Bug 803762 - Invalid write in MakeBigReq memmove XRenderCompositeTrapezoids
Status: RESOLVED WORKSFORME (Closed)
Opened 12 years ago, closed 12 years ago
Categories: Core :: Graphics, defect
People: Reporter: inferno, Assigned: karlt
Keywords: crash, sec-vector, testcase; Whiteboard: [asan][valgrind]
Attachments (2 files, 1 obsolete file)
1.25 KB, text/html (Details)
2.75 KB, patch (Details | Diff | Splinter Review)
Reproduces on trunk on my Ubuntu 12 machine. ASAN is not able to unwind the stack properly, so including the valgrind stack.
==31181== Invalid write of size 2
==31181== at 0x4C2CECE: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31181== by 0xBE70E14: XRenderCompositeTrapezoids (string3.h:58)
==31181== by 0x9B8ECC9: _cairo_xlib_surface_composite_trapezoids (cairo-xlib-surface.c:2983)
==31181== by 0x9B55DFD: _cairo_surface_composite_trapezoids (cairo-surface.c:2396)
==31181== by 0x9B580DA: _composite_traps_draw_func (cairo-surface-fallback.c:561)
==31181== by 0x9B57DBC: _clip_and_composite (cairo-surface-fallback.c:472)
==31181== by 0x9B58B34: _clip_and_composite_trapezoids (cairo-surface-fallback.c:875)
==31181== by 0x9B5931E: _cairo_surface_fallback_stroke (cairo-surface-fallback.c:1111)
==31181== by 0x9B55BD1: _cairo_surface_stroke (cairo-surface.c:2302)
==31181== by 0x9B2193D: _cairo_gstate_stroke (cairo-gstate.c:1166)
==31181== by 0x9B0DFF8: _moz_cairo_stroke_preserve (cairo.c:2416)
==31181== by 0xA03E5E9: mozilla::gfx::DrawTargetCairo::DrawPattern(mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::DrawTargetCairo::DrawPatternType) (DrawTargetCairo.cpp:512)
==31181== Address 0x5eee092 is 2 bytes after a block of size 16,384 alloc'd
==31181== at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31181== by 0xCF46E2D: XOpenDisplay (OpenDis.c:256)
==31181== by 0xEE67937: gdk_display_open (gdkdisplay-x11.c:166)
==31181== by 0x818FFDB: XREMain::XRE_mainStartup(bool*) (nsAppRunner.cpp:3329)
==31181== by 0x8191B14: XREMain::XRE_main(int, char**, nsXREAppData const*) (nsAppRunner.cpp:3843)
==31181== by 0x8191DCC: XRE_main (nsAppRunner.cpp:3933)
==31181== by 0x401EF8: do_main(int, char**) (nsBrowserApp.cpp:174)
==31181== by 0x4021AE: main (nsBrowserApp.cpp:279)
==31181==
Comment 1•12 years ago
I'm not clear on whether we can do anything about this. It looks like a bug directly inside X.
Comment 2•Reporter•12 years ago
Feel free to close it then. I didn't know whether it was a Firefox or X bug, so I filed just in case.
Comment 3•Assignee•12 years ago
It looks like libX11 is overflowing its output buffer. That would be a serious bug that we should report, but I can't see from the code how that would happen. This is the code in Xlibint.h designed to protect against that:
#define Data(dpy, data, len) {\
    if (dpy->bufptr + (len) <= dpy->bufmax) {\
        memcpy(dpy->bufptr, data, (int)len);\
        dpy->bufptr += ((len) + 3) & ~3;\
    } else\
        _XSend(dpy, data, len);\
}
I'm not reproducing with libX11 1.5.0 and libXrender 0.9.7, where the code looks unchanged from precise's 1.4.99.1 and 0.9.6.
Are you able to get local variables in the XRenderCompositeTrapezoids frame from gdb "bt 3 full" or similar?
Comment 4•Reporter•12 years ago
(gdb) bt 3 full
#0 0x0000000004c2cece in _vgr20181ZZ_libcZdsoZa_memcpyZAGLIBCZu2Zd2Zd5 ()
from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
No symbol table info available.
#1 0x000000000be8ee15 in XRenderCompositeTrapezoids (dpy=0x5ebe080,
op=<optimized out>, src=<optimized out>, dst=67109384,
maskFormat=0x6046ee0, xSrc=<optimized out>, ySrc=2, traps=0x292e0080,
ntrap=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:58
_BRdat = 131735
_BRlen = <optimized out>
info = 0x6045ec0
req = 0x5eef518
n = <optimized out>
len = 113790
max_req = 4194303
#2 0x0000000009bac326 in _cairo_xlib_surface_composite_trapezoids (
op=CAIRO_OPERATOR_OVER, pattern=0x7feff6a00, abstract_dst=0x21033b20,
antialias=CAIRO_ANTIALIAS_DEFAULT, src_x=171, src_y=2, dst_x=171, dst_y=2,
width=1427, height=14, traps=0x2a145f80, num_traps=11379, clip_region=0x0)
at /usr/local/google/home/aarya/firefox/src/gfx/cairo/cairo/src/cairo-xlib-surface.c:2983
attributes = {matrix = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0,
y0 = 0}, extend = CAIRO_EXTEND_REPEAT,
filter = CAIRO_FILTER_NEAREST, has_component_alpha = 0,
x_offset = 0, y_offset = 0, extra = 0x4025ae0000000000}
dst = 0x21033b20
src = 0x2442ecc0
display = 0x20fb78c0
status = 0
operation = DO_RENDER
render_reference_x = 663
render_reference_y = 2
render_src_x = 663
render_src_y = 2
pict_format = 0x6046ee0
xtraps = 0x292e0080
i = 11379
Comment 5•Assignee•12 years ago
Thanks. The only bad code I've found is the __clang_analyzer__ block at http://cgit.freedesktop.org/xorg/lib/libX11/tree/include/X11/Xlibint.h?id=ae39d82b01359b07dd1fe092d867f79ea95a5438#n575
Is this the regular Precise libX11 or has libX11 been compiled specially for ASAN in a way that might cause __clang_analyzer__ to be defined?
Comment 6•Assignee•12 years ago
I guess it is libXrender that is more relevant but perhaps any object using SetReqLen compiled with __clang_analyzer__ could cause problems.
Could cairo-xlib-surface in Firefox have been compiled with DEBUG and __clang_analyzer__ defined?
http://hg.mozilla.org/mozilla-central/annotate/1c3e4cb1f754/gfx/cairo/cairo/src/cairo-xlib-surface.c#l75
Comment 7•Reporter•12 years ago
(In reply to Karl Tomlinson (:karlt) from comment #5)
> Thanks. The only bad code I've found is the __clang_analyzer__ block at
> http://cgit.freedesktop.org/xorg/lib/libX11/tree/include/X11/Xlibint.h?id=ae39d82b01359b07dd1fe092d867f79ea95a5438#n575
>
> Is this the regular Precise libX11 or has libX11 been compiled specially for
> ASAN in a way that might cause __clang_analyzer__ to be defined?
I don't think ASAN defines clang analyzer. Also, this bug reproduces with a regular build under valgrind.
Comment 8•Assignee•12 years ago
OK, yes, that should rule out involvement of that code.
In gdb, "frame 1" "print *dpy" may provide some clues.
Comment 9•Reporter•12 years ago
$1 = {ext_data = 0x0, free_funcs = 0x5eef570, fd = 6, conn_checker = 0,
proto_major_version = 11, proto_minor_version = 0,
vendor = 0x5eef600 "The X.Org Foundation", resource_base = 67108864,
resource_mask = 2097151, resource_id = 0, resource_shift = 0,
resource_alloc = 0xcf6fe70 <_XAllocID>, byte_order = 0, bitmap_unit = 32,
bitmap_pad = 32, bitmap_bit_order = 0, nformats = 7,
pixmap_format = 0x5eef660, vnumber = 11, release = 11103000, head = 0x0,
tail = 0x0, qlen = 0, last_request_read = 1703, request = 1729,
last_req = 0x5eef518 "\230\n", buffer = 0x5eeb530 "\230\n\302\002\003\001",
bufptr = 0x5eef530 "", bufmax = 0x5eef530 "", max_request_size = 65535,
db = 0x6047ee0, synchandler = 0x0, display_name = 0x5ebf310 ":0",
default_screen = 0, nscreens = 1, screens = 0x5eef750, motion_buffer = 256,
flags = 128, min_keycode = 8, max_keycode = 255, keysyms = 0x0,
modifiermap = 0x0, keysyms_per_keycode = 0,
xdefaults = 0x5ef9e20 "*customization:\t-color\nXft.dpi:\t96\nXft.antialias:\t1\nXft.hinting:\t1\nXft.hintstyle:\thintslight\nXft.rgba:\trgb\nXft.lcdfilter:\tlcddefault\n", scratch_buffer = 0x0, scratch_length = 0, ext_number = 15,
ext_procs = 0x213fbac0, event_vec = {0xcf71990 <_XUnknownWireEvent>,
0xcf71990 <_XUnknownWireEvent>,
0xcf719d0 <_XWireToEvent> <repeats 33 times>, 0xd272b80 <_xgeWireToEvent>,
0xcf71990 <_XUnknownWireEvent> <repeats 62 times>,
0xd26d290 <wire_to_event>, 0xd26e450 <wire_to_event>,
0x1151a290 <XInputWireToEvent> <repeats 17 times>,
0xd26fcb0 <wire_to_event>, 0xd26fcb0 <wire_to_event>,
0xcfc57e0 <wire_to_event>, 0xcf71990 <_XUnknownWireEvent>,
0x10cd2e80 <XFixesWireToEvent>, 0x10cd2e80 <XFixesWireToEvent>,
0x10cd2e80 <XFixesWireToEvent>, 0x11723a60 <XRRWireToEvent>,
0x11723a60 <XRRWireToEvent>, 0x11d38fa0 <XDamageWireToEvent>,
0xcf71990 <_XUnknownWireEvent>}, wire_vec = {
0xcf719c0 <_XUnknownNativeEvent>, 0xcf719c0 <_XUnknownNativeEvent>,
0x0 <repeats 33 times>, 0xd272af0 <_xgeEventToWire>,
0xcf719c0 <_XUnknownNativeEvent> <repeats 62 times>,
0xd26d1b0 <event_to_wire>, 0xd26e390 <event_to_wire>,
0x11516490 <_XiEventToWire> <repeats 17 times>, 0xd270360 <event_to_wire>,
0xd270360 <event_to_wire>, 0xcf719c0 <_XUnknownNativeEvent>,
0xcf719c0 <_XUnknownNativeEvent>, 0x10cd2d70 <XFixesEventToWire>,
0x10cd2d70 <XFixesEventToWire>, 0x10cd2d70 <XFixesEventToWire>,
0x11723830 <XRREventToWire>, 0x11723830 <XRREventToWire>,
0x11d38ee0 <XDamageEventToWire>, 0xcf719c0 <_XUnknownNativeEvent>},
lock_meaning = 0, lock = 0x0, async_handlers = 0x0, bigreq_size = 4194303,
lock_fns = 0x0, idlist_alloc = 0xcf6fec0 <_XAllocIDs>, key_bindings = 0x0,
cursor_font = 67109002, atoms = 0x5effdf0, mode_switch = 0, num_lock = 0,
context_db = 0x0, error_vec = 0x0, cms = {defaultCCCs = 0x0,
clientCmaps = 0x2166d1a0 "\250\001", perVisualIntensityMaps = 0x0},
im_filters = 0x0, qfree = 0x20a663a0, next_event_serial_num = 286,
flushes = 0x0, im_fd_info = 0x0, im_fd_length = 0,
conn_watchers = 0x5efdc20, watcher_count = 1, filedes = 0x5eeb4c0 "\006",
savedsynchandler = 0x0, resource_max = 2097146, xcmisc_opcode = 0,
xkb_info = 0x5ef9ef0, trans_conn = 0x0, xcb = 0x5ebf360, next_cookie = 0,
generic_event_vec = {0x0 <repeats 15 times>,
0x1151bb10 <XInputWireToCookie>, 0x0 <repeats 112 times>},
generic_event_copy_vec = {0x0 <repeats 15 times>,
0x1151ac40 <XInputCopyCookie>, 0x0 <repeats 112 times>}, cookiejar = 0x0}
Comment 10•Assignee•12 years ago
Thanks!
> last_req = 0x5eef518 "\230\n", buffer = 0x5eeb530 "\230\n\302\002\003\001",
last_req set in _XGetRequest() from GetReq(); '\n' == 10 == RenderTrapezoids,
sizeof(xRenderTrapezoidsReq) == 0x18, which takes bufptr up to bufmax.
> bufptr = 0x5eef530 "", bufmax = 0x5eef530 "", max_request_size = 65535,
|len| passed to SetReqLen == 113790 > 65535, so MakeBigReq() is used.
MakeBigReq() needs to make the request 4 bytes larger (to squeeze in a larger length value). It saves the last 4 bytes in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves every word in the request after the first word. That is one too many words! One overflows.
Buggy code in Xlibint.h:
> #ifdef LONG64
> #define MakeBigReq(req,n) \
> { \
> CARD64 _BRdat; \
> CARD32 _BRlen = req->length - 1; \
> req->length = 0; \
> _BRdat = ((CARD32 *)req)[_BRlen]; \
> memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
> ((CARD32 *)req)[1] = _BRlen + n + 2; \
> Data32(dpy, &_BRdat, 4); \
> }
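A small model of the overflow described in comment 3 and comment 10, added here as an example (it is not libX11 code or the attached patch): an Xlib-style output buffer with a guard word at bufmax, the bufmax check that Data()/Data32() perform, and the MakeBigReq memmove run both as quoted above and with one word fewer moved, as in the fix. The names fake_display, fd_flush, fd_data32, make_big_req and run_scenario, the 8-word buffer and the request body are all constructed for this example.

```c
/* Added model (not libX11 code) of the Xlib output buffer, the bufmax check
 * that Data()/Data32() perform (comment 3) and the MakeBigReq macro quoted in
 * comment 10, run in its buggy form and with the one-word-fewer memmove.
 * fake_display, fd_*, make_big_req and run_scenario are hypothetical names.
 * run_scenario(0, out) returns 0 (guard word clobbered); run_scenario(1, out)
 * returns 9 (words on the wire, guard word intact). */
#include <stdint.h>
#include <string.h>

#define BUF_WORDS 8            /* constructed: tiny buffer, 8 words to bufmax */
#define CANARY    0xDEADBEEFu  /* constructed: guard word sitting at bufmax   */

typedef struct {
    uint32_t buf[BUF_WORDS + 1];   /* buf[BUF_WORDS] is the guard past bufmax */
    uint32_t *bufptr, *bufmax;
    uint32_t wire[2 * BUF_WORDS];  /* what _XSend/_XFlush would have written */
    size_t nwire;
} fake_display;

static void fd_init(fake_display *d) {
    memset(d, 0, sizeof *d);
    d->bufptr = d->buf;
    d->bufmax = d->buf + BUF_WORDS;
    d->buf[BUF_WORDS] = CANARY;
}

/* Stand-in for _XFlush: hand the buffered words to the wire. */
static void fd_flush(fake_display *d) {
    size_t n = (size_t)(d->bufptr - d->buf);
    memcpy(d->wire + d->nwire, d->buf, n * sizeof *d->buf);
    d->nwire += n;
    d->bufptr = d->buf;
}

/* Stand-in for Data32(): the same bufmax check as the Data() macro, flushing
 * first when the word would not fit, so this append can never overflow. */
static void fd_data32(fake_display *d, const uint32_t *w) {
    if (d->bufptr + 1 > d->bufmax) fd_flush(d);
    *d->bufptr++ = *w;
}

/* Request model: word 0 = reqType | data << 8 | length << 16 (LSB-first),
 * standing in for req->reqType / req->data / req->length of xReq. */
static void make_big_req(fake_display *d, uint32_t *req, uint32_t n, int fixed) {
    uint32_t brdat;
    uint32_t brlen = (req[0] >> 16) - 1;  /* words after the first; assumes length > 1 */
    req[0] &= 0xffffu;                    /* length = 0 announces BIG-REQUESTS form */
    brdat = req[brlen];                   /* last word, re-appended below by Data32 */
    /* The quoted macro moves brlen words, i.e. the saved last word too, so one
     * word lands at req + length, which is bufptr (== bufmax in the report). */
    memmove(req + 2, req + 1, (fixed ? brlen - 1 : brlen) * sizeof *req);
    req[1] = brlen + n + 2;               /* extended length incl. this word and n data words */
    fd_data32(d, &brdat);
}

/* Scenario from the report: GetReq() places a request whose end coincides with
 * bufmax. Returns the number of words that reached the wire, or 0 when the
 * guard word past bufmax was overwritten. 'out' needs 2 * BUF_WORDS entries. */
static size_t run_scenario(int fixed, uint32_t *out) {
    fake_display d;
    uint32_t len = BUF_WORDS;             /* request of 8 words fills the buffer */
    uint32_t *req;
    fd_init(&d);
    req = d.bufptr;                       /* GetReq: carve the request at bufptr */
    d.bufptr += len;                      /* ... and advance bufptr to bufmax   */
    req[0] = 0x98u | (10u << 8) | (len << 16);   /* opcode 0x98, RenderTrapezoids = 10 */
    for (uint32_t i = 1; i < len; i++) req[i] = 0x100u + i;   /* constructed body */
    make_big_req(&d, req, 0, fixed);
    fd_flush(&d);
    memcpy(out, d.wire, d.nwire * sizeof *out);
    return d.buf[BUF_WORDS] == CANARY ? d.nwire : 0;
}
```

The wire bytes are identical in both runs; the only difference is the single word written past bufmax, which is exactly what valgrind reports above as a write 2 bytes past the 16,384-byte block.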
Comment 11•Assignee•12 years ago
Bug has existed since the first 2003 version in the freedesktop repo:
http://cgit.freedesktop.org/xorg/lib/libX11/tree/include/X11/Xlibint.h?id=deae12c6b683898f5213992d561a59d4ea889cca#n515
Keywords: sec-vector
Summary: Invalid write in _cairo_xlib_surface_composite_trapezoids → Invalid write in MakeBigReq memmove XRenderCompositeTrapezoids
Comment 12•Assignee•12 years ago
I can prepare and test a patch.
I don't know the appropriate way to disclose. Is there anything more appropriate than filing at https://bugs.freedesktop.org/enter_bug.cgi?product=xorg&component=Lib/Xlib ?
Abhishek, do you have a preferred method to disclose this?
Are you happy if I report this and include your email address?
Comment 13•Reporter•12 years ago
Yes Karl, please go ahead and file this bug.
Comment 14•Assignee•12 years ago
Jeff: can you look over this and check it makes sense, please?
The parentheses are not necessary but clarify.
The case where req->length = 1 was already not functional.
The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Assignee: nobody → karlt
Attachment #674509 - Flags: review?(jmuizelaar)
Comment 15•12 years ago
Comment on attachment 674509 [details] [diff] [review]
MakeBigReq: don't move the last word, already handled by Data32
Review of attachment 674509 [details] [diff] [review]:
-----------------------------------------------------------------
This looks correct to me. It might be worth adding a comment about what MakeBigReq is trying to do and the assumption that length > 1
Attachment #674509 - Flags: review?(jmuizelaar) → review+
Comment 16•Assignee•12 years ago
I'll file a bug on freedesktop early next week, if I don't hear otherwise.
Comment 17•Assignee•12 years ago
Attachment #674509 - Attachment is obsolete: true
Comment 18•12 years ago
The bug at freedesktop.org hasn't even been commented since it was reported (at least that I can see). How can we escalate this issue so that it gets the proper attention over there?
Comment 19•Reporter•12 years ago
Feel free to close it here - bug is fixed - http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
Updated•Assignee•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Comment 20•10 years ago
Bad news :-/ It seems this X bug is still not fully fixed in up-to-date linux distros, even 2 years after its fix landed in libX11. See bug 1145965 (particularly bug 1145965 comment 28) for details.
Abhishek's original testcase here does indeed seem to be WORKSFORME in an ASAN build, so some part of this did become WORKSFORME, but I can trigger what seems to be the exact same bug with the testcase over in bug 1145965.
Comment 22•10 years ago
As discussed on bug 1145965 (which is now a dupe of this one):
- Ubuntu is issuing security updates for this; 15.04 beta got a libxrender update with the fix this morning. (This is tracked in https://launchpad.net/bugs/1441381 , which is currently private since this is a security vulnerability.)
- Debian Stable 7.8.0 is vulnerable, and I've notified their security-contact email & got a response indicating that they plan to ship an update.
- Latest Fedora release (21) seems to be unaffected, from my testing.
- Latest OpenSuse release (13.2) seems to be unaffected, from my testing.
Also, Canonical requested a CVE for the original libX11 bug/fix:
http://www.openwall.com/lists/oss-security/2015/04/08/4
Comment 23•10 years ago
[Copypasting duplicate bug 1145965 comment 49 over here]:
Summing up:
* the latest stable versions of all vulnerable linux distros that I'm aware of (Ubuntu & Debian stable releases) have now received security updates to address this.
* Ubuntu 15.04 beta also received an update, and Debian unstable was already unaffected.
* Ubuntu LTS (14.04) received an update as well; I haven't tested it, but I'll trust Ubuntu QA on that. (we may want to have our QA sanity-check as well)
* Latest Fedora & OpenSuse already had safe libxrender packages, based on my testing. (I wasn't able to reproduce any ASAN issues there.)
* I haven't tested other distros beyond those 4.
So, I think this is fixed everywhere -- or at least, I'm not aware of any linux distros that are still vulnerable to this.
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release