Bug 69267 - Putting a lot of data into wl_buffer can lead to SIGSEGV
Summary: Putting a lot of data into wl_buffer can lead to SIGSEGV
Status: RESOLVED FIXED
Alias: None
Product: Wayland
Classification: Unclassified
Component: wayland (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium critical
Assignee: Wayland bug list
Reported: 2013-09-12 12:04 UTC by Marek Chalupa
Modified: 2014-04-21 21:51 UTC

Description Marek Chalupa 2013-09-12 12:04:09 UTC
Hey,

I was just browsing the code and I discovered that in wl_buffer_put it is possible to put more than 8192 bytes into the buffer at once, which means that we will use memory which doesn't belong to wl_buffer. I don't know if it's on purpose (because I did some debugging and nowhere was such an amount of bytes passed), but still this can be a hole.

I successfully got SIGSEGV doing this:

...
...
void *long_data = malloc(big_number);   /* big_number larger than the connection buffer */
wl_connection_write(connection, long_data, big_number);
...
...
Comment 1 Kristian Høgsberg 2014-04-21 21:51:09 UTC
commit bc609053188cb89bdcd4dbcf6de0eab2217d3274
Author: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Date:   Thu Apr 17 18:20:37 2014 +0300

    connection: Don't write past the end of the connection buffer
    
    If a message was too big to fit in the connection buffer, the code
    in wl_buffer_put would just write past the end of it.
    
    I haven't seen any real world use case that would trigger this bug, but
    it was possible to trigger it by sending a long enough string to the
    wl_data_source.offer request.
    
    https://bugs.freedesktop.org/show_bug.cgi?id=69267
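
The bounds check the commit describes, as an added example in C built on a Wayland-style ring buffer (not the project's own code; the buffer size, the names and the E2BIG error are assumptions of this example):

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified ring buffer modeled on the shape of Wayland's connection
 * buffer: a fixed power-of-two array indexed through monotonically
 * increasing head/tail counters. Size and names are assumptions for
 * this example; this is not Wayland's own code. */
#define BUF_SIZE 4096
#define MASK(i) ((i) & (BUF_SIZE - 1))

struct ring_buffer {
	char data[BUF_SIZE];
	uint32_t head;   /* bytes ever written */
	uint32_t tail;   /* bytes ever consumed */
};

static size_t ring_buffer_space(const struct ring_buffer *b)
{
	return BUF_SIZE - (b->head - b->tail);
}

/* Append count bytes at head, wrapping around the end of data[].
 * The capacity check is the hardening the commit describes: without
 * it, a count larger than the remaining space makes the memcpy() calls
 * below write past the end of data[] (the bug class in this report).
 * E2BIG is this example's choice of error, not necessarily Wayland's. */
static int ring_buffer_put(struct ring_buffer *b, const void *data, size_t count)
{
	uint32_t head = MASK(b->head);

	if (count > ring_buffer_space(b)) {
		errno = E2BIG;
		return -1;
	}
	if (head + count <= BUF_SIZE) {
		memcpy(b->data + head, data, count);
	} else {
		/* Split the copy at the physical end of the array. */
		size_t first = BUF_SIZE - head;
		memcpy(b->data + head, data, first);
		memcpy(b->data, (const char *)data + first, count - first);
	}
	b->head += (uint32_t)count;
	return 0;
}
```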

