Bug 588346 - XineramaQueryScreens() from an X client on a big endian machine cause the Xserver to crash
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xorg-x11-server
5.5
All Linux
medium Severity medium
Assigned To: Adam Jackson
Desktop QE
: Patch, Triaged
Depends On:
Blocks: 726826
Reported: 2010-05-03 10:15 EDT by Olivier Fourdan
Modified: 2018-10-27 09:41 EDT
Doc Type: Bug Fix
Last Closed: 2012-02-20 22:10:39 EST


Attachments
proposed patch by spoyarek@redhat.com (1.12 KB, patch)
2010-05-03 10:15 EDT, Olivier Fourdan


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0303 normal SHIPPED_LIVE Low: xorg-x11-server security and bug fix update 2012-02-21 02:24:37 EST

Description Olivier Fourdan 2010-05-03 10:15:01 EDT
Created attachment 411011
proposed patch by spoyarek@redhat.com

Description of problem:

When an X client running on a big endian system (e.g. SPARC/Solaris) does a XineramaQueryScreens(), the X server crashes.

Version-Release number of selected component (if applicable):

xorg-x11-server-Xnest-1.1.1-48.76.el5

How reproducible:

Always

Steps to Reproduce:
1. From a Red Hat Enterprise Linux X server, log in via ssh to a Solaris/SPARC machine
2. Run an application that does a XineramaQueryScreens()
  
Actual results:

The X server crashes

Expected results:

The X server does not crash

Additional info:

This is due to the swap of bytes that is done when dealing with a big endian client.

In Procxf86XineramaQueryScreens() from hw/xfree86/modes/xf86Xinerama.c :

268 int
269 Procxf86XineramaQueryScreens(ClientPtr client)
270 {
271     xXineramaQueryScreensReply  rep;
272     ScreenPtr   pScreen = screenInfo.screens[xf86_XINERAMA_SCREEN];
273     ScrnInfoPtr         scrn = xf86Screens[pScreen->myNum];
274     xf86CrtcConfigPtr   xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
275 
276     REQUEST_SIZE_MATCH(xXineramaQueryScreensReq);
277 
278     rep.type = X_Reply;
279     rep.sequenceNumber = client->sequence;
280     rep.number = xf86XineramaScreenCount (pScreen);
281     rep.length = rep.number * sz_XineramaScreenInfo >> 2;
282     if(client->swapped) {
283         register int n;
284         swaps(&rep.sequenceNumber, n);
285         swapl(&rep.length, n);
286         swapl(&rep.number, n);
287     }
288     WriteToClient(client, sizeof(xXineramaQueryScreensReply), (char *)&rep);
289 
290     if(rep.number) {
291         xXineramaScreenInfo scratch;
292         int i;
293 
294         for(i = 0; i < rep.number; i++) {
295             xf86CrtcPtr crtc = xf86_config->crtc[i];

So the value of rep.number we use on line 294 has had its bytes swapped on line 286, causing "i" to go way beyond the value initially returned by xf86XineramaScreenCount() on line 280 and crashing the X server.

The fix proposed by Siddhesh Poyarekar is to save the actual value of "rep.number" before performing the byte swap so it can be reused later in the code.
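
The swap-then-reuse pattern described in the report, next to the save-before-swap fix, as an added example that is not part of the original report or the attached patch. The reply_t struct, the helper names and the SZ_SCREEN_INFO value of 8 are stand-ins assumed for illustration; the sample screen count of 2 is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SZ_SCREEN_INFO 8u   /* assumed stand-in for sz_XineramaScreenInfo */

/* Constructed stand-in for the reply fields the report discusses. */
typedef struct {
    uint16_t sequenceNumber;
    uint32_t length;
    uint32_t number;
} reply_t;

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Fill the reply; swap the fields in place for an opposite-endian client. */
static void fill_reply(reply_t *rep, uint16_t seq, uint32_t count, int swapped) {
    rep->sequenceNumber = seq;
    rep->number = count;
    rep->length = rep->number * SZ_SCREEN_INFO >> 2;
    if (swapped) {
        rep->sequenceNumber = bswap16(rep->sequenceNumber);
        rep->length = bswap32(rep->length);
        rep->number = bswap32(rep->number);
    }
}

/* Pattern from the report: loop bound re-read from the swapped wire field. */
uint32_t loop_bound_buggy(reply_t *rep, uint32_t count, int swapped) {
    fill_reply(rep, 1, count, swapped);
    return rep->number;          /* would be used as "i < rep.number" */
}

/* Fix described in the report: keep a host-order copy taken before the swap. */
uint32_t loop_bound_fixed(reply_t *rep, uint32_t count, int swapped) {
    uint32_t number = count;     /* host-order value, never swapped */
    fill_reply(rep, 1, count, swapped);
    return number;               /* the wire field in *rep is still swapped */
}

int main(void) {
    reply_t rep;
    printf("buggy bound: %u\n", (unsigned)loop_bound_buggy(&rep, 2, 1));
    printf("fixed bound: %u, wire number: 0x%08x\n",
           (unsigned)loop_bound_fixed(&rep, 2, 1), (unsigned)rep.number);
    return 0;
}
```

With two screens and a swapped client, the buggy bound becomes 0x02000000 iterations over an array sized for two entries, while the fixed variant iterates twice and still sends the swapped count on the wire.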
Comment 2 RHEL Product and Program Management 2010-09-29 12:47:24 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2011-05-31 11:35:45 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 7 Adam Jackson 2011-08-18 10:09:18 EDT
Built in xorg-x11-server-1.1.1-48.84.el5

MODIFIED
Comment 11 errata-xmlrpc 2012-02-20 22:10:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0303.html
