Bug 98468 - XServer crashes when client passes bad offset in XvShmPutImage
Summary: XServer crashes when client passes bad offset in XvShmPutImage
Status: RESOLVED MOVED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2016-10-28 12:24 UTC by Joris Guisson
Modified: 2018-12-13 22:36 UTC
Description Joris Guisson 2016-10-28 12:24:33 UTC
We have encountered a crash in xorg on Debian Jessie (xorg-server-1.16.4).

Our client was sometimes passing a bogus shmaddr in XShmSegmentInfo, when calling XvShmPutImage. This results in a crash in ProcXvShmPutImage (Xext/xvdisp.c), in the following code:

 width = stuff->width;
 height = stuff->height;
 size_needed = (*pPort->pAdaptor->ddQueryImageAttributes) (client,
                                                           pPort, pImage,
                                                           &width, &height,
                                                           NULL, NULL);
 if ((size_needed + stuff->offset) > shmdesc->size)
     return BadAccess;

The if test is not good enough. If offset is big enough to cause a wraparound, size_needed + stuff->offset will be smaller than or equal to shmdesc->size.

So an additional check to see if stuff->offset is smaller than shmdesc->size is needed here.
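The wraparound described above, reproduced in an added example that is not part of the bug report or of the X server sources: the quoted check is kept verbatim next to an overflow-safe form that validates the offset on its own before comparing the remaining space. Type widths follow the report (size_needed is an int, stuff->offset a CARD32, shmdesc->size an unsigned long); the function names and sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The check as quoted in the report. int + uint32_t is evaluated in 32-bit
 * unsigned arithmetic, so a large offset wraps the sum to a small value that
 * compares as "fits" even though the offset itself lies past the segment. */
static bool old_check_rejects(int size_needed, uint32_t offset, unsigned long seg_size)
{
    return (size_needed + offset) > seg_size;
}

/* Overflow-safe form (constructed for this example): reject a negative size,
 * reject an offset that is not inside the segment (the additional check the
 * report asks for), then compare the image size against the space remaining
 * after the offset. That subtraction cannot underflow once offset < seg_size. */
static bool safe_check_rejects(int size_needed, uint32_t offset, unsigned long seg_size)
{
    if (size_needed < 0)
        return true;
    if (offset >= seg_size)
        return true;
    return (unsigned long) size_needed > seg_size - offset;
}

int main(void)
{
    /* Constructed values: a 1 MiB segment and a 768x576 12-bpp image,
     * the dimensions seen in the report's backtrace. */
    unsigned long seg_size = 1UL << 20;
    int size_needed = 768 * 576 * 3 / 2;   /* 663552 bytes */
    uint32_t bad_offset = 0xFFFFFFF0u;     /* wraps the 32-bit sum to 663536 */

    printf("old check rejects wrapped offset:  %d\n",
           old_check_rejects(size_needed, bad_offset, seg_size));
    printf("safe check rejects wrapped offset: %d\n",
           safe_check_rejects(size_needed, bad_offset, seg_size));
    return 0;
}
```

The wrap happens regardless of pointer width because the sum is computed in uint32_t before it is widened for the comparison, so a 64-bit build of the same check is affected too.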
Comment 1 Joris Guisson 2016-10-28 12:26:56 UTC
This is a backtrace of the crash:

#0  memcpy () at ../sysdeps/i386/i586/memcpy.S:84
#1  0xb6d0acec in memcpy (__len=<optimized out>, __src=0xb084bfec, __dest=<optimized out>) at /usr/include/i386-linux-gnu/bits/string3.h:51
#2  sna_video_copy_data (video=0x80807590, frame=0xbfc303bc, buf=0xb084bfec <error: Cannot access memory at address 0xb084bfec>) at ../../../src/sna/sna_video.c:526
#3  0xb6d0ec45 in sna_video_textured_put_image (client=0x80b5f860, draw=0x80b66c00, port=0x80809598, gc=0x80b74650, src_x=0, src_y=0, src_w=768, src_h=576, drw_x=267, drw_y=0, drw_w=1386, drw_h=1040, format=0xb6dd4bc0 <Images+256>, 
    buf=0xb084bfec <error: Cannot access memory at address 0xb084bfec>, sync=0, width=768, height=576) at ../../../src/sna/sna_video_textured.c:222
#4  0x80157912 in XvdiPutImage (client=0x80b5f860, pDraw=0x80b66c00, pPort=0x80809598, pGC=0x80b74650, src_x=0, src_y=0, src_w=768, src_h=576, drw_x=267, drw_y=0, drw_w=1386, drw_h=1040, image=0xb6dd4bc0 <Images+256>, 
    data=0xb084bfec <error: Cannot access memory at address 0xb084bfec>, sync=0, width=768, height=576) at ../../Xext/xvmain.c:673
#5  0x80158f3c in ProcXvShmPutImage (client=0x80b5f860) at ../../Xext/xvdisp.c:1014
#6  0x8015b59c in ProcXvDispatch (client=0x80b5f860) at ../../Xext/xvdisp.c:1201
#7  0x800b2086 in Dispatch () at ../../dix/dispatch.c:432
#8  0x800b626a in dix_main (argc=13, argv=0xbfc306e4, envp=0x802e7b1c <noPanoramiXExtension>) at ../../dix/main.c:296
#9  0x8009ff2a in main (argc=13, argv=0xbfc306e4, envp=0xbfc3071c) at ../../dix/stubmain.c:34
Comment 2 GitLab Migration User 2018-12-13 22:36:22 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/507.