Bug 12299 - swap_char2b() Heap Overflow Vulnerability [CVE-2007-4990]
Summary: swap_char2b() Heap Overflow Vulnerability [CVE-2007-4990]
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: App/xfs
Version: 7.2 (2007.02)
Hardware: All All
: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2007-09-05 23:38 UTC by Matthieu Herrb
Modified: 2007-12-10 21:31 UTC
CC: 3 users

See Also:
i915 platform:
i915 features:


Attachments
iDefense draft (3.19 KB, text/plain) - 2007-09-05 23:38 UTC, Matthieu Herrb
proposed patch (1.14 KB, patch) - 2007-09-06 10:31 UTC, Matthieu Herrb
update version of patch (1.15 KB, patch) - 2007-09-06 13:51 UTC, Matthieu Herrb
reproducer (1.07 KB, text/plain) - 2007-09-11 02:25 UTC, Matthieu Herrb

Description Matthieu Herrb 2007-09-05 23:38:10 UTC
iDefense has sent us the attached draft advisory.
A first look at the code seems to confirm the problem.
Patch should not be too hard. Looking at it.
Again probably not a blocker for 7.3 release.
Comment 1 Matthieu Herrb 2007-09-05 23:38:42 UTC
Created attachment 11444 [details]
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:31:38 UTC
Created attachment 11451 [details] [review]
proposed patch

Someone with more knowledge of the FS protocol should check the values I used in the consistency tests? I'm not sure they are ok and haven't tried to validate them at run time...
Comment 3 Matthieu Herrb 2007-09-06 13:51:41 UTC
Created attachment 11454 [details] [review]
update version of patch

I did some experiments myself. 
With proper expression grouping the code now looks correct to me.
Comment 4 Matthieu Herrb 2007-09-06 14:41:19 UTC
Both issues (#12298 and this one) share CVE-2007-4568
Comment 5 Daniel Stone 2007-09-08 18:52:48 UTC
CCing Guillem Jover, the xfstt maintainer.
Comment 6 Guillem Jover 2007-09-09 17:55:15 UTC
(In reply to comment #3)
> Created an attachment (id=11454) [details]
> update version of patch
> 
> I did some experiments myself. 
> With proper expression grouping the code now looks correct to me.

The patch seems fine, that's mostly what is being done in xfstt. You could use sz_fsQueryXExtents8Req and sz_fsQueryXBitmaps8Req instead of the SIZEOF, but I've not checked if those are used in the rest of the code base.
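The consistency test discussed in comments 2, 3 and 6 (bounding the claimed number of 16-bit character codes by the request's own length field before the codes are byte-swapped) is shown below as an added illustration in C. This is not the xfs project's code or the attached patch: the request layout, the field and function names and the opcode are hypothetical stand-ins, and the length field is assumed to be expressed in 4-byte units as in the FS protocol. It shows why the expression grouping matters (subtract the header size first, then divide by the element size) and how an oversized count is rejected instead of driving the swap loop past the end of the request buffer.

```c
/* Added illustration, not the xfs project's code. Names and layout are
 * hypothetical stand-ins for the FS protocol request discussed in the bug. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical header: 12 bytes; `length` (offset 2) is the whole request in
 * 4-byte units, `num_ranges` (offset 8) counts the 16-bit codes that follow. */
#define REQ_HDR_SIZE 12u
#define CHAR2B_SIZE  2u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Swap the two bytes of each 16-bit character code in place. Without a
 * prior bound on `n` this loop writes wherever the caller's count says. */
static void swap_char2b_inplace(uint8_t *codes, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        uint8_t t = codes[2 * i];
        codes[2 * i] = codes[2 * i + 1];
        codes[2 * i + 1] = t;
    }
}

/* Validate the request against its own length field and the buffer actually
 * received, then swap. Returns 0 on success, -1 if the request is rejected. */
int validate_and_swap(uint8_t *buf, size_t buflen)
{
    if (buflen < REQ_HDR_SIZE) return -1;

    uint32_t length_bytes = (uint32_t)rd16(buf + 2) << 2;  /* length << 2 */
    uint32_t num_ranges   = rd32(buf + 8);

    /* The stated length must cover the header and must not exceed the data
     * that was really read from the client. */
    if (length_bytes < REQ_HDR_SIZE || length_bytes > buflen) return -1;

    /* Grouping matters: the codes must fit in (length - header) / 2 slots. */
    if (num_ranges > (length_bytes - REQ_HDR_SIZE) / CHAR2B_SIZE) return -1;

    swap_char2b_inplace(buf + REQ_HDR_SIZE, num_ranges);
    return 0;
}

/* Build a constructed request with `actual` codes 0x0041, 0x0042, ... while
 * setting num_ranges to `claimed`, which a malformed request may inflate.
 * `actual` must be even so the total is a multiple of 4. Returns the size. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t actual, uint32_t claimed)
{
    size_t total = REQ_HDR_SIZE + CHAR2B_SIZE * actual;
    if (total > cap || total % 4 != 0) return 0;
    memset(buf, 0, total);
    buf[0] = 0x11;                              /* hypothetical opcode */
    wr16(buf + 2, (uint16_t)(total / 4));       /* length in 4-byte units */
    wr32(buf + 4, 0x00000001u);                 /* hypothetical font id */
    wr32(buf + 8, claimed);
    for (uint32_t i = 0; i < actual; i++)
        wr16(buf + REQ_HDR_SIZE + 2 * i, (uint16_t)(0x0041 + i));
    return total;
}

/* Well-formed request: two codes, count matches. Returns the first code
 * after swapping (0x4100), or -1 if the request was rejected. */
int demo_well_formed(void)
{
    uint8_t buf[64];
    size_t n = build_request(buf, sizeof buf, 2, 2);
    if (n == 0 || validate_and_swap(buf, n) != 0) return -1;
    return rd16(buf + REQ_HDR_SIZE);
}

/* Malformed request: two codes present, count claims 1000. Returns the
 * verdict of validate_and_swap (-1: rejected before any swap). */
int demo_oversized_count(void)
{
    uint8_t buf[64];
    size_t n = build_request(buf, sizeof buf, 2, 1000);
    return n == 0 ? -2 : validate_and_swap(buf, n);
}

/* Truncated request: length field claims more 4-byte units than received. */
int demo_length_beyond_buffer(void)
{
    uint8_t buf[64];
    size_t n = build_request(buf, sizeof buf, 2, 2);
    if (n == 0) return -2;
    wr16(buf + 2, 0x0100);                      /* 1024 bytes, far past n */
    return validate_and_swap(buf, n);
}
```

The check is deliberately done on the request's own `length` field, as the bug's patch does, and additionally against the number of bytes actually read; the division by the element size is applied only after the header size is subtracted, which is the grouping comment 3 refers to.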
Comment 7 Matthieu Herrb 2007-09-11 02:25:51 UTC
Created attachment 11503 [details]
reproducer

Simple program to reproduce the problem in QueryExtents16

tfs2 localhost:7100 hello
Comment 8 Matthieu Herrb 2007-09-21 00:51:55 UTC
(In reply to comment #4)
> Both issues (#12298 and this one) share CVE-2007-4568
> 

iDefense has allocated a new ID for this one: CVE-2007-4990
Comment 9 Matthieu Herrb 2007-10-02 10:21:01 UTC
Fixed in commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32
Public now