[PATCH wayland 2/2] connection: fix demarshal of invalid header

Pekka Paalanen ppaalanen at gmail.com
Wed Mar 13 10:45:48 UTC 2019


On Tue, 12 Mar 2019 23:11:03 +0000
Simon Ser <contact at emersion.fr> wrote:

> Hi,
> 
> On Wednesday, March 6, 2019 12:58 PM, Pekka Paalanen <ppaalanen at gmail.com> wrote:
> > From: Pekka Paalanen pekka.paalanen at collabora.com
> >
> > The size argument to wl_connection_demarshal() is taken from the message by the
> > caller wl_client_connection_data(), therefore 'size' is untrusted data
> > controllable by a Wayland client. The size should always be at least the header
> > size, otherwise the header is invalid.
> >
> > If the size is smaller than header size, it leads to reading past the end of
> > allocated memory. Furthermore if size is zero, wl_closure_init() changes
> > behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
> > memory.
> >
> > Check that 'size' fits at least the header. The space for arguments is already
> > properly checked.
> >
> > This makes the request_bogus_size test free of errors under Valgrind.
> >
> > Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52
> >
> > Signed-off-by: Pekka Paalanen pekka.paalanen at collabora.com  
> 
> Both patches look good to me. I've also tested them with -fsanitize=address.
> 
> Take this with a grain of salt since I'm not very familiar with libwayland's
> demarshalling code, but this is:
> 
> Reviewed-by: Simon Ser <contact at emersion.fr>

Hi,

I added your R-b and made a MR:
https://gitlab.freedesktop.org/wayland/wayland/merge_requests/2


Thanks,
pq
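The check the quoted commit message describes, as an added example that is not libwayland's code and not part of the original thread: a minimal demarshal step that reads the client-controlled size field out of a Wayland wire header and rejects it before deriving the argument region from it. Assumptions not taken from the thread: the header is two 32-bit words, object id then (size << 16) | opcode, with size counting the whole message including the 8-byte header; this example serialises the words little-endian for determinism, whereas the real socket carries them in host byte order. All function and type names are hypothetical.

```c
/* Added example, not libwayland source. Models the size check the patch
 * adds to wl_connection_demarshal(): 'size' is chosen by the client and
 * must be at least the 8-byte header before anything is computed from it.
 * Assumptions: header = object id word, then (size << 16) | opcode word,
 * size counts the whole message; words written little-endian here (the real
 * wire format uses host byte order). Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WL_HEADER_SIZE 8u

enum demarshal_status {
    DEMARSHAL_BAD_HEADER = -1, /* size < header: protocol error, drop client */
    DEMARSHAL_OK = 0,
    DEMARSHAL_NEED_MORE = 1    /* fewer bytes buffered than size claims */
};

struct demarshalled {
    uint32_t object_id;
    uint16_t opcode;
    uint16_t size;
    const uint8_t *args;  /* argument words follow the header */
    size_t arg_bytes;     /* size - WL_HEADER_SIZE, valid only after the check */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The 'size < WL_HEADER_SIZE' test is the one the patch adds. Without it,
 * hdr.size - WL_HEADER_SIZE wraps for sizes 0..7 and the argument region
 * would extend far past the buffer. The 'size > avail' test is the
 * argument-space check the commit message says already existed. */
enum demarshal_status demarshal(const uint8_t *buf, size_t avail,
                                struct demarshalled *out)
{
    uint32_t word;

    if (avail < WL_HEADER_SIZE)
        return DEMARSHAL_NEED_MORE;
    out->object_id = read_le32(buf);
    word = read_le32(buf + 4);
    out->opcode = (uint16_t)(word & 0xffffu);
    out->size = (uint16_t)(word >> 16);

    if (out->size < WL_HEADER_SIZE)
        return DEMARSHAL_BAD_HEADER;
    if (out->size > avail)
        return DEMARSHAL_NEED_MORE;
    out->args = buf + WL_HEADER_SIZE;
    out->arg_bytes = out->size - WL_HEADER_SIZE;
    return DEMARSHAL_OK;
}

/* Constructed sample: object 1, opcode 0, one 32-bit argument (12 bytes on
 * the wire), with a caller-chosen size field so a lying client can be
 * simulated. Returns the number of bytes actually written. */
static size_t build_message(uint8_t *buf, uint16_t size_field)
{
    static const uint8_t arg[4] = { 0x2a, 0, 0, 0 };

    write_le32(buf, 1);
    write_le32(buf + 4, ((uint32_t)size_field << 16) | 0u);
    memcpy(buf + WL_HEADER_SIZE, arg, sizeof arg);
    return WL_HEADER_SIZE + sizeof arg;
}

/* Honest client: size field matches the 12 bytes sent. Returns the
 * argument byte count, or -1 if the message was rejected. */
long demo_valid_arg_bytes(void)
{
    uint8_t buf[16];
    struct demarshalled d;
    size_t n = build_message(buf, 12);

    if (demarshal(buf, n, &d) != DEMARSHAL_OK)
        return -1;
    return (long)d.arg_bytes;
}

/* Same 12 bytes on the wire, but the header claims 'size_field' bytes:
 * the shape of the request_bogus_size test the commit message mentions. */
enum demarshal_status demo_bogus_size(uint16_t size_field)
{
    uint8_t buf[16];
    struct demarshalled d;
    size_t n = build_message(buf, size_field);

    return demarshal(buf, n, &d);
}
```

Sizes 0 through 7 must be treated as a protocol error rather than as "wait for more data": a size below the header can never become valid with more input, so the only safe response is to stop processing that client, while a size larger than the buffered bytes is the ordinary partial-read case.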