| Summary: | out of bounds memory read in fbBltOne() | ||
|---|---|---|---|
| Product: | xorg | Reporter: | Matthieu Herrb <matthieu.herrb> |
| Component: | Server/General | Assignee: | Xorg Project Team <xorg-team> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | high | CC: | billy.biggs, djm, eich, keithp, kettenis, sndirsch |
| Version: | 6.8.2 | ||
| Hardware: | x86 (IA32) | ||
| OS: | OpenBSD | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Bug Depends on: | |||
| Bug Blocks: | 1690 | ||
| Attachments: | |||
|
Description
Matthieu Herrb
2005-07-20 09:33:09 UTC
Created attachment 3111 [details] [review] genius-KB19eNB I've marked with <--- the address (src value) that is out of bounds. Bump the severity a bit, since this really makes the X server almost unusable on recent OpenBSD. src is a 19x10x1 pixmap. It is exactly 40 bytes long, starting at 0x86f83fd8. It happens to be just at the end of a page. When X segfaults, it was trying to access the adress 0x86f84000 which is one byte after the end of the pixmap, which is on a different page that, with the new OpenBSD malloc, is not readable as the following procmap excerpt shows it: 0x86f83000 0x86f84000 rw- COW NNC 1 0 0 0x86f84000 0x86f85000 --- COW NNC 1 0 0 One of the OpenBSD developpers, Thierry Deval, tried to analyse the problem. Here are his words: I'm pretty sure the X bug is in the LoadBits macro (at least that's where it crashes). Indeed, if leftShift != 0 and the number of significant bits to move is less than the remaining shifted word (i.e. rightShift), we don't need to complete the pattern with the next word. The diff I propose may not necessarily be the best, but seems to render my X and FireFox use more stable. Well, I'm running for several hours only, so I must test further... Created attachment 3160 [details]
Xorg logfile
looks reasonable to me, adding to the block list so we get more eyes on it. I got several reports that the proposed patch is wrong. It's causing corruption, specifically in text entry fields in firefox. Someone with more knowledge on fb internals really needs to look at this. Created attachment 2877 [details]
Standalone testcase for the bug; link with /usr/X11R6/lib/modules/libfb.a
Created attachment 2878 [details] [review] Patch that fixes the problem *** Bug 4069 has been marked as a duplicate of this bug. *** Created attachment 3097 [details]
Standalone testcase for the fbBlt() bug; link with /usr/X11R6/lib/modules/libfb.a
Created attachment 3098 [details] [review] Patch that fixes the fbBlt() problem Found a rather similar bug in fbBlt() (by code inspection). Again there is a potential read past the end of a buffer. The fix here is a bit more elegant though. Keith, sorry for pestering you with so many bugs. But maybe you want to comment. Latest patches from Mark commited. Several weeks of use under OpenBSD have not revelaed any new problems. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.