Ubuntu
libxkbfile package

buffer overflow when executing 'xkbcomp -C :0'

Bug #309013 reported by Felix Triebel
2
Affects Status Importance Assigned to Milestone
X.Org X server
Fix Released
Medium
libxkbfile (Ubuntu)
Fix Released
Critical
Bryce Harrington

Bug Description

Binary package hint: x11-xkb-utils

I'm using the NEO keyboard layout (from https://svn.neo-layout.org/linux/X/de) in Ubuntu 8.10.
This is a non-standard keyboard layout, I wanted to create a keymap for rdesktop.
A file is generated, but xkbcomp seems to have a problem, this is the error message I see:

------------------------------
$ xkbcomp -C :0
*** buffer overflow detected ***: xkbcomp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e1c558]
/lib/tls/i686/cmov/libc.so.6[0xb7e1a680]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7e19944]
/usr/lib/libxkbfile.so.1[0xb7e86c8f]
/usr/lib/libxkbfile.so.1[0xb7e883ab]
/usr/lib/libxkbfile.so.1(XkbWriteCFile+0x2ee)[0xb7e8431e]
xkbcomp[0x8065d53]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7d38685]
xkbcomp[0x8049d41]
======= Memory map: ========
08048000-08073000 r-xp 00000000 08:07 17196718 /usr/bin/xkbcomp
08073000-08075000 rw-p 0002b000 08:07 17196718 /usr/bin/xkbcomp
0996e000-0998f000 rw-p 0996e000 00:00 0 [heap]
b7cda000-b7ce7000 r-xp 00000000 08:07 50332952 /lib/libgcc_s.so.1
b7ce7000-b7ce8000 r--p 0000c000 08:07 50332952 /lib/libgcc_s.so.1
b7ce8000-b7ce9000 rw-p 0000d000 08:07 50332952 /lib/libgcc_s.so.1
b7cf8000-b7cf9000 rw-p b7cf8000 00:00 0
b7cf9000-b7cfd000 r-xp 00000000 08:07 172681 /usr/lib/libXdmcp.so.6.0.0
b7cfd000-b7cfe000 rw-p 00003000 08:07 172681 /usr/lib/libXdmcp.so.6.0.0
b7cfe000-b7cff000 rw-p b7cfe000 00:00 0
b7cff000-b7d01000 r-xp 00000000 08:07 172670 /usr/lib/libXau.so.6.0.0
b7d01000-b7d02000 rw-p 00001000 08:07 172670 /usr/lib/libXau.so.6.0.0
b7d02000-b7d04000 r-xp 00000000 08:07 16857011 /lib/tls/i686/cmov/libdl-2.8.90.so
b7d04000-b7d05000 r--p 00001000 08:07 16857011 /lib/tls/i686/cmov/libdl-2.8.90.so
b7d05000-b7d06000 rw-p 00002000 08:07 16857011 /lib/tls/i686/cmov/libdl-2.8.90.so
b7d06000-b7d1d000 r-xp 00000000 08:07 736558 /usr/lib/libxcb.so.1.0.0
b7d1d000-b7d1e000 r--p 00016000 08:07 736558 /usr/lib/libxcb.so.1.0.0
b7d1e000-b7d1f000 rw-p 00017000 08:07 736558 /usr/lib/libxcb.so.1.0.0
b7d1f000-b7d20000 r-xp 00000000 08:07 736556 /usr/lib/libxcb-xlib.so.0.0.0
b7d20000-b7d21000 r--p 00000000 08:07 736556 /usr/lib/libxcb-xlib.so.0.0.0
b7d21000-b7d22000 rw-p 00001000 08:07 736556 /usr/lib/libxcb-xlib.so.0.0.0
b7d22000-b7e7a000 r-xp 00000000 08:07 16857005 /lib/tls/i686/cmov/libc-2.8.90.so
b7e7a000-b7e7c000 r--p 00158000 08:07 16857005 /lib/tls/i686/cmov/libc-2.8.90.so
b7e7c000-b7e7d000 rw-p 0015a000 08:07 16857005 /lib/tls/i686/cmov/libc-2.8.90.so
b7e7d000-b7e81000 rw-p b7e7d000 00:00 0
b7e81000-b7ea3000 r-xp 00000000 08:07 736560 /usr/lib/libxkbfile.so.1.0.2
b7ea3000-b7ea5000 rw-p 00021000 08:07 736560 /usr/lib/libxkbfile.so.1.0.2
b7ea5000-b7f90000 r-xp 00000000 08:07 421439 /usr/lib/libX11.so.6.2.0
b7f90000-b7f91000 r--p 000ea000 08:07 421439 /usr/lib/libX11.so.6.2.0
b7f91000-b7f93000 rw-p 000eb000 08:07 421439 /usr/lib/libX11.so.6.2.0
b7f93000-b7f94000 rw-p b7f93000 00:00 0
b7fa2000-b7fa5000 rw-p b7fa2000 00:00 0
b7fa5000-b7fbf000 r-xp 00000000 08:07 50332845 /lib/ld-2.8.90.so
b7fbf000-b7fc0000 r-xp b7fbf000 00:00 0 [vdso]
b7fc0000-b7fc1000 r--p 0001a000 08:07 50332845 /lib/ld-2.8.90.so
b7fc1000-b7fc2000 rw-p 0001b000 08:07 50332845 /lib/ld-2.8.90.so
bfdad000-bfdc2000 rw-p bffeb000 00:00 0 [stack]
Aborted
------------------------------

// package version of x11-xkb-utils
$ apt-cache policy x11-xkb-utils
x11-xkb-utils:
  Installed: 7.4+1

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 8.10
NonfreeKernelModules: fglrx
Package: x11-xkb-utils 7.4+1
ProcEnviron:
 LC_PAPER=en_GB.UTF-8
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
SourcePackage: x11-xkb-utils
Uname: Linux 2.6.27-9-generic i686
[lspci]
00:00.0 Host bridge [0600]: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller [8086:2590] (rev 03)
     Subsystem: Dell Device [1028:01b5]
00:02.0 VGA compatible controller [0300]: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller [8086:2592] (rev 03)
     Subsystem: Dell Device [1028:01b5]

See original description
Tags: apport-bug
Revision history for this message
Felix Triebel (felix-triebel) wrote :
Revision history for this message
Bryce Harrington (bryce) wrote :

[This is an automated message]

Hi felix-triebel,

Please attach the output of `lspci -vvnn` too.

Changed in x11-xkb-utils:
status: New → Incomplete
Revision history for this message
Felix Triebel (felix-triebel) wrote :

I reported this bug from another system, but seems to have the same problem, no matter what hardware...

Revision history for this message
In , Bryce Harrington (bryce) wrote :
Download full text (11.3 KiB)

Created an attachment (id=21847)
Proposed method for fixing overflow situation

Forwarding this bug report from a Ubuntu user:
https://bugs.edge.launchpad.net/ubuntu/+source/x11-xkb-utils/+bug/309013

[Problem]
Ubuntu is now using the fortify-source gcc compilation options to help find potential buffer overflows, and found the following in the xkbcomp code.

#0 0x00007f6c4a726f85 in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00007f6c4a728af3 in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00007f6c4a766218 in ?? () from /lib/libc.so.6
No symbol table info available.
#3 0x00007f6c4a7f3307 in __fortify_fail () from /lib/libc.so.6
No symbol table info available.
#4 0x00007f6c4a7f11b0 in __chk_fail () from /lib/libc.so.6
No symbol table info available.
#5 0x00007f6c4aa6cad5 in WriteCHdrKeyTypes (file=0x19f1410, dpy=0x0, xkb=0x19e58d0) at /usr/include/bits/string3.h:106
 i = 22
 n = 3
 type = (XkbKeyTypePtr) 0x19e5d70
 prefix = "SEPARATE_CAPS_AND_SHIFT_ALPHABET"
#6 0x00007f6c4aa6dbe2 in WriteCHdrKeymap (file=0x19f1410, result=<value optimized out>) at ../../src/cout.c:335
 ok = <value optimized out>
 xkb = (XkbDescPtr) 0x19e58d0
#7 0x00007f6c4aa6ab9e in XkbWriteCFile (out=0x19f1410, name=0x19f165a "", result=0x7fff531b15d0) at ../../src/cout.c:1027
 tmp = 0x19f165a ""
 hdrdef = <value optimized out>
 ok = <value optimized out>
 xkb = (XkbDescPtr) 0x19e58d0
 func = (int (*)(FILE *, XkbFileInfo *)) 0x7f6c4aa6db30 <WriteCHdrKeymap>

Warning: Could not load keyboard geometry for :0
                  BadAlloc (insufficient resources for operation)
                  Resulting keymap file will not describe geometry
*** buffer overflow detected ***: xkbcomp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f3bd4803307]
/lib/libc.so.6[0x7f3bd48011b0]
/usr/lib/libxkbfile.so.1[0x7f3bd4a7cad5]
/usr/lib/libxkbfile.so.1[0x7f3bd4a7dbe2]
/usr/lib/libxkbfile.so.1(XkbWriteCFile+0x26e)[0x7f3bd4a7ab9e]
xkbcomp[0x41d566]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3bd4722586]
xkbcomp[0x4027f9]
======= Memory map: ========
00400000-0042e000 r-xp 00000000 08:01 8233554 /usr/bin/xkbcomp
0062e000-00630000 rw-p 0002e000 08:01 8233554 /usr/bin/xkbcomp
00630000-00631000 rw-p 00630000 00:00 0
00a54000-00a9b000 rw-p 00a54000 00:00 0 [heap]
7f3bd3ac2000-7f3bd3ad8000 r-xp 00000000 08:01 4907635 /lib/libgcc_s.so.1
7f3bd3ad8000-7f3bd3cd8000 ---p 00016000 08:01 4907635 /lib/libgcc_s.so.1
7f3bd3cd8000-7f3bd3cd9000 r--p 00016000 08:01 4907635 /lib/libgcc_s.so.1
7f3bd3cd9000-7f3bd3cda000 rw-p 00017000 08:01 4907635 /lib/libgcc_s.so.1
7f3bd3cda000-7f3bd3cdf000 r-xp 00000000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7f3bd3cdf000-7f3bd3ede000 ---p 00005000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7f3bd3ede000-7f3bd3edf000 rw-p 00004000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7f3bd3edf000-7f3bd3ee1000 r-xp 00000000 08:01 8233819 /usr/lib/libXau.so.6.0.0
7f3bd3ee1000...

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=21848)
handles other crashing strcpy's

Revision history for this message
Bryce Harrington (bryce) wrote :

Whoa, yeah I can definitely reproduce this one myself. Thanks for reporting it!

Changed in x11-xkb-utils:
importance: Undecided → Critical
status: Incomplete → Triaged
Revision history for this message
Bryce Harrington (bryce) wrote :

Tracked down the line that's overflowing.
Kees supplied the attached patch as a fix.
There appears to be other strcpy()'s that look risky to me in the code, but this patch should solve the immediate issue, and should provide an example of how to properly fix this in the other places.

Revision history for this message
Bryce Harrington (bryce) wrote :

Hi Felix,

I've forwarded the bug and patch upstream to https://bugs.freedesktop.org/show_bug.cgi?id=19490. Feel free to subscribe to that bug if you'd like to follow its progress there. Meanwhile we'll try getting this fix rolled out to Ubuntu.

Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

patch looks good in principle, minus the problem that asprintf isn't available on at least Solaris. Can you re-do the patch avoiding the use of asprintf please? (and while you're at it, a git-formatted patch would be nice :)

Revision history for this message
In , Kees Cook (kees) wrote :

I used asprintf because I have no idea what the maximum length of the returned string from XkbAtomText is. I assume you could fix this issue using a corrected maximum size to the local stack buffer. How long can the result string be expected to be?

Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

> I used asprintf because I have no idea what the maximum length of the returned
> string from XkbAtomText is. I assume you could fix this issue using a
> corrected maximum size to the local stack buffer. How long can the result
> string be expected to be?

shouldn't something like
--
char* foo = XkbAtomText(..);
char* bar = malloc(strlen(foo));
strcpy(bar, foo);
--
do the same job as asprintf?

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=21912)
use strdup

Argh. Sorry, I've been debugging sprintf issues in other code for so long that I forgot about strdup. Duh. This should be portable.

Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

getting there. instead of perror it's probably better to use _XkbLibError. and exit(1) in a library is a big no-no. Just return 0.
(yes, I know, I should have caught that in the first review)

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=21913)
use XkbLibError, don't exit

How about this? Looks like WriteTypeInitFunc is void, so there's nothing to do but return after the error report.

Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

> How about this? Looks like WriteTypeInitFunc is void, so there's nothing to do
> but return after the error report.

I think it' be better to just break out of the loop, since otherwise we leave
a dangling { in the output. The same with the rest of it, leaving unclosed {
around is probably bad. (I'm not sure how much that'll affect it though since
the output will be mostly empty anyway.)

Other than that, fine with me. Please attach a git-formatted patch so I can
push it easily.

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=21956)
break from loop after writing out an #error

In an effort to put errors somewhere when the alloc fails, we can just write out an error to the C file, and continue the loop. Attach as a git patch.

Revision history for this message
In , Peter Hutterer (peter-hutterer) wrote :

Pushed as dd9514fe714d81b881a1bd6bd88d4287adc5fc7e. Thanks.

(Now, if you have the time to figure out why the geometry still has BadAllocs in some cases, that'd be much appreciated :)

Bryce Harrington (bryce)
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in xorg-server:
status: Unknown → Fix Released
Bryce Harrington (bryce)
Changed in x11-xkb-utils:
assignee: nobody → bryceharrington
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package x11-xkb-utils - 7.4+1ubuntu1

---------------
x11-xkb-utils (7.4+1ubuntu1) jaunty; urgency=low

  * Add 100_fix_buf_overflow.patch: Use dynamically allocated strings
    instead of the fixed-length buffers to avoid stack overflows.
    Patch is already in upstream git tree.
    (LP: #309013)

 -- Bryce Harrington <email address hidden> Tue, 03 Mar 2009 19:29:14 -0800

Changed in x11-xkb-utils:
status: Triaged → Fix Released
Revision history for this message
Bryce Harrington (bryce) wrote :

Hrm, patched the wrong package... needs to go to libxkbfile1 actually.

Changed in libxkbfile (Ubuntu):
status: Fix Released → In Progress
Revision history for this message
Bryce Harrington (bryce) wrote :

Verified fixed in libxkbfile version 1:1.0.5-1ubuntu1

Changed in libxkbfile (Ubuntu):
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in xorg-server:
importance: Unknown → Medium
Bug Watch Updater (bug-watch-updater)
Changed in xorg-server:
importance: Medium → Unknown
Bug Watch Updater (bug-watch-updater)
Changed in xorg-server:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.