xhost double free or corruption
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
x11-xserver-utils (Ubuntu) | In Progress | Undecided | Kees Cook | |
Bug Description
Binary package hint: x11-xserver-utils
/usr/bin/xhost crashes with a very long hostname parameter.
Test case:
emanuel@
*** glibc detected *** xhost: double free or corruption (out): 0x089a8f60 ***
======= Backtrace: =========
/lib/i386-
/lib/i386-
/lib/i386-
xhost[0x80491a9]
xhost[0x8049af9]
/lib/i386-
xhost[0x8048ca1]
Aborted
Tested on:
Ubuntu 11.04, x11-xserver-utils package version: 7.6+2
Thanks for the report. I've sent a possible patch upstream now:
http://lists.x.org/archives/xorg-devel/2011-July/023841.html
It looks like a client-side bug only; the server will reject overly-large requests.