| Summary: | use after free on subsequenct erroneous calls | ||||||
|---|---|---|---|---|---|---|---|
| Product: | xorg | Reporter: | Tobias Stoeckmann <tobias> | ||||
| Component: | Lib/ICE | Assignee: | Xorg Project Team <xorg-team> | ||||
| Status: | RESOLVED FIXED | QA Contact: | Xorg Project Team <xorg-team> | ||||
| Severity: | normal | ||||||
| Priority: | medium | Keywords: | patch | ||||
| Version: | git | ||||||
| Hardware: | Other | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| i915 platform: | i915 features: | ||||||
| Attachments: |
|
||||||
patch committed ac4bb20e74e064b219de70e9b54516a921fdb7c3 Thanks. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 128149 [details] My proposed patch The function IceAuthFileName is vulnerable to a use after free. The flaw can be triggered by calling the function three times: - First call succeeds and stores the path in buf, a dynamically allocated buffer with size bsize. - Second call fails due to out of memory. It frees buf, but keeps the old size in bsize. - Third call only checks if bsize is large enough. Then it uses buf without allocating it again -- the use after free happens. In order to exploit this, an attacker must change environment variables between each call, namely ICEAUTHORITY or HOME. It also takes subsequent calls. Due to these limitations, I don't consider this to be of high priority.