Bug 961439

Summary: xserver: busfault handler corrupts memory
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Egbert Eich <eich>
Component: X.Org
Assignee: Egbert Eich <eich>
Status: RESOLVED FIXED
QA Contact: E-mail List <xorg-maintainer-bugs>
Severity: Normal
Priority: P5 - None
CC: pgeorgiadis
Version: Current
Flags: eich: needinfo? (pgeorgiadis)
Target Milestone: ---
Hardware: All
OS: openSUSE 42.1
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: fix.

Description Egbert Eich 2016-01-11 21:46:20 UTC
Created attachment 661373 [details]
fix.

The busfault handler contains this code:

    struct busfault     *busfault = NULL;
    xorg_list_for_each_entry(busfault, &busfaults, list) {
        if ((char *) busfault->addr <= (char *) fault && (char *) fault < (char *) busfault->addr + busfault->size) {
            break;
        }
    }
    if (!busfault)
        goto panic;

This is clearly wrong: in case the list is empty or doesn't contain a matching entry we should have busfault == NULL; however, it is set to busfaults.
When we go and write to the data structure we will most likely mess up other memory.
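The failure mode described in the report, reduced to a stand-alone C program (an added example, not xserver code and not the attached fix). The list type, `for_each_entry`, `find_buggy`, `find_checked` and `lookup_is_sound` are hypothetical names, and the sample segments are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive list written for this example (assumption: not xserver's list.h). */
struct list { struct list *next, *prev; };
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
#define for_each_entry(pos, head, m)                                   \
    for (pos = container_of((head)->next, struct busfault, m);         \
         &pos->m != (head);                                            \
         pos = container_of(pos->m.next, struct busfault, m))
struct busfault { struct list list; void *addr; size_t size; };

static int covers(const struct busfault *b, const void *fault) {
    return (const char *)b->addr <= (const char *)fault &&
           (const char *)fault < (const char *)b->addr + b->size;
}

/* Pattern from the report: the loop cursor doubles as the result. */
static struct busfault *find_buggy(struct list *head, void *fault) {
    struct busfault *b = NULL;
    for_each_entry(b, head, list)
        if (covers(b, fault))
            break;
    return b; /* on a miss: a pointer derived from the list head, never NULL */
}

/* One way to correct it: a separate result pointer, set only on a match. */
static struct busfault *find_checked(struct list *head, void *fault) {
    struct busfault *b, *found = NULL;
    for_each_entry(b, head, list)
        if (covers(b, fault)) { found = b; break; }
    return found;
}

/* Returns 1 if `find` yields NULL on an empty list and on a list with no
 * matching entry, and the entry itself on a match. */
static int lookup_is_sound(struct busfault *(*find)(struct list *, void *)) {
    static char seg[64], other[8];          /* constructed sample segments */
    struct list head = { &head, &head };
    struct busfault e = { .addr = seg, .size = sizeof seg };
    int empty_ok = find(&head, other) == NULL;
    e.list.next = e.list.prev = &head;      /* insert e as the only entry */
    head.next = head.prev = &e.list;
    return empty_ok && find(&head, other) == NULL && find(&head, seg + 10) == &e;
}

int main(void) {
    printf("buggy lookup sound:   %d\n", lookup_is_sound(find_buggy));   /* 0 */
    printf("checked lookup sound: %d\n", lookup_is_sound(find_checked)); /* 1 */
}
```

With the buggy pattern a `NULL` check after the loop can never fire, so a miss falls through to code that treats list-head memory as a `struct busfault`.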
Comment 1 Egbert Eich 2016-01-11 22:14:46 UTC
Fixed for X11:XOrg, 13.2 and Leap 42.1.
MR ID#353153
Comment 3 Bernhard Wiedemann 2016-01-11 23:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (961439) was mentioned in
https://build.opensuse.org/request/show/353153 42.1+13.2 / xorg-x11-server
Comment 4 Swamp Workflow Management 2016-01-18 19:11:56 UTC
openSUSE-RU-2016:0158-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 961439
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    xorg-x11-server-7.6_1.17.2-12.1
openSUSE 13.2 (src):    xorg-x11-server-7.6_1.16.1-28.1
Comment 7 Swamp Workflow Management 2016-02-05 18:14:32 UTC
SUSE-RU-2016:0350-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 771521,867483,954321,961439,962295
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-30.14.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-30.14.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-30.14.1
Comment 8 Swamp Workflow Management 2016-02-05 18:15:43 UTC
SUSE-RU-2016:0351-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 771521,867483,954321,961439,962295
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xorg-x11-server-7.6_1.15.2-46.1
SUSE Linux Enterprise Server 12-SP1 (src):    xorg-x11-server-7.6_1.15.2-46.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xorg-x11-server-7.6_1.15.2-46.1