[patch libICE] Fix use after free on subsequent calls
Matthieu Herrb
matthieu at herrb.eu
Tue Dec 6 21:42:03 UTC 2016
On Tue, Dec 06, 2016 at 10:26:59PM +0100, Matthieu Herrb wrote:
This is from https://bugs.freedesktop.org/show_bug.cgi?id=98822
> From: Tobias Stoeckmann <tobias at stoeckmann.org>
>
> The function IceAuthFileName is vulnerable to a use after free. The
> flaw can be triggered by calling the function three times:
>
> - First call succeeds and stores the path in buf, a dynamically
> allocated buffer with size bsize.
> - Second call fails due to out of memory. It frees buf, but keeps
> the old size in bsize.
> - Third call only checks if bsize is large enough. Then it uses
> buf without allocating it again -- the use after free happens.
>
> In order to exploit this, an attacker must change environment variables
> between each call, namely ICEAUTHORITY or HOME. It also takes subsequent
> calls. Due to these limitations, I don't consider this to be of high
> priority.
> ---
> src/authutil.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git src/authutil.c src/authutil.c
> index 04c0791..ca0504a 100644
> --- src/authutil.c
> +++ src/authutil.c
> @@ -114,8 +114,10 @@ IceAuthFileName (void)
> if (buf)
> free (buf);
> buf = malloc (size);
> - if (!buf)
> + if (!buf) {
> + bsize = 0;
> return (NULL);
> + }
> bsize = size;
> }
>
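Review bot: the added `bsize = 0;` on the failure path is the right minimal fix, because after `buf = malloc (size);` fails buf is NULL while bsize still advertises the old capacity, so a later call whose size fits the stale bsize skips the allocation and uses buf. An alternative that keeps the two statics consistent at every point, not only on the failure path, is to set `bsize = 0;` directly after `free (buf);` and before the malloc, at the cost of one extra store on the success path.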
> --
> 2.10.2
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: https://lists.x.org/mailman/listinfo/xorg-devel
--
Matthieu Herrb
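Reproduction of the three-call sequence described in the commit message, as an added example written for this page and not code from libICE: the two statics of IceAuthFileName are modelled as a struct so that the pre-patch and patched control flow run side by side, the directory is passed in rather than read from HOME, the directory names are constructed, and xmalloc is a hypothetical fault-injecting wrapper standing in for malloc failing under memory pressure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator wrapper for fault injection (not libICE code):
 * when fail_next_alloc is set, the next request returns NULL. */
static int fail_next_alloc;

static void *xmalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* The two statics of IceAuthFileName, as one struct. */
struct name_cache {
    char *buf;     /* heap buffer holding the path, NULL until first use */
    size_t bsize;  /* capacity the function believes buf has */
};

/* Pre-patch flow. Returns 1 if (re)allocated, 0 if the existing buffer
 * was trusted, -1 if allocation failed. */
static int ensure_capacity_vuln(struct name_cache *c, size_t size)
{
    if (size > c->bsize) {
        if (c->buf)
            free(c->buf);
        c->buf = xmalloc(size);
        if (!c->buf)
            return -1;     /* BUG: bsize still advertises the old capacity */
        c->bsize = size;
        return 1;
    }
    return 0;
}

/* Patched flow: a failed allocation also resets the advertised capacity. */
static int ensure_capacity_fixed(struct name_cache *c, size_t size)
{
    if (size > c->bsize) {
        if (c->buf)
            free(c->buf);
        c->buf = xmalloc(size);
        if (!c->buf) {
            c->bsize = 0;
            return -1;
        }
        c->bsize = size;
        return 1;
    }
    return 0;
}

/* Simplified IceAuthFileName. The write into buf is skipped when the
 * buffer is missing so the demo cannot crash; libICE writes
 * unconditionally, which is where the bug bites. */
static int auth_file_name(struct name_cache *c, const char *home,
                          int (*ensure)(struct name_cache *, size_t))
{
    size_t size = strlen(home) + strlen("/.ICEauthority") + 1;
    int rc = ensure(c, size);
    if (rc >= 0 && c->buf)
        snprintf(c->buf, c->bsize, "%s/.ICEauthority", home);
    return rc;
}

/* Replays the three calls with constructed directory names and returns
 * the ensure() result of the third call: 0 means the stale capacity was
 * trusted although the buffer had been freed and never replaced, 1 means
 * the buffer was reallocated. */
static int replay_sequence(int (*ensure)(struct name_cache *, size_t))
{
    struct name_cache c = { NULL, 0 };
    int third;

    auth_file_name(&c, "/home/alice", ensure);         /* 1: allocates 26 bytes */
    fail_next_alloc = 1;                                /* 2: longer name, malloc fails */
    auth_file_name(&c, "/home/alice/some/longer/dir", ensure);
    third = auth_file_name(&c, "/home/bob", ensure);    /* 3: 24 bytes fit the stale 26 */

    free(c.buf);
    return third;
}

int main(void)
{
    printf("pre-patch: third call %s\n",
           replay_sequence(ensure_capacity_vuln) == 0
               ? "skips allocation and trusts a freed buffer" : "reallocates");
    printf("patched:   third call %s\n",
           replay_sequence(ensure_capacity_fixed) == 1
               ? "reallocates the buffer" : "trusts stale capacity");
    return 0;
}
```

The second call needs a longer name than the first and the third a name no longer than the first, which is why the bug report requires the caller's environment to change between calls.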