[PATCH] os: Make sure big requests have sufficient length.
Eric Anholt
eric at anholt.net
Mon Sep 25 19:55:47 UTC 2017
Michal Srb <msrb at suse.com> writes:
> On neděle 24. září 2017 0:20:07 CEST Eric Anholt wrote:
>> Michal Srb <msrb at suse.com> writes:
>> > Here is a script that can be used to crash X server using a broken big
>> > request for PolyLine. It connects to DISPLAY=:1 and doesn't support
>> > authentication. Look inside the script for more details.
>> >
>> > Other requests could be used to crash X server in similar way, for example
>> > SetFontPath.
>>
>> I noticed this still in my mailbox. I tried writing an mergeable unit
>> test for it at:
>>
>> https://github.com/anholt/xserver/commit/d0e9d732750aa8eb7eeb33adce321f1dfee
>> f265d
>>
>> but it doesn't manage to crash the server because I can't set the endian
>> mode using xcb (and xcb, sensibly, doesn't let me get an fd without
>> doing connection setup on it).
>>
>> I don't know much about the codepath with the bug, but hopefully this
>> sparks some discussion.
>
> Hi,
>
> I think in your test case the underflow of the request length still happens,
> but it doesn't crash because nobody tries to access the data. It ends inside
> ProcPolyLine because the Drawable and the GC are not valid.
>
> In my test case the client was big endian, so it crashed inside SProcPoly
> trying to swap the (incorrectly) huge request.
>
> I think if you supply valid Drawable and GC, you should get crash even with
> little endian.
I tried creating a gc against the root window and doing the drawing
there, but the request seems to process successfully. bigreq branch
updated with that code.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg-devel/attachments/20170925/97635f94/attachment-0001.sig>
More information about the xorg-devel
mailing list