rpms / xorg-x11-server

Clone
Source Code
GIT

Blame 0004-Xi-disallow-passive-grabs-with-a-detail-255.patch

ajax/upstream f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main olpc2 olpc3 private-1_2-branch private-unbreak-domain-branch rawhide
  1.   f40
  2.   0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
Blob History Raw
Peter Hutterer 75e6f92 
From 0dab0b527ac5c4fe0272ea679522bd87238a733b Mon Sep 17 00:00:00 2001
Peter Hutterer 75e6f92 
From: Peter Hutterer <peter.hutterer@who-t.net>
Peter Hutterer 75e6f92 
Date: Tue, 29 Nov 2022 13:55:32 +1000
Peter Hutterer 75e6f92 
Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
The XKB protocol effectively prevents us from ever using keycodes above
Peter Hutterer 75e6f92 
255. For buttons it's theoretically possible but realistically too niche
Peter Hutterer 75e6f92 
to worry about. For all other passive grabs, the detail must be zero
Peter Hutterer 75e6f92 
anyway.
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
This fixes an OOB write:
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
Peter Hutterer 75e6f92 
temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
Peter Hutterer 75e6f92 
For matching existing grabs, DeleteDetailFromMask is called with the
Peter Hutterer 75e6f92 
stuff->detail value. This function creates a new mask with the one bit
Peter Hutterer 75e6f92 
representing stuff->detail cleared.
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
However, the array size for the new mask is 8 * sizeof(CARD32) bits,
Peter Hutterer 75e6f92 
thus any detail above 255 results in an OOB array write.
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
CVE-2022-46341, ZDI-CAN 19381
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
This vulnerability was discovered by:
Peter Hutterer 75e6f92 
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Peter Hutterer 75e6f92 
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Peter Hutterer 75e6f92 
---
Peter Hutterer 75e6f92 
 Xi/xipassivegrab.c | 22 ++++++++++++++--------
Peter Hutterer 75e6f92 
 1 file changed, 14 insertions(+), 8 deletions(-)
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
Peter Hutterer 75e6f92 
index 2769fb7c94..c9ac2f8553 100644
Peter Hutterer 75e6f92 
--- a/Xi/xipassivegrab.c
Peter Hutterer 75e6f92 
+++ b/Xi/xipassivegrab.c
Peter Hutterer 75e6f92 
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
Peter Hutterer 75e6f92 
         return BadValue;
Peter Hutterer 75e6f92 
     }
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
+    /* XI2 allows 32-bit keycodes but thanks to XKB we can never
Peter Hutterer 75e6f92 
+     * implement this. Just return an error for all keycodes that
Peter Hutterer 75e6f92 
+     * cannot work anyway, same for buttons > 255. */
Peter Hutterer 75e6f92 
+    if (stuff->detail > 255)
Peter Hutterer 75e6f92 
+        return XIAlreadyGrabbed;
Peter Hutterer 75e6f92 
+
Peter Hutterer 75e6f92 
     if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
Peter Hutterer 75e6f92 
                                stuff->mask_len * 4) != Success)
Peter Hutterer 75e6f92 
         return BadValue;
Peter Hutterer 75e6f92 
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
Peter Hutterer 75e6f92 
                                 &param, XI2, &mask);
Peter Hutterer 75e6f92 
             break;
Peter Hutterer 75e6f92 
         case XIGrabtypeKeycode:
Peter Hutterer 75e6f92 
-            /* XI2 allows 32-bit keycodes but thanks to XKB we can never
Peter Hutterer 75e6f92 
-             * implement this. Just return an error for all keycodes that
Peter Hutterer 75e6f92 
-             * cannot work anyway */
Peter Hutterer 75e6f92 
-            if (stuff->detail > 255)
Peter Hutterer 75e6f92 
-                status = XIAlreadyGrabbed;
Peter Hutterer 75e6f92 
-            else
Peter Hutterer 75e6f92 
-                status = GrabKey(client, dev, mod_dev, stuff->detail,
Peter Hutterer 75e6f92 
-                                 &param, XI2, &mask);
Peter Hutterer 75e6f92 
+            status = GrabKey(client, dev, mod_dev, stuff->detail,
Peter Hutterer 75e6f92 
+                             &param, XI2, &mask);
Peter Hutterer 75e6f92 
             break;
Peter Hutterer 75e6f92 
         case XIGrabtypeEnter:
Peter Hutterer 75e6f92 
         case XIGrabtypeFocusIn:
Peter Hutterer 75e6f92 
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
Peter Hutterer 75e6f92 
         return BadValue;
Peter Hutterer 75e6f92 
     }
Peter Hutterer 75e6f92
Peter Hutterer 75e6f92 
+    /* We don't allow passive grabs for details > 255 anyway */
Peter Hutterer 75e6f92 
+    if (stuff->detail > 255) {
Peter Hutterer 75e6f92 
+        client->errorValue = stuff->detail;
Peter Hutterer 75e6f92 
+        return BadValue;
Peter Hutterer 75e6f92 
+    }
Peter Hutterer 75e6f92 
+
Peter Hutterer 75e6f92 
     rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
Peter Hutterer 75e6f92 
     if (rc != Success)
Peter Hutterer 75e6f92 
         return rc;
Peter Hutterer 75e6f92 
--
Peter Hutterer 75e6f92 
2.38.1
Peter Hutterer 75e6f92
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.