Bug 132884 – Xorg overflows it's own stack.

Bug 132884 - Xorg overflows it's own stack.

Summary:	Xorg overflows it's own stack.

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	xorg-x11 (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Brian Stein
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	132882 (view as bug list)
Depends On:
Blocks:	FC3Target
	Show dependency tree / graph

Reported:	2004-09-18 14:00 EDT by Brian Stein
Modified:	2013-03-01 00:14 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-09-22 05:26:49 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Arjan van de Ven 2004-09-18 14:00:57 EDT

Description of problem:

sc/lib/X11/XKBSetGeom.c
around line 243 has

xkbDoodadWireDesc *     doodadWire;
...
        bzero(doodadWire,SIZEOF(xkbDoodadWireDesc));

which on first sight LOOKS ok but is not. SIZEOF() is not a macro
wrapper for sizeof() but it's actually a preprocessor wrapper where
the result is sc_xkbDoodadWireDesc, which is #define'd to 20 (on the
wire). However the in core struct is *SMALLER* than 20 bytes so this
bzero is corrupting memory beyond the end of the struct. The obvious
fix is to make this sizeof() not SIZEOF()

Comment 1 Warren Togami 2004-09-18 23:12:41 EDT

*** Bug 132882 has been marked as a duplicate of this bug. ***

Comment 3 Mike A. Harris 2004-09-21 21:48:36 EDT

Status update:  We discussed this issue on today's team confcall and
Kevin indicated that he did a preliminary investigation of this in
which it seemed that there is no real overflow.

Further investigation is needed in order to be conclusive, and also
to determine what if any real actual security implications there are
if any.

Setting FC3Target status for tracking.  If further investigation
ends up concluding there is a real issue, we can raise this to
FC3Blocker and/or security update priority.

Comment 4 Arjan van de Ven 2004-09-22 02:33:09 EDT

gcc disagrees and detected an actual overflow due to size mismatch.

Comment 5 Jakub Jelinek 2004-09-22 05:26:49 EDT

This is a GCC bug.

Comment 6 Kevin E. Martin 2004-09-22 10:13:06 EDT

Glad to hear that this is a GCC bug.  The xkbDoodadWireDesc is union
of five other stucts all of which are exactly 20 bytes long.  I would
have been surprised if this turned out to be a problem.

Note You need to log in before you can comment on or make changes to this bug.