
Xorg flaw

Posted Aug 19, 2010 3:21 UTC (Thu) by xtifr (guest, #143)
In reply to: Xorg flaw by avik
Parent article: An ancient kernel hole is closed

Fair enough, but it still says that Xorg tried and failed to find an adequate fix. If the kernel fix prevents privilege escalation, then what we're left with is merely a potentially annoying bug. Sure, it would be nice to have the bug fixed, but until someone comes up with a fix that works, it's going to be hard to fix it! (The first rule of Tautology Club is the first rule of Tautology Club.)

In any case, runaway memory use already puts your processes in the whimsical hands of the OOM-killer.


Xorg flaw

Posted Aug 19, 2010 17:32 UTC (Thu) by iabervon (subscriber, #722)

I think that there are actually three things the client has to do: get the server to allocate enough server-side, non-shared resources to use up most of the address space and force the remainder somewhere useful; get a shared memory segment so that the client will be able to change an area of the server's address space; and get the server to overflow the stack into the shared memory segment.

The shared memory aspect is not really a flaw to avoid; the flaws to be fixed on the userspace side are really that the server will go overboard allocating resources for clients, rather than applying some limits to protect itself, and that the server's stack can grow into the heap. At some point, the server should refuse to do what the clients are asking in order to protect itself from overloading (which is hard); the kernel should do better at preventing overloading from leading to unexpected aliasing (which they did). The MIT-SHM aspect just makes the exploit comprehensible.

I don't doubt that a sufficiently clever request could get the server to overflow the stack into the area where the response to the request will be written and write a chosen response into a spot that aliases a return address on the stack, causing the server to return to effectively calling system() on a chunk of an image provided by the client.
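The comment above argues that the userspace-side fix is for the server to cap what it allocates on behalf of any one client, and on behalf of all clients together, rather than letting a client push the heap up toward the stack. The following is an added illustration of that kind of accounting, written for this page and not taken from the X server; the limits, the `quota_*` names and the per-client table are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical per-client resource accounting for a server that allocates
 * memory at the request of untrusted clients. Added example; the limits and
 * names are made up for illustration and are not Xorg's own. */

#define MAX_CLIENTS       8
#define PER_CLIENT_LIMIT  ((size_t)16 * 1024 * 1024)  /* 16 MiB per client */
#define GLOBAL_LIMIT      ((size_t)40 * 1024 * 1024)  /* 40 MiB across all clients */

struct client_quota {
    int    in_use;
    size_t bytes;            /* bytes currently charged to this client */
};

static struct client_quota clients[MAX_CLIENTS];
static size_t total_bytes;   /* bytes charged across all clients */

/* Register a client slot; returns its id, or -1 if the table is full. */
int quota_open_client(void)
{
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (!clients[i].in_use) {
            clients[i].in_use = 1;
            clients[i].bytes = 0;
            return i;
        }
    }
    return -1;
}

/* Allocate on behalf of a client, refusing the request if either the client's
 * own share or the server-wide budget would be exceeded. The checks are written
 * as subtractions so that a huge n cannot wrap a size_t addition. */
void *quota_alloc(int id, size_t n)
{
    if (id < 0 || id >= MAX_CLIENTS || !clients[id].in_use || n == 0)
        return NULL;
    if (n > PER_CLIENT_LIMIT - clients[id].bytes)
        return NULL;                      /* this client is over its share */
    if (n > GLOBAL_LIMIT - total_bytes)
        return NULL;                      /* the server as a whole is at its budget */
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    clients[id].bytes += n;
    total_bytes += n;
    return p;
}

/* Return memory and uncharge it; the caller passes the size that was charged. */
void quota_free(int id, void *p, size_t n)
{
    if (id < 0 || id >= MAX_CLIENTS || !clients[id].in_use || p == NULL)
        return;
    free(p);
    if (n > clients[id].bytes)            /* guard against an accounting bug */
        n = clients[id].bytes;
    clients[id].bytes -= n;
    total_bytes -= n;
}

/* Drop a client's accounting when it disconnects. Its allocations are assumed
 * to have been released through quota_free already. */
void quota_close_client(int id)
{
    if (id < 0 || id >= MAX_CLIENTS || !clients[id].in_use)
        return;
    total_bytes -= clients[id].bytes;
    clients[id].bytes = 0;
    clients[id].in_use = 0;
}

size_t quota_client_bytes(int id)
{
    return (id >= 0 && id < MAX_CLIENTS) ? clients[id].bytes : 0;
}

size_t quota_total_bytes(void)
{
    return total_bytes;
}

int main(void)
{
    int a = quota_open_client();
    void *p = quota_alloc(a, 10 * 1024 * 1024);   /* within the 16 MiB share */
    void *q = quota_alloc(a, 10 * 1024 * 1024);   /* refused: would reach 20 MiB */
    printf("first: %s, second: %s, charged to client: %zu bytes\n",
           p ? "ok" : "refused", q ? "ok" : "refused", quota_client_bytes(a));
    quota_free(a, p, 10 * 1024 * 1024);
    quota_close_client(a);
    return 0;
}
```

The two limits play different roles: the per-client cap keeps one misbehaving client from consuming the server's address space on its own, and the global cap keeps many clients acting together from doing the same thing. A server that only had the first would still be pushed toward the stack by enough clients each staying under their share.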


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds