| Summary: | XInput Extension Memory Corruption Vulnerability | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | xorg | Reporter: | Matthieu Herrb <matthieu.herrb> | ||||||||||
| Component: | Security | Assignee: | X.Org Security <xorg_security> | ||||||||||
| Status: | RESOLVED FIXED | QA Contact: | X.Org Security <xorg_security> | ||||||||||
| Severity: | normal | ||||||||||||
| Priority: | medium | CC: | jcristau, sndirsch | ||||||||||
| Version: | 7.3 (2007.09) | ||||||||||||
| Hardware: | Other | ||||||||||||
| OS: | All | ||||||||||||
| Whiteboard: | |||||||||||||
| i915 platform: | i915 features: | ||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Matthieu Herrb
2007-12-04 12:58:41 UTC
Created attachment 12942 [details]
Draft advisory
Created attachment 13025 [details] [review] Proposed but untested patch This patch is intended to both fix the reported issue, and the problem of swapping twice as far as the end of the request on 64-bit machines, when the code uses a pointer of type "long" to iterate over the CARD32's (which could at least lead to a denial-of-service, if not a full exploit). Created attachment 13095 [details] [review] backport to XFree86 and Xorg 6.8 I've backported this across register removals.. Created attachment 13246 [details]
Testcase
Testcase for 7 of the 8 modified calls (only tests the initial issue, not the
long vs. CARD32 on 64-bit platforms).
IMPORTANT: test case must be built and run on a machine of opposite endianness
of the system under test - for example, when testing X server on x86, run
testcase on a SPARC machine.
To test, run:
./testcase-13522 -1
./testcase-13522 -2
./testcase-13522 -3
./testcase-13522 -4
./testcase-13522 -5
./testcase-13522 -6
./testcase-13522 -7
Without the fix, the X server crashes, with it, for all the above it should
print:
TEST PASSED: illegal call returned BadLength
Patch has been committed dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 and this is public now. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.