## libICE issues
https://gitlab.freedesktop.org/xorg/lib/libice/-/issues (feed updated 2018-08-17T05:46:04Z)

## Issue #5: libICE : Dereferencing a possible NULL pointer in error.c
https://gitlab.freedesktop.org/xorg/lib/libice/-/issues/5
Opened 2018-08-17T05:46:04Z by Bugzilla Migration User
## Submitted by mah..@..ng.com
Assigned to **Xorg Project Team**
**[Link to original bug (#92885)](https://bugs.freedesktop.org/show_bug.cgi?id=92885)**
## Description
Created attachment 119532
Patch file
Component: LibICE
Version: 1.0.9
File where error is: src/error.c
Function where error is: _IceErrorSetupFailed
Line of Error: 188
In function _IceErrorSetupFailed at line no. 187, IceAllocScratch is used to allocate memory for the variables pStart and pBuf.
IceAllocScratch uses malloc for memory allocation; malloc can return NULL on failure.
So before dereferencing pStart and pBuf, a NULL check must be applied.
Suggested patch:
```
diff --git a/src/error.c b/src/error.c
index 9187256..fc50722 100644
--- a/src/error.c
+++ b/src/error.c
@@ -184,9 +184,11 @@ _IceErrorSetupFailed (
WORD64COUNT (bytes));
pBuf = pStart = IceAllocScratch (iceConn, PADDED_BYTES64 (bytes));
- STORE_STRING (pBuf, reason);
-
- IceWriteData (iceConn, PADDED_BYTES64 (bytes), pStart);
+ if (!pStart)
+ {
+ STORE_STRING (pBuf, reason);
+ IceWriteData (iceConn, PADDED_BYTES64 (bytes), pStart);
+ }
IceFlush (iceConn);
}
```
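Review bot: the guard in the added lines is inverted. `if (!pStart)` runs `STORE_STRING (pBuf, reason);` and `IceWriteData (iceConn, PADDED_BYTES64 (bytes), pStart);` only when `IceAllocScratch` returned NULL, and skips them on every successful allocation, so the reason string is never written in the normal case and the NULL pointer the patch is meant to avoid is the only thing ever dereferenced; it should read `if (pStart)`. The unchanged context line `IceFlush (iceConn);` still runs on the failure path, so the patch should also decide what gets flushed when the body could not be built rather than silently sending whatever was queued before the allocation.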
There are many similar cases in error.c; please check the attached patch file.
**Attachment 119532**, "Patch file":
[0001-libICE-Dereferencing-a-possible-NULL-pointer-in-erro.patch](/uploads/e127f7817c14797798535ff9838ec9e8/0001-libICE-Dereferencing-a-possible-NULL-pointer-in-erro.patch)
Version: git

## Issue #3: Accessing freed memory in LibICE version 1.0.9 in file "process.c" at line 1177, as the relevant pointer is not assigned NULL after freeing
https://gitlab.freedesktop.org/xorg/lib/libice/-/issues/3
Opened 2019-04-10T10:20:20Z by Bugzilla Migration User
## Submitted by Sachin Kumar Gupta
Assigned to **Xorg Project Team**
**[Link to original bug (#83235)](https://bugs.freedesktop.org/show_bug.cgi?id=83235)**
## Description
Created attachment 105420
Patch for the reported bug.
Component: LibICE
Version: 1.0.9
File where error is: src/process.c
Function where error is: ProcessAuthRequired
Line of Error: 1177
In reference to code mentioned below:
Here the "iceConn->connect_to_you" in the "if conditional" may have been freed before by "IceReadCompleteMessage", which is a macro that internally calls "_IceRead", which calls "_IceFreeConnection", which frees "iceConn->connect_to_you" but does not assign NULL to it. So even if "iceConn->connect_to_you" has been freed, the if conditional will evaluate TRUE, as "iceConn->connect_to_you" has not been assigned NULL, and in this case it is dereferenced later as:
iceConn->connect_to_you->auth_active = 1;
Code where error exists (LibICE v1.0.9 code):
```c
if (iceConn->connect_to_you)    /* still non-NULL even if _IceFreeConnection already ran */
{
    if ((int) message->authIndex >= _IceAuthCount)
    {
        _IceConnectionError *errorReply =
            &(((_IceReply *) (replyWait->reply))->connection_error);
        const char *tempstr
            = "Received bad authIndex in the AuthRequired message";
        char errIndex = (int) message->authIndex;

        errorString = strdup(tempstr);
        errorReply->type = ICE_CONNECTION_ERROR;
        errorReply->error_message = errorString;

        _IceErrorBadValue (iceConn, 0,
            ICE_AuthRequired, 2, 1, &errIndex);

        IceDisposeCompleteMessage (iceConn, authData);
        return (1);
    }
    else
    {
        authProc = _IcePoAuthProcs[message->authIndex];
        iceConn->connect_to_you->auth_active = 1;   /* dereference of a possibly freed pointer */
    }
}
```
File where fix is to be made: "src/shutdown.c"
Function where fix is required: _IceFreeConnection
LibICE version 1.0.9 code:
```c
if (iceConn->connect_to_you)
    free (iceConn->connect_to_you);     /* pointer is left dangling */
```
Recommended Code:
```c
if (iceConn->connect_to_you)
{
    free (iceConn->connect_to_you);
    iceConn->connect_to_you = NULL;     /* later "if (iceConn->connect_to_you)" checks now see NULL */
}
```
I am attaching a patch for the same, "shutdown.patch".
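The free-without-clear pattern this report describes, as an added example that is not libICE's code and not the reporter's patch. The struct and function names mirror the report; the single-slot pool is a constructed, instrumented stand-in for malloc/free so that a write through the dangling pointer is reported deterministically instead of being undefined behaviour, and the nested `IceReadCompleteMessage` -> `_IceRead` -> `_IceFreeConnection` call is modelled as a `teardown` callback that runs before the `if` check.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libICE code. Struct and function names mirror the bug
 * report; the single-slot pool below is a constructed, instrumented stand-in
 * for malloc/free so a write through a dangling pointer is reported
 * deterministically rather than being undefined behaviour. */

typedef struct {
    int auth_active;
} ConnectToYouInfo;

typedef struct {
    ConnectToYouInfo *connect_to_you;   /* released by the connection teardown */
} IceConnLike;

/* Instrumented single-slot allocator. */
static ConnectToYouInfo pool_slot;
static int pool_live = 0;

static ConnectToYouInfo *pool_alloc(void)
{
    if (pool_live)
        return NULL;                    /* slot already handed out */
    memset(&pool_slot, 0, sizeof pool_slot);
    pool_live = 1;
    return &pool_slot;
}

static void pool_free(ConnectToYouInfo *p)
{
    if (p == &pool_slot)
        pool_live = 0;                  /* the object is now "freed" */
}

/* Sets auth_active = 1; returns -1 instead if the object was already freed. */
static int write_auth_active(ConnectToYouInfo *p)
{
    if (p != &pool_slot || !pool_live)
        return -1;                      /* use-after-free caught here */
    p->auth_active = 1;
    return 0;
}

/* The 1.0.9 pattern quoted in the report: free, but leave the pointer set. */
static void free_connection_unsafe(IceConnLike *c)
{
    if (c->connect_to_you)
        pool_free(c->connect_to_you);
}

/* The recommended pattern: free and clear, so later NULL checks are honest. */
static void free_connection_safe(IceConnLike *c)
{
    if (c->connect_to_you) {
        pool_free(c->connect_to_you);
        c->connect_to_you = NULL;
    }
}

/* Stand-in for the ProcessAuthRequired path. `teardown` models the nested
 * read that may free the connection before the if check. Returns:
 *    1  auth_active was set on a live object
 *    0  skipped because connect_to_you is NULL
 *   -1  wrote through a dangling pointer (the reported bug)              */
static int process_auth_required(IceConnLike *c, void (*teardown)(IceConnLike *))
{
    if (teardown)
        teardown(c);
    if (c->connect_to_you) {
        if (write_auth_active(c->connect_to_you) != 0)
            return -1;
        return 1;
    }
    return 0;
}

/* Runs one fresh connection through the path with the given teardown. */
static int run_scenario(void (*teardown)(IceConnLike *))
{
    IceConnLike conn;
    pool_live = 0;                      /* reset the pool between scenarios */
    conn.connect_to_you = pool_alloc();
    return process_auth_required(&conn, teardown);
}

int main(void)
{
    printf("no teardown -> %d (expect 1)\n", run_scenario(NULL));
    printf("unsafe free -> %d (expect -1, use-after-free)\n", run_scenario(free_connection_unsafe));
    printf("safe free   -> %d (expect 0, skipped)\n", run_scenario(free_connection_safe));
    return 0;
}
```

The unsafe teardown leaves `connect_to_you` pointing at released storage, so the `if` check passes and the write lands on a dead object; the safe teardown makes the same check skip the write. With the real allocator the bad write would be silent or a crash, which is why the instrumented pool is used here.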
~~**Attachment 105420**~~, "Patch for the reported bug.":
[shutdown.patch](/uploads/902e91121675879ae102b5da98744be0/shutdown.patch)

## Issue #1: Current /tmp/.ICE-unix handling can lead to local DoS
https://gitlab.freedesktop.org/xorg/lib/libice/-/issues/1
Opened 2018-08-10T20:19:50Z by Bugzilla Migration User
## Submitted by Jean Delvare
Assigned to **Xorg Project Team**
**[Link to original bug (#22586)](https://bugs.freedesktop.org/show_bug.cgi?id=22586)**
## Description
When starting a new X session, one or more sockets are created in /tmp/.ICE-unix. One of these sockets is named after the PID of the process. This means that it is trivial for a local user of the system to prevent all other users from logging in, causing a local DoS. This can be done with the following command:
```sh
seq 1 $(cat /proc/sys/kernel/pid_max) | (cd /tmp/.ICE-unix && xargs touch)
```
I've verified it on a variety of Linux distributions, including Slackware 12.0, SLED10 SP2 and openSUSE 11.1.
Evil intentions aside, as sockets created in /tmp/.ICE-unix are not deleted on logout, on systems with many users logins will eventually start failing after some time in use. I did experience this on a system with 3 users after just a few months (this is how I noticed the problem).
I think that at least the sockets should be deleted when logging out. Then the socket names should be made non-predictable to prevent any local DoS attack.
Version: 7.4 (2008.09)
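A defender's check for the two conditions described in this report, as an added example that is not part of the report or of libICE: it audits a directory laid out like /tmp/.ICE-unix, where each entry should be a Unix socket named after the PID of the process that created it, and classifies every entry as a live socket, a stale socket whose PID no longer exists (the leftover-after-logout problem), or something that is not a socket at all (a regular file occupying a PID-shaped name, which is what blocks a later session from binding). The sample directory it builds under /tmp, the squatter name 12345 and the dead PID 99999999 are constructed for the demonstration; in use, the real directory path is passed to `audit_ice_dir` instead.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Added example, not libICE code: audits a directory laid out like /tmp/.ICE-unix,
 * where every entry should be a Unix socket named after its creator's PID. */
typedef struct {
    int live_sockets;   /* socket whose PID is still running */
    int stale_sockets;  /* socket whose PID is gone: never cleaned up at logout */
    int non_sockets;    /* anything that is not a socket, e.g. a file squatting on a PID name */
} IceDirAudit;

/* Classifies every entry of dir; returns 0, or -1 if dir cannot be opened. */
static int audit_ice_dir(const char *dir, IceDirAudit *out)
{
    memset(out, 0, sizeof *out);
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        pid_t pid = (pid_t)atol(ent->d_name);   /* 0 for names that are not PIDs */
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (lstat(path, &st) != 0) continue;
        if (!S_ISSOCK(st.st_mode))
            out->non_sockets++;     /* e.g. a "touch"ed file blocking this PID's socket */
        else if (pid > 0 && (kill(pid, 0) == 0 || errno == EPERM))
            out->live_sockets++;    /* kill(pid, 0) sends nothing; EPERM still means it exists */
        else
            out->stale_sockets++;   /* leftover from a session that has ended */
    }
    closedir(d);
    return 0;
}

/* Creates an empty Unix-socket file at path (what an ICE listener leaves behind). */
static int make_socket_file(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), rc;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    close(fd);                  /* the socket file stays on disk after close */
    return rc;
}

/* Builds a constructed sample directory: a regular file squatting on a PID-shaped
 * name, a socket for a PID that no longer exists, and a socket for our own (live)
 * PID. Returns the path in a static buffer, or NULL on failure. */
static const char *make_sample_dir(void)
{
    static char dir[64];
    char path[128];
    FILE *f;
    strcpy(dir, "/tmp/ice-audit-XXXXXX");
    if (!mkdtemp(dir)) return NULL;
    snprintf(path, sizeof path, "%s/12345", dir);       /* constructed squatter file */
    if ((f = fopen(path, "w"))) fclose(f);
    snprintf(path, sizeof path, "%s/99999999", dir);    /* constructed dead PID */
    make_socket_file(path);
    snprintf(path, sizeof path, "%s/%ld", dir, (long)getpid());
    make_socket_file(path);
    return dir;
}

/* Deletes the sample directory's entries and the directory; 0 on success. */
static int remove_sample_dir(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    char path[4096];
    if (!d) return -1;
    while ((ent = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        unlink(path);           /* fails harmlessly for "." and ".." */
    }
    closedir(d);
    return rmdir(dir);
}

int main(void)
{
    IceDirAudit a;
    const char *dir = make_sample_dir();
    if (!dir || audit_ice_dir(dir, &a) != 0) return 1;
    printf("live=%d stale=%d non-sockets=%d\n", a.live_sockets, a.stale_sockets, a.non_sockets);
    return remove_sample_dir(dir);
}
```

Run against the real directory, a non-zero `non_sockets` count is the signature of the squatting described in the report, and a growing `stale_sockets` count is the logout clean-up problem; both are worth alerting on from a session-manager health check rather than waiting for logins to fail.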