xhost double free or corruption

Bug #792628 reported by Emanuel Bronshtein
This bug affects 1 person
Affects: x11-xserver-utils (Ubuntu)
Status: In Progress
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: x11-xserver-utils

/usr/bin/xhost crashes with a very long hostname parameter.

Test case:
emanuel@emanuel-desktop:/tmp$ xhost SI:`python -c "print 'A'*10000"`:`python -c "print 'A'*10000"`
*** glibc detected *** xhost: double free or corruption (out): 0x089a8f60 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6b961)[0x17b961]
/lib/i386-linux-gnu/libc.so.6(+0x6d28b)[0x17d28b]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18041d]
xhost[0x80491a9]
xhost[0x8049af9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x126e37]
xhost[0x8048ca1]
Aborted

Tested on:
Ubuntu 11.04, x11-xserver-utils package version: 7.6+2

Kees Cook (kees) wrote:

Thanks for the report. I've sent a possible patch upstream now:

http://lists.x.org/archives/xorg-devel/2011-July/023841.html

It looks like a client-side bug only; the server will reject overly-large requests.

Changed in x11-xserver-utils (Ubuntu):
status: New → In Progress
assignee: nobody → Kees Cook (kees)