Bug 1914

Summary: size limit for -fp argument
Product: xorg
Reporter: Alexander Gottwald <ago>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: high
CC: alan.coopersmith, eich, roland.mainz
Version: git
Hardware: x86 (IA32)
OS: All
Whiteboard:
i915 platform:
i915 features:
Bug Depends on:
Bug Blocks: 1802
Attachments: proposed patch (Flags: roland.mainz: 6.8-branch-)

Description Alexander Gottwald 2004-11-24 06:31:31 UTC
The xserver has length checks for all commandline arguments including the
argument to -fp. The fontpath can be quite long and the limit of 256 characters
is reached quite fast.
Comment 1 Alexander Gottwald 2004-11-24 06:34:46 UTC
Created attachment 1365
proposed patch

The patch checks for "-fp" as argument and skips the length check for "-fp" and
the next argument and continues with the check of the argument for unprintable
characters.
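
A sketch of the check described in Comment 1, added here as an illustration; it is not the attached patch or the X server's own code. The names `check_args`, `check_one` and `ARG_LIMIT` are hypothetical, and the 256-character limit from the report is assumed to be a maximum length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ARG_LIMIT 256   /* hypothetical name; 256 is the limit quoted in the report */

enum arg_status { ARG_OK = 0, ARG_TOO_LONG, ARG_UNPRINTABLE };

/* Check one argument; skip_length is set for "-fp" and the font path after it. */
static enum arg_status check_one(const char *arg, int skip_length)
{
    const unsigned char *p;
    if (!skip_length && strlen(arg) > ARG_LIMIT)
        return ARG_TOO_LONG;
    for (p = (const unsigned char *)arg; *p; p++)
        if (!isprint(*p))          /* still applied to the font path */
            return ARG_UNPRINTABLE;
    return ARG_OK;
}

/* Walk argv[1..]; on failure return the status and store the index in *bad. */
enum arg_status check_args(int argc, char **argv, int *bad)
{
    int i, exempt = 0;             /* arguments still excused from the length check */

    for (i = 1; i < argc; i++) {
        enum arg_status st;
        if (exempt == 0 && strcmp(argv[i], "-fp") == 0)
            exempt = 2;            /* "-fp" itself plus its value */
        st = check_one(argv[i], exempt > 0);
        if (exempt > 0)
            exempt--;
        if (st != ARG_OK) {
            *bad = i;
            return st;
        }
    }
    return ARG_OK;
}

int main(void)
{
    static char path[1001];        /* constructed sample: 1000-byte font path */
    char *argv[] = { "X", "-fp", path, NULL };
    int bad = 0;
    memset(path, 'a', sizeof path - 1);
    printf("status=%d\n", check_args(3, argv, &bad));
    return 0;
}
```

Only the length test is relaxed for the font path; every other argument keeps the limit, and whatever later consumes the font path string has to cope with arbitrary length.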
Comment 2 Roland Mainz 2004-11-24 14:27:41 UTC
Nice catch (I remember that Sun staff hit the same problem a while ago but I
don't know whether they made a patch to cure the problem) :)
Comment 3 Alexander Gottwald 2004-11-25 04:51:29 UTC
/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.544; previous revision: 1.543
/cvs/xorg/xc/programs/Xserver/os/utils.c,v  <--  utils.c
new revision: 1.10; previous revision: 1.11

fixed in HEAD
Comment 4 Alexander Gottwald 2004-11-25 04:57:02 UTC
/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.369.2.4; previous revision: 1.369.2.3
/cvs/xorg/xc/programs/Xserver/os/utils.c,v  <--  utils.c
new revision: 1.1.4.3.2.5; previous revision: 1.1.4.3.2.4

fixed in CYGWIN
Comment 5 Alan Coopersmith 2004-12-03 10:45:37 UTC
Yes, we hit this when setting up our VSW5 scripts to run with Xorg, but we
didn't patch it, just changed the scripts to put the font path settings in
xorg.conf instead of passing them on the command line.
Comment 6 Egbert Eich 2004-12-07 10:41:25 UTC
I wonder if this may create a security problem.
Doing away with the test means that one can pass an arbitrarily long argument to
-fp.
There must have been a reason that we were so restrictive on the argument length.
Comment 7 Alexander Gottwald 2004-12-13 08:12:49 UTC
The pointer to the -fp argument is directly assigned to defaultFontPath which is
handled in dix/dixfonts.c(SetDefaultFontPath). The code there can handle strings
of arbitrary length. The result is the fontpath string split on "," which is
passed on to SetFontPathElements. If there are size restrictions later on then
it could be exploited with xset -fp too.
Comment 8 Roland Mainz 2004-12-14 11:52:08 UTC
Comment on attachment 1365
proposed patch

Approval for X11R6.8.x stable branch DENIED in the 2004-12-13 release-wranglers
phone call as the possible security side-effects need to be figured out first
(e.g. all consumers of this code need to be audited for security issues).
