Red Hat Bugzilla – Bug 132884
Xorg overflows its own stack.
Last modified: 2013-03-01 00:14:48 EST
Description of problem:
around line 243 has
xkbDoodadWireDesc * doodadWire;
which on first sight LOOKS ok but is not. SIZEOF() is not a macro
wrapper for sizeof() but it's actually a preprocessor wrapper where
the result is sc_xkbDoodadWireDesc, which is #define'd to 20 (on the
wire). However the in core struct is *SMALLER* than 20 bytes so this
bzero is corrupting memory beyond the end of the struct. The obvious
fix is to make this sizeof() not SIZEOF().
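As an added illustration, not code from the bug report or from the X server, a constructed type in the shape the thread describes (a union whose arms are all the same size), with a compile-time check that the protocol-level SIZEOF() agrees with the compiler's sizeof() before either is used to size a clear. demoWireDesc, the sz_ constants, the arm structs and demoShortDesc are all made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire-size constants: fixed by a protocol, not by the compiler.
   SIZEOF(x) pastes the name, as the report describes, so it is NOT sizeof(). */
#define sz_demoWireDesc  20
#define sz_demoShortDesc 20
#define SIZEOF(x) sz_##x

/* Constructed in-core union; both arms are exactly 20 bytes. */
typedef struct { uint8_t type; uint8_t pad[19]; } demoArmA;
typedef struct { uint8_t type; uint8_t flags; uint16_t v; uint32_t w[4]; } demoArmB;
typedef union  { demoArmA a; demoArmB b; } demoWireDesc;

/* Constructed counter-example: an in-core struct smaller than its wire size. */
typedef struct { uint8_t type; uint8_t pad[3]; } demoShortDesc;

/* Build-time guard: refuses to compile if the wire size and sizeof() diverge
   (array with negative length). This is the check the thread's discussion
   boils down to; it passes for demoWireDesc and would fail for demoShortDesc. */
typedef char wire_size_matches_core[(SIZEOF(demoWireDesc) == sizeof(demoWireDesc)) ? 1 : -1];

/* Bytes a SIZEOF()-driven bzero/memset would write past the end of the object.
   0 means the sizes agree and no overrun occurs. */
size_t overrun_bytes(size_t wire_size, size_t incore_size) {
    return wire_size > incore_size ? wire_size - incore_size : 0;
}

/* The fix the report proposes: size the clear by the object, never by the wire. */
void clear_desc(demoWireDesc *d) {
    memset(d, 0, sizeof *d);
}

int wire_matches_core(void) {
    return overrun_bytes(SIZEOF(demoWireDesc), sizeof(demoWireDesc)) == 0;
}

int short_desc_overrun(void) {
    return (int)overrun_bytes(SIZEOF(demoShortDesc), sizeof(demoShortDesc));
}

int main(void) {
    demoWireDesc d;
    clear_desc(&d);
    printf("wire %d, in-core %zu, overrun %zu bytes\n", SIZEOF(demoWireDesc),
           sizeof d, overrun_bytes(SIZEOF(demoWireDesc), sizeof d));
    printf("short struct: overrun would be %d bytes\n", short_desc_overrun());
    return 0;
}
```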
*** Bug 132882 has been marked as a duplicate of this bug. ***
Status update: We discussed this issue on today's team confcall and
Kevin indicated that he did a preliminary investigation of this in
which it seemed that there is no real overflow.
Further investigation is needed in order to be conclusive, and also
to determine what, if any, real actual security implications there are.
Setting FC3Target status for tracking. If further investigation
ends up concluding there is a real issue, we can raise this to
FC3Blocker and/or security update priority.
gcc disagrees and detected an actual overflow due to size mismatch.
This is a GCC bug.
Glad to hear that this is a GCC bug. The xkbDoodadWireDesc is a union
of five other structs all of which are exactly 20 bytes long. I would
have been surprised if this turned out to be a problem.