[Bug 80157] Buffer Overflow in xf86-video-intel

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jun 19 13:36:52 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=80157

--- Comment #22 from typingtothemaxbuyer at gmail.com ---
Good news, I've managed to see a crash while running with valgrind (valgrind
output pasted below, I'll attach xorg.0.log). I'm running git version 6b32cf3
with --enable-debug=valgrind.

==9913== Memcheck, a memory error detector
==9913== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==9913== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==9913== Command: /usr/bin/Xorg.valgrind -nolisten tcp :0 -auth /tmp/serverauth.U3ZgNqfZFB vt1
==9913== Parent PID: 9912
==9913== 
==9913== Syscall param rt_sigaction(act->sa_mask) points to uninitialised byte(s)
==9913==    at 0x547D5B1: __libc_sigaction (in /usr/lib/libpthread-2.19.so)
==9913==    by 0x59F684: busfault_init (busfault.c:145)
==9913==    by 0x5930DC: OsInit (osinit.c:191)
==9913==    by 0x43A96A: dix_main (main.c:163)
==9913==    by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913==  Address 0xffeffdf98 is on thread 1's stack
==9913== 
==9913== Warning: noted but unhandled ioctl 0x4b51 with no size/direction hints
==9913==    This could cause spurious value errors to appear.
==9913==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
**9913** SNA compiled for use with valgrind
==9913== Warning: noted but unhandled ioctl 0x6458 with no size/direction hints
==9913==    This could cause spurious value errors to appear.
==9913==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==9913== Warning: noted but unhandled ioctl 0x641e with no size/direction hints
==9913==    This could cause spurious value errors to appear.
==9913==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==9913== Syscall param writev(vector[...]) points to uninitialised byte(s)
==9913==    at 0x6772F27: writev (in /usr/lib/libc-2.19.so)
==9913==    by 0x596E1B: _XSERVTransSocketWritev (Xtranssock.c:2364)
==9913==    by 0x5920DC: FlushClient (io.c:936)
==9913==    by 0x5927BD: WriteToClient (io.c:851)
==9913==    by 0x4ED943: RecordFlushReplyBuffer (record.c:242)
==9913==    by 0x4EFEB3: ProcRecordEnableContext (record.c:2339)
==9913==    by 0x436A1E: Dispatch (dispatch.c:433)
==9913==    by 0x43AC05: dix_main (main.c:294)
==9913==    by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913==  Address 0xd67df52 is 50 bytes inside a block of size 1,072 alloc'd
==9913==    at 0x4C28730: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9913==    by 0x4F0191: ProcRecordCreateContext (record.c:1851)
==9913==    by 0x436A1E: Dispatch (dispatch.c:433)
==9913==    by 0x43AC05: dix_main (main.c:294)
==9913==    by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913== 
==9913== Invalid read of size 8
==9913==    at 0x591194: AttendClient (connection.c:1187)
==9913==    by 0x55FE14: DRI2SwapComplete (dri2.c:1011)
==9913==    by 0xB1BFD9F: frame_swap_complete.isra.37 (sna_dri2.c:1793)
==9913==    by 0xB1C17F9: sna_dri2_immediate_blit (sna_dri2.c:2076)
==9913==    by 0xB1C37F4: sna_dri2_schedule_swap (sna_dri2.c:2727)
==9913==    by 0x5601DD: DRI2SwapBuffers (dri2.c:1161)
==9913==    by 0x56194B: ProcDRI2Dispatch (dri2ext.c:413)
==9913==    by 0x436A1E: Dispatch (dispatch.c:433)
==9913==    by 0x43AC05: dix_main (main.c:294)
==9913==    by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913==  Address 0xd8b2828 is 8 bytes inside a block of size 336 free'd
==9913==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9913==    by 0x435F44: CloseDownClient (dispatch.c:3396)
==9913==    by 0x4369DF: Dispatch (dispatch.c:445)
==9913==    by 0x43AC05: dix_main (main.c:294)
==9913==    by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913== 
==9913== 
==9913== HEAP SUMMARY:
==9913==     in use at exit: 12,869,582 bytes in 47,746 blocks
==9913==   total heap usage: 320,044 allocs, 272,298 frees, 146,408,270 bytes allocated
==9913== 
==9913== LEAK SUMMARY:
==9913==    definitely lost: 859 bytes in 28 blocks
==9913==    indirectly lost: 95 bytes in 4 blocks
==9913==      possibly lost: 1,973,644 bytes in 4,683 blocks
==9913==    still reachable: 10,894,984 bytes in 43,031 blocks
==9913==         suppressed: 0 bytes in 0 blocks
==9913== Rerun with --leak-check=full to see details of leaked memory
==9913== 
==9913== For counts of detected and suppressed errors, rerun with: -v
==9913== Use --track-origins=yes to see where uninitialised values come from
==9913== ERROR SUMMARY: 6317 errors from 3 contexts (suppressed: 1 from 1)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are on the CC list for the bug.
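The "Invalid read of size 8 ... inside a block of size 336 free'd" report in the valgrind output above is the signature of a deferred completion (here DRI2SwapComplete reached from the SNA swap path) touching a client object that CloseDownClient has already freed. The following is an added illustration of that bug class and the usual hardening; it is not code from xf86-video-intel or the X server, and every name in it (Client, PendingSwap, client_create, client_close, swap_schedule, swap_complete, client_lookup) is a hypothetical stand-in chosen for the example. The hardened variant references the client by slot plus generation counter and re-validates before use, so a completion that fires after the client has gone, or after its slot has been reused by a new connection, is dropped instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CLIENTS 8

/* Hypothetical client object; stands in for a server-side per-client record. */
typedef struct {
    int index;            /* slot in client_table */
    unsigned generation;  /* value of slot_generation[index] when this object was created */
    int replies;          /* completions delivered to this client */
} Client;

static Client *client_table[MAX_CLIENTS];
static unsigned slot_generation[MAX_CLIENTS];  /* bumped on every close of that slot */

/* The pattern valgrind flagged above: a raw pointer captured when the swap is
   scheduled and dereferenced when it completes. If the client is closed in
   between, this reads freed memory. Shown for contrast only; never call it
   after client_close(). */
typedef struct { Client *client; int drawable; } RawPendingSwap;

bool swap_complete_raw(const RawPendingSwap *p) {
    p->client->replies++;   /* use-after-free once the client has been torn down */
    return true;
}

/* Hardened pending record: (slot, generation) instead of a pointer. */
typedef struct {
    int client_slot;
    unsigned client_generation;
    int drawable;  /* constructed sample id, bookkeeping only */
} PendingSwap;

Client *client_create(void) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (client_table[i] == NULL) {
            Client *c = calloc(1, sizeof *c);
            if (c == NULL) return NULL;
            c->index = i;
            c->generation = slot_generation[i];
            client_table[i] = c;
            return c;
        }
    }
    return NULL;  /* table full */
}

/* Tear-down, the analogue of a close-down path freeing the client record. */
void client_close(Client *c) {
    int i = c->index;
    client_table[i] = NULL;
    slot_generation[i]++;   /* invalidates every outstanding PendingSwap for this slot */
    free(c);
}

/* Scheduling captures a validated reference, not the pointer itself. */
PendingSwap swap_schedule(const Client *c, int drawable) {
    PendingSwap p = { c->index, c->generation, drawable };
    return p;
}

/* Returns the live client for a pending record, or NULL if it was closed or
   the slot has since been handed to a different connection. */
Client *client_lookup(const PendingSwap *p) {
    if (p->client_slot < 0 || p->client_slot >= MAX_CLIENTS) return NULL;
    Client *c = client_table[p->client_slot];
    if (c == NULL || c->generation != p->client_generation) return NULL;
    return c;
}

/* Completion path. Returns true if delivered, false if dropped because the
   client disappeared between scheduling and completion. */
bool swap_complete(const PendingSwap *p) {
    Client *c = client_lookup(p);
    if (c == NULL) return false;
    c->replies++;   /* stands in for waking/writing to the client */
    return true;
}

int main(void) {
    Client *a = client_create();
    PendingSwap p = swap_schedule(a, 0x400001);
    client_close(a);   /* client disconnects while its swap is still in flight */
    printf("completion delivered: %s\n", swap_complete(&p) ? "yes" : "no");
    return 0;
}
```

The generation counter is what makes the check robust: clearing the table entry alone would let a completion scheduled for an old connection be delivered to whichever new client later lands in the same slot.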