Bug 41308 - Xv and XInput request dispatch off-by-ones
Summary: Xv and XInput request dispatch off-by-ones
Alias: None
Product: xorg
Classification: Unclassified
Component: Security
Version: git
Hardware: Other All
Priority: medium    Severity: normal
Assignee: X.Org Security
QA Contact: X.Org Security
Depends on:
Reported: 2011-09-28 12:14 UTC by Adam Jackson
Modified: 2019-11-19 08:57 UTC (History)


Description Adam Jackson 2011-09-28 12:14:45 UTC

Comment 1 Adam Jackson 2011-09-28 12:21:38 UTC
I'm reasonably sure that, for most people, these are not real security bugs on their own.  However, to be paranoid, I'm reporting them here first so people can verify; and it's entirely possible that in combination with other bugs they _could_ be real security problems.

Both Xv and XI's dispatch code have the following pattern:

  if (stuff->data > xvNumRequests) {
    SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest);
    return BadRequest;
  }

  return XvProcVector[stuff->data](client);

This is wrong: > should be >=, and as a result you can dispatch one past the end of the mentioned function pointer array.  On my machine (Linux, amd64, fairly typical linker and option setup) this isn't an issue, since the memory map looks like:

% nm -an hw/xfree86/dixmods/extmod/.libs/libextmod.so | grep -A1 XvProcVector
00000000002228a0 d SXvProcVector
0000000000222940 d SwappedVector
00000000002247c0 d XvProcVector
0000000000224860 d ProcXvMCVector

(SwappedVector belonging to the screensaver extension).  So yes, you'd dispatch to something unexpected, but it's just another request proc, not system().

Similarly for XI:

% nm -an hw/xfree86/Xorg | grep -A1 ProcIVector
00000000007c8aa0 d SProcIVector
00000000007c8ca0 d ProcIVector
00000000007c8e88 d .dynamic

Here you would probably crash, since .dynamic is unlikely to be a useful function pointer.
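The off-by-one described in this report, as an added, self-contained C example (not code from the X server or from the bug reporter). It models the linker layout quoted above by placing a stand-in for XvProcVector in one flat array directly followed by the first entry of a neighbouring table, so that indexing one past the Xv table is well-defined C and visibly lands on the neighbour's handler. The handler names, return values, the three-entry table and the xReq layout are assumptions made for this example; the only thing taken from the page is the buggy `>` check beside its `>=` fix.

```c
#include <stdio.h>

/* Return codes as used by the X server dispatch code (values assumed for this example). */
#define Success    0
#define BadRequest 1

/* Minimal stand-in for the X server's request header; 'data' carries the minor opcode. */
typedef struct {
    unsigned char  reqType;
    unsigned char  data;
    unsigned short length;
} xReq;

typedef int (*DispatchProc)(const xReq *stuff);

/* Hypothetical Xv request handlers. Each returns a distinct value so a caller can tell which one ran. */
static int ProcXvQueryExtension(const xReq *stuff) { (void)stuff; return 100; }
static int ProcXvQueryAdaptors(const xReq *stuff)  { (void)stuff; return 101; }
static int ProcXvQueryEncodings(const xReq *stuff) { (void)stuff; return 102; }

/* Hypothetical handler that sits right after the Xv table in memory, playing the role of
 * ProcXvMCVector[0] in the nm output quoted in the report. */
static int ProcXvMCQueryVersion(const xReq *stuff)  { (void)stuff; return 200; }

/* One flat array models two adjacent tables: entries 0..2 are "XvProcVector", entry 3 is the
 * first slot of the next table. Reading XvProcVector[3] is therefore in bounds of AdjacentTables
 * (no undefined behaviour) while still being one past the end of the logical Xv table. */
static DispatchProc AdjacentTables[] = {
    ProcXvQueryExtension, ProcXvQueryAdaptors, ProcXvQueryEncodings,
    ProcXvMCQueryVersion,
};
static DispatchProc *const XvProcVector = AdjacentTables;
#define xvNumRequests 3   /* number of valid entries in XvProcVector */

/* Buggy check from the report: '>' lets data == xvNumRequests through, so minor opcode 3
 * calls XvProcVector[3], i.e. whatever follows the table in memory. */
int DispatchBuggy(const xReq *stuff)
{
    if (stuff->data > xvNumRequests)
        return BadRequest;
    return XvProcVector[stuff->data](stuff);
}

/* Fixed check: '>=' rejects data == xvNumRequests, so only indices 0..xvNumRequests-1 dispatch. */
int DispatchFixed(const xReq *stuff)
{
    if (stuff->data >= xvNumRequests)
        return BadRequest;
    return XvProcVector[stuff->data](stuff);
}

/* Build a request with the given minor opcode and run it through one of the dispatchers. */
int RunMinor(int (*dispatch)(const xReq *), unsigned char minor)
{
    xReq req = { 0, minor, 1 };
    return dispatch(&req);
}

int main(void)
{
    unsigned char minor;
    for (minor = 0; minor <= xvNumRequests + 1; minor++)
        printf("minor %u: buggy dispatch -> %d, fixed dispatch -> %d\n",
               minor, RunMinor(DispatchBuggy, minor), RunMinor(DispatchFixed, minor));
    return 0;
}
```

With minor opcode 3 the buggy dispatcher returns 200, the neighbouring table's handler, while the fixed one returns BadRequest; with opcode 4 both reject the request, which is why the bug is exactly one slot wide. In the real server the neighbour is whatever the linker placed there (another request proc in the Xv case, .dynamic in the XI case), which is the point the report makes about the consequences depending on layout rather than on the check itself.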
