Skip to content

xf86pciBus: replace on thread-safe strtok_r in xf86ParsePciBusString() #1415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

xf86pciBus: replace on thread-safe strtok_r in xf86ParsePciBusString() #1415

wants to merge 1 commit into from

Conversation

@GermanAizek
Copy link
Contributor

@GermanAizek GermanAizek commented Nov 16, 2025
edited
Loading

Related to issue: #1398

  • Thread A calls xf86ParsePciBusString("PCI:1@0:2:3 "). Execution of strtok_r (in the patched version) or strtok (in the vulnerable version) is suspended after the first call, when the internal pointer is set to the rest of the string ":2:3".
  • Thread B (the attacker's thread) calls another function in the X server that also uses strtok (for example, to parse another configuration string). This call overwrites the internal static state of strtok.
  • Thread A resumes and calls strtok(NULL, ":") again. Instead of getting the token "2" from the source string, it will receive data from the string processed by Thread B, or NULL, which will lead to incorrect BusID parsing, potential failure, or other unpredictable behavior.

Applying patch with strtok_r completely eliminates this category of vulnerabilities in multithreaded scenarios.

@GermanAizek
xf86pciBus: replace on thread-safe strtok_r in xf86ParsePciBusString()
c2700b2 
- Thread A calls xf86ParsePciBusString("PCI:1@0:2:3 "). Execution of strtok_r (in the patched version) or strtok (in the vulnerable version) is suspended after the first call, when the internal pointer is set to the rest of the string ":2:3".
- Thread B (the attacker's thread) calls another function in the X server that also uses strtok (for example, to parse another configuration string). This call overwrites the internal static state of strtok.
- Thread A resumes and calls strtok(NULL, ":") again. Instead of getting the token "2" from the source string, it will receive data from the string processed by Thread B, or NULL, which will lead to incorrect BusID parsing, potential failure, or other unpredictable behavior.

Applying patch with strtok_r completely eliminates this category of vulnerabilities in multithreaded scenarios.
@GermanAizek GermanAizek mentioned this pull request Nov 16, 2025
Open
@callmetango callmetango linked an issue Nov 16, 2025 that may be closed by this pull request
Race condition in xf86ParsePciBusString #1398
Open
@metux metux requested a review from a team November 17, 2025 17:54
algrid
algrid reviewed Nov 17, 2025
View reviewed changes
hw/xfree86/common/xf86pciBus.c
s = Xstrdup(id);
p = strtok(s, ":");
s = last = Xstrdup(id);
p = strtok_r(last, ":", &last);
Copy link

@algrid algrid Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a particular reason to use last for both the first and the last argument?
I thought the typical usage would be something like

char *last;
p = strtok_r(s, ":", &last);

@metux metux requested a review from a team November 22, 2025 12:28
@GermanAizek
Copy link
Contributor Author

GermanAizek commented Nov 22, 2025

@metux, in XOrg was created SECURITY.md

https://gitlab.freedesktop.org/xorg/xserver/-/commit/a5047d4a6576630d0e15b8f145a44ff6ebe55369

XLibre as a separate fork, would you like to consider creating an isolated environment from the drivers as well? It is possible that someone will write vendor new drivers for the x server in the future, as well as protection against malicious xf86 drivers like viruses.

I can help you create a more secure runtime environment in X process and send PRs.

image

@GermanAizek
Copy link
Contributor Author

GermanAizek commented Nov 22, 2025

@metux, As Alan said in SECURITY.md, the Xorg project fully trusts vendors' code and custom modules and eliminates possible errors when writing them that could exploit xorg server vulnerabilities.

@stefan11111
Copy link
Contributor

stefan11111 commented Nov 22, 2025

@GermanAizek I agree with Alanc here.

We want code from modules to be just as fast as code in the X server.
As Alanc told you in the discussion on the Xorg gitlab, we simply dlopen() the modules and execute functions from it.

You can prevent modules doing stuff like *(char*)0 = 0; from bringing down the system by forking and running the code under a different process (though I don't want to think about the many ways this can break).

However, you can't prevent stuff like system ("rm -rf /*"); without some heavy, browser-like sandboxing.

On a properly configured system, X server modules can't be installed without privileges, so this isn't a security vulnerability.

If you think I'm wrong here, try patching a module to create a file somewhere on your system where the X server has enough privileges to do so (do it in driver PreInit or something).
Try then, just by patching the X server, to load the module and make it unable to create that file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@algrid algrid algrid left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Race condition in xf86ParsePciBusString

3 participants

@GermanAizek @stefan11111 @algrid