (ABS_Y)
      Value   2264
      Min        0
      Max     4095
    Event code 24 (ABS_PRESSURE)
      Value      0
      Min        0
      Max     4095
Properties:
Testing ... (interrupt to exit)
Event: time 1532238399.675718, type 1 (EV_KEY), code 330 (BTN_TOUCH), value 1
Event: time 1532238399.675718, type 3 (EV_ABS), code 0 (ABS_X), value 1611
Event: time 1532238399.675718, type 3 (EV_ABS), code 1 (ABS_Y), value 2138
Event: time 1532238399.675718, type 3 (EV_ABS), code 24 (ABS_PRESSURE), value 1091
Event: time 1532238399.675718, -------------- SYN_REPORT ------------
Event: time 1532238399.695299, type 1 (EV_KEY), code 330 (BTN_TOUCH), value 0
Event: time 1532238399.695299, type 3 (EV_ABS), code 24 (ABS_PRESSURE), value 0
Event: time 1532238399.695299, -------------- SYN_REPORT ------------

The values of absbit[BIT_WORD(ABS_X)] and absbit[BIT_WORD(ABS_Y)] seem to be strange.

I'm sorry I do not have enough English.

merge commented 6 years ago

Thanks for the feedback. If you have time, look at xf86-input-evdev and see how they check for the ABS_X/Y codes. They use libevdev, and I guess we should do so too.

You could also look at how evtest does it...

KwonTae-young commented 6 years ago

I cannot look at it right now because of other things. But I will make time soon and compare it with evdev.

KwonTae-young commented 6 years ago

This was a bug I made.

I edited the string using strcpy() in xf86-input-tslib (to read the x, y values, #7). It seems that absbit is broken because of a buffer overflow at this stage.

Sorry. This was my bug. :(
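
The diagnosis reached in this thread, replayed as an added example (not code from xf86-input-tslib or from either commenter): it rebuilds the capability word implied by evtest's axis list, runs the quoted driver check on that word and on the logged absbit values, and reports which bytes differ. It assumes 32-bit words, as the logged BIT_WORD(ABS_MT_POSITION_X)=0x1 implies; the names ABS_X_ etc., has(), classify(), expected_bits() and changed_bytes() are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Event codes as printed in the issue's log and evtest output (local names). */
enum { ABS_X_ = 0x00, ABS_Y_ = 0x01, ABS_PRESSURE_ = 0x18,
       ABS_MT_X_ = 0x35, ABS_MT_Y_ = 0x36 };

#define WORD_BITS 32u /* assumption: 32-bit long on the reporter's board */
#define WORD(nr)  ((nr) / WORD_BITS)
#define MASK(nr)  (UINT32_C(1) << ((nr) % WORD_BITS))
#define NWORDS    2

static int has(const uint32_t *bits, unsigned nr) {
    return (bits[WORD(nr)] & MASK(nr)) != 0;
}

/* Same decision as the quoted driver check:
 * 0 = multitouch, 1 = abs_x_only, -1 = "no touchscreen device" (BadValue). */
static int classify(const uint32_t *bits) {
    if (has(bits, ABS_MT_X_) && has(bits, ABS_MT_Y_)) return 0;
    if (has(bits, ABS_X_) && has(bits, ABS_Y_)) return 1;
    return -1;
}

/* Bitmap implied by the three EV_ABS axes evtest lists for the TSC2007. */
static void expected_bits(uint32_t *bits) {
    const unsigned codes[] = { ABS_X_, ABS_Y_, ABS_PRESSURE_ };
    memset(bits, 0, NWORDS * sizeof bits[0]);
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        bits[WORD(codes[i])] |= MASK(codes[i]);
}

/* Which bytes of a word differ (bit i set = byte i differs, LSB first). */
static unsigned changed_bytes(uint32_t a, uint32_t b) {
    unsigned m = 0;
    for (unsigned i = 0; i < 4; i++)
        if (((a ^ b) >> (8 * i)) & 0xffu) m |= 1u << i;
    return m;
}

int main(void) {
    uint32_t want[NWORDS], seen[NWORDS] = { 0x1000000u, 0x0u }; /* from the log */
    expected_bits(want);
    printf("expected absbit[0]=0x%x -> %d\n", (unsigned)want[0], classify(want));
    printf("logged   absbit[0]=0x%x -> %d\n", (unsigned)seen[0], classify(seen));
    printf("differing bytes mask: 0x%x\n", changed_bytes(want[0], seen[0]));
    return 0;
}
```

Only the low byte differs (0x03 became 0x00) while the ABS_PRESSURE bit survives, which is the localized damage an out-of-bounds write into adjacent memory leaves and is in line with the strcpy() overflow reported in the last comment.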