[Bug 1099113] New: Heap overflow in X server compiled using GCC8 with LTO
http://bugzilla.opensuse.org/show_bug.cgi?id=1099113

            Bug ID: 1099113
           Summary: Heap overflow in X server compiled using GCC8 with LTO
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: X.Org
          Assignee: xorg-maintainer-bugs@forge.provo.novell.com
          Reporter: msrb@suse.com
        QA Contact: xorg-maintainer-bugs@forge.provo.novell.com
          Found By: ---
           Blocker: ---

This problem was already reported publicly on xorg-devel@x.lists.org:
https://lists.x.org/archives/xorg-devel/2018-June/057186.html

Since commit 83913de2 (xorg-server-1.19.99.903-20-g83913de25) X server causes
undefined behavior in XKBGAlloc.c by calling strlen on char[4] which does not
need to contain '\0'. Strlen would read into memory behind the array and (if it
did not crash) return some bogus huge number. That was later clamped back to 4
and used to memcpy data around.

GCC8 with LTO can prove that the strlen is called on char[4] and as such must
not return a number bigger than 3 or cause undefined behavior. The clamping to 4
is optimized away. In practice it means that the memcpy is called with a buffer
bigger than the destination.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Michal Srb
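The defect pattern described in the report, reduced to a small added C example that is not X server code: a constructed 4-byte key-name field, the strlen-then-clamp copy that the report says GCC 8 with LTO miscompiles, and a bounded-length replacement that never reads past the field. The struct, the function names and the sample key names are assumptions made for illustration only; the real XKBGAlloc.c types are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 4-byte name field the report describes
 * (assumption: not the real X server type). */
#define KEY_NAME_LEN 4

struct key_name {
    char name[KEY_NAME_LEN];   /* NOT guaranteed to be NUL-terminated */
};

/* The pattern the report describes. strlen() on a char[4] holding four
 * non-NUL bytes reads past the array (undefined behaviour). A compiler
 * that can see the array bound (GCC 8 with LTO, per the report) may
 * assume strlen() returns at most 3 and delete the clamp, so memcpy()
 * runs with a length larger than the destination. Kept only for
 * comparison; call it solely with a NUL-terminated name. */
size_t unsafe_key_name_copy(char *dst, const struct key_name *src)
{
    size_t len = strlen(src->name);          /* UB when no NUL within 4 bytes */
    if (len > KEY_NAME_LEN)                  /* the clamp LTO can optimise away */
        len = KEY_NAME_LEN;
    memcpy(dst, src->name, len);
    dst[len] = '\0';
    return len;
}

/* Hardened form: scan at most KEY_NAME_LEN bytes. Equivalent to
 * strnlen(name, KEY_NAME_LEN), written out so the bound is explicit. */
size_t key_name_length(const char *name)
{
    size_t len = 0;
    while (len < KEY_NAME_LEN && name[len] != '\0')
        len++;
    return len;
}

/* Copies the name into dst, which must hold KEY_NAME_LEN + 1 bytes, and
 * always NUL-terminates. Returns the number of name bytes copied (0..4). */
size_t safe_key_name_copy(char *dst, const struct key_name *src)
{
    size_t len = key_name_length(src->name);
    memcpy(dst, src->name, len);
    dst[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed inputs: a short name padded with NULs, and a name that
     * fills all four bytes with no terminator (the case behind the bug). */
    struct key_name short_name = { { 'T', 'A', 'B', '\0' } };
    struct key_name full_name  = { { 'A', 'E', '0', '1' } };
    char out[KEY_NAME_LEN + 1];

    unsafe_key_name_copy(out, &short_name);  /* defined: name is terminated */
    printf("unsafe, short: \"%s\"\n", out);

    safe_key_name_copy(out, &short_name);
    printf("safe,   short: \"%s\" (%zu bytes)\n", out, strlen(out));

    safe_key_name_copy(out, &full_name);
    printf("safe,   full:  \"%s\" (%zu bytes)\n", out, strlen(out));
    return 0;
}
```

The bounded scan is the whole fix: once the length can never exceed the field size, there is no clamp for the optimiser to remove and no read beyond the array for it to reason about. Building with -fsanitize=address (or simply with -O2 -flto on GCC 8, as the report notes) is the quickest way to see the difference between the two copy routines on a non-terminated name.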
--- Comment #1 from Michal Srb
http://bugzilla.opensuse.org/show_bug.cgi?id=1099113#c1

http://bugzilla.opensuse.org/show_bug.cgi?id=1099113#c2
Michal Srb