Bug 3822 - out of bounds memory read in fbBltOne()
Summary: out of bounds memory read in fbBltOne()
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: 6.8.2
Hardware: x86 (IA32) OpenBSD
Importance: high critical
Assignee: Xorg Project Team
QA Contact:
Duplicates: 4069
Depends on:
Blocks: 1690
Reported: 2005-07-20 09:33 UTC by Matthieu Herrb
Modified: 2005-09-30 17:54 UTC (History)
CC: 6 users


Attachments:
Standalone testcase for the bug; link with /usr/X11R6/lib/modules/libfb.a (1.37 KB, text/plain)
2005-08-15 13:10 UTC, Mark Kettenis
Patch that fixes the problem (2.05 KB, patch)
2005-08-15 13:11 UTC, Mark Kettenis
Standalone testcase for the fbBlt() bug; link with /usr/X11R6/lib/modules/libfb.a (1.30 KB, text/plain)
2005-08-29 00:36 UTC, Mark Kettenis
Patch that fixes the fbBlt() problem (660 bytes, patch)
2005-08-29 00:37 UTC, Mark Kettenis

Description Matthieu Herrb 2005-07-20 09:33:09 UTC
OpenBSD recently switched to a new malloc() model, based on mmap() which
randomizes the addresses of the returned pages. So the probability of having a
hole at the end of a malloc()ed block has increased quite a bit.
This has exposed a problem in fbBltOne() which happens after some time spent
browsing the web with firefox.
I'm attaching a transcript of a debug session on Xorg 6.8.2.

Unfortunately, I don't know how to fix this exactly.
Comment 1 Matthieu Herrb 2005-07-20 09:34:34 UTC
Created attachment 3111 [details] [review]

I've marked with <--- the address (src value) that is out of bounds.
Comment 2 Matthieu Herrb 2005-07-20 09:42:01 UTC
Bump the severity a bit, since this really makes the X server almost unusable on
recent OpenBSD. 
Comment 3 Matthieu Herrb 2005-07-20 16:20:58 UTC
src is a 19x10x1 pixmap. It is exactly 40 bytes long, starting at 0x86f83fd8. It
happens to be just at the end of a page.
When X segfaults, it was trying to access the address 0x86f84000 which is one
byte after the end of the pixmap, which is on a different page that, with the
new OpenBSD malloc, is not readable as the following procmap excerpt shows:

0x86f83000 0x86f84000 rw-  COW NNC 1 0 0
0x86f84000 0x86f85000 ---  COW NNC 1 0 0
Comment 4 Matthieu Herrb 2005-07-27 15:54:19 UTC
One of the OpenBSD developers, Thierry Deval, tried to analyse the problem.
Here are his words:

I'm pretty sure the X bug is in the LoadBits macro (at least that's where it
Indeed, if leftShift != 0 and the number of significant bits to move is less
than the remaining shifted word (i.e. rightShift), we don't need to complete the
pattern with the next word.

The diff I propose may not necessarily be the best, but seems to render my X and
FireFox use more stable. Well, I'm running for several hours only, so I must
test further...
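The layout in comment 3 (a 40-byte, 10-word pixmap ending exactly at a page boundary, followed by an unreadable page) and the condition in comment 4 (with leftShift != 0, fetch the next source word only when more bits are still wanted than the already-shifted word provides) can be exercised together in a small standalone program. The following is an added example written for this page, not the fb code or either attached testcase: it models the word-assembly step of a shifted 1-bpp copy in simplified form (bits numbered from the LSB, a 32-bit FbBits, the names leftShift/rightShift taken from comment 4), assumes the 19-pixel rows are padded to 32-bit words so the last row is 19 bits inside the tenth word, and places that word at the end of a page with a PROT_NONE guard page after it, the way the OpenBSD malloc described above leaves a hole.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

typedef uint32_t FbBits;          /* assumed 32-bit framebuffer word */
#define FB_UNIT 32u

/* Copy nbits bits into dst, where dst bit i is src bit (i + leftShift).
 * Bits are numbered from the LSB of each word (a simplification of fb's
 * bit-order handling). Each destination word is assembled from the upper
 * rightShift bits of src[k] and, when needed, the low leftShift bits of
 * src[k + 1]. With alwaysLoadNext set, src[k + 1] is fetched unconditionally,
 * which models the over-read in this report; otherwise it is fetched only
 * when more than rightShift bits remain, the condition comment 4 describes.
 * Returns the highest src index that was read. */
static size_t blt_bits(const FbBits *src, FbBits *dst, size_t nbits,
                       unsigned leftShift, int alwaysLoadNext)
{
    unsigned rightShift = FB_UNIT - leftShift;
    size_t remaining = nbits, maxRead = 0;

    for (size_t k = 0; remaining > 0; k++) {
        FbBits word = src[k] >> leftShift;      /* rightShift usable bits */
        maxRead = k;
        if (leftShift != 0 && (alwaysLoadNext || remaining > rightShift)) {
            word |= src[k + 1] << rightShift;   /* complete the pattern */
            maxRead = k + 1;
        }
        size_t take = remaining < FB_UNIT ? remaining : FB_UNIT;
        FbBits mask = take == FB_UNIT ? ~(FbBits)0 : (((FbBits)1 << take) - 1);
        dst[k] = word & mask;
        remaining -= take;
    }
    return maxRead;
}

/* Highest word index touched for a 19-bit, leftShift=5 copy whose source is
 * one word long: 0 is in bounds, 1 is one word past the end. The second word
 * exists only so the unconditional variant does not fault in this harness. */
static size_t last_word_read(int alwaysLoadNext)
{
    FbBits src[2] = { 0xFFFFFFFFu, 0 };
    FbBits dst[1];
    return blt_bits(src, dst, 19, 5, alwaysLoadNext);
}

/* Reference bit extraction used to check blt_bits bit for bit. */
static int bit_at(const FbBits *w, size_t bit)
{
    return (w[bit / FB_UNIT] >> (bit % FB_UNIT)) & 1;
}

/* Constructed 4-word source; returns 1 if the bounded copy is exact. */
static int check_copy(size_t nbits, unsigned leftShift)
{
    FbBits src[4] = { 0x12345678u, 0x9ABCDEF0u, 0x0F1E2D3Cu, 0x4B5A6978u };
    FbBits dst[4] = { 0 };
    blt_bits(src, dst, nbits, leftShift, 0);
    for (size_t i = 0; i < nbits; i++)
        if (bit_at(dst, i) != bit_at(src, i + leftShift)) return 0;
    return 1;
}

/* Put a 40-byte (10-word) source at the very end of a page and make the
 * following page unreadable, mimicking the procmap excerpt in comment 3.
 * Returns 1 if the bounded copy of the last 19-bit row completes without
 * touching the guard page and yields the expected bits. */
static int demo_guard_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return 0;
    if (mprotect(base + pg, pg, PROT_NONE) != 0) { munmap(base, 2 * pg); return 0; }

    FbBits *src = (FbBits *)(base + pg - 40);   /* src[9] ends at the page boundary */
    for (int i = 0; i < 10; i++) src[i] = 0xA5A5A5A5u ^ (FbBits)i;

    FbBits dst[1] = { 0 };
    size_t hi = blt_bits(src + 9, dst, 19, 5, /*alwaysLoadNext=*/0);
    FbBits expect = (src[9] >> 5) & ((1u << 19) - 1);
    int ok = (hi == 0) && (dst[0] == expect);
    munmap(base, 2 * pg);
    return ok;
}

int main(void)
{
    printf("unconditional load reads word %zu of a 1-word source\n", last_word_read(1));
    printf("bounded load reads word %zu of a 1-word source\n", last_word_read(0));
    printf("bounded copy next to an unmapped page: %s\n", demo_guard_page() ? "ok" : "FAILED");
    printf("bit-exact on 70 bits @5, 59 bits @5, 64 bits @0: %d %d %d\n",
           check_copy(70, 5), check_copy(59, 5), check_copy(64, 0));
    return 0;
}
```

Passing 1 as the last argument inside demo_guard_page makes the copy fetch src[10], the first word of the PROT_NONE page, and the process dies with the same kind of fault the procmap excerpt explains; the bounded variant never needs that word because 19 bits fit in the 27 that src[9] already supplies after the shift.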
Comment 5 Matthieu Herrb 2005-07-27 15:55:31 UTC
Created attachment 3160 [details]
Xorg logfile
Comment 6 Adam Jackson 2005-08-01 09:29:56 UTC
Looks reasonable to me, adding to the block list so we get more eyes on it.
Comment 7 Matthieu Herrb 2005-08-11 06:14:52 UTC
I got several reports that the proposed patch is wrong. It's causing corruption,
specifically in text entry fields in firefox. 
Someone with more knowledge on fb internals really needs to look at this. 
Comment 8 Mark Kettenis 2005-08-15 13:10:31 UTC
Created attachment 2877 [details]
Standalone testcase for the bug; link with /usr/X11R6/lib/modules/libfb.a
Comment 9 Mark Kettenis 2005-08-15 13:11:58 UTC
Created attachment 2878 [details] [review]
Patch that fixes the problem
Comment 10 Mark Kettenis 2005-08-15 13:12:53 UTC
*** Bug 4069 has been marked as a duplicate of this bug. ***
Comment 11 Mark Kettenis 2005-08-29 00:36:45 UTC
Created attachment 3097 [details]
Standalone testcase for the fbBlt() bug; link with /usr/X11R6/lib/modules/libfb.a
Comment 12 Mark Kettenis 2005-08-29 00:37:26 UTC
Created attachment 3098 [details] [review]
Patch that fixes the fbBlt() problem
Comment 13 Mark Kettenis 2005-08-29 00:40:14 UTC
Found a rather similar bug in fbBlt() (by code inspection).  Again there is a
potential read past the end of a buffer.  The fix here is a bit more elegant
Comment 14 Egbert Eich 2005-09-01 02:21:59 UTC
Keith, sorry for pestering you with so many bugs. But maybe you want to comment.
Comment 15 Matthieu Herrb 2005-10-01 10:54:47 UTC
Latest patches from Mark committed. Several weeks of use under OpenBSD have not
revealed any new problems.
