Bug 43988 - crtc->desiredMode.name can point to freed memory.
Summary: crtc->desiredMode.name can point to freed memory.
Status: RESOLVED DUPLICATE of bug 36108
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: git
Hardware: All Linux (All)
: high major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard: 2012BRB_Reviewed
Keywords: patch
Depends on:
Blocks: xserver-1.12 xserver-1.13
  Show dependency treegraph
 
Reported: 2011-12-20 10:27 UTC by Tony DeFeo
Modified: 2013-02-10 17:44 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Patch containing my fix to the bug. (2.90 KB, application/octet-stream)
2011-12-20 10:27 UTC, Tony DeFeo
no flags Details
Updated patch to fix bug (original patch was missing a null check). (2.94 KB, patch)
2011-12-20 11:38 UTC, Tony DeFeo
no flags Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Tony DeFeo 2011-12-20 10:27:09 UTC
Created attachment 54603 [details]
Patch containing my fix to the bug.

While using valgrind to look for memory leaks in a touchscreen driver I'm working on, I stumbled upon the following:

The crtc->desiredMode element contains a copy of the desired mode, including a copy of the pointer to the mode name. When entering/leaving virtual terminal, the original mode & name get freed, leaving crtc->desiredMode.name pointing to freed memory. This free memory is read accessed later when the desired mode is copied.

This did not cause a crash in my instance, thought it theoretically could.

I have attached patch files with my fix for your reference.

Server was built by me from git code, and is version 1.11.99.1

Thanks,
Tony DeFeo
Comment 1 Tony DeFeo 2011-12-20 11:38:59 UTC
Created attachment 54609 [details] [review]
Updated patch to fix bug (original patch was missing a null check).
Comment 2 Julien Cristau 2011-12-23 13:28:45 UTC
> --- Comment #1 from Tony DeFeo <tdefeo@itsgames.com> 2011-12-20 11:38:59 PST ---
> Created attachment 54609 [details] [review]
>   --> https://bugs.freedesktop.org/attachment.cgi?id=54609
> Updated patch to fix bug (original patch was missing a null check).
> 
Could you please send the patch to xorg-devel@lists.x.org per
http://www.x.org/wiki/Development/Documentation/SubmittingPatches?
Comment 3 Jeremy Huddleston Sequoia 2012-01-02 20:48:55 UTC
Use C comments, not C++ comments (ie /* ... */ rather than // ....)
Comment 4 Jeremy Huddleston Sequoia 2012-03-24 11:54:10 UTC
Tony: ping
Comment 5 Alan Coopersmith 2013-02-10 17:44:40 UTC
I think this is fixed by
http://cgit.freedesktop.org/xorg/xserver/commit/?id=deb08658e2a6b1647a7213a316c6f3019bcdce48

*** This bug has been marked as a duplicate of bug 36108 ***


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.