Closed Bug 803762 Opened 12 years ago Closed 12 years ago

Invalid write in MakeBigReq memmove XRenderCompositeTrapezoids

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME

People

(Reporter: inferno, Assigned: karlt)

References

Details

(Keywords: crash, sec-vector, testcase, Whiteboard: [asan][valgrind])

Attachments

(2 files, 1 obsolete file)

Attached file Testcase
Reproduces on trunk on my Ubuntu 12 machine. ASAN is not able to unwind the stack properly, so including the valgrind stack.

==31181== Invalid write of size 2
==31181==    at 0x4C2CECE: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31181==    by 0xBE70E14: XRenderCompositeTrapezoids (string3.h:58)
==31181==    by 0x9B8ECC9: _cairo_xlib_surface_composite_trapezoids (cairo-xlib-surface.c:2983)
==31181==    by 0x9B55DFD: _cairo_surface_composite_trapezoids (cairo-surface.c:2396)
==31181==    by 0x9B580DA: _composite_traps_draw_func (cairo-surface-fallback.c:561)
==31181==    by 0x9B57DBC: _clip_and_composite (cairo-surface-fallback.c:472)
==31181==    by 0x9B58B34: _clip_and_composite_trapezoids (cairo-surface-fallback.c:875)
==31181==    by 0x9B5931E: _cairo_surface_fallback_stroke (cairo-surface-fallback.c:1111)
==31181==    by 0x9B55BD1: _cairo_surface_stroke (cairo-surface.c:2302)
==31181==    by 0x9B2193D: _cairo_gstate_stroke (cairo-gstate.c:1166)
==31181==    by 0x9B0DFF8: _moz_cairo_stroke_preserve (cairo.c:2416)
==31181==    by 0xA03E5E9: mozilla::gfx::DrawTargetCairo::DrawPattern(mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::DrawTargetCairo::DrawPatternType) (DrawTargetCairo.cpp:512)
==31181==  Address 0x5eee092 is 2 bytes after a block of size 16,384 alloc'd
==31181==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31181==    by 0xCF46E2D: XOpenDisplay (OpenDis.c:256)
==31181==    by 0xEE67937: gdk_display_open (gdkdisplay-x11.c:166)
==31181==    by 0x818FFDB: XREMain::XRE_mainStartup(bool*) (nsAppRunner.cpp:3329)
==31181==    by 0x8191B14: XREMain::XRE_main(int, char**, nsXREAppData const*) (nsAppRunner.cpp:3843)
==31181==    by 0x8191DCC: XRE_main (nsAppRunner.cpp:3933)
==31181==    by 0x401EF8: do_main(int, char**) (nsBrowserApp.cpp:174)
==31181==    by 0x4021AE: main (nsBrowserApp.cpp:279)
==31181==
Severity: normal → critical
Component: General → Graphics
Keywords: crash, testcase
Product: Firefox → Core
Whiteboard: [asan][valgrind]
I'm not clear on whether we can do anything about this. It looks like a bug directly inside X.
Feel free to close it then. I didn't know whether it was a Firefox or X bug, so I filed just in case.
It looks like libX11 is overflowing its output buffer. That would be a serious bug that we should report, but I can't see from the code how that would happen. This is the code in Xlibint.h designed to protect against that:

#define Data(dpy, data, len) {\
	if (dpy->bufptr + (len) <= dpy->bufmax) {\
		memcpy(dpy->bufptr, data, (int)len);\
		dpy->bufptr += ((len) + 3) & ~3;\
	} else\
		_XSend(dpy, data, len);\
}

I'm not reproducing with libX11 1.5.0 and libXrender 0.9.7, where the code looks unchanged from precise's 1.4.99.1 and 0.9.6.

Are you able to get local variables in the XRenderCompositeTrapezoids frame from gdb "bt 3 full" or similar?
(gdb) bt 3 full
#0  0x0000000004c2cece in _vgr20181ZZ_libcZdsoZa_memcpyZAGLIBCZu2Zd2Zd5 () from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
No symbol table info available.
#1  0x000000000be8ee15 in XRenderCompositeTrapezoids (dpy=0x5ebe080, op=<optimized out>, src=<optimized out>, dst=67109384, maskFormat=0x6046ee0, xSrc=<optimized out>, ySrc=2, traps=0x292e0080, ntrap=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:58
        _BRdat = 131735
        _BRlen = <optimized out>
        info = 0x6045ec0
        req = 0x5eef518
        n = <optimized out>
        len = 113790
        max_req = 4194303
#2  0x0000000009bac326 in _cairo_xlib_surface_composite_trapezoids (op=CAIRO_OPERATOR_OVER, pattern=0x7feff6a00, abstract_dst=0x21033b20, antialias=CAIRO_ANTIALIAS_DEFAULT, src_x=171, src_y=2, dst_x=171, dst_y=2, width=1427, height=14, traps=0x2a145f80, num_traps=11379, clip_region=0x0) at /usr/local/google/home/aarya/firefox/src/gfx/cairo/cairo/src/cairo-xlib-surface.c:2983
        attributes = {matrix = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}, extend = CAIRO_EXTEND_REPEAT, filter = CAIRO_FILTER_NEAREST, has_component_alpha = 0, x_offset = 0, y_offset = 0, extra = 0x4025ae0000000000}
        dst = 0x21033b20
        src = 0x2442ecc0
        display = 0x20fb78c0
        status = 0
        operation = DO_RENDER
        render_reference_x = 663
        render_reference_y = 2
        render_src_x = 663
        render_src_y = 2
        pict_format = 0x6046ee0
        xtraps_stack = {...}   [dump of the on-stack trapezoid array elided]
        xtraps = 0x292e0080
        i = 11379
Thanks. The only bad code I've found is the __clang_analyzer__ block at http://cgit.freedesktop.org/xorg/lib/libX11/tree/include/X11/Xlibint.h?id=ae39d82b01359b07dd1fe092d867f79ea95a5438#n575 Is this the regular Precise libX11 or has libX11 been compiled specially for ASAN in a way that might cause __clang_analyzer__ to be defined?
I guess it is libXrender that is more relevant but perhaps any object using SetReqLen compiled with __clang_analyzer__ could cause problems. Could cairo-xlib-surface in Firefox have been compiled with DEBUG and __clang_analyzer__ defined? http://hg.mozilla.org/mozilla-central/annotate/1c3e4cb1f754/gfx/cairo/cairo/src/cairo-xlib-surface.c#l75
(In reply to Karl Tomlinson (:karlt) from comment #5)
> Thanks. The only bad code I've found is the __clang_analyzer__ block at
> http://cgit.freedesktop.org/xorg/lib/libX11/tree/include/X11/Xlibint.h?id=ae39d82b01359b07dd1fe092d867f79ea95a5438#n575
>
> Is this the regular Precise libX11 or has libX11 been compiled specially for
> ASAN in a way that might cause __clang_analyzer__ to be defined?

I don't think ASAN defines clang analyzer. Also, this bug reproduces with a regular build under valgrind.
OK, yes, that should rule out involvement of that code. In gdb, "frame 1" "print *dpy" may provide some clues.
$1 = {ext_data = 0x0, free_funcs = 0x5eef570, fd = 6, conn_checker = 0,
  proto_major_version = 11, proto_minor_version = 0,
  vendor = 0x5eef600 "The X.Org Foundation",
  resource_base = 67108864, resource_mask = 2097151, resource_id = 0, resource_shift = 0,
  resource_alloc = 0xcf6fe70 <_XAllocID>,
  byte_order = 0, bitmap_unit = 32, bitmap_pad = 32, bitmap_bit_order = 0,
  nformats = 7, pixmap_format = 0x5eef660, vnumber = 11, release = 11103000,
  head = 0x0, tail = 0x0, qlen = 0, last_request_read = 1703, request = 1729,
  last_req = 0x5eef518 "\230\n", buffer = 0x5eeb530 "\230\n\302\002\003\001",
  bufptr = 0x5eef530 "", bufmax = 0x5eef530 "", max_request_size = 65535,
  db = 0x6047ee0, synchandler = 0x0, display_name = 0x5ebf310 ":0",
  default_screen = 0, nscreens = 1, screens = 0x5eef750, motion_buffer = 256, flags = 128,
  min_keycode = 8, max_keycode = 255, keysyms = 0x0, modifiermap = 0x0, keysyms_per_keycode = 0,
  xdefaults = 0x5ef9e20 "*customization:\t-color\nXft.dpi:\t96\nXft.antialias:\t1\nXft.hinting:\t1\nXft.hintstyle:\thintslight\nXft.rgba:\trgb\nXft.lcdfilter:\tlcddefault\n",
  scratch_buffer = 0x0, scratch_length = 0, ext_number = 15, ext_procs = 0x213fbac0,
  event_vec = {0xcf71990 <_XUnknownWireEvent>, 0xcf71990 <_XUnknownWireEvent>, 0xcf719d0 <_XWireToEvent> <repeats 33 times>, 0xd272b80 <_xgeWireToEvent>, 0xcf71990 <_XUnknownWireEvent> <repeats 62 times>, 0xd26d290 <wire_to_event>, 0xd26e450 <wire_to_event>, 0x1151a290 <XInputWireToEvent> <repeats 17 times>, 0xd26fcb0 <wire_to_event>, 0xd26fcb0 <wire_to_event>, 0xcfc57e0 <wire_to_event>, 0xcf71990 <_XUnknownWireEvent>, 0x10cd2e80 <XFixesWireToEvent>, 0x10cd2e80 <XFixesWireToEvent>, 0x10cd2e80 <XFixesWireToEvent>, 0x11723a60 <XRRWireToEvent>, 0x11723a60 <XRRWireToEvent>, 0x11d38fa0 <XDamageWireToEvent>, 0xcf71990 <_XUnknownWireEvent>},
  wire_vec = {0xcf719c0 <_XUnknownNativeEvent>, 0xcf719c0 <_XUnknownNativeEvent>, 0x0 <repeats 33 times>, 0xd272af0 <_xgeEventToWire>, 0xcf719c0 <_XUnknownNativeEvent> <repeats 62 times>, 0xd26d1b0 <event_to_wire>, 0xd26e390 <event_to_wire>, 0x11516490 <_XiEventToWire> <repeats 17 times>, 0xd270360 <event_to_wire>, 0xd270360 <event_to_wire>, 0xcf719c0 <_XUnknownNativeEvent>, 0xcf719c0 <_XUnknownNativeEvent>, 0x10cd2d70 <XFixesEventToWire>, 0x10cd2d70 <XFixesEventToWire>, 0x10cd2d70 <XFixesEventToWire>, 0x11723830 <XRREventToWire>, 0x11723830 <XRREventToWire>, 0x11d38ee0 <XDamageEventToWire>, 0xcf719c0 <_XUnknownNativeEvent>},
  lock_meaning = 0, lock = 0x0, async_handlers = 0x0, bigreq_size = 4194303, lock_fns = 0x0,
  idlist_alloc = 0xcf6fec0 <_XAllocIDs>, key_bindings = 0x0, cursor_font = 67109002, atoms = 0x5effdf0,
  mode_switch = 0, num_lock = 0, context_db = 0x0, error_vec = 0x0,
  cms = {defaultCCCs = 0x0, clientCmaps = 0x2166d1a0 "\250\001", perVisualIntensityMaps = 0x0},
  im_filters = 0x0, qfree = 0x20a663a0, next_event_serial_num = 286, flushes = 0x0,
  im_fd_info = 0x0, im_fd_length = 0, conn_watchers = 0x5efdc20, watcher_count = 1,
  filedes = 0x5eeb4c0 "\006", savedsynchandler = 0x0, resource_max = 2097146, xcmisc_opcode = 0,
  xkb_info = 0x5ef9ef0, trans_conn = 0x0, xcb = 0x5ebf360, next_cookie = 0,
  generic_event_vec = {0x0 <repeats 15 times>, 0x1151bb10 <XInputWireToCookie>, 0x0 <repeats 112 times>},
  generic_event_copy_vec = {0x0 <repeats 15 times>, 0x1151ac40 <XInputCopyCookie>, 0x0 <repeats 112 times>},
  cookiejar = 0x0}
Thanks!

> last_req = 0x5eef518 "\230\n", buffer = 0x5eeb530 "\230\n\302\002\003\001",

last_req set in _XGetRequest() from GetReq(); '\n' == 10 == RenderTrapezoids, sizeof(xRenderTrapezoidsReq) == 0x18, which takes bufptr up to bufmax.

> bufptr = 0x5eef530 "", bufmax = 0x5eef530 "", max_request_size = 65535,

|len| passed to SetReqLen == 113790 > 65535, so MakeBigReq() is used.

MakeBigReq() needs to make the request 4 bytes larger (to squeeze in a larger length value). It saves the last 4 bytes in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves every word in the request after the first word. That is one too many words! One overflows.

Buggy code in Xlibint.h:

> #ifdef LONG64
> #define MakeBigReq(req,n) \
> { \
> CARD64 _BRdat; \
> CARD32 _BRlen = req->length - 1; \
> req->length = 0; \
> _BRdat = ((CARD32 *)req)[_BRlen]; \
> memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
> ((CARD32 *)req)[1] = _BRlen + n + 2; \
> Data32(dpy, &_BRdat, 4); \
> }
Keywords: sec-vector
Summary: Invalid write in _cairo_xlib_surface_composite_trapezoids → Invalid write in MakeBigReq memmove XRenderCompositeTrapezoids
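An added C model of the overrun described in the comment above; it is not the bug's attachment or libX11 code. The request layout, word markers, REQ_WORDS and the canary past the end are constructed, and the corrected count `(_BRlen - 1) << 2` is the "don't move the last word" arithmetic the attachment title describes, placed beside the original `_BRlen << 2` so the one-word difference can be observed directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t CARD32;
typedef uint64_t CARD64;

/* Core request header as Xlib lays it out: one 32-bit word holding
 * reqType, one data byte and a 16-bit length in 4-byte words (header
 * included). */
typedef struct { uint8_t reqType, data; uint16_t length; } xReq;

/* Constructed layout: a REQ_WORDS-word request that ends exactly where
 * the buffer ends (the bufptr == bufmax situation in the dpy dump),
 * followed by a canary standing in for whatever lies past bufmax. */
enum { REQ_WORDS = 6, CANARY = 0xDEADBEEFu };

typedef struct {
    CARD32 words[REQ_WORDS];
    CARD32 canary;
} fake_buf;

/* Word i carries the marker 0x0i000000 so moved words can be traced. */
static void init_req(fake_buf *b)
{
    for (int i = 0; i < REQ_WORDS; i++)
        b->words[i] = 0x01000000u * (CARD32)(i + 1);
    ((xReq *)b->words)->length = REQ_WORDS;
    b->canary = CANARY;
}

/* MakeBigReq's body with n == 0 extra words. It opens a second length word
 * at index 1 by shifting the rest of the request right by one word, after
 * saving the last word in *saved for Data32() to append later.
 * fixed == 0: original count (_BRlen << 2). _BRlen words are moved although
 *             only _BRlen - 1 need to be, so the final word lands past the
 *             request, at the canary.
 * fixed == 1: (_BRlen - 1) << 2, leaving the last word to Data32().
 * Returns the number of bytes handed to memmove. */
static size_t make_big_req(fake_buf *b, CARD64 *saved, int fixed)
{
    xReq *req = (xReq *)b->words;
    CARD32 _BRlen = req->length - 1;
    req->length = 0;
    *saved = b->words[_BRlen];
    size_t nbytes = (size_t)(fixed ? _BRlen - 1 : _BRlen) << 2;
    memmove((char *)req + 8, (char *)req + 4, nbytes);
    b->words[1] = _BRlen + 0 + 2;   /* BIG-REQUESTS length: _BRlen + n + 2 */
    return nbytes;
}

/* 1 if the word just past the request was overwritten. */
static int overflowed(const fake_buf *b) { return b->canary != CANARY; }

int main(void)
{
    fake_buf b;
    CARD64 saved;
    for (int fixed = 0; fixed < 2; fixed++) {
        init_req(&b);
        size_t n = make_big_req(&b, &saved, fixed);
        printf("%s: moved %zu bytes of a %d-byte request, saved word %#llx, past-end word %s\n",
               fixed ? "fixed   " : "original", n, REQ_WORDS * 4,
               (unsigned long long)saved, overflowed(&b) ? "CLOBBERED" : "intact");
    }
    return 0;
}
```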
I can prepare and test a patch. I don't know the appropriate way to disclose. Is there anything more appropriate than filing at https://bugs.freedesktop.org/enter_bug.cgi?product=xorg&component=Lib/Xlib ? Abhishek, do you have a preferred method to disclose this? Are you happy if I report this and include your email address?
Yes Karl, please go ahead and file this bug.
Jeff: can you look over this and check it makes sense, please? The parentheses are not necessary but clarify. The case where req->length = 1 was already not functional. The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Assignee: nobody → karlt
Attachment #674509 - Flags: review?(jmuizelaar)
Comment on attachment 674509 [details] [diff] [review]
MakeBigReq: don't move the last word, already handled by Data32

Review of attachment 674509 [details] [diff] [review]:
-----------------------------------------------------------------

This looks correct to me. It might be worth adding a comment about what MakeBigReq is trying to do and the assumption that length > 1.
Attachment #674509 - Flags: review?(jmuizelaar) → review+
I'll file a bug on freedesktop early next week, if I don't hear otherwise.
Attachment #674509 - Attachment is obsolete: true
The bug at freedesktop.org hasn't even been commented since it was reported (at least that I can see). How can we escalate this issue so that it gets the proper attention over there?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Bad news :-/ It seems this X bug is still not fully fixed in up-to-date linux distros, even 2 years after its fix landed in libX11. See bug 1145965 (particularly bug 1145965 comment 28) for details. Abhishek's original testcase here does indeed seem to be WORKSFORME in an ASAN build, so some part of this did become WORKSFORME, but I can trigger what seems to be the exact same bug with the testcase over in bug 1145965.
As discussed on bug 1145965 (which is now a dupe of this one):
- Ubuntu is issuing security updates for this; 15.04 beta got a libxrender update with the fix this morning. (This is tracked in https://launchpad.net/bugs/1441381 , which is currently private since this is a security vulnerability.)
- Debian Stable 7.8.0 is vulnerable, and I've notified their security-contact email & got a response indicating that they plan to ship an update.
- Latest Fedora release (21) seems to be unaffected, from my testing.
- Latest OpenSuse release (13.2) seems to be unaffected, from my testing.

Also, Canonical requested a CVE for the original libX11 bug/fix: http://www.openwall.com/lists/oss-security/2015/04/08/4
[Copypasting duplicate bug 1145965 comment 49 over here]:

Summing up:
* the latest stable versions of all vulnerable linux distros that I'm aware of (Ubuntu & Debian stable releases) have now received security updates to address this.
* Ubuntu 15.04 beta also received an update, and Debian unstable was already unaffected.
* Ubuntu LTS (14.04) received an update as well; I haven't tested it, but I'll trust Ubuntu QA on that. (we may want to have our QA sanity-check as well)
* Latest Fedora & OpenSuse already had safe libxrender packages, based on my testing. (I wasn't able to reproduce any ASAN issues there.)
* I haven't tested other distros beyond those 4.

So, I think this is fixed everywhere -- or at least, I'm not aware of any linux distros that are still vulnerable to this.
Group: core-security → core-security-release
Group: core-security-release