Bug 6642 - XCB rendertest crashes server
XCB rendertest crashes server
Product: xorg
Classification: Unclassified
Component: Server/General
x86 (IA32) Linux (All)
: highest critical
Assigned To: ajax at nwnk dot net
: security
Depends on:
Blocks: 5387
  Show dependency treegraph
Reported: 2006-04-18 15:36 UTC by Bart Massey
Modified: 2006-11-08 08:13 UTC (History)
7 users (show)

See Also:
i915 platform:
i915 features:

statically linked XCB rendertest for Linux / x86 (1.03 MB, application/octet-stream)
2006-04-18 15:38 UTC, Bart Massey
no flags Details
Patch to correct the allocation size (792 bytes, patch)
2006-04-19 08:48 UTC, Eric Anholt
no flags Details | Splinter Review
Xlib/libXrender port of XCB's rendertest.c (18.92 KB, text/plain)
2006-04-25 15:57 UTC, Alan Coopersmith
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bart Massey 2006-04-18 15:36:54 UTC
When running rendertest from XCB xcb/xcb-demo, the Xorg X server crashes partway
through.  100% reproducible on a wide variety of graphics architectures, in
server versions 6.8-7.0.  Marked as a high priority/severity bug because it
indicates a potential security flaw.  The logged backtrace seems uninformative;
good thing it's easy to reproduce this bug.
Comment 1 Bart Massey 2006-04-18 15:38:29 UTC
Created attachment 5355 [details]
statically linked XCB rendertest for Linux / x86

This may require the appropriate gcc runtime .so to actually work.  Let me know
if you have troubles with it.
Comment 2 Eric Anholt 2006-04-19 08:48:45 UTC
Created attachment 5369 [details] [review]
Patch to correct the allocation size

Patch attached to fix the bug (I'm still not rendering what I expected, but
that's probably my problem).
Comment 3 Daniel Stone 2006-04-19 09:00:01 UTC
yay security
Comment 4 ajax at nwnk dot net 2006-04-23 09:02:06 UTC
This appears to affect us back to 6.8.0.  I can't tell you how happy that makes me.

If we need a CVE and coordinated deployment for this, then we should do so
_quickly_, such that 7.1 doesn't ship with this.
Comment 5 Matthieu Herrb 2006-04-23 19:15:38 UTC
I'll forward this to vendor-sec, and ask them for the CVE Id. 
Sorry I didn't notice this report before today. 
Does May 2. 14:00 UTC sound like a reasonable disclosure date ?
Comment 6 Matthieu Herrb 2006-04-24 01:29:40 UTC
This is now CVE-2006-1526 
Comment 7 Alan Coopersmith 2006-04-25 15:57:31 UTC
Created attachment 5468 [details]
Xlib/libXrender port of XCB's rendertest.c

Here's a quick hack-and-slash backport of enough of rendertest.c to test for
this crash from XCB to old-fashioned libX11/libXrender.   (At least on Solaris
it crashes Xorg 6.9.0, but doesn't crash 6.9.0 + the patch from this bug.)
Comment 8 Eric Anholt 2006-04-27 09:16:45 UTC
I've also got a rendercheck test for Triangles that exposes this, which I won't
push until we unembargo this.
Comment 9 ajax at nwnk dot net 2006-04-29 00:54:03 UTC
may 2 is fine for redhat and sun.  anyone who has objections should speak up
Comment 10 Matthieu Herrb 2006-05-03 00:24:54 UTC
This is public now
Comment 11 ajax at nwnk dot net 2006-05-03 00:39:52 UTC
Fixed in 1.1 branch and head.

Moving to block the 1.0 branch tracker, as this clearly needs to be included in
any future 1.0.x release.  Assigning to me for same.
Comment 12 Martin Pitt 2006-05-03 17:11:19 UTC
I have a question about the patch: is the "npoint" parameter of miTriStrip()
guaranteed to be checked for an upper bound? If it can get arbitrary ints, then
the current patch allows for a trivial integer overflow, and the buffer overflow
Comment 13 Martin Pitt 2006-05-03 17:23:22 UTC
In either case, adding something like

   if (ntri >= INT_MAX/sizeof (xTriangle))

right before the allocation can't hurt, just to be on the safe side.
Comment 14 Eric Anholt 2006-05-03 17:54:20 UTC
The number of points, tris, etc. is determined from the request size, which is
limited.  See ProcRenderTriStrip.
Comment 15 Martin Pitt 2006-05-03 19:56:19 UTC
FWIW, the attached rendertest.c ("Xlib/libXrender port of XCB's rendertest.c")
still crashes X.org 6.8.2 here with the given patch applied.
Comment 16 Matthieu Herrb 2006-05-03 20:21:00 UTC
(In reply to comment #15)

Can you provide some details (Xorg.0.log, backtrace, ...) ? It doesn't crash for
me one the systems I tried it (and does indeed crash without the patch)...
Comment 17 Daniel Stone 2006-11-04 09:43:05 UTC
pitti: ping?
Comment 18 Daniel Stone 2006-11-08 08:13:18 UTC
closing as unreproducible