Bug 132884
| Summary: | Xorg overflows it's own stack. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Brian Stein <bstein> |
| Component: | xorg-x11 | Assignee: | Brian Stein <bstein> |
| Status: | CLOSED NOTABUG | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | bstevens, jakub |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-09-22 09:26:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 123268 | ||
*** Bug 132882 has been marked as a duplicate of this bug. *** Status update: We discussed this issue on today's team confcall and Kevin indicated that he did a preliminary investigation of this in which it seemed that there is no real overflow. Further investigation is needed in order to be conclusive, and also to determine what if any real actual security implications there are if any. Setting FC3Target status for tracking. If further investigation ends up concluding there is a real issue, we can raise this to FC3Blocker and/or security update priority. gcc disagrees and detected an actual overflow due to size mismatch. This is a GCC bug. Glad to hear that this is a GCC bug. The xkbDoodadWireDesc is union of five other stucts all of which are exactly 20 bytes long. I would have been surprised if this turned out to be a problem. |
Description of problem: sc/lib/X11/XKBSetGeom.c around line 243 has xkbDoodadWireDesc * doodadWire; ... bzero(doodadWire,SIZEOF(xkbDoodadWireDesc)); which on first sight LOOKS ok but is not. SIZEOF() is not a macro wrapper for sizeof() but it's actually a preprocessor wrapper where the result is sc_xkbDoodadWireDesc, which is #define'd to 20 (on the wire). However the in core struct is *SMALLER* than 20 bytes so this bzero is corrupting memory beyond the end of the struct. The obvious fix is to make this sizeof() not SIZEOF()