Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
I have found an integer overflow and a double free vulnerability in the way LibX11 handles locales.
The integer overflow is a necessary precursor to the double free.
The integer overflow occurs in this for loop, as length can be incremented to a negative value with sufficiently large font set names.
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2010
Because length is a signed int, it wraps, which then causes the call to malloc() to fail here:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2025
Which leads to Xfree(required_list)
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2027
Note that required_list and om->core.required_charset.charset_list are equivalent.
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2018
Now because init_om returned false, we "goto err" here:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2071
Then in close_om() we call Xfree for a second time on the same region of memory:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L1678
So now the same object is freed twice, once as required_list, and a second time as om->core.required_charset.charset_list.
To generate the locale here is a small shell script (which requires plenty of RAM and a bit of patience,
so don't run it unless you absolutely need to verify the realisability of the vulnerability).
https://github.com/Ruia-ruia/Exploits/blob/master/x11doublefree.sh
The PoC generates enough fontsets, with large enough names, to increment the length variable in init_om to a negative value.
I have tested on Ubuntu 20.04, with Glibc 2.31 installed.
To trigger the vulnerability, simply run the script and call XOpenOM() in your own application.
Incomplete list of otentially vulnerable packages which use X11:
aalib
aeolus
albert
ambix
ardour
artyfx
at-spi2-atk
avldrums.lv2
barrier-headless
bchoppr
blackbox
bsequencer
bshapr
bslizr
byuu
carla
clipnotify
clxclient
code
dolphin-emu
dragonfly-reverb
drumgizmo
dzen2
element
emptyepsilon
ffmpeg
fillets-ng
finch
fltk
fltk-examples
freerdp
freetype2-demos
freewheeling
fs-uae
gala
gdk-pixbuf2
geonkick
giada
gifsicle
glew1.10
golang-deepin-lib
gst-plugins-bad-libs
guitarix
gxplugins.lv2
haskell-x11
haskell-x11 (staging)
helm-synth
higan
iempluginsuite
java11-openjfx
java11-openjfx (testing)
java8-openjfx
java-openjfx
jgmenu
juce
jwm
kitty
kvantum-qt5
lib32-libx11
libretro-dolphin
libspnav
libva
libva1
libva-mesa-driver
libva-vdpau-driver
libvdpau-va-gl
libwmf
libxext
libxfixes
libxkbfile
libxrender
libxt
lightdm
light-locker
lirc
lmms
lmms (testing)
lsp-plugins
lsw
lxqt-session
maim
megaglest
mephisto.lv2
mesa-vdpau
midi_matrix.lv2
mixxx
moony.lv2
mplayer
mumble
ninjas2
non-sequencer
ntk
pantheon-videos
pari
pasystray
patchmatrix
plank
profanity-gtk
qtcurve-utils
screengrab
screenkey
sdl
sdl2
setbfree
sfizz
sfml
sherlock.lv2
simplescreenrecorder
slop
smplayer
snes9x
snes9x-gtk
sonic-visualiser
spectmorph
spring
stalonetray
startup-notification
supercollider
surge
tilix
ucblogo
unclutter
vdpauinfo
virtualbox
virtualbox-guest-utils
vulkan-intel
vulkan-radeon
vulkan-validation-layers
wallutils
weston
wmname
x42-plugins
xbindkeys
xloadimage
xmonk.lv2
xorg-oclock
xorg-x11perf
xorg-xclipboard
xorg-xclock
xorg-xcmsdb
xorg-xconsole
xorg-xcursorgen
xorg-xdpyinfo
xorg-xdriinfo
xorg-xedit
xorg-xev
xorg-xeyes
xorg-xfontsel
xorg-xgamma
xorg-xhost
xorg-xinit
xorg-xinput
xorg-xkbutils
xorg-xkill
xorg-xload
xorg-xlogo
xorg-xlsfonts
xorg-xmag
xorg-xmodmap
xorg-xpr
xorg-xprop
xorg-xrandr
xorg-xrdb
xorg-xrefresh
xorg-xsetroot
xorg-xvidtune
xorg-xvinfo
xorg-xwud
xplot
xsel
xsettings-client
xsettingsd
xtrlock
zam-plugins
zvbi
csound (optional)
csound (testing) (optional)
deadbeef (optional)
libquicktime (optional)
links (optional)
mtools (optional)
suil (optional)
deadbeef (make)
displaycal (make)
fltk (make)
freetype2 (make)
i810-dri (make)
intel-media-sdk (make)
java11-openjfx (make)
java11-openjfx (testing) (make)
java11-openjfx-doc (make)
java11-openjfx-doc (testing) (make)
java11-openjfx-src (make)
java11-openjfx-src (testing) (make)
java8-openjfx (make)
java-openjfx (make)
jdk11-openjdk (make)
jdk-openjdk (make)
java11-openjdk (make)
java-openjdk (make)
libglvnd (make)
liblightdm-qt5 (make)
libmfx (make)
libopenshot-audio (make)
libquicktime (make)
libstroke (make)
libva-mesa-driver (make)
lightdm (make)
lirc (make)
mach64-dri (make)
mc (make)
mencoder (make)
mesa (make)
mga-dri (make)
mplayer (make)
mtools (make)
opencl-mesa (make)
java11-openjdk (make)
java-openjdk (make)
osmid (make)
profanity (make)
r128-dri (make)
raylib (make)
retroarch (make)
mesa-dri1 (make)
snes9x (make)
mesa-dri1 (make)
vulkan-extra-layers (make)
vulkan-icd-loader (make)
mesa (make)
vulkan-tools (make)
vulkan-trace (make)
vulkan-validation-layers (make)
xcb-util-xrm (make)
xf86-input-libinput (make)
xf86-input-synaptics (make)
xf86-video-intel (make)
xorg-server (make)
xorg-xwininfo (make)
networkmanager (check)
openscad (check)
vala (check)