Bug 768441 - wrong calculation of space allocated for new_argv in require_dbus_session() leads to heap overflow
Status: RESOLVED FIXED
Product: gnome-session
Classification: Core
Component: gnome-session
Version: git master
Hardware: Other Linux
Importance: Normal normal
Assigned To: Session Maintainers
Reported: 2016-07-05 12:29 UTC by Hanno Böck
Modified: 2016-07-11 14:40 UTC


Attachments
patch to fix heap overflow (483 bytes, patch)
2016-07-05 12:29 UTC, Hanno Böck
committed

Description Hanno Böck 2016-07-05 12:29:41 UTC
Created attachment 330900
patch to fix heap overflow

I have discovered a heap overflow in gnome-session with the help of address sanitizer.

This is the code (main.c, function require_dbus_session):
        new_argv = g_malloc (argc + 3 * sizeof (*argv));

The intention is to allocate space for (argc + 3) pointers. However, obviously a bracket is missing, therefore only argc bytes + 3 * pointer size gets allocated, which will be too small. Later on this leads to invalid memory writes.

The fix is trivial: Bracket around argc + 3. See attached patch. Affects current git code.
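
The size arithmetic described in the report above, as an added example that is not part of the original report or of gnome-session's code: it compares the bytes requested by the reported expression with the bytes needed for (argc + 3) pointers, and shows an allocation that passes count and element size separately. The function names, the prefix arguments and the reading of the 3 extra slots as two prefix arguments plus a NULL terminator are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes requested by the reported expression: argc + 3 * sizeof (*argv).
 * Multiplication binds tighter than addition, so only the 3 is scaled. */
size_t buggy_size(int argc) {
    return (size_t)argc + 3 * sizeof(char *);
}

/* Bytes needed for (argc + 3) pointers, as the report says was intended. */
size_t intended_size(int argc) {
    return ((size_t)argc + 3) * sizeof(char *);
}

/* How far a write of (argc + 3) pointers runs past the buggy allocation. */
size_t overrun_bytes(int argc) {
    return intended_size(argc) - buggy_size(argc);
}

/* Hardened variant: pass count and element size separately so calloc()
 * does the multiplication and fails cleanly if it would overflow.
 * Assumption: the 3 extra slots are two prefix arguments plus the NULL
 * terminator; prefix0/prefix1 are hypothetical placeholders. */
char **wrap_argv(int argc, char **argv, char *prefix0, char *prefix1) {
    if (argc < 0 || argv == NULL)
        return NULL;
    char **new_argv = calloc((size_t)argc + 3, sizeof *new_argv);
    if (new_argv == NULL)
        return NULL;
    new_argv[0] = prefix0;
    new_argv[1] = prefix1;
    for (int i = 0; i < argc; i++)
        new_argv[i + 2] = argv[i];
    new_argv[argc + 2] = NULL;
    return new_argv;
}

int main(void) {
    /* Constructed argument counts, not taken from the report. */
    for (int argc = 0; argc <= 4; argc++)
        printf("argc=%d buggy=%zu intended=%zu overrun=%zu\n", argc,
               buggy_size(argc), intended_size(argc), overrun_bytes(argc));
    return 0;
}
```

The shortfall is argc * (sizeof (char *) - 1) bytes, so it grows with every additional command-line argument.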
Comment 1 Ray Strode [halfline] 2016-07-11 14:40:55 UTC
Thanks, pushed attachment 330900 as commit e430239df