7637414 2001-12-07 21:26 +0000 /44 lines/ scott <smackenz@sdf.lonestar.org>
Sent by: joel@lysator.liu.se
Imported: 2001-12-08 00:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: smackenz@brad.ac.uk
Recipient: Bugtraq (import) <20063>
Subject: Crashing X
------------------------------------------------------------
From: scott <smackenz@sdf.lonestar.org>
To: bugtraq@securityfocus.com
Message-ID: <01120720451400.04541@mainframe>

I have discovered a little bug in K Desktop 2.1.2 that crashes your X Server.

By using the konqueror web browser and inputting around 9000+ A's (or whatever) into a search box (for instance www.yahoo.com's web search box) - this will crash your X environment.

I have successfully done it using 9000 A's on one search box (crashing X instantly), then I used 90'000 and it also worked - but without immediate effect (took a few seconds).

It also sometimes seems to work by just pasting 900000 A's into a search box and before it even displays the A's X crashes. (Note: if you want it to display the A's before X crashes, paste 9000, then as soon as you click to start the search - it's bye bye X.)

Sorry but I can only test it on KDE 2.1.2, because I have no other systems available right now.

By the way:

[smackenz@mainframe smackenz]$ uname -a
Linux mainframe 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
(Redhat 7.1)
(KDE 2.1.2)
(this works in Gnome and KDE using the konqueror web browser)

To test simply use a shell and type:

perl -e 'print "A" x 9000'

Then copy these, and paste them into a search form.

Also I tried this in netscape and it didn't work, so it suggests it's a konqueror error somewhere or other.

Cheers

Scott Mackenzie
(7637414) /scott <smackenz@sdf.lonestar.org>/(Rewrapped)
Comment in text 7638185 by John Scimone <jscimone@cc.gatech.edu>
Comment in text 7638298 by Seth Arnold <sarnold@wirex.com>
Comment in text 7638321 by munehiro <munehiro@ferrara.linux.it>

7638185 2001-12-07 18:49 -0500 /60 lines/ John Scimone <jscimone@cc.gatech.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-12-08 09:30 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20072>
Comment on text 7637414 by scott <smackenz@sdf.lonestar.org>
Subject: Re: Crashing X
------------------------------------------------------------
From: John Scimone <jscimone@cc.gatech.edu>
To: bugtraq@securityfocus.com
Message-ID: <01120718493001.14355@ks40.eastnet.gatech.edu>

If this is true, couldn't a malicious website simply set the initial value of the form, then use javascript to submit it upon loading the page, causing the client's X to crash?

ie.

<input type="text" value="(9000 A's)">

and have a body onload=document.forms[0].submit()?

John Scimone
CS Major @ Ga Tech

On Friday 07 December 2001 04:26 pm, you wrote:
> I have discovered a little bug in K Desktop 2.1.2 that crashes your X
> Server.
>
> By using the konqueror web browser and inputting around 9000+ A's (or
> whatever) into a search box (for instance www.yahoo.com's web search box) -
> this will crash your X environment.
>
> I have successfully done it using 9000 A's on one search box (crashing X
> instantly), then I used 90'000 and it also worked - but without immediate
> effect (took a few seconds).
>
> It also sometimes seems to work by just pasting 900000 A's into a search
> box and before it even displays the A's X crashes. (note: If you want it
> to display the A's before X crashes paste 9000, then as soon as you click
> to start the search - it's bye bye X).
>
> Sorry but I can only test it on KDE 2.1.2, because I have no other systems
> available right now.
>
> By the way:
>
> [smackenz@mainframe smackenz]$ uname -a
> Linux mainframe 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
> (Redhat 7.1)
> (KDE 2.1.2)
> (this works in Gnome and KDE using the konqueror web browser)
>
> To test simply use a shell and type:
>
> perl -e 'print "A" x 9000'
>
> Then copy these, and paste them into a search form.
>
> Also I tried this in netscape and it didn't work so it suggests it's a
> konqueror error somewhere or other.
>
> Cheers
>
> Scott Mackenzie
(7638185) /John Scimone <jscimone@cc.gatech.edu>/(Rewrapped)

7638298 2001-12-07 16:55 -0800 /30 lines/ Seth Arnold <sarnold@wirex.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-08 10:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20075>
Comment on text 7637414 by scott <smackenz@sdf.lonestar.org>
Subject: Re: Crashing X
------------------------------------------------------------
From: Seth Arnold <sarnold@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20011207165533.M7800@wirex.com>

On Fri, Dec 07, 2001 at 09:26:53PM +0000, scott wrote:
> I have discovered a little bug in K Desktop 2.1.2 that crashes your X Server.
[...]
> Also I tried this in netscape and it didn't work so it suggests it's a
> konqueror error somewhere or other.

Absolutely not. No X client should ever be able to cause the X server to crash. (Same deal with compilers and input files .. no input file, no matter how maliciously written, should ever cause a compiler to segfault.)

This is a bug in XFree86, and, luckily, a known bug. Sadly, I don't recognize the fix on XFree86's security page.[1]

The vuln-dev Message-ID is <3B822F5F.99227A5F@snosoft.com>. I saw a fix for it on September 16th, so I'm rather hoping XFree86 releases newer than that have the fix integrated.

Cheers!

[1]: http://www.xfree86.org/security/

-- 
"In God we trust, all others we monitor." -- NSA, Intercept Operators' motto, 1970
(7638298) /Seth Arnold <sarnold@wirex.com>/(Rewrapped)
Attachment (application/pgp-signature) in text 7638299
Comment in text 7640147 by Matthieu Herrb <matthieu.herrb@laas.fr>

7638299 2001-12-07 16:55 -0800 /10 lines/ Seth Arnold <sarnold@wirex.com>
Imported: 2001-12-08 10:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20076>
Attachment (text/plain) to text 7638298
Subject: Attachment to: Re: Crashing X
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
(7638299) /Seth Arnold <sarnold@wirex.com>/---------

7640147 2001-12-08 21:13 +0100 /83 lines/ Matthieu Herrb <matthieu.herrb@laas.fr>
Sent by: joel@lysator.liu.se
Imported: 2001-12-08 21:44 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: herrb@xfree86.org
Recipient: Bugtraq (import) <20085>
Comment on text 7638298 by Seth Arnold <sarnold@wirex.com>
Subject: Re: Crashing X
------------------------------------------------------------
From: Matthieu Herrb <matthieu.herrb@laas.fr>
To: bugtraq@securityfocus.com
Message-ID: <15378.29792.674348.267895@laas.fr>

You wrote (in your message from Friday 7)
>
> The vuln-dev Message-ID is <3B822F5F.99227A5F@snosoft.com>. I saw a fix
> for it on September 16th, so I'm rather hoping XFree86 releases newer
> than that have the fix integrated.
>

This has indeed been reported several times to XFree86 since last September. The patch that is in current XFree86 and in the 4_1_0 branch is appended below. I have reports that it does not fix all possible cases of crashes, but I cannot reproduce any crashes with this patch. Maybe someone can provide more details here (stack trace, ...)?

Matthieu Herrb

Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c 2001/05/29 04:54:09 1.11
+++ fbglyph.c 2001/09/07 15:16:00 1.12
@@ -34,9 +34,19 @@ int height) { BoxRec box; + BoxPtr pExtents = REGION_EXTENTS (0, pRegion); - if (x + width < 0) return FALSE; - if (y + height < 0) return FALSE; + /* + * Check extents by hand to avoid 16 bit overflows + */ + if (x < (int) pExtents->x1) + return FALSE; + if ((int) pExtents->x2 < x + width) + return FALSE; + if (y < (int) pExtents->y1) + return FALSE; + if ((int) pExtents->y2 < y + height) + return FALSE; box.x1 = x; box.x2 = x + width; box.y1 = y;
@@ -261,10 +271,10 @@ FbBits, int, int); - FbBits *dst; - FbStride dstStride; - int dstBpp; - int dstXoff, dstYoff; + FbBits *dst = 0; + FbStride dstStride = 0; + int dstBpp = 0; + int dstXoff = 0, dstYoff = 0; glyph = 0; if (pGC->fillStyle == FillSolid && pPriv->and == 0)
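Review bot: In the @@ -34,9 +34,19 @@ hunk the new comparisons still operate on `x + width` and `y + height`, so the int addition itself can wrap if a caller hands in a width or height near INT_MAX; comparing `width` against `(int) pExtents->x2 - x` (safe once `x < (int) pExtents->x1` has already returned FALSE) would remove that last overflow. The hunk also narrows the function's contract from "reject boxes entirely off the top-left" to "accept only boxes wholly inside the region extents", and it is that stricter test which keeps the unchanged `box.x2 = x + width;` / `box.y2 = y + height;` lines from overflowing the 16-bit box fields the comment alludes to; the comment should say so rather than just "check extents by hand". `pRegion` is not in the visible context, so the patch assumes it is the function's region parameter.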
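Review bot: In the @@ -261,10 +271,10 @@ hunk (and the identical @@ -352,10 +362,10 @@ hunk that follows) zero-initialising `dst`, `dstStride`, `dstBpp`, `dstXoff` and `dstYoff` only changes what happens on a path that reads them before they are assigned: a wild-pointer dereference becomes a NULL dereference, which still takes the server down. If the purpose is merely to silence uninitialised-variable warnings, a comment saying so would help; if there is a real path where `dst` is used before being set, that path needs the assignment or an early return, not a default of 0.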
@@ -352,10 +362,10 @@ FbBits, int, int); - FbBits *dst; - FbStride dstStride; - int dstBpp; - int dstXoff, dstYoff; + FbBits *dst = 0; + FbStride dstStride = 0; + int dstBpp = 0; + int dstXoff = 0, dstYoff = 0; glyph = 0; if (pPriv->and == 0)
(7640147) /Matthieu Herrb <matthieu.herrb@laas.fr>/-

7638321 2001-12-08 01:41 +0100 /29 lines/ munehiro <munehiro@ferrara.linux.it>
Sent by: joel@lysator.liu.se
Imported: 2001-12-08 10:54 by Brevbäraren
External recipient: smackenz@brad.ac.uk
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20081>
Comment on text 7637414 by scott <smackenz@sdf.lonestar.org>
Subject: Re: Crashing X
------------------------------------------------------------
From: munehiro <munehiro@ferrara.linux.it>
To: smackenz@brad.ac.uk
Cc: bugtraq@securityfocus.com
Message-ID: <20011208014109.A31864@ferrara.linux.it>

On Fri, Dec 07, 2001 at 09:26:53PM +0000, scott wrote:
> I have discovered a little bug in K Desktop 2.1.2 that crashes your X Server.
>
> By using the konqueror web browser and inputting around 9000+ A's (or
> whatever) into a search box (for instance www.yahoo.com's web search box) -
> this will crash your X environment.
>

I reported this problem some months ago to the KDE team. They suggested that I report the issue to the XFree development team. I did, but I never obtained a reply. Probably the problem was fixed in the meantime.

-- 
------------------------------------------------------------
<munehiro> yeah... got a working sshd on an ipaq
<munehiro> wearable security
<munehiro> like a condom
------------------------------------------------------------
(7638321) /munehiro <munehiro@ferrara.linux.it>/(Rewrapped)

7649650 1903-12-31 19:18 -0459 /155 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-10 21:13 by Brevbäraren
External recipient: John Scimone <jscimone@cc.gatech.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20086>
Comment on text 7638185 by John Scimone <jscimone@cc.gatech.edu>
Subject: Re: Crashing X
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
To: John Scimone <jscimone@cc.gatech.edu>
Cc: bugtraq@securityfocus.com
Message-ID: <83DA53CF.90102@snosoft.com>

I reported a similar issue several months ago... I was seeing X crash via

xterm -title `perl -e 'print "A" x 9000'`

and also with html web pages with long title tags... Here's some strace snippets. I am on a ppc linux box, Mandrake 8.0.

root 1927 1389 3 12:17 ? 00:00:03 /etc/X11/X -deferglyphs 16 -auth

[root@ibook root]# strace -o Xdebug.txt -ivfp 1715

1715 [0fea59dc] writev(11, [{"\26\0)T\0@\2(\0@\2(\0\0\0\0\0\0\0\0\0\205\0\26\0\0\0\f"..., 224}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 6000}], 2) = 6224
1715 [0fe987d8] read(11, "8\17\0\5\0@\1\222\0\10\0\10\0\0\177\377\0\0\0\0008@\0\4"..., 6624) = 6624
1715 [0fe9e980] brk(0x10617000) = 0x10617000
1715 [0fe987d8] read(11, "\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A\0A"..., 9988) = 9988
1715 [1031f26c] --- SIGSEGV (Segmentation fault) ---
1715 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV], SA_RESTART}, 8) = 0
1715 [0fea577c] ipc_subcall(0, 0, 0, 0x30848000) = 0
1715 [0fe987e8] write(2, "\nFatal server error:\n", 21) = 21

This was a bit earlier on in the strace:

1715 [0fe987d8] read(11, "\24\0\0\6\2\0\0\16\0\0\0017\0\0\1\'\0\0\0\0\0\0\10\0", 6624) = 24
1715 [0fea59dc] writev(11, [{"\1\10)\26\0\0\10\0\0\0\1\'\0\0\3(\0\0 \0\0\0\0\0\177\377"..., 32}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 8192}], 2) = 8224
1715 [0fe987d8] read(11, "\24\0\0\6\2\0\0\16\0\0\1;\0\0\0\4\0\0\0\0\0\0\10\0", 6624) = 24

And before that:

1715 [0fe987d8] read(11, "\24\0\0\6\2\0\0\16\0\0\0\'\0\0\0\37\0\0\0\0\0\0 \0", 6624) = 24
1715 [0fea59dc] writev(11, [{"\1\10)\v\0\0\10\312\0\0\0\37\0\0\0\0\0\0#(\0\0\0\0\177"..., 32}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 9000}], 2) = 9032
1715 [0fea59dc] --- SIGALRM (Alarm clock) ---

and before that:

1715 [0fe987d8] read(11, "\24\0\0\6\2\0\0\16\0\0\0017\0\0\1\'\0\0\0\0\0\0\10\0", 6624) = 24
1715 [0fea59dc] writev(11, [{"\1\10)\6\0\0\10\0\0\0\1\'\0\0\3(\0\0 \0\0\0\0\0\177\377"..., 32}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 8192}], 2) = 8224

Then this is me running xterm in the VERY beginning:

1715 [0fe987d8] read(16, "\24\0\0\6\2\0\0\16\0\0\0\"\0\0\0\37\0\0\0\0\0\0\'\20", 4096) = 24
1715 [0fea59dc] writev(16, [{"\1\10\20\315\0\0\10\316\0\0\0\37\0\0\0\0\0\0#6\0\0\0\0"..., 32}, {"xterm\0-title\0AAAAAAAAAAAAAAAAAAA"..., 9014}, {"\0\0", 2}], 3) = 9048

These are the X processes running:

root 1389 1 0 12:13 ? 00:00:00 kdm
root 1927 1389 1 12:17 ? 00:00:08 /etc/X11/X -deferglyphs 16 -auth /var/lib/kdm/authfiles/A:0-KE8CBg
root 1928 1389 0 12:17 ? 00:00:00 -:0
root 1945 1928 0 12:17 ? 00:00:00 /bin/sh /usr/bin/startkde
root 2027 1 0 12:17 ? 00:00:00 kdeinit: dcopserver --nosid
root 2030 1 0 12:17 ? 00:00:00 kdeinit: klauncher
root 2032 1 0 12:17 ? 00:00:00 kdeinit: kded
root 2038 1 0 12:17 ? 00:00:00 kdeinit: kxmlrpcd
root 2041 1 0 12:17 ? 00:00:00 /usr/bin/artsd -F 5 -S 4096 -b 8 -s 1 -m artsmessage -l 3 -f
root 2046 1 0 12:18 ? 00:00:00 kdeinit: Running...
root 2056 1 0 12:18 ? 00:00:00 knotify
root 2057 1945 0 12:18 ? 00:00:00 ksmserver --restore
root 2058 2046 0 12:18 ? 00:00:00 kdeinit: kwin
root 2060 1 0 12:18 ? 00:00:01 kdeinit: kdesktop
root 2062 1 0 12:18 ? 00:00:01 kdeinit: kicker
root 2066 1 0 12:18 ? 00:00:00 kdeinit: klipper -icon klipper -miniicon klipper
root 2069 1 0 12:18 ? 00:00:00 kdeinit: khotkeys
root 2070 1 0 12:18 ? 00:00:00 kdeinit: kwrited
root 2071 2046 1 12:18 ? 00:00:04 kdeinit: konsole -icon konsole.png -miniicon konsole.png
root 2072 1 0 12:18 ? 00:00:00 alarmd
root 2073 2070 0 12:18 pts/0 00:00:00 /bin/cat

-KF

John Scimone wrote:
> If this is true couldn't a malicious website simply set the initial value of
> the form then use javascript to submit it upon loading the page causing the
> clients X to crash?
>
> ie.
>
> <input type="text" value="(9000 A's)">
>
> and have a body onload=document.forms[0].submit()?
>
> John Scimone
> CS Major @ Ga Tech
>
>
> On Friday 07 December 2001 04:26 pm, you wrote:
>
>> I have discovered a little bug in K Desktop 2.1.2 that crashes your X
>> Server.
>>
>> By using the konqueror web browser and inputting around 9000+ A's (or
>> whatever) into a search box (for instance www.yahoo.com's web search box) -
>> this will crash your X environment.
>>
>> I have successfully done it using 9000 A's on one search box (crashing X
>> instantly), then I used 90'000 and it also worked - but without immediate
>> effect (took a few seconds).
>>
>> It also sometimes seems to work by just pasting 900000 A's into a search
>> box and before it even displays the A's X crashes. (note: If you want it
>> to display the A's before X crashes paste 9000, then as soon as you click
>> to start the search - it's bye bye X).
>>
>> Sorry but I can only test it on KDE 2.1.2, because I have no other systems
>> available right now.
>>
>> By the way:
>>
>> [smackenz@mainframe smackenz]$ uname -a
>> Linux mainframe 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
>> (Redhat 7.1)
>> (KDE 2.1.2)
>> (this works in Gnome and KDE using the konqueror web browser)
>>
>> To test simply use a shell and type:
>>
>> perl -e 'print "A" x 9000'
>>
>> Then copy these, and paste them into a search form.
>>
>> Also I tried this in netscape and it didn't work so it suggests it's a
>> konqueror error somewhere or other.
>>
>> Cheers
>>
>> Scott Mackenzie
>
(7649650) /KF <dotslash@snosoft.com>/-----(Rewrapped)
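As an added illustration of the 16-bit overflow that the fbglyph.c patch in Matthieu Herrb's message guards against (this is example code, not code from the thread or from XFree86): the removed `-` check only rejected a box whose right or bottom edge was negative, so a glyph run wide enough to push `x + width` past 32767 passed and was then narrowed into the box's 16-bit coordinates, yielding an inverted box; the added `+` check compares against the region extents while still in int. The `Box` struct with short fields, the 1024x768 extents and the 9000-glyph run width are constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modeled on the X server's BoxRec: 16-bit signed coordinates
 * (an assumption of this example; the real definition is in regionstr.h). */
typedef struct { short x1, y1, x2, y2; } Box;

/* The check the patch removes ("-" lines): it only rejects a box whose
 * right/bottom edge is negative, then narrows int -> short unchecked. */
static bool glyph_in_old(int x, int y, int width, int height, Box *out)
{
    if (x + width < 0) return false;
    if (y + height < 0) return false;
    out->x1 = x; out->x2 = x + width;   /* int -> short: high bits dropped */
    out->y1 = y; out->y2 = y + height;
    return true;
}

/* The check the patch adds ("+" lines): compare against the region extents
 * while still in int, so nothing outside 16-bit range is ever narrowed. */
static bool glyph_in_new(const Box *ext, int x, int y, int width, int height,
                         Box *out)
{
    if (x < (int) ext->x1) return false;
    if ((int) ext->x2 < x + width) return false;
    if (y < (int) ext->y1) return false;
    if ((int) ext->y2 < y + height) return false;
    out->x1 = x; out->x2 = x + width;
    out->y1 = y; out->y2 = y + height;
    return true;
}

/* An inverted box (x2 < x1 or y2 < y1) is what downstream code can turn
 * into a negative span length and an out-of-bounds framebuffer access. */
static bool box_inverted(const Box *b)
{
    return b->x2 < b->x1 || b->y2 < b->y1;
}

int main(void)
{
    Box screen = { 0, 0, 1024, 768 };   /* constructed region extents */
    Box b;
    int width = 9000 * 6;               /* 9000 glyphs of a 6px-wide font */
    bool old_ok = glyph_in_old(100, 100, width, 16, &b);
    printf("old check: accepted=%d box.x2=%d inverted=%d\n",
           old_ok, b.x2, box_inverted(&b));
    printf("new check: accepted=%d\n",
           glyph_in_new(&screen, 100, 100, width, 16, &b));
    return 0;
}
```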