Segmentation fault in client_node_demarshal_update() due to alloca() overflow.
- PipeWire version (`pipewire --version`): current master (fd1112c4)
- Distribution and distribution version (`PRETTY_NAME` from `/etc/os-release`): ArchLinux
- Desktop Environment: sway
- Kernel version (`uname -r`): 5.16.3-arch1-1
Description of Problem:
While investigating a misbehaving client I encountered a segfault in the daemon:
Trace:

```
#0 0x00007fb984c2c846 in client_node_demarshal_update (object=0x5594ef7924d0, msg=<optimized out>) at ../src/modules/module-client-node/protocol-native.c:944
#1 0x00007fb985cd6b0b in process_messages (data=0x5594ef751070) at ../src/modules/module-protocol-native.c:252
#2 0x00007fb985cd6cd1 in connection_data (data=0x5594ef751070, fd=<optimized out>, mask=1) at ../src/modules/module-protocol-native.c:318
#3 0x00007fb98661a5bb in loop_iterate (object=0x5594ef56ba08, timeout=<optimized out>) at ../spa/plugins/support/loop.c:337
#4 0x00007fb9866914bf in pw_main_loop_run (loop=loop@entry=0x5594ef56b8c0) at ../src/pipewire/main-loop.c:148
#5 0x00005594ed850411 in main (argc=<optimized out>, argv=<optimized out>) at ../src/daemon/pipewire.c:129
```
For some reason `n_params` is 1073741909, which leads to a large allocation of 8589935272 bytes that overflows the stack. This is undefined behavior.
As `client_node_demarshal_update()` is handling (potentially remote) user input it should not use `alloca()` but instead use `calloc()`. There are multiple other users of `alloca()` with user-supplied input that should also be migrated to a safe alternative (`calloc()` for array allocations).
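As an added illustration (not PipeWire's code or its actual fix), a C sketch of the pattern the report asks for: the client-supplied count is bounded and checked against what the message actually carries before any allocation, and the array comes from `calloc()` instead of `alloca()`. The `update_msg` struct, `MAX_PARAMS` and the helper names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on params per update; not a PipeWire constant. */
#define MAX_PARAMS 4096

/* Constructed stand-in for the decoded update message: the count the
 * (untrusted) client claims, plus the entries the buffer really holds. */
struct update_msg {
    uint32_t n_params;      /* count claimed by the client */
    size_t avail;           /* entries actually present in the buffer */
    const void **params;    /* the entries themselves */
};

/* Hardened demarshal: reject an implausible or unbacked count before any
 * allocation derived from it, then allocate on the heap so a bad count
 * yields NULL rather than a smashed stack. Returns 0 and a caller-freed
 * array, or a negative errno. */
int demarshal_update_safe(const struct update_msg *msg,
                          const void ***out, uint32_t *n_out)
{
    *out = NULL;
    *n_out = 0;
    if (msg->n_params > MAX_PARAMS || msg->n_params > msg->avail)
        return -EINVAL;         /* untrusted count fails validation */
    if (msg->n_params == 0)
        return 0;
    const void **params = calloc(msg->n_params, sizeof(*params));
    if (params == NULL)
        return -ENOMEM;         /* heap exhaustion is reported, not UB */
    memcpy(params, msg->params, msg->n_params * sizeof(*params));
    *out = params;
    *n_out = msg->n_params;
    return 0;
}

/* Bytes the original alloca(n_params * sizeof(void *)) would have demanded. */
uint64_t alloca_bytes_for(uint32_t n_params)
{
    return (uint64_t)n_params * sizeof(void *);
}

/* Driver: a constructed message holding `avail` real entries (max 8) but
 * claiming `n_params`. Returns the demarshal result code. */
int try_update(uint32_t n_params, size_t avail)
{
    static const void *buf[8];
    if (avail > 8) avail = 8;
    struct update_msg msg = { n_params, avail, buf };
    const void **out; uint32_t n;
    int rc = demarshal_update_safe(&msg, &out, &n);
    free(out);
    return rc;
}
```

With the count from the trace, `alloca_bytes_for(1073741909)` reproduces the 8589935272-byte stack demand on a 64-bit build, while `try_update()` rejects that count with `-EINVAL` before allocating anything.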