Bug 56508 - 4-byte buffer overflow in MakeBigReq
Summary: 4-byte buffer overflow in MakeBigReq
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2012-10-29 04:48 UTC by Karl Tomlinson
Modified: 2013-03-09 01:44 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
don't memmove the last word (2.74 KB, patch)
2012-10-29 04:48 UTC, Karl Tomlinson 		no flags Details | Splinter Review
View All

Description Karl Tomlinson 2012-10-29 04:48:24 UTC 
Created attachment 69207 [details] [review]
don't memmove the last word

MakeBigReq() needs to make the request one 32-bit word larger (to squeeze in a larger length value).  It saves the last word in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves the every word in the request after the first word.  That is one too many words.  One overflows (in certain situations).
Comment 1 Karl Tomlinson 2012-10-29 04:52:51 UTC 
As this is a macro, of course all libraries that use the macro or SetReqLen to create large requests will need to be recompiled.
Comment 2 Karl Tomlinson 2012-10-29 04:54:53 UTC 
The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Comment 3 Peter Hutterer 2013-02-18 01:19:30 UTC 
Confirmed and I have a reliable reproducer here. Requirement for the overrun is that the fixed-length bit of the request is aligned at the end of the dpy buffer.
Comment 4 Alan Coopersmith 2013-03-09 01:44:21 UTC 
Patch pushed to git master:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.