Bug 12299

Summary: swap_char2b() Heap Overflow Vulnerability [CVE-2007-4990]
Product: xorg
Component: App/xfs
Version: 7.2 (2007.02)
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Keywords: security
Reporter: Matthieu Herrb <matthieu.herrb>
Assignee: X.Org Security <xorg_security>
QA Contact: X.Org Security <xorg_security>
CC: dberkholz, guillem, thomas

Attachments:
iDefense draft
proposed patch
update version of patch
reproducer

Description Matthieu Herrb 2007-09-05 23:38:10 UTC
iDefense has sent us the attached draft advisory.
A first look at the code seems to confirm the problem.
Patch should not be too hard. Looking at it.
Again probably not a blocker for 7.3 release.
Comment 1 Matthieu Herrb 2007-09-05 23:38:42 UTC
Created attachment 11444 [details]
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:31:38 UTC
Created attachment 11451 [details] [review]
proposed patch

Someone with more knowledge of the FS protocol should check the values I used in the consistency tests? I'm not sure they are OK and haven't tried to validate them at run time.
Comment 3 Matthieu Herrb 2007-09-06 13:51:41 UTC
Created attachment 11454 [details] [review]
update version of patch

I did some experiments myself. 
With proper expression grouping the code now looks correct to me.
Comment 4 Matthieu Herrb 2007-09-06 14:41:19 UTC
Both issues (#12298 and this one) share CVE-2007-4568
Comment 5 Daniel Stone 2007-09-08 18:52:48 UTC
CCing Guillem Jover, the xfstt maintainer.
Comment 6 Guillem Jover 2007-09-09 17:55:15 UTC
(In reply to comment #3)
> Created an attachment (id=11454) [details]
> update version of patch
> 
> I did some experiments myself. 
> With proper expression grouping the code now looks correct to me.

The patch seems fine, that's mostly what is being done in xfstt. You could use sz_fsQueryXExtents8Req and sz_fsQueryXBitmaps8Req instead of the SIZEOF, but I've not checked if those are used in the rest of the code base.
Comment 7 Matthieu Herrb 2007-09-11 02:25:51 UTC
Created attachment 11503 [details]
reproducer

Simple program to reproduce the problem in QueryExtents16

tfs2 localhost:7100 hello
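The length-consistency check discussed in comments 2, 3 and 6, together with the kind of inconsistent QueryXExtents16 request the reproducer in comment 7 sends, as an added example in C. This is not xfs's code and not the patch attached to this bug. It assumes a 12-byte request header (reqType, range flag, length in 4-byte units, fid, num_ranges) followed by 2-byte fsChar2b entries, with two entries per range when the range flag is set and the request padded to a multiple of 4 bytes; the names sz_fsQueryXExtents16Req, fsChar2b and swap_char2b mirror FSproto.h and xfs but are redefined locally, the opcode byte and font id are placeholder values, and the sample requests are constructed inline. unchecked_overrun_bytes() models the pre-fix behaviour arithmetically instead of performing the out-of-bounds writes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1 };

/* Assumed header layout, 12 bytes: reqType(1) range(1) length(2) fid(4) num_ranges(4) */
#define sz_fsQueryXExtents16Req 12
typedef struct { uint8_t high, low; } fsChar2b;

static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t swap32(uint32_t v) {
    return (v << 24) | ((v << 8) & 0x00ff0000u) | ((v >> 8) & 0x0000ff00u) | (v >> 24);
}
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Model of swap_char2b(): swap the two bytes of count fsChar2b entries in place. */
static void swap_char2b(uint8_t *p, size_t count) {
    for (size_t i = 0; i < count; i++) {
        uint8_t t = p[2 * i]; p[2 * i] = p[2 * i + 1]; p[2 * i + 1] = t;
    }
}

/* Bytes the request claims to occupy, from the (still peer-ordered) length field. */
static size_t claimed_bytes(const uint8_t *buf) { return (size_t)swap16(get16(buf + 2)) << 2; }

/* fsChar2b entries num_ranges implies: one per char, two per range. */
static uint64_t entry_count(const uint8_t *buf) {
    uint64_t n = swap32(get32(buf + 8));
    return buf[1] ? n * 2 : n;
}

/* Hardened handler: num_ranges must agree with the request length before anything is swapped. */
static int sproc_query_xextents16(uint8_t *buf, size_t buflen) {
    if (buflen < sz_fsQueryXExtents16Req) return REQ_BAD_LENGTH;
    size_t req_bytes = claimed_bytes(buf);
    uint64_t n = entry_count(buf);
    uint64_t need = sz_fsQueryXExtents16Req + n * sizeof(fsChar2b);
    uint64_t padded = (need + 3) & ~(uint64_t)3;
    if (padded != req_bytes || req_bytes > buflen) return REQ_BAD_LENGTH;
    put16(buf + 2, swap16(get16(buf + 2)));
    put32(buf + 4, swap32(get32(buf + 4)));
    put32(buf + 8, swap32(get32(buf + 8)));
    swap_char2b(buf + sz_fsQueryXExtents16Req, (size_t)n);
    return REQ_OK;
}

/* Pre-fix behaviour, modelled without writing: bytes past the end of buf that a
 * swap_char2b() driven only by num_ranges would touch. */
static uint64_t unchecked_overrun_bytes(const uint8_t *buf, size_t buflen) {
    uint64_t end = sz_fsQueryXExtents16Req + entry_count(buf) * sizeof(fsChar2b);
    return end > buflen ? end - buflen : 0;
}

/* Constructed request as a client of opposite byte order would send it; the
 * length field and num_ranges are supplied separately so they can be made to lie. */
static size_t build_request(uint8_t *out, size_t cap, uint32_t num_ranges, int range,
                            const fsChar2b *chars, size_t nchars, uint16_t length_units) {
    size_t total = sz_fsQueryXExtents16Req + nchars * sizeof(fsChar2b);
    size_t padded = (total + 3) & ~(size_t)3;
    if (padded > cap) return 0;
    memset(out, 0, padded);
    out[0] = 4;                      /* placeholder opcode, not the real FS value */
    out[1] = (uint8_t)range;
    put16(out + 2, swap16(length_units));
    put32(out + 4, swap32(0x1234u)); /* placeholder font id */
    put32(out + 8, swap32(num_ranges));
    for (size_t i = 0; i < nchars; i++) {      /* entries in the peer's byte order */
        out[12 + 2 * i] = chars[i].low;
        out[13 + 2 * i] = chars[i].high;
    }
    return padded;
}

int main(void) {
    uint8_t buf[64];
    fsChar2b chars[2] = { {0x00, 0x41}, {0x00, 0x42} };
    size_t n = build_request(buf, sizeof buf, 2, 0, chars, 2, 4);
    printf("honest request: rc=%d\n", sproc_query_xextents16(buf, n));
    n = build_request(buf, sizeof buf, 0x1000, 0, chars, 2, 4);
    printf("num_ranges=0x1000 in 16 bytes: unchecked swap overruns by %llu bytes, rc=%d\n",
           (unsigned long long)unchecked_overrun_bytes(buf, n), sproc_query_xextents16(buf, n));
    return 0;
}
```

The check is done on the peer-ordered fields before the header is swapped, so a rejected request leaves the buffer untouched; the 16-byte request carrying num_ranges=0x1000 is exactly the shape that would drive an unchecked swap_char2b() thousands of bytes past the end of the request buffer.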
Comment 8 Matthieu Herrb 2007-09-21 00:51:55 UTC
(In reply to comment #4)
> Both issues (#12298 and this one) share CVE-2007-4568
> 

iDefense has allocated a new ID for this one : CVE-2007-4990
Comment 9 Matthieu Herrb 2007-10-02 10:21:01 UTC
Fixed in commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32
Public now
