[PATCH] os: Make sure big requests have sufficient length.

Michal Srb msrb at suse.com
Mon Sep 25 07:29:59 UTC 2017


On Sunday 24 September 2017 0:20:07 CEST Eric Anholt wrote:
> Michal Srb <msrb at suse.com> writes:
> > Here is a script that can be used to crash X server using a broken big
> > request for PolyLine. It connects to DISPLAY=:1 and doesn't support
> > authentication. Look inside the script for more details.
> > 
> > Other requests could be used to crash X server in similar way, for example
> > SetFontPath.
> 
> I noticed this still in my mailbox.  I tried writing a mergeable unit
> test for it at:
> 
> https://github.com/anholt/xserver/commit/d0e9d732750aa8eb7eeb33adce321f1dfeef265d
> 
> but it doesn't manage to crash the server because I can't set the endian
> mode using xcb (and xcb, sensibly, doesn't let me get an fd without
> doing connection setup on it).
> 
> I don't know much about the codepath with the bug, but hopefully this
> sparks some discussion.

Hi,

I think in your test case the underflow of the request length still happens,
but it doesn't crash because nobody tries to access the data. It ends inside
ProcPolyLine because the Drawable and the GC are not valid.

In my test case the client was big endian, so it crashed inside SProcPolyLine
trying to swap the (incorrectly) huge request.

I think if you supply a valid Drawable and GC, you should get a crash even with
little endian.

Michal Srb
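The length underflow this thread discusses, as an added illustration that is not the X server's code: a minimal decoder for the core X11 request header with the BIG-REQUESTS extension (length field 0 means a CARD32 length follows; both lengths are in 4-byte units and include the header), showing the unchecked arithmetic beside a version that rejects a declared length shorter than the header itself. The byte-order flag, function names and sample headers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Header sizes in 4-byte units: core header is 4 bytes, BIG-REQUESTS header is 8. */
#define SMALL_HDR_UNITS 1u
#define BIG_HDR_UNITS   2u

/* Decode in the client's byte order; `be` is set for a big-endian client. */
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Unchecked form: total length minus header, in bytes. When a big request
   declares fewer units than its own 8-byte header occupies, the unsigned
   subtraction wraps to a huge value, which is what a byte-swapping path
   such as the one described above would then try to walk. */
uint32_t unchecked_body_len(const uint8_t *hdr, int be) {
    uint32_t units = rd16(hdr + 2, be), hdr_units = SMALL_HDR_UNITS;
    if (units == 0) {               /* BIG-REQUESTS: extended length follows */
        units = rd32(hdr + 4, be);
        hdr_units = BIG_HDR_UNITS;
    }
    return (units - hdr_units) * 4u;  /* wraps when units < hdr_units */
}

/* Checked form: returns the body length in bytes, or -1 when the header is
   truncated or the declared total length cannot even hold the header. */
long checked_body_len(const uint8_t *hdr, size_t avail, int be) {
    if (avail < 4) return -1;
    uint32_t units = rd16(hdr + 2, be), hdr_units = SMALL_HDR_UNITS;
    if (units == 0) {
        if (avail < 8) return -1;
        units = rd32(hdr + 4, be);
        hdr_units = BIG_HDR_UNITS;
    }
    if (units < hdr_units) return -1; /* the missing check: reject, never wrap */
    return (long)(units - hdr_units) * 4;
}
```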

