Bug 176048
| Summary: | buffer overflow in xscreensaver from rawhide | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Burns <fedora> | ||||||
| Component: | xscreensaver | Assignee: | Ray Strode [halfline] <rstrode> | ||||||
| Status: | CLOSED RAWHIDE | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | rawhide | CC: | jwz, mtasaka | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | i386 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2006-09-24 02:30:34 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Andy Burns
2005-12-18 11:49:43 UTC
Still crashes with updated rawhide, but I have discovered it only crashes when xscreensaver is run as root, which is a bad thing to do anyway, however it did previously warn you how bad an idea it is to run as root instead of crashing ... Created attachment 123156 [details]
gdb log of xscreensaver run as root
Hello.
Andy's comment that "SEGV if run as root" perhaps made the
problem of this issue clearer.
Always reproducible for me if run as root, too. See the gdb log
attached.
Created attachment 123157 [details]
Patch for getgroups() in setuid.c
SEGV is called by getgroups() in set_ids_by_number() in
driver/setuid.c (see around the line 180).
sizeof(groups) returns 4*1024=4096! (not 1024), which must be
divided by sizeof(gid_t).
This patch is to give the correct value to getgroups() in
setuid.c.
checking with system updated to rawhide 2006-01-23 xscreensaver 1:4.23-1 works ok as non root, but daemon still crashes as root *** buffer overflow detected ***: xscreensaver terminated ======= Backtrace: ========= /lib64/libc.so.6(__chk_fail+0x2f)[0x3d5bbdca4f] /lib64/libc.so.6[0x3d5bbddd1e] xscreensaver[0x41231a] xscreensaver[0x412abb] xscreensaver[0x40797c] /lib64/libc.so.6(__libc_start_main+0xf4)[0x3d5bb1cde4] xscreensaver[0x405559] ======= Memory map: ======== 00400000-00434000 r-xp 00000000 fd:00 25401151 /usr/bin/xscreensaver 00533000-00535000 rw-p 00033000 fd:00 25401151 /usr/bin/xscreensaver 00535000-00559000 rw-p 00535000 00:00 0 [heap] 3d23400000-3d23405000 r-xp 00000000 fd:00 25401201 /usr/lib64/libXxf86vm.so.1.0.0 3d23405000-3d23504000 ---p 00005000 fd:00 25401201 /usr/lib64/libXxf86vm.so.1.0.0 3d23504000-3d23505000 rw-p 00004000 fd:00 25401201 /usr/lib64/libXxf86vm.so.1.0.0 3d5b900000-3d5b919000 r-xp 00000000 fd:00 93389020 /lib64/ld-2.3.90.so 3d5ba19000-3d5ba1a000 r--p 00019000 fd:00 93389020 /lib64/ld-2.3.90.so 3d5ba1a000-3d5ba1b000 rw-p 0001a000 fd:00 93389020 /lib64/ld-2.3.90.so 3d5bb00000-3d5bc2f000 r-xp 00000000 fd:00 93389021 /lib64/libc-2.3.90.so 3d5bc2f000-3d5bd2f000 ---p 0012f000 fd:00 93389021 /lib64/libc-2.3.90.so 3d5bd2f000-3d5bd33000 r--p 0012f000 fd:00 93389021 /lib64/libc-2.3.90.so 3d5bd33000-3d5bd34000 rw-p 00133000 fd:00 93389021 /lib64/libc-2.3.90.so 3d5bd34000-3d5bd39000 rw-p 3d5bd34000 00:00 0 3d5c000000-3d5c002000 r-xp 00000000 fd:00 93389022 /lib64/libdl-2.3.90.so 3d5c002000-3d5c102000 ---p 00002000 fd:00 93389022 /lib64/libdl-2.3.90.so 3d5c102000-3d5c103000 r--p 00002000 fd:00 93389022 /lib64/libdl-2.3.90.so 3d5c103000-3d5c104000 rw-p 00003000 fd:00 93389022 /lib64/libdl-2.3.90.so 3d5c600000-3d5c605000 r-xp 00000000 fd:00 25418995 /usr/lib64/libXdmcp.so.6.0.0 3d5c605000-3d5c704000 ---p 00005000 fd:00 25418995 /usr/lib64/libXdmcp.so.6.0.0 3d5c704000-3d5c705000 rw-p 00004000 fd:00 25418995 /usr/lib64/libXdmcp.so.6.0.0 3d5ca00000-3d5caf9000 r-xp 00000000 fd:00 25418996 /usr/lib64/libX11.so.6.2.0 3d5caf9000-3d5cbf9000 ---p 000f9000 fd:00 25418996 /usr/lib64/libX11.so.6.2.0 3d5cbf9000-3d5cc00000 rw-p 000f9000 fd:00 25418996 /usr/lib64/libX11.so.6.2.0 3d5cd00000-3d5cd02000 r-xp 00000000 fd:00 25418994 /usr/lib64/libXau.so.6.0.0 3d5cd02000-3d5ce01000 ---p 00002000 fd:00 25418994 /usr/lib64/libXau.so.6.0.0 3d5ce01000-3d5ce02000 rw-p 00001000 fd:00 25418994 /usr/lib64/libXau.so.6.0.0 3d5d100000-3d5d10f000 r-xp 00000000 fd:00 25418997 /usr/lib64/libXext.so.6.4.0 3d5d10f000-3d5d20f000 ---p 0000f000 fd:00 25418997 /usr/lib64/libXext.so.6.4.0 3d5d20f000-3d5d210000 rw-p 0000f000 fd:00 25418997 /usr/lib64/libXext.so.6.4.0 3d5db00000-3d5db08000 r-xp 00000000 fd:00 25419010 /usr/lib64/libXrender.so.1.3.0 3d5db08000-3d5dc08000 ---p 00008000 fd:00 25419010 /usr/lib64/libXrender.so.1.3.0 3d5dc08000-3d5dc09000 rw-p 00008000 fd:00 25419010 /usr/lib64/libXrender.so.1.3.0 3d5e500000-3d5e502000 r-xp 00000000 fd:00 25419018 /usr/lib64/libXinerama.so.1.0.0 3d5e502000-3d5e601000 ---p 00002000 fd:00 25419018 /usr/lib64/libXinerama.so.1.0.0 3d5e601000-3d5e602000 rw-p 00001000 fd:00 25419018 /usr/lib64/libXinerama.so.1.0.0 3d5f500000-3d5f503000 r-xp 00000000 fd:00 25419020 /usr/lib64/libXrandr.so.2.0.0 3d5f503000-3d5f602000 ---p 00003000 fd:00 25419020 /usr/lib64/libXrandr.so.2.0.0 3d5f602000-3d5f603000 rw-p 00002000 fd:00 25419020 /usr/lib64/libXrandr.so.2.0.0 3d5f900000-3d5f917000 r-xp 00000000 fd:00 25403620 /usr/lib64/libXmu.so.6.2.0 3d5f917000-3d5fa16000 ---p 00017000 fd:00 25403620 /usr/lib64/libXmu.so.6.2.0 3d5fa16000-3d5fa18000 rw-p 00016000 fd:00 25403620 /usr/lib64/libXmu.so.6.2.0 3d5fb00000-3d5fb58000 r-xp 00000000 fd:00 25411002 /usr/lib64/libXt.so.6.0.0 3d5fb58000-3d5fc57000 ---p 00058000 fd:00 25411002 /usr/lib64/libXt.so.6.0.0 3d5fc57000-3d5fc5d000 rw-p 00057000 fd:00 25411002 /usr/lib64/libXt.so.6.0.0 3d5fc5d000-3d5fc5e000 rw-p 3d5fc5d000 00:00 0 3d61000000-3d6100f000 r-xp 00000000 fd:00 93389028 /lib64/libaudit.so.0.0.0 3d6100f000-3d6110e000 ---p 0000f000 fd:00 93389028 /lib64/libaudit.so.0.0.0 3d6110e000-3d61110000 rw-p 0000e000 fd:00 93389028 /lib64/libaudit.so.0.0.0 3d61500000-3d61509000 r-xp 00000000 fd:00 25419056 /usr/lib64/libSM.so.6.0.0 3d61509000-3d61609000 ---p 00009000 fd:00 25419056 /usr/lib64/libSM.so.6.0.0 3d61609000-3d6160a000 rw-p 00009000 fd:00 25419056 /usr/lib64/libSM.so.6.0.0 3d61700000-3d61716000 r-xp 00000000 fd:00 25419055 /usr/lib64/libICE.so.6.3.0 3d61716000-3d61816000 ---p 00016000 fd:00 25419055 /usr/lib64/libICE.so.6.3.0 3d61816000-3d61817000 rw-p 00016000 fd:00 25419055 /usr/lib64/libICE.so.6.3.0 3d61817000-3d6181b000 rw-p 3d61817000 00:00 0 3d62100000-3d6210b000 r-xp 00000000 fd:00 93389029 /lib64/libpam.so.0.81.1 3d6210b000-3d6220b000 ---p 0000b000 fd:00 93389029 /lib64/libpam.so.0.81.1 3d6220b000-3d6220c000 rw-p 0000b000 fd:00 93389029 /lib64/libpam.so.0.81.1 3d65100000-3d65105000 r-xp 00000000 fd:00 93389033 /lib64/libcrypt-2.3.90.so 3d65105000-3d65204000 ---p 00005000 fd:00 93389033 /lib64/libcrypt-2.3.90.so 3d65204000-3d65205000 r--p 00004000 fd:00 93389033 /lib64/libcrypt-2.3.90.so 3d65205000-3d65206000 rw-p 00005000 fd:00 93389033 /lib64/libcrypt-2.3.90.so 3d65206000-3d65234000 rw-p 3d65206000 00:00 0 3d65700000-3d65703000 r-xp 00000000 fd:00 15466555 /usr/lib64/libXxf86misc.so.1.1.0 3d65703000-3d65802000 ---p 00003000 fd:00 15466555 /usr/lib64/libXxf86misc.so.1.1.0 3d65802000-3d65803000 rw-p 00002000 fd:00 15466555 /usr/lib64/libXxf86misc.so.1.1.0 2b1d63f52000-2b1d63f53000 rw-p 2b1d63f52000 00:00 0 2b1d63f63000-2b1d63f6b000 rw-p 2b1d63f63000 00:00 0 2b1d63f6b000-2b1d63f75000 r-xp 00000000 fd:00 93388828 /lib64/libnss_files-2.3.90.so 2b1d63f75000-2b1d64074000 ---p 0000a000 fd:00 93388828 /lib64/libnss_files-2.3.90.so 2b1d64074000-2b1d64075000 r--p 00009000 fd:00 93388828 /lib64/libnss_files-2.3.90.so 2b1d64075000-2b1d64076000 rw-p 0000a000 fd:00 93388828 /lib64/libnss_files-2.3.90.so 2b1d64076000-2b1d64082000 r-xp 00000000 fd:00 93388812 /lib64/libgcc_s-4.1.0-20060121.so.1 2b1d64082000-2b1d64182000 ---p 0000c000 fd:00 93388812 /lib64/libgcc_s-4.1.0-20060121.so.1 2b1d64182000-2b1d64183000 rw-p 0000c000 fd:00 93388812 /lib64/libgcc_s-4.1.0-20060121.so.1 7fffffd30000-7fffffd46000 rw-p 7fffffd30000 00:00 0 [stack] ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vdso] Yes. xscreensaver-4.23-1 leaves this problem unsolved (for root). If Andy's problem is from what I pointed out, current rawhide (xscreensaver-4.24-1) should fix this problem. Perhaps this bug is already fixed in 4.24 . |