author | Ulrich Sibiller <uli42@gmx.de> | 2020-10-02 22:11:04 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2020-10-17 22:36:19 +0200 |
commit | ae037701fe9a6337375d51abb2ea5b7aafdb434e (patch) | |
tree | 255cb8e504ca769ea0e8d8b26875692d99a46be8 | |
parent | 2b0976e93809291eaff0725a5c0772e00a450e2b (diff) | |
nxagent: fix stack smashing
In compext, Atom has the size of XlibAtom. Therefore, calling functions
of Compext.c requires using/passing XlibAtom. The same applies to Window/XlibWindow.
==15438==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcdc0 at pc 0x5555556a81b5 bp 0x7fffffffcd10 sp 0x7fffffffcd08
WRITE of size 8 at 0x7fffffffcdc0 thread T0
#0 0x5555556a81b4 in NXGetCollectedProperty nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c:4124
#1 0x5555557d0488 in nxagentCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Clipboard.c:1202
#2 0x555555723340 in nxagentHandleCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:3923
#3 0x55555571d4db in nxagentHandleProxyEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:3007
#4 0x55555571bb92 in nxagentHandleClientMessageEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:2595
#5 0x555555717dfc in nxagentDispatchEvents nx-X11/programs/Xserver/hw/nxagent/Events.c:1827
#6 0x555555750813 in nxagentBlockHandler nx-X11/programs/Xserver/hw/nxagent/Handlers.c:437
#7 0x5555556c1b5d in BlockHandler nx-X11/programs/Xserver/dix/dixutils.c:403
#8 0x5555556d47ff in WaitForSomething nx-X11/programs/Xserver/os/WaitFor.c:232
#9 0x555555665b22 in Dispatch nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c:365
#10 0x5555555ed760 in main nx-X11/programs/Xserver/dix/main.c:350
#11 0x7ffff604909a in __libc_start_main ../csu/libc-start.c:308
#12 0x5555555edc09 in _start (nx-X11/programs/Xserver/nxagent+0x99c09)
Address 0x7fffffffcdc0 is located in stack of thread T0 at offset 32 in frame
#0 0x5555557d0324 in nxagentCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Clipboard.c:1190
This frame has 5 object(s):
[32, 36) 'atomReturnType' <== Memory access at offset 32 partially overflows this variable
[96, 100) 'resultFormat'
[160, 168) 'ulReturnItems'
[224, 232) 'ulReturnBytesLeft'
[288, 296) 'pszReturnData'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c:4124 in NXGetCollectedProperty
...
4 files changed, 22 insertions, 4 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
index ecc3f19be..7ca22ffad 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
@@ -1188,7 +1188,7 @@ static void transferSelection(int resource)
 void nxagentCollectPropertyEvent(int resource)
 {
- Atom atomReturnType;
+ XlibAtom atomReturnType;
 int resultFormat;
 unsigned long ulReturnItems;
 unsigned long ulReturnBytesLeft;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Events.c b/nx-X11/programs/Xserver/hw/nxagent/Events.c
index 346ee48d8..847d40918 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Events.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Events.c
@@ -3924,7 +3924,7 @@ void nxagentHandleCollectPropertyEvent(XEvent *X)
 }
 else
 {
- Atom atomReturnType;
+ XlibAtom atomReturnType;
 int resultFormat;
 unsigned long ulReturnItems;
 unsigned long ulReturnBytesLeft;
@@ -3940,8 +3940,8 @@ void nxagentHandleCollectPropertyEvent(XEvent *X)
 if (result == True)
 {
- Window window = nxagentPropertyRequests[resource].window;
- Atom property = nxagentPropertyRequests[resource].property;
+ XlibWindow window = nxagentPropertyRequests[resource].window;
+ XlibAtom property = nxagentPropertyRequests[resource].property;
 nxagentImportProperty(window, property, atomReturnType, resultFormat, ulReturnItems, ulReturnBytesLeft, pszReturnData);
diff --git a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
index 230c9abae..3492ef473 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
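Review bot: The new `XlibAtom atomReturnType;` declaration in nxagentCollectPropertyEvent (Clipboard.c) has no comment saying why the Xlib type is required, and the same holds for the identical declaration in the first Events.c hunk. The ASan report in the commit message shows NXGetCollectedProperty storing 8 bytes into what was a 4-byte stack object, so a later cleanup that switches the variable back to `Atom` would bring the stack overwrite back. I would add a line such as `/* must be XlibAtom: NXGetCollectedProperty() is built without _XSERVER64 and writes 8 bytes here */` above both declarations. The function body continues outside the hunk, so any later use of atomReturnType where a server-side Atom is expected should be checked for implicit narrowing.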
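Review bot: In the second Events.c hunk, `window` and `property` become XlibWindow/XlibAtom but are filled from `nxagentPropertyRequests[resource]` and passed straight to nxagentImportProperty together with the XlibAtom `atomReturnType`; neither the field types nor that function's prototype are visible here. If nxagentImportProperty still declares server-side `Window`/`Atom` parameters, every argument is converted implicitly at the call and the wider local types have no effect beyond the declaration. The prototype should be checked against these locals, and any narrowing that is intended should be written as an explicit cast. The enclosing function begins and ends outside the hunk.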
@@ -23,6 +23,12 @@
 /* */
 /**************************************************************************/
+/*
+ * let the types be the Xlib types by undefining _XSERVER64. This
+ * means, when calling the functions of this file from nxagent (where
+ * Agent.h has been included) you need to use/provide XlibAtom and
+ * XlibWindow instead of Atom and Window
+ */
 #undef _XSERVER64
 #include <sys/socket.h>
diff --git a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.h b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.h
index c0259a939..885d262a6 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.h
+++ b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.h
@@ -827,19 +827,31 @@ extern int NXCollectProperty(
 Display* /* display */,
 unsigned int /* resource */,
 Window /* window */,
+#ifdef XlibAtom
+ XlibAtom /* property */,
+#else
 Atom /* property */,
+#endif
 long /* long_offset */,
 long /* long_length */,
 Bool /* delete */,
+#ifdef XlibAtom
+ XlibAtom /* req_type */
+#else
 Atom /* req_type */
 #endif
+#endif
 );
 extern int NXGetCollectedProperty(
 #if NeedFunctionPrototypes
 Display* /* display */,
 unsigned int /* resource */,
+#ifdef XlibAtom
+ XlibAtom* /* actual_type_return */,
+#else
 Atom* /* actual_type_return */,
+#endif
 int* /* actual_format_return */,
 unsigned long* /* nitems_return */,
 unsigned long* /* bytes_after_return */, |
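Review bot: In the Compext.h hunk, the `Window /* window */` parameter of NXCollectProperty stays unguarded while both Atom parameters get an `#ifdef XlibAtom` alternative, although the commit message says the same size difference applies to Window/XlibWindow. Callers built with the server-side types would still see a prototype whose window argument differs in width from the definition in Compext.c; wrapping it in the same `#ifdef XlibWindow` / `#else` / `#endif` pattern would make the declaration consistent. The guards also only take effect if XlibAtom is a preprocessor macro defined before Compext.h is included (presumably via Agent.h, as the new comment in Compext.c suggests); otherwise the header silently falls back to `Atom*` and the mismatch that caused the 8-byte write into a 4-byte object remains. A one-line comment at the first guard stating that include-order requirement would help; the NXGetCollectedProperty prototype continues outside the hunk.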