Bug 56508

Summary: 4-byte buffer overflow in MakeBigReq
Product: xorg
Reporter: Karl Tomlinson <bugs.freedesktop>
Component: Lib/Xlib
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
CC: peter.hutterer, xorg_security
Version: unspecified
Keywords: patch, security
Hardware: Other
OS: All
Attachments: don't memmove the last word (flags: none)

Description Karl Tomlinson 2012-10-29 04:48:24 UTC
Created attachment 69207: don't memmove the last word

MakeBigReq() needs to make the request one 32-bit word larger (to squeeze in a larger length value).  It saves the last word in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves every word in the request after the first word.  That is one too many words.  One overflows (in certain situations).
Comment 1 Karl Tomlinson 2012-10-29 04:52:51 UTC
As this is a macro, of course all libraries that use the macro or SetReqLen to create large requests will need to be recompiled.
Comment 2 Karl Tomlinson 2012-10-29 04:54:53 UTC
The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Comment 3 Peter Hutterer 2013-02-18 01:19:30 UTC
Confirmed and I have a reliable reproducer here. Requirement for the overrun is that the fixed-length bit of the request is aligned at the end of the dpy buffer.
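The following is an added illustration, not libX11's code and not the attached patch: a simplified model of the transform the description outlines (insert a 32-bit length word after the header word, set the last word aside, shift the words in between), with the shift count written both the way the report says the macro did it and the way it should be done. A bounds check on the shift catches the off-by-one instead of performing it, and the demo places the request flush against the end of a small buffer, which is the condition comment 3 names. The buffer size, the header-word layout (16-bit length field modelled in the upper half, host order), and the sample request words are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_WORDS 8                 /* constructed: tiny output buffer */

typedef struct {
    uint32_t words[BUF_WORDS];
    size_t used;                    /* words currently occupied */
} ReqBuf;

/* Words that must shift up by one when a length word is inserted after the
   header word. With the last word set aside (as the report says _BRdat does),
   only words 1..n-2 move, i.e. n-2 words. The reported defect moved n-1. */
size_t words_to_move(size_t req_words, int buggy)
{
    return buggy ? req_words - 1 : req_words - 2;
}

/* Model of the big-request transform for a request occupying
   words [start, start+req_words), which must be the last thing in the buffer.
   Returns 0 on success, -1 if the shift would write past the buffer. */
int make_big_req(ReqBuf *b, size_t start, size_t req_words, uint32_t big_len,
                 int buggy, uint32_t *saved_last)
{
    if (req_words < 2 || start + req_words != b->used)
        return -1;
    size_t n = words_to_move(req_words, buggy);
    size_t src = start + 1, dst = start + 2;
    if (dst + n > BUF_WORDS)
        return -1;                                /* the 4-byte overrun, caught */
    *saved_last = b->words[start + req_words - 1];
    memmove(&b->words[dst], &b->words[src], n * sizeof(uint32_t));
    b->words[start] &= 0x0000ffffu;               /* modelled length field -> 0 */
    b->words[start + 1] = big_len;                /* extended 32-bit length */
    b->used = start + req_words;                  /* last word still pending */
    return 0;
}

/* Append the set-aside word with a bufmax-style check; -1 means a flush
   would be required first (the situation the report's Data32 path handles). */
int append_word(ReqBuf *b, uint32_t w)
{
    if (b->used >= BUF_WORDS)
        return -1;
    b->words[b->used++] = w;
    return 0;
}

/* Constructed scenario: a 4-word request ending exactly at the buffer end. */
static void fill_end_aligned(ReqBuf *b)
{
    static const uint32_t req[4] = { 0x00040011u, 0xAAAAAAAAu, 0xBBBBBBBBu, 0xCCCCCCCCu };
    memset(b, 0, sizeof *b);
    memcpy(&b->words[BUF_WORDS - 4], req, sizeof req);
    b->used = BUF_WORDS;
}

/* Status of the transform on the end-aligned request: -1 for the buggy count
   (overrun detected), 0 for the correct count. */
int demo_status(int buggy)
{
    ReqBuf b; uint32_t saved;
    fill_end_aligned(&b);
    return make_big_req(&b, BUF_WORDS - 4, 4, 0x12345678u, buggy, &saved);
}

/* 1 if the correct transform leaves header, length word, shifted words and
   the set-aside word where expected, and the final append requires a flush. */
int correct_layout_ok(void)
{
    ReqBuf b; uint32_t saved = 0;
    fill_end_aligned(&b);
    if (make_big_req(&b, 4, 4, 0x12345678u, 0, &saved) != 0) return 0;
    return b.words[4] == 0x00000011u && b.words[5] == 0x12345678u &&
           b.words[6] == 0xAAAAAAAAu && b.words[7] == 0xBBBBBBBBu &&
           saved == 0xCCCCCCCCu && append_word(&b, saved) == -1;
}

int main(void)
{
    printf("buggy count: %s\n", demo_status(1) == -1 ? "overrun caught" : "ok");
    printf("fixed count: %s, layout %s\n", demo_status(0) == 0 ? "ok" : "error",
           correct_layout_ok() ? "ok" : "wrong");
    return 0;
}
```

With the buggy count the shift of three words from index 5 to index 6 would touch index 8, one word past the buffer; with the corrected count it stops at index 7 and the set-aside word is handed to the bufmax-checked append, which here reports that a flush is needed rather than writing out of bounds.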
Comment 4 Alan Coopersmith 2013-03-09 01:44:21 UTC
Patch pushed to git master:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
