Bug 12299 - swap_char2b() Heap Overflow Vulnerability [CVE-2007-4990]
Summary: swap_char2b() Heap Overflow Vulnerability [CVE-2007-4990]
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: App/xfs (show other bugs)
Version: 7.2 (2007.02)
Hardware: All All
Importance: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2007-09-05 23:38 UTC by Matthieu Herrb
Modified: 2007-12-10 21:31 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
iDefense draft (3.19 KB, text/plain)
2007-09-05 23:38 UTC, Matthieu Herrb
proposed patch (1.14 KB, patch)
2007-09-06 10:31 UTC, Matthieu Herrb
update version of patch (1.15 KB, patch)
2007-09-06 13:51 UTC, Matthieu Herrb
reproducer (1.07 KB, text/plain)
2007-09-11 02:25 UTC, Matthieu Herrb

Description Matthieu Herrb 2007-09-05 23:38:10 UTC
iDefense has sent us the attached draft advisory.
A first look at the code seems to confirm the problem.
Patch should not be too hard. Looking at it.
Again probably not a blocker for 7.3 release.
Comment 1 Matthieu Herrb 2007-09-05 23:38:42 UTC
Created attachment 11444 [details]
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:31:38 UTC
Created attachment 11451 [details] [review]
proposed patch

Someone with more knowledge of the FS protocol should check the values I used in the consistency tests? I'm not sure they are ok and haven't tried to validate them at run time...
Comment 3 Matthieu Herrb 2007-09-06 13:51:41 UTC
Created attachment 11454 [details] [review]
update version of patch

I did some experiments myself. 
With proper expression grouping the code now looks correct to me.
Comment 4 Matthieu Herrb 2007-09-06 14:41:19 UTC
Both issues (#12298 and this one) share CVE-2007-4568
Comment 5 Daniel Stone 2007-09-08 18:52:48 UTC
CCing Guillem Jover, the xfstt maintainer.
Comment 6 Guillem Jover 2007-09-09 17:55:15 UTC
(In reply to comment #3)
> Created an attachment (id=11454) [details]
> update version of patch
> 
> I did some experiments myself. 
> With proper expression grouping the code now looks correct to me.

The patch seems fine, that's mostly what is being done in xfstt. You could use sz_fsQueryXExtents8Req and sz_fsQueryXBitmaps8Req instead of the SIZEOF, but I've not checked if those are used in the rest of the code base.
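The consistency test discussed in comments 2 and 6 boils down to one rule: the number of fsChar2b entries the server byte-swaps must be derived from the bytes it actually received, not from a count the client wrote into the request header. The following is an added illustration written for this page, not the xfs patch or xfstt's code. The struct layouts (a 12-byte header with a 4-byte-unit length field, a range flag and a num_items count, followed by two-byte characters) and all function names are simplified assumptions chosen to mirror the QueryXExtents16 shape described in this bug; the real FSproto definitions differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified layouts assumed for this example (not the real xfs/FSproto
 * definitions). As in the X Font Service protocol, the request length is
 * counted in 4-byte units and a 16-bit character occupies two bytes. */
typedef struct { uint8_t high, low; } char2b;

typedef struct {
    uint8_t  reqType;
    uint8_t  range;      /* nonzero: num_items counts ranges (2 char2b each) */
    uint16_t length;     /* whole request, in 4-byte units */
    uint32_t fid;
    uint32_t num_items;  /* client-supplied count of chars or ranges */
} extents16_req;         /* immediately followed by the char2b array */

/* The swap_char2b() pattern: exchange the two bytes of each character. */
void swap_char2b_example(char2b *values, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        uint8_t c = values[i].low;
        values[i].low = values[i].high;
        values[i].high = c;
    }
}

/* Vulnerable pattern: the element count is taken from the header alone.
 * Nothing relates it to how many bytes the server actually received, so a
 * client can make the swap loop run past the end of the request buffer. */
size_t unchecked_count(uint8_t range, uint32_t num_items)
{
    return (size_t)num_items * (range ? 2 : 1);
}

/* Hardened: derive how many char2b fit in the bytes received and reject a
 * header that claims more. Returns -1 for an inconsistent request. */
long checked_count(const uint8_t *buf, size_t received)
{
    extents16_req req;
    if (received < sizeof req) return -1;
    memcpy(&req, buf, sizeof req);
    if ((size_t)req.length * 4 != received) return -1;   /* length field lies */
    size_t avail = (received - sizeof req) / sizeof(char2b);
    size_t per_item = req.range ? 2 : 1;
    if (req.num_items > avail / per_item) return -1;     /* divide: no overflow */
    return (long)(req.num_items * per_item);
}

/* Swap in place only after the count has been validated. */
long swap_request_chars(uint8_t *buf, size_t received)
{
    long n = checked_count(buf, received);
    if (n < 0) return -1;
    swap_char2b_example((char2b *)(buf + sizeof(extents16_req)), (size_t)n);
    return n;
}

/* Build a constructed request: `claimed_items` goes into the header while
 * only `actual_chars` characters are really appended (padded to 4 bytes). */
size_t build_request(uint8_t *out, size_t cap, uint8_t range,
                     uint32_t claimed_items, size_t actual_chars)
{
    size_t total = (sizeof(extents16_req) + actual_chars * sizeof(char2b) + 3) & ~(size_t)3;
    if (total > cap || total / 4 > UINT16_MAX) return 0;
    memset(out, 0, total);
    extents16_req req = { 1, range, (uint16_t)(total / 4), 0x42, claimed_items };
    memcpy(out, &req, sizeof req);
    for (size_t i = 0; i < actual_chars; i++) {             /* sample chars */
        out[sizeof req + 2 * i]     = (uint8_t)(0x10 + i);  /* high */
        out[sizeof req + 2 * i + 1] = (uint8_t)(0xA0 + i);  /* low  */
    }
    return total;
}

/* Run one scenario: result of the checked swap, or -2 if building failed. */
long scenario(uint8_t range, uint32_t claimed_items, size_t actual_chars)
{
    uint8_t buf[64];
    size_t n = build_request(buf, sizeof buf, range, claimed_items, actual_chars);
    return n ? swap_request_chars(buf, n) : -2;
}

/* First character of a consistent request after swapping: 0x10,0xA0 -> 0xA0,0x10. */
int first_char_after_swap(void)
{
    uint8_t buf[64];
    size_t n = build_request(buf, sizeof buf, 0, 2, 2);
    if (swap_request_chars(buf, n) != 2) return -1;
    return (buf[sizeof(extents16_req)] << 8) | buf[sizeof(extents16_req) + 1];
}

int main(void)
{
    printf("consistent request: swapped %ld chars\n", scenario(0, 2, 2));
    printf("header claims 1000 chars, 2 sent: unchecked loop count %zu, checked result %ld\n",
           unchecked_count(0, 1000), scenario(0, 1000, 2));
    return 0;
}
```

The check divides the available byte count rather than multiplying the client's count, so a huge num_items cannot wrap the comparison; it also insists that the request's own length field agrees with the bytes read, since a request that passed the outer dispatcher with a short length and a large count is exactly the shape the reproducer in this bug sends.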
Comment 7 Matthieu Herrb 2007-09-11 02:25:51 UTC
Created attachment 11503 [details]
reproducer

Simple program to reproduce the problem in QueryExtents16

tfs2 localhost:7100 hello
Comment 8 Matthieu Herrb 2007-09-21 00:51:55 UTC
(In reply to comment #4)
> Both issues (#12298 and this one) share CVE-2007-4568
> 

iDefense has allocated a new ID for this one : CVE-2007-4990
Comment 9 Matthieu Herrb 2007-10-02 10:21:01 UTC
Fixed in commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32
Public now

