Bug 132884 - Xorg overflows it's own stack.
Summary: Xorg overflows it's own stack.
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Brian Stein
QA Contact: David Lawrence
: 132882 (view as bug list)
Depends On:
Blocks: FC3Target
TreeView+ depends on / blocked
Reported: 2004-09-18 18:00 UTC by Brian Stein
Modified: 2013-03-01 05:14 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-09-22 09:26:49 UTC

Attachments (Terms of Use)

Description Arjan van de Ven 2004-09-18 18:00:57 UTC
Description of problem:

around line 243 has

xkbDoodadWireDesc *     doodadWire;

which on first sight LOOKS ok but is not. SIZEOF() is not a macro
wrapper for sizeof() but it's actually a preprocessor wrapper where
the result is sc_xkbDoodadWireDesc, which is #define'd to 20 (on the
wire). However the in core struct is *SMALLER* than 20 bytes so this
bzero is corrupting memory beyond the end of the struct. The obvious
fix is to make this sizeof() not SIZEOF()

Comment 1 Warren Togami 2004-09-19 03:12:41 UTC
*** Bug 132882 has been marked as a duplicate of this bug. ***

Comment 3 Mike A. Harris 2004-09-22 01:48:36 UTC
Status update:  We discussed this issue on today's team confcall and
Kevin indicated that he did a preliminary investigation of this in
which it seemed that there is no real overflow.

Further investigation is needed in order to be conclusive, and also
to determine what if any real actual security implications there are
if any.

Setting FC3Target status for tracking.  If further investigation
ends up concluding there is a real issue, we can raise this to
FC3Blocker and/or security update priority.

Comment 4 Arjan van de Ven 2004-09-22 06:33:09 UTC
gcc disagrees and detected an actual overflow due to size mismatch.

Comment 5 Jakub Jelinek 2004-09-22 09:26:49 UTC
This is a GCC bug.

Comment 6 Kevin E. Martin 2004-09-22 14:13:06 UTC
Glad to hear that this is a GCC bug.  The xkbDoodadWireDesc is union
of five other stucts all of which are exactly 20 bytes long.  I would
have been surprised if this turned out to be a problem.

Note You need to log in before you can comment on or make changes to this bug.