xhost double free or corruption

Bug #792628 reported by Emanuel Bronshtein on 2011-06-03
Affects: x11-xserver-utils (Ubuntu)
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: x11-xserver-utils

/usr/bin/xhost crashes with a very long hostname parameter.

Test case:
emanuel@emanuel-desktop:/tmp$ xhost SI:`python -c "print 'A'*10000"`:`python -c "print 'A'*10000"`
*** glibc detected *** xhost: double free or corruption (out): 0x089a8f60 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6b961)[0x17b961]
/lib/i386-linux-gnu/libc.so.6(+0x6d28b)[0x17d28b]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18041d]
xhost[0x80491a9]
xhost[0x8049af9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x126e37]
xhost[0x8048ca1]
======= Memory map: ========
Aborted

Tested on:
Ubuntu 11.04, x11-xserver-utils package version 7.6+2

Kees Cook (kees) wrote :

Thanks for the report. I've sent a possible patch upstream now:

http://lists.x.org/archives/xorg-devel/2011-July/023841.html

It looks like a client-side bug only; the server will reject overly-large requests.

Changed in x11-xserver-utils (Ubuntu):
status: New → In Progress
assignee: nobody → Kees Cook (kees)
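Added example, not code from xhost or from the upstream patch: a bounds-checked encoder for the SI:<type>:<value> host spec that rejects an over-long argument before any length arithmetic or copy, so an input shaped like the test case above fails cleanly on the client side instead of corrupting the heap. The 255-byte cap and the function names are assumptions for illustration; the NUL-separated type/value layout is the X protocol's encoding for server-interpreted host addresses.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define SI_MAX_SPEC 255  /* illustrative cap; an assumption, not xhost's own limit */

/* Encode "SI:<type>:<value>" as the X protocol's server-interpreted host
 * address (<type>, one NUL byte, <value>, no trailing NUL). Returns the
 * encoded length, or -1 if the spec is malformed, longer than SI_MAX_SPEC,
 * or too big for out[]; nothing is written to out[] on failure. */
static int encode_si_host(const char *spec, unsigned char *out, size_t outsz)
{
    const char *type, *colon, *value;
    size_t tlen, vlen;
    if (spec == NULL || out == NULL) return -1;
    /* Bounded scan first: an oversized argument is rejected here, before
     * any length arithmetic or copying happens. */
    if (memchr(spec, '\0', SI_MAX_SPEC + 1) == NULL) return -1;
    if (strncasecmp(spec, "si:", 3) != 0) return -1;
    type = spec + 3;
    colon = strchr(type, ':');
    if (colon == NULL || colon == type) return -1;  /* type must be non-empty */
    value = colon + 1;
    tlen = (size_t)(colon - type);
    vlen = strlen(value);
    if (tlen + 1 + vlen > outsz) return -1;         /* refuse, never truncate */
    memcpy(out, type, tlen);
    out[tlen] = '\0';
    memcpy(out + tlen + 1, value, vlen);
    return (int)(tlen + 1 + vlen);
}

/* Constructed input shaped like the reporter's test case, "SI:A..A:A..A"
 * with n A's in each part; returns the encoder's verdict for it. */
static int si_verdict_for_repeated_a(size_t n)
{
    unsigned char out[SI_MAX_SPEC];
    char *spec = malloc(2 * n + 5);
    int rc;
    if (spec == NULL) return -1;
    memcpy(spec, "SI:", 3);
    memset(spec + 3, 'A', n);
    spec[3 + n] = ':';
    memset(spec + 4 + n, 'A', n);
    spec[4 + 2 * n] = '\0';
    rc = encode_si_host(spec, out, sizeof out);
    free(spec);
    return rc;
}
```

With n = 10000, si_verdict_for_repeated_a reproduces the shape of the reported argument and returns -1; a short spec such as SI:localuser:alice encodes to 15 bytes.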