typo in mod() macro leads to 3rd-party controllable Xorg crash/exploit
Bug #551193 reported by Kees Cook
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
X.Org X server | Fix Released | High | |
xorg-server (Ubuntu) | Fix Released | High | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Jaunty | Fix Released | Undecided | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | High | Unassigned |
Bug Description
Changed in xorg-server (Ubuntu):
assignee: nobody → Bryce Harrington (bryceharrington)
importance: Undecided → High
milestone: none → ubuntu-10.04-beta-2
status: New → Fix Committed
Changed in xorg-server (Ubuntu Lucid):
status: New → Fix Released
Changed in xorg-server (Ubuntu):
milestone: ubuntu-10.04-beta-2 → none
Changed in xorg-server (Ubuntu Lucid):
importance: Undecided → High
Changed in xorg-server (Ubuntu):
assignee: Bryce Harrington (bryceharrington) → nobody
Changed in xorg-server:
importance: Unknown → High
status: Unknown → Fix Released
Description of problem:
When attempting to load http://www.buffalonews.com/entertainment/moviestv/index.html Xorg crashes:
#0 0x0020161f in fbCopyAreammx (pSrc=0x8cdea90, pDst=0x8cb9620, src_x=0, src_y=3846, dst_x=18, dst_y=3871, width=920, height=60788) at fbmmx.c:2240
#1 0x00201776 in fbCompositeCopyAreammx (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=3846, xMask=0, yMask=0, xDst=18, yDst=3871, width=920, height=64598) at fbmmx.c:2303
#2 0x001f24fb in fbComposite (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=994, xMask=0, yMask=0, xDst=18, yDst=3871, width=920, height=178) at fbpict.c:1299
#3 0x00247eeb in XAAComposite (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=-926, xMask=0, yMask=0, xDst=18, yDst=789, width=920, height=178) at xaaPict.c:536
#4 0x0070c8d8 in i830_xaa_composite (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=-926, xMask=0, yMask=0, xDst=18, yDst=789, width=920, height=178) at i830_xaa.c:873
#5 0x0815e026 in cwComposite (op=1 '\001', pSrcPicture=0x8cf5030, pMskPicture=0x0, pDstPicture=0x8c304f0, xSrc=0, ySrc=-926, xMsk=0, yMsk=0, xDst=18, yDst=789, width=920, height=178) at cw_render.c:275
#6 0x0815a996 in damageComposite (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=-926, xMask=0, yMask=0, xDst=18, yDst=789, width=920, height=178) at damage.c:541
#7 0x08147b23 in CompositePicture (op=1 '\001', pSrc=0x8cf5030, pMask=0x0, pDst=0x8c304f0, xSrc=0, ySrc=-926, xMask=0, yMask=0, xDst=18, yDst=789, width=920, height=178) at picture.c:1789
#8 0x0814d95f in ProcRenderComposite (client=0x8c6c5c8) at render.c:758
#9 0x0814acd5 in ProcRenderDispatch (client=0xafa4f000) at render.c:2005
#10 0x0808815a in Dispatch () at dispatch.c:459
#11 0x0806fab5 in main (argc=10, argv=0xbfefe174, envp=Cannot access memory at address 0xafa4f008
This also hoses my virtual terminals (ctrl+alt+F1 gives me a white screen) and I have to reboot to get them back.
Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.1.1-48.52.el5
How reproducible:
always
Steps to Reproduce:
1. Grab the latest Firefox 3.5:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/firefox-3.5b4pre.en-US.linux-i686.tar.bz2
2. install it (bzip2 -dc firefox*bz2 | tar -x)
3. Run it (cd firefox; ./firefox)
4. Visit http://www.buffalonews.com/entertainment/moviestv/index.html
==> crash