Bug 1099113 - Heap overflow in X server compiled using GCC8 with LTO
Heap overflow in X server compiled using GCC8 with LTO
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: X.Org
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Michal Srb
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2018-06-26 07:45 UTC by Michal Srb
Modified: 2018-11-22 14:05 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

xkb: Fix heap overflow caused by optimized away min. (2.46 KB, patch)
2018-06-26 07:48 UTC, Michal Srb
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michal Srb 2018-06-26 07:45:21 UTC
This problem was already reported publicly on xorg-devel@x.lists.org:

Since commit 83913de2 (xorg-server- X server causes undefined behavior in XKBGAlloc.c by calling strlen on char[4] which does not need to contain '\0'. Strlen would read into memory behind the array and (if it did not crash) return some bogus huge number. That was later clamped back to 4 and used to memcpy data around.

GCC8 with LTO can prove that the strlen is called on char[4] and as such must not return number bigger than 3 or cause undefined behavior. The clamping to 4 is optimized away. In practice it means that the memcpy is called with bigger buffer than the destination.
Comment 1 Michal Srb 2018-06-26 07:48:29 UTC
Created attachment 775265 [details]
xkb: Fix heap overflow caused by optimized away min.
Comment 2 Michal Srb 2018-06-26 09:01:53 UTC
Submitted to Factory, nothing else is affected, closing the bug.
Comment 3 Swamp Workflow Management 2018-07-19 14:20:13 UTC
This is an autogenerated message for OBS integration:
This bug (1099113) was mentioned in
https://build.opensuse.org/request/show/624084 Factory / xorg-x11-server