Bug 600180

Summary: Buffer overflow in XKB geometry copying code.
Product: Red Hat Enterprise Linux 6 Reporter: Peter Hutterer <peter.hutterer>
Component: xorg-x11-serverAssignee: Peter Hutterer <peter.hutterer>
Status: CLOSED CURRENTRELEASE QA Contact: desktop-bugs <desktop-bugs>
Severity: medium Docs Contact:
Priority: high    
Version: 6.0CC: rlat
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xorg-x11-server-1.7.7-7.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-10 21:58:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Peter Hutterer 2010-06-04 05:43:06 UTC
Description of problem:
Invalid write access when copying label fonts in the XKB geometry code xbk/xkbUtils:_XkbCopyGeom().

Classic bug of
foo = malloc(strlen(bar));
strcpy(foo, bar);

strcopy copies the null-byte, strlen doesn't count it, resulting in an invalid write past the allocated memory.

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.7.7-2.el6.x86_64


How reproducible:
Tricky. Easy reproducible test case is "valgrind Xephyr :1" which yields a complaint of:

==8591== Invalid write of size 1
==8591==    at 0x4A0638F: strcpy (mc_replace_strmem.c:311)
==8591==    by 0x605593: _XkbCopyGeom (xkbUtils.c:1994)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)
==8591==  Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd
==8591==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==8591==    by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)

This is with upstream, that has the identical source except for the removal of the libc wrappers. I the code in RHEL6 suffers from the same issue but valgrind doesn't give out for some reason. See

http://lists.freedesktop.org/archives/xorg-devel/2010-June/009604.html

Comment 1 RHEL Product and Program Management 2010-06-04 05:43:22 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Peter Hutterer 2010-06-07 00:37:28 UTC
As pointed out in http://lists.freedesktop.org/archives/xorg-devel/2010-June/009610.html, this bug is sometimes masked by the X internal allocations wrappers padding out to 4-byte boundaries.

Comment 3 Peter Hutterer 2010-06-10 00:40:10 UTC
MODIFIED

xorg-x11-server-1.7.7-7.el6 is available in brew.

Comment 5 Radek Lat 2010-08-04 10:18:38 UTC
Tested and Verified on xorg-x11-server-Xorg-1.7.7-23.el6.x86_64
FIXED, VERIFIED

Comment 6 releng-rhel@redhat.com 2010-11-10 21:58:39 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.