Bug 98822 - use after free on subsequent erroneous calls
Summary: use after free on subsequent erroneous calls
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/ICE (show other bugs)
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Keywords: patch
Reported: 2016-11-22 20:13 UTC by Tobias Stoeckmann
Modified: 2016-12-10 08:09 UTC (History)

Attachments
My proposed patch (1.26 KB, application/mbox)
2016-11-22 20:13 UTC, Tobias Stoeckmann

Description Tobias Stoeckmann 2016-11-22 20:13:29 UTC
Created attachment 128149 [details]
My proposed patch

The function IceAuthFileName is vulnerable to a use after free. The
flaw can be triggered by calling the function three times:

- First call succeeds and stores the path in buf, a dynamically
  allocated buffer with size bsize.
- Second call fails due to out of memory. It frees buf, but keeps
  the old size in bsize.
- Third call only checks if bsize is large enough. Then it uses
  buf without allocating it again -- the use after free happens.

In order to exploit this, an attacker must change environment variables
between each call, namely ICEAUTHORITY or HOME. It also takes subsequent
calls. Due to these limitations, I don't consider this to be of high
priority.
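The three-call sequence described in the report, as an added C model; this is not libICE's code and not the attached patch. The names buf, bsize, buf_live and fail_next_alloc are constructed for illustration, the model records a would-be write into a buffer that is no longer allocated instead of performing it, and the fix it shows (dropping the cached size when the buffer is released) is one way to close the gap, not a claim about what was committed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the caching pattern the report describes; it is not
 * libICE's own code. The path is built into a buffer kept between calls. */
static char *buf = NULL;        /* cached buffer, NULL or stale after a failed grow */
static size_t bsize = 0;        /* capacity the code believes buf has */
static int buf_live = 0;        /* model-only: is buf currently allocated? */
static int fail_next_alloc = 0; /* model-only hook to simulate out of memory */

static void *xmalloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Returns "<dir>/.ICEauthority" in the cached buffer, NULL on failure.
 * fixed == 0 reproduces the flaw; fixed == 1 resets bsize when the grow fails.
 * *uaf is set when the unfixed code would write through a buffer that is no
 * longer allocated; the model stops there instead of performing the write. */
static const char *auth_file_name(const char *dir, int fixed, int *uaf) {
    size_t need = strlen(dir) + strlen("/.ICEauthority") + 1;
    *uaf = 0;
    if (bsize < need) {                 /* the only path that (re)allocates */
        if (buf) { free(buf); buf_live = 0; }
        buf = xmalloc(need);
        if (buf == NULL) {
            if (fixed) bsize = 0;       /* fix: capacity went away with the buffer */
            return NULL;                /* flaw: stale bsize survives the free */
        }
        buf_live = 1;
        bsize = need;
    }
    if (!buf_live) { *uaf = 1; return NULL; }  /* would be the use after free */
    snprintf(buf, bsize, "%s/.ICEauthority", dir);
    return buf;
}

/* Three calls as in the report: success, out of memory on a longer path, then
 * a path that fits the old size. Returns 1 if the third call hit the stale buffer. */
static int three_calls(int fixed) {
    int uaf;
    bsize = 0; buf = NULL; buf_live = 0;          /* fresh state per run */
    auth_file_name("/home/alice", fixed, &uaf);
    fail_next_alloc = 1;
    auth_file_name("/home/alice/much/longer/dir", fixed, &uaf);
    auth_file_name("/home/bob", fixed, &uaf);
    if (buf_live) { free(buf); buf = NULL; buf_live = 0; }
    return uaf;
}
```

Changing the directory between calls stands in for the ICEAUTHORITY or HOME changes the report mentions; only the unfixed run reports the stale-buffer use.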
Comment 1 Matthieu Herrb 2016-12-10 08:09:43 UTC
patch committed ac4bb20e74e064b219de70e9b54516a921fdb7c3
Thanks.
