Bug 43988

Summary: crtc->desiredMode.name can point to freed memory.
Product: xorg
Component: Server/General
Version: git
Hardware: All
OS: Linux (All)
Status: RESOLVED DUPLICATE
Severity: major
Priority: high
Keywords: patch
Whiteboard: 2012BRB_Reviewed
Reporter: Tony DeFeo <tdefeo>
Assignee: Xorg Project Team <xorg-team>
QA Contact: Xorg Project Team <xorg-team>
Bug Depends on:    
Bug Blocks: 40982, 44202    
Attachments:
- Attachment 54603: Patch containing my fix to the bug. (flags: none)
- Attachment 54609: Updated patch to fix bug (original patch was missing a null check). (flags: none)

Description Tony DeFeo 2011-12-20 10:27:09 UTC
Created attachment 54603 [details]
Patch containing my fix to the bug.

While using valgrind to look for memory leaks in a touchscreen driver I'm working on, I stumbled upon the following:

The crtc->desiredMode element contains a copy of the desired mode, including a copy of the pointer to the mode name. When entering/leaving a virtual terminal, the original mode & name get freed, leaving crtc->desiredMode.name pointing to freed memory. This freed memory is read later when the desired mode is copied.

This did not cause a crash in my instance, though it theoretically could.

I have attached patch files with my fix for your reference.

Server was built by me from git code, and is version 1.11.99.1

Thanks,
Tony DeFeo
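The pattern the report describes, as an added example that is neither the xserver's code nor the attached patch: a struct holding a char * is copied by plain assignment, so the copy carries the same name pointer as the original, and freeing the original (as a VT switch does to the mode list) leaves the copy's name dangling. The type and function names below (ModeRec, CrtcRec, crtc_set_desired_shallow, crtc_set_desired_deep) are hypothetical stand-ins, not xserver identifiers, and the deep-copy variant is one way to give the crtc ownership of its name, not the change this bug was eventually closed against.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins mirroring the description; the real xserver
 * mode and crtc structures are not reproduced here. */
typedef struct {
    char *name;          /* heap-allocated name, owned by the mode */
    int   hdisplay;
    int   vdisplay;
} ModeRec;

typedef struct {
    ModeRec desiredMode; /* a by-value copy of a mode, as on the crtc */
} CrtcRec;

/* Allocate a mode the way a driver's mode list might own one. */
static ModeRec *mode_create(const char *name, int hdisplay, int vdisplay)
{
    ModeRec *m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->name = strdup(name);      /* the buffer a shallow copy aliases */
    m->hdisplay = hdisplay;
    m->vdisplay = vdisplay;
    return m;
}

/* Free a mode and its name: what happens to the original on VT switch. */
static void mode_destroy(ModeRec *m)
{
    if (!m)
        return;
    free(m->name);
    free(m);
}

/* The bug's pattern: struct assignment copies the name pointer, not the
 * string, so crtc->desiredMode.name aliases the original's buffer. */
static void crtc_set_desired_shallow(CrtcRec *crtc, const ModeRec *m)
{
    crtc->desiredMode = *m;
}

/* Defensive variant: the crtc owns a private copy of the name and frees
 * the previous one. The NULL check is the kind of omission comment 1
 * says the first patch had to add. Returns 0 on success, -1 on OOM. */
static int crtc_set_desired_deep(CrtcRec *crtc, const ModeRec *m)
{
    char *old_name = crtc->desiredMode.name;
    char *dup = NULL;

    if (m->name) {
        dup = strdup(m->name);
        if (!dup)
            return -1;           /* leave the crtc untouched on failure */
    }
    crtc->desiredMode = *m;
    crtc->desiredMode.name = dup;
    free(old_name);
    return 0;
}

/* Shows the aliasing without touching freed memory: the copied pointer
 * equals the original's, so mode_destroy() leaves it dangling. Returns 1
 * if the copy aliases the original name. */
static int shallow_copy_aliases_name(void)
{
    CrtcRec crtc = { { NULL, 0, 0 } };
    ModeRec *m = mode_create("1024x768", 1024, 768);   /* constructed input */
    int aliased;

    if (!m)
        return -1;
    crtc_set_desired_shallow(&crtc, m);
    aliased = (crtc.desiredMode.name == m->name);
    mode_destroy(m);
    /* crtc.desiredMode.name now dangles; reading it would be the bug. */
    return aliased;
}

/* With the deep copy the crtc's name stays valid after the original mode
 * is destroyed. Returns 1 if the name and geometry are intact. */
static int deep_copy_survives_free(void)
{
    CrtcRec crtc = { { NULL, 0, 0 } };
    ModeRec *m = mode_create("1024x768", 1024, 768);   /* constructed input */
    int intact;

    if (!m)
        return -1;
    if (crtc_set_desired_deep(&crtc, m) != 0) {
        mode_destroy(m);
        return -1;
    }
    mode_destroy(m);
    intact = (crtc.desiredMode.name != NULL &&
              strcmp(crtc.desiredMode.name, "1024x768") == 0 &&
              crtc.desiredMode.hdisplay == 1024);
    free(crtc.desiredMode.name);  /* the crtc owns it, so the crtc frees it */
    return intact;
}

int main(void)
{
    return (shallow_copy_aliases_name() == 1 &&
            deep_copy_survives_free() == 1) ? 0 : 1;
}
```

The shallow case deliberately compares pointers before the free rather than dereferencing the dangling name afterwards; under valgrind, a strcmp on crtc.desiredMode.name at that point would be reported as an invalid read, which is the symptom the report saw. Whichever fix is chosen, the owner of the duplicated string must also free it wherever desiredMode is cleared or overwritten, or the use-after-free is traded for a leak.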
Comment 1 Tony DeFeo 2011-12-20 11:38:59 UTC
Created attachment 54609 [details] [review]
Updated patch to fix bug (original patch was missing a null check).
Comment 2 Julien Cristau 2011-12-23 13:28:45 UTC
> --- Comment #1 from Tony DeFeo <tdefeo@itsgames.com> 2011-12-20 11:38:59 PST ---
> Created attachment 54609 [details] [review]
>   --> https://bugs.freedesktop.org/attachment.cgi?id=54609
> Updated patch to fix bug (original patch was missing a null check).
> 
Could you please send the patch to xorg-devel@lists.x.org per
http://www.x.org/wiki/Development/Documentation/SubmittingPatches?
Comment 3 Jeremy Huddleston Sequoia 2012-01-02 20:48:55 UTC
Use C comments, not C++ comments (ie /* ... */ rather than // ....)
Comment 4 Jeremy Huddleston Sequoia 2012-03-24 11:54:10 UTC
Tony: ping
Comment 5 Alan Coopersmith 2013-02-10 17:44:40 UTC
I think this is fixed by
http://cgit.freedesktop.org/xorg/xserver/commit/?id=deb08658e2a6b1647a7213a316c6f3019bcdce48

*** This bug has been marked as a duplicate of bug 36108 ***
