Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Buffer overflows in MEDM
From: Shuei YAMADA <shuei.yamada@gmail.com>
To: tech-talk@aps.anl.gov
Date: Mon, 19 Jun 2017 13:23:06 +0900
Dear all,

I found (and presumably fixed) 2 buffer overflow problems in MEDM
(3.1.11) on 64bit Ubuntu 16.04.

1) Stack smashing protection is enabled in Ubuntu 16.04. Therefore
MEDM crashes as follows when I manipulate pull-down menus in the
"Resource Palette" window:

====
$ medm
...
*** stack smashing detected ***: medm terminated
Aborted
====

A call to XtVaGetValues() in optionMenuSimpleCallback() (in
medm/resourcePalette.c) seems to be the cause of the problem. An "int"
variable is passed as the 3rd argument of XtVaGetValues() as
follows:

XtVaGetValues(XtParent(w),XmNuserData,&rcType,NULL);

but it should be 64 bits wide on a 64-bit system. Attached is a patch
(medm-resourcePallette-bof.patch) which will fix the problem.

2) There is another buffer overflow in the related display. When I use 5
or more entries in a related display with a row (or column) of buttons,
an array overflows. The array in question is defined in line 471 of
medm/medmRelatedDisplay.c as follows:

====
Arg wargs[20];
====

There are only 4 remaining elements for push buttons because 16 out of
20 elements are already used. Its number of elements should be 32
instead of 20, so that all the 16 entries in "Related Display Data"
are available without any problems.

best regards,
Shuei YAMADA
-- 
                 ----------------------------------------------------
                 Shuei Yamada,
                 High Energy Accelerator Research Organization (KEK)
                 mailto:shuei@post.kek.jp
                 ----------------------------------------------------
*** medm-MEDM3_1_11.orig/medm/resourcePalette.c	2016-11-23 05:17:05.000000000 +0900
--- medm-MEDM3_1_11/medm/resourcePalette.c	2017-06-19 10:54:31.705472877 +0900
*************** static void optionMenuSimpleCallback(Wid
*** 189,195 ****
  {
      DisplayInfo *cdi = currentDisplayInfo;
      int buttonId = (intptr_t)cd;
!     int rcType;
      DlElement *elementPtr;
  
      UNREFERENCED(cbs);
--- 189,195 ----
  {
      DisplayInfo *cdi = currentDisplayInfo;
      int buttonId = (intptr_t)cd;
!     long rcType;
      DlElement *elementPtr;
  
      UNREFERENCED(cbs);
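Review bot: `long rcType` is only pointer sized on LP64 targets; on LLP64 (64-bit Windows) `long` stays 32 bits and the same overflow would return. Since XmNuserData is delivered as an XtPointer, declare the receiver as `XtPointer rcType;` (or `intptr_t`, matching the `(intptr_t)cd` cast two lines above) and narrow with an explicit cast where the value is used as an int; those later uses are not in this hunk, so check that each of them still compiles cleanly after the type change.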
*** medm-MEDM3_1_11.orig/medm/medmRelatedDisplay.c	2016-11-23 05:17:05.000000000 +0900
--- medm-MEDM3_1_11/medm/medmRelatedDisplay.c	2017-06-19 11:16:57.907736044 +0900
*************** void executeDlRelatedDisplay(DisplayInfo
*** 468,474 ****
        dlRelatedDisplay->visual == RD_COL_OF_BTN) {
        /* Case 3 of 4 */
        /* Rows or columns of buttons */
! 	Arg wargs[20];
  	int i = 0, maxChars = 0, usedWidth = 0, usedHeight = 0;
  	XmFontList fontList;
  	Pixel fg, bg;
--- 468,474 ----
        dlRelatedDisplay->visual == RD_COL_OF_BTN) {
        /* Case 3 of 4 */
        /* Rows or columns of buttons */
! 	Arg wargs[MAX_RELATED_DISPLAYS+16];
  	int i = 0, maxChars = 0, usedWidth = 0, usedHeight = 0;
  	XmFontList fontList;
  	Pixel fg, bg;
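Review bot: `MAX_RELATED_DISPLAYS+16` encodes the count of fixed XtSetArg calls that precede the per-button ones as a bare 16, which is not visible in this hunk; give that 16 a named constant or a comment so the next XtSetArg added to this function does not silently reintroduce the overflow, and consider asserting `i < XtNumber(wargs)` (Xt's array-size macro) before the per-button XtSetArg calls so the bound is checked rather than assumed. MAX_RELATED_DISPLAYS is taken here to be MEDM's existing entry limit (the message cites 16 entries).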

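The two defects above reduce to one pattern each: handing a variadic Xt getter the address of an int when it writes a pointer-sized value, and sizing an Arg array by hand. The following is an added example, not code from the message or from MEDM; it mimics XtVaGetValues with a mock (assumed names: `mock_va_get_values`, `get_user_data_as_int`, `build_button_args`, and constructed constants `MAX_RELATED_DISPLAYS`/`FIXED_ARGS`) and shows the pointer-sized receiver and a bounds-checked array fill.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for Xt types: XtPointer is pointer sized, Arg is a (name, value) pair. */
typedef void *XtPointer;
typedef struct { const char *name; XtPointer value; } Arg;

/* Mimics XtVaGetValues: each (name, address) pair in the NULL-terminated list
 * receives a full XtPointer, so the caller's storage must be pointer sized.
 * Passing the address of a 4-byte int here is exactly the reported overflow. */
static void mock_va_get_values(const Arg *res, size_t nres, ...) {
    va_list ap;
    va_start(ap, nres);
    for (const char *name; (name = va_arg(ap, const char *)) != NULL;) {
        XtPointer *dst = va_arg(ap, XtPointer *);
        for (size_t k = 0; k < nres; k++)
            if (strcmp(res[k].name, name) == 0) *dst = res[k].value;
    }
    va_end(ap);
}

/* Fixed pattern: receive user data into an XtPointer (pointer sized on LP64
 * and LLP64 alike) and narrow it explicitly where an int is needed. */
int get_user_data_as_int(const Arg *res, size_t nres) {
    XtPointer userData = NULL;
    mock_va_get_values(res, nres, "userData", &userData, NULL);
    return (int)(intptr_t)userData;
}

#define MAX_RELATED_DISPLAYS 16  /* assumed: MEDM's related-display entry limit */
#define FIXED_ARGS 16            /* constructed: args set before the per-button ones */

/* Fills wargs like the row/column-of-buttons case, but never runs past cap;
 * returns the number of args used, or -1 when the array is too small. */
int build_button_args(Arg *wargs, size_t cap, int nbuttons) {
    size_t i = 0;
    for (int k = 0; k < FIXED_ARGS; k++) {
        if (i >= cap) return -1;
        wargs[i++] = (Arg){ "fixed", NULL };
    }
    for (int b = 0; b < nbuttons && b < MAX_RELATED_DISPLAYS; b++) {
        if (i >= cap) return -1;
        wargs[i++] = (Arg){ "button", NULL };
    }
    return (int)i;
}
```

With a 20-element array the fill fails as soon as a fifth button is requested, which is the threshold the message reports; an array of `MAX_RELATED_DISPLAYS + FIXED_ARGS` holds all 16.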