Bug 132884 - Xorg overflows it's own stack.
Xorg overflows it's own stack.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: xorg-x11 (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Brian Stein
David Lawrence
:
: 132882 (view as bug list)
Depends On:
Blocks: FC3Target
  Show dependency treegraph
 
Reported: 2004-09-18 14:00 EDT by Brian Stein
Modified: 2013-03-01 00:14 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-22 05:26:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Arjan van de Ven 2004-09-18 14:00:57 EDT
Description of problem:

sc/lib/X11/XKBSetGeom.c
around line 243 has

xkbDoodadWireDesc *     doodadWire;
...
        bzero(doodadWire,SIZEOF(xkbDoodadWireDesc));

which on first sight LOOKS ok but is not. SIZEOF() is not a macro
wrapper for sizeof() but it's actually a preprocessor wrapper where
the result is sc_xkbDoodadWireDesc, which is #define'd to 20 (on the
wire). However the in core struct is *SMALLER* than 20 bytes so this
bzero is corrupting memory beyond the end of the struct. The obvious
fix is to make this sizeof() not SIZEOF()
Comment 1 Warren Togami 2004-09-18 23:12:41 EDT
*** Bug 132882 has been marked as a duplicate of this bug. ***
Comment 3 Mike A. Harris 2004-09-21 21:48:36 EDT
Status update:  We discussed this issue on today's team confcall and
Kevin indicated that he did a preliminary investigation of this in
which it seemed that there is no real overflow.

Further investigation is needed in order to be conclusive, and also
to determine what if any real actual security implications there are
if any.

Setting FC3Target status for tracking.  If further investigation
ends up concluding there is a real issue, we can raise this to
FC3Blocker and/or security update priority.
Comment 4 Arjan van de Ven 2004-09-22 02:33:09 EDT
gcc disagrees and detected an actual overflow due to size mismatch.
Comment 5 Jakub Jelinek 2004-09-22 05:26:49 EDT
This is a GCC bug.
Comment 6 Kevin E. Martin 2004-09-22 10:13:06 EDT
Glad to hear that this is a GCC bug.  The xkbDoodadWireDesc is union
of five other stucts all of which are exactly 20 bytes long.  I would
have been surprised if this turned out to be a problem.

Note You need to log in before you can comment on or make changes to this bug.