During X server security testing, current lucid xserver was terminated on invalid request (1:7.5+5ubuntu1)

Example:

X_RenderCreateSolidFill
0000000: 6c00 0b00 0000 0000 0000 0000 9521 0500  l............!..
0000010: 9400 2000 0000 0000 0000 0000 8802 1d00  ................
X_XFixesQueryVersion
0000020: 9400 0300 0400 0000 0000 0000
X_XFixesSetPictureClipRegion
                                       9416 0400  ................
0000030: 9400 2000 0000 0800 0000 0000            ............

(gdb) bt
#0  0x080f0a79 in ProcXFixesSetPictureClipRegion (client=0x95a6410) at ../../xfixes/region.c:782
#1  0x080f1f9a in ProcXFixesDispatch (client=0x95a6410) at ../../xfixes/xfixes.c:157
#2  0x08072477 in Dispatch () at ../../dix/dispatch.c:439
#3  0x08066d7a in main (argc=1, argv=0xbf8c3f84, envp=0xbf8c3f8c) at ../../dix/main.c:285

ProcRenderCreateSolidFill creates picture with drawable=0
Other functions use the drawable without checking it, e.g. ./xfixes/region.c:782

int
ProcXFixesSetPictureClipRegion (ClientPtr client)
{
#ifdef RENDER
    PicturePtr          pPicture;
    RegionPtr           pRegion;
    ScreenPtr           pScreen;
    PictureScreenPtr    ps;
    REQUEST(xXFixesSetPictureClipRegionReq);

    REQUEST_SIZE_MATCH (xXFixesSetPictureClipRegionReq);
    VERIFY_PICTURE(pPicture, stuff->picture, client, DixSetAttrAccess,
                   RenderErrBase + BadPicture);
    pScreen = pPicture->pDrawable->pScreen;
    ps = GetPictureScreen (pScreen);      <<<< crash

This might also affect
    int ProcXFixesCreateRegionFromPicture (ClientPtr client)
in xfixes/region.c and
    static int dmxProcRenderSetPictureTransform(ClientPtr client) {
in xfixes/region.c (search for VERIFY_PICTURE)

Credits to me@halfdog.net
Not exploitable (assuming the zero page is never mapped, which is true), clearing security group.
commit ba2432a020a9f9bd0892f643117795336ba0fc16
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 10 11:34:28 2014 -0400

    xfixes: Forbid manipulating clip for source-only pictures (#28968)
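The defect in the report above (a solid-fill picture has no drawable, and the clip handler dereferences it anyway) and the kind of check the fix commit describes, as a simplified model added here; this is not xserver code. The types, CreateSolidFillPicture and the two SetPictureClipRegion_* handlers are stand-ins for PictureRec, ProcRenderCreateSolidFill and ProcXFixesSetPictureClipRegion, and the exact check is assumed rather than quoted from the commit.

```c
#include <stddef.h>
#include <stdio.h>

/* X protocol error codes, with the values used in X.h. */
#define Success     0
#define BadDrawable 9

typedef struct { int id; }             ScreenRec,   *ScreenPtr;
typedef struct { ScreenPtr pScreen; }  DrawableRec, *DrawablePtr;
typedef struct {
    DrawablePtr pDrawable;  /* NULL for source-only pictures (solid fill, gradients) */
    int clipOrigin_x, clipOrigin_y;
} PictureRec, *PicturePtr;

/* Models ProcRenderCreateSolidFill: the picture is created with no drawable. */
static void CreateSolidFillPicture(PicturePtr p)
{
    p->pDrawable = NULL;
    p->clipOrigin_x = p->clipOrigin_y = 0;
}

/* Before the fix: pDrawable is trusted unconditionally, so a solid-fill
 * picture reads through NULL here (region.c:782 in the backtrace above). */
static int SetPictureClipRegion_unchecked(PicturePtr pPicture, int x, int y)
{
    ScreenPtr pScreen = pPicture->pDrawable->pScreen;  /* crash if pDrawable == NULL */
    (void)pScreen;  /* the real handler goes on to fetch the screen's picture ops */
    pPicture->clipOrigin_x = x;
    pPicture->clipOrigin_y = y;
    return Success;
}

/* Hardened (assumed shape of the fix): a picture without a drawable has no
 * screen and no clip to set, so refuse with a protocol error first. */
static int SetPictureClipRegion_checked(PicturePtr pPicture, int x, int y)
{
    if (pPicture->pDrawable == NULL)
        return BadDrawable;
    return SetPictureClipRegion_unchecked(pPicture, x, y);
}

int main(void)
{
    ScreenRec screen = { 1 };                 /* constructed sample objects */
    DrawableRec window = { &screen };
    PictureRec solid, pict = { &window, 0, 0 };
    CreateSolidFillPicture(&solid);
    printf("solid fill -> %d (BadDrawable is %d)\n", SetPictureClipRegion_checked(&solid, 0, 0), BadDrawable);
    printf("window picture -> %d (Success is %d)\n", SetPictureClipRegion_checked(&pict, 0, 0), Success);
    return 0;
}
```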