xserver: Branch 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sat Sep 11 17:07:48 UTC 2021 

 hw/xfree86/os-support/linux/lnx_video.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

New commits:
commit 72c5d153c920d769802ed73a1b9bfd0d32e7c178
Author: Aaron Plattner <aplattner at nvidia.com>
Date:   Fri Sep 10 11:02:00 2021 -0700

    xfree86: NUL-terminate strings in hwEnableIO
    
    The Linux version of xf86EnableIO calls a helper function called hwEnableIO().
    Except on Alpha, this function reads /proc/ioports looking for the 'keyboard'
    and 'timer' ports, extracts the port ranges, and enables access to them. It does
    this by reading 4 bytes from the string for the start port number and 4 bytes
    for the last port number, passing those to atoi(). However, it doesn't add a
    fifth byte for a NUL terminator, so some implementations of atoi() read past the
    end of this string, triggering an AddressSanitizer error:
    
      ==1383==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff71fd5b74 at pc 0x7fe1be0de3e0 bp 0x7fff71fd5ae0 sp 0x7fff71fd5288
      READ of size 5 at 0x7fff71fd5b74 thread T0
          #0 0x7fe1be0de3df in __interceptor_atoi /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520
          #1 0x564971adcc45 in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:138
          #2 0x564971adce87 in xf86EnableIO ../hw/xfree86/os-support/linux/lnx_video.c:174
          #3 0x5649719f6a30 in InitOutput ../hw/xfree86/common/xf86Init.c:439
          #4 0x564971585924 in dix_main ../dix/main.c:190
          #5 0x564971b6246e in main ../dix/stubmain.c:34
          #6 0x7fe1bdab6b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
          #7 0x564971490e9d in _start (/home/aaron/git/x/xserver/build.asan/hw/xfree86/Xorg+0xb2e9d)
    
      Address 0x7fff71fd5b74 is located in stack of thread T0 at offset 100 in frame
          #0 0x564971adc96a in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:118
    
        This frame has 3 object(s):
          [32, 40) 'n' (line 120)
          [64, 72) 'buf' (line 122)
          [96, 100) 'target' (line 122) <== Memory access at offset 100 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520 in __interceptor_atoi
      Shadow bytes around the buggy address:
        0x10006e3f2b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10006e3f2b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10006e3f2b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10006e3f2b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10006e3f2b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x10006e3f2b60: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2[04]f3
        0x10006e3f2b70: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10006e3f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
        0x10006e3f2b90: f1 f1 f8 f2 00 f2 f2 f2 f8 f3 f3 f3 00 00 00 00
        0x10006e3f2ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
        0x10006e3f2bb0: f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1383==ABORTING
    
    Fix this by NUL-terminating the string.
    
    Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1193#note_1053306
    Signed-off-by: Aaron Plattner <aplattner at nvidia.com>

diff --git a/hw/xfree86/os-support/linux/lnx_video.c b/hw/xfree86/os-support/linux/lnx_video.c
index a24fce37b..fd83022f6 100644
--- a/hw/xfree86/os-support/linux/lnx_video.c
+++ b/hw/xfree86/os-support/linux/lnx_video.c
@@ -119,7 +119,7 @@ hwEnableIO(void)
     short i;
     size_t n=0;
     int begin, end;
-    char *buf=NULL, target[4];
+    char *buf=NULL, target[5];
     FILE *fp;
 
     if (ioperm(0, 1024, 1)) {
@@ -129,6 +129,8 @@ hwEnableIO(void)
     }
 
 #if !defined(__alpha__)
+    target[4] = '\0';
+
     /* trap access to the keyboard controller(s) and timer chip(s) */
     fp = fopen("/proc/ioports", "r");
     while (getline(&buf, &n, fp) != -1) {

More information about the xorg-commit mailing list