Possible SEGV (buffer overflow) in glXQueryServerString()
Describe the issue
The glXQueryServerString() function trusts the on-the-wire string length returned in the xcb_glx_query_server_string_reply_t message. This may lead to a buffer overread in memcpy().
Here is the relevant source code + annotations:
libGLX_mesa.so:glx_query.c

```c
char * __glXQueryServerString(Display * dpy, ...)
{
    xcb_connection_t *c = XGetXCBConnection(dpy);
    xcb_glx_query_server_string_reply_t *reply =
        xcb_glx_query_server_string_reply(...);
    ...
    /* <---- To reproduce, set reply->str_len = 999999 in GDB */
    uint32_t len = xcb_glx_query_server_string_string_length(reply);
    char *buf = malloc(len);
    /* <---- The len was never checked, and can be any value. This
     * causes the following memcpy() to read beyond the end of
     * the reply buffer. */
    memcpy(buf, xcb_glx_query_server_string_string(reply), len);
    ...
}
```
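The following is an added example of how a consumer of this reply can bound the copy; it is not Mesa's code and not Mesa's eventual fix. It assumes the wire layout of xcb_glx_query_server_string_reply_t from xcb/glx.h (32-byte fixed header, `length` counting the extra 4-byte words that follow it, string bytes immediately after the header), reproduced here as `struct qss_reply_hdr` so the example builds without libxcb. The defensive point is that libxcb allocates exactly 32 + 4*`length` bytes for the reply, so `str_len` can be validated against that instead of being trusted. `make_reply` builds a constructed reply buffer (not real X traffic) with an arbitrary claimed `str_len` so both the honest and the forged case can be exercised.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the 32-byte fixed part of xcb_glx_query_server_string_reply_t
 * (assumed to match xcb/glx.h; copied here so the example needs no libxcb).
 * The string payload follows this header in the reply buffer. */
struct qss_reply_hdr {
    uint8_t  response_type;
    uint8_t  pad0;
    uint16_t sequence;
    uint32_t length;     /* number of extra 4-byte words after the header */
    uint8_t  pad1[4];
    uint32_t str_len;    /* server-supplied: must be treated as untrusted */
    uint8_t  pad2[16];
};

/* Hardened copy. The reply buffer libxcb hands back is 32 + 4*length bytes,
 * so a str_len larger than 4*length cannot be backed by real data and the
 * memcpy in the report would read past the allocation. Reject it instead.
 * Returns a NUL-terminated heap string, or NULL on a bad reply/OOM. */
char *copy_server_string_checked(const struct qss_reply_hdr *reply)
{
    if (reply == NULL)
        return NULL;

    uint64_t payload = (uint64_t)reply->length * 4;   /* bytes after header */
    if (reply->str_len > payload || reply->str_len == UINT32_MAX)
        return NULL;                                   /* forged/oversized */

    char *buf = malloc((size_t)reply->str_len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, (const uint8_t *)reply + sizeof *reply, reply->str_len);
    buf[reply->str_len] = '\0';   /* caller always receives a C string */
    return buf;
}

/* Constructed reply (hypothetical helper, not libxcb): carries `s` after a
 * 32-byte header, padded to 4 bytes as X11 does, with str_len set to
 * `claimed_len` so a forged value can be tested without touching real memory
 * beyond the buffer. Caller frees the result. */
struct qss_reply_hdr *make_reply(const char *s, uint32_t claimed_len)
{
    size_t n = strlen(s);
    size_t padded = (n + 3) & ~(size_t)3;
    struct qss_reply_hdr *r = calloc(1, sizeof *r + padded);
    if (r == NULL)
        return NULL;
    r->response_type = 1;                  /* X_Reply */
    r->length = (uint32_t)(padded / 4);    /* what libxcb would allocate */
    r->str_len = claimed_len;
    memcpy((uint8_t *)r + sizeof *r, s, n);
    return r;
}

int main(void)
{
    /* Honest reply: str_len matches the payload actually present. */
    struct qss_reply_hdr *ok = make_reply("GL_ARB_example", 14);
    char *s = copy_server_string_checked(ok);
    printf("honest reply  -> %s\n", s ? s : "(rejected)");
    free(s);
    free(ok);

    /* Forged reply: same 16-byte payload, str_len claims 999999 as in the
     * GDB reproduction above. The check refuses to copy. */
    struct qss_reply_hdr *bad = make_reply("GL_ARB_example", 999999);
    s = copy_server_string_checked(bad);
    printf("forged reply  -> %s\n", s ? s : "(rejected)");
    free(s);
    free(bad);
    return 0;
}
```

The bound used here (`str_len <= 4 * length`) is the tightest one available from the reply alone, since libxcb sizes the reply allocation from `length`; it also closes the unterminated-string hazard by always appending a NUL, which the original `malloc(len)` / `memcpy` pair does not do.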
System information
System:
Host: gjd-VirtualBox Kernel: 6.2.0-24-generic arch: x86_64 bits: 64
compiler: N/A Desktop: GNOME v: 44.0 tk: GTK v: 3.24.37 wm: gnome-shell
dm: GDM3 Distro: Ubuntu 23.04 (Lunar Lobster)
CPU:
Info: 8-core model: Intel Xeon E5-2630 v4 bits: 64 type: MCP arch: Broadwell
rev: 1 cache: L1: 512 KiB L2: 2 MiB L3: 200 MiB
Speed (MHz): avg: 2195 min/max: N/A cores: 1: 2195 2: 2195 3: 2195 4: 2195
5: 2195 6: 2195 7: 2195 8: 2195 bogomips: 35118
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3
Graphics:
Device-1: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter
driver: vboxvideo v: kernel ports: active: VGA-1 empty: none bus-ID: 00:02.0
chip-ID: 80ee:beef
Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.8
compositor: gnome-shell driver: X: loaded: modesetting unloaded: fbdev,vesa
alternate: vboxvideo dri: swrast gpu: vboxvideo display-ID: :1 screens: 1
Screen-1: 0 s-res: 3576x1999 s-dpi: 96
Monitor-1: VGA-1 model: VBOX monitor res: 3576x1999 size: N/A
API: OpenGL v: 4.5 Mesa 23.0.4-0ubuntu1~23.04.1 renderer: llvmpipe (LLVM
15.0.7 256 bits) direct-render: Yes