From 244101ac9d4c6963416cfc74f2174d440f1cb4b6 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 11:47:15 +0200
Subject: [PATCH xserver] record: Check for overflow in
RecordSanityCheckRegisterClients()
The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than a maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.
This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.
CVE-2025-49179
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
record/record.c | 8 ++++++++
1 file changed, 8 insertions(+)
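--- a/record/record.c
+++ b/record/record.c
@@ -36,6 +36,9 @@ and Jim Haggerty of Metheus.
 #include <dix-config.h>
 #endif
 
+#include <X11/Xdefs.h>
+#include "os/osdep.h"
+
 #include "dixstruct.h"
 #include "extnsionst.h"
 #include "extinit.h"
@@ -1298,6 +1301,13 @@ RecordSanityCheckRegisterClients(RecordC
 int i;
 XID recordingClient;
 
+ /* LIMITCLIENTS is 2048 at max, way less that MAXINT */
+ if (stuff->nClients > LIMITCLIENTS)
+ return BadValue;
+
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+ return BadValue;
+
 if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
 return BadLength;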
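Review bot: The second added guard, `stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)`, is only sound because the `LIMITCLIENTS` check runs first and keeps `4 * stuff->nClients` far below `MAXINT`; nothing in the code says so, and reordering or dropping the first check would let the subtraction itself wrap. I would put a comment above it such as `/* nClients is bounded above, so MAXINT - 4 * nClients cannot wrap; this keeps the length sum below from overflowing */` and fix the typo in the existing comment (`way less than MAXINT`). Both new `BadValue` returns also leave `client->errorValue` unset, so the error the client receives will presumably carry a stale value; setting it to the rejected count before returning (`client->errorValue = stuff->nClients;`) would follow the usual server convention. The body of RecordSanityCheckRegisterClients() starts and ends outside this hunk, so the field types and any later use of these counts are not visible here.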
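--- a/record/Makefile.am
+++ b/record/Makefile.am
@@ -1,6 +1,6 @@
 noinst_LTLIBRARIES = librecord.la
 
-AM_CFLAGS = $(DIX_CFLAGS)
+AM_CFLAGS = $(DIX_CFLAGS) -I..
 
 librecord_la_SOURCES = record.c set.c
 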