Tree - rpms/xorg-x11-server - src.fedoraproject.org

rpms / xorg-x11-server

Blame 0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch

Blob History Raw

Peter Hutterer	75e6f92	`From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001`
Peter Hutterer	75e6f92	`From: Peter Hutterer <peter.hutterer@who-t.net>`
Peter Hutterer	75e6f92	`Date: Tue, 29 Nov 2022 13:26:57 +1000`
Peter Hutterer	75e6f92	`Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of`
Peter Hutterer	75e6f92	`ProcXIChangeProperty`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`This fixes an OOB read and the resulting information disclosure.`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`Length calculation for the request was clipped to a 32-bit integer. With`
Peter Hutterer	75e6f92	`the correct stuff->num_items value the expected request size was`
Peter Hutterer	75e6f92	`truncated, passing the REQUEST_FIXED_SIZE check.`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`The server then proceeded with reading at least stuff->num_items bytes`
Peter Hutterer	75e6f92	`(depending on stuff->format) from the request and stuffing whatever it`
Peter Hutterer	75e6f92	`finds into the property. In the process it would also allocate at least`
Peter Hutterer	75e6f92	`stuff->num_items bytes, i.e. 4GB.`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,`
Peter Hutterer	75e6f92	`so let's fix that too.`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`CVE-2022-46344, ZDI-CAN 19405`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`This vulnerability was discovered by:`
Peter Hutterer	75e6f92	`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>`
Peter Hutterer	75e6f92	`Acked-by: Olivier Fourdan <ofourdan@redhat.com>`
Peter Hutterer	75e6f92	`---`
Peter Hutterer	75e6f92	`Xi/xiproperty.c \| 4 ++--`
Peter Hutterer	75e6f92	`dix/property.c \| 3 ++-`
Peter Hutterer	75e6f92	`2 files changed, 4 insertions(+), 3 deletions(-)`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c`
Peter Hutterer	75e6f92	`index 68c362c628..066ba21fba 100644`
Peter Hutterer	75e6f92	`--- a/Xi/xiproperty.c`
Peter Hutterer	75e6f92	`+++ b/Xi/xiproperty.c`
Peter Hutterer	75e6f92	`@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)`
Peter Hutterer	75e6f92	`REQUEST(xChangeDevicePropertyReq);`
Peter Hutterer	75e6f92	`DeviceIntPtr dev;`
Peter Hutterer	75e6f92	`unsigned long len;`
Peter Hutterer	75e6f92	`- int totalSize;`
Peter Hutterer	75e6f92	`+ uint64_t totalSize;`
Peter Hutterer	75e6f92	`int rc;`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);`
Peter Hutterer	75e6f92	`@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)`
Peter Hutterer	75e6f92	`{`
Peter Hutterer	75e6f92	`int rc;`
Peter Hutterer	75e6f92	`DeviceIntPtr dev;`
Peter Hutterer	75e6f92	`- int totalSize;`
Peter Hutterer	75e6f92	`+ uint64_t totalSize;`
Peter Hutterer	75e6f92	`unsigned long len;`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`REQUEST(xXIChangePropertyReq);`
Peter Hutterer	75e6f92	`diff --git a/dix/property.c b/dix/property.c`
Peter Hutterer	75e6f92	`index 94ef5a0ec0..acce94b2c6 100644`
Peter Hutterer	75e6f92	`--- a/dix/property.c`
Peter Hutterer	75e6f92	`+++ b/dix/property.c`
Peter Hutterer	75e6f92	`@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)`
Peter Hutterer	75e6f92	`WindowPtr pWin;`
Peter Hutterer	75e6f92	`char format, mode;`
Peter Hutterer	75e6f92	`unsigned long len;`
Peter Hutterer	75e6f92	`- int sizeInBytes, totalSize, err;`
Peter Hutterer	75e6f92	`+ int sizeInBytes, err;`
Peter Hutterer	75e6f92	`+ uint64_t totalSize;`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`REQUEST(xChangePropertyReq);`
Peter Hutterer	75e6f92
Peter Hutterer	75e6f92	`--`
Peter Hutterer	75e6f92	`2.38.1`
Peter Hutterer	75e6f92

rpms / xorg-x11-server

Source Code

Blame 0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch