Age | Commit message | Author | Files | Lines |
|
Tests for Xlib CVE-2023-3138 by returning out-of-range values for
the extension's first_event and first_error codes.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Oracle no longer includes this term in our copyright & license notices.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
==88383==ERROR: AddressSanitizer: stack-use-after-scope on address 0x00016f431d70 at pc 0x000100e08d14 bp 0x00016f429670 sp 0x00016f428e28
READ of size 32 at 0x00016f431d70 thread T0
#0 0x100e08d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10)
#1 0x1009e2660 in HandleClientResponses server.c:372
#2 0x1009e2214 in HandleClientRequest server.c:685
#3 0x1009df314 in XhivRunServer server.c:715
#4 0x1009ded40 in XhivOpenServer server.c:822
#5 0x1009cfb3c in XhivOpenDisplay xlib_client.c:55
#6 0x1009cf614 in testOverflowFields XQueryFont.c:101
#7 0x1009ce2b0 in main XQueryFont.c:133
#8 0x197de3e4c (<unknown module>)
Address 0x00016f431d70 is located in stack of thread T0 at offset 560 in frame
#0 0x1009dfd44 in HandleClientRequest server.c:461
This frame has 11 object(s):
[32, 36) 'req' (line 483)
[48, 52) 'length' (line 485)
[64, 96) 'extension' (line 534)
[128, 184) 'default_qext_response' (line 551)
[224, 256) 'getp_reply' (line 597)
[288, 344) 'getp_response' (line 605)
[384, 416) 'getif_reply' (line 619)
[448, 504) 'getif_response' (line 625)
[544, 548) 'newseq' (line 638)
[560, 592) 'bigreq_reply' (line 653) <== Memory access at offset 560 is inside this variable
[624, 680) 'bigreq_response' (line 658)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10) in __asan_memcpy+0x1a4
Fixes: https://gitlab.freedesktop.org/xorg/test/xhiv/-/issues/1
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Test to make sure that the data returned by the X server over the wire
is put into the arrays passed back to the client correctly.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Make sure the data is still valid when it's time to send to client
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Successfully gets error return from new code, but tends to get
IOErrors, not overflow, from old code.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Since xcb doesn't actually shut down the socket when an error occurs,
we'd hang until our SIGALRM goes off if we did create an xcb connection
error in our test, so we make sure the server exits when desired.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Allows them to provide their own pseudo-implementations of Extensions.
If the sequence in a response is set to XHIV_SEQ_MATCHDATA, then the new
match_data field has a pointer to additional matching constraints. So far
only X_QueryExtension will check those, and it expects a null-terminated
extension name string to match against the queried extension.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Allows debugging the core file to see what went wrong
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|