85 lines
3.3 KiB
Diff
85 lines
3.3 KiB
Diff
|
From d725dfd9455ab1e5393ec46f1cd725e3a784b9cc Mon Sep 17 00:00:00 2001
|
||
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||
|
|
Date: Mon, 7 Apr 2025 16:13:34 +0200
|
||
|
|
Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
The BigRequest extension allows request larger than the 16-bit length
|
||
|
|
limit.
|
||
|
|
|
||
|
|
It uses integers for the request length and checks for the size not to
|
||
|
|
exceed the maxBigRequestSize limit, but does so after translating the
|
||
|
|
length to integer by multiplying the given size in bytes by 4.
|
||
|
|
|
||
|
|
In doing so, it might overflow the integer size limit before actually
|
||
|
|
checking for the overflow, defeating the purpose of the test.
|
||
|
|
|
||
|
|
To avoid the issue, make sure to check that the request size does not
|
||
|
|
overflow the maxBigRequestSize limit prior to any conversion.
|
||
|
|
|
||
|
|
The caller Dispatch() function however expects the return value to be in
|
||
|
|
bytes, so we cannot just return the converted value in case of error, as
|
||
|
|
that would also overflow the integer size.
|
||
|
|
|
||
|
|
To preserve the existing API, we use a negative value for the X11 error
|
||
|
|
code BadLength as the function only return positive values, 0 or -1 and
|
||
|
|
update the caller Dispatch() function to take that case into account to
|
||
|
|
return the error code to the offending client.
|
||
|
|
|
||
|
|
CVE-2025-49176
|
||
|
|
|
||
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||
|
|
|
||
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||
|
|
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
||
|
|
---
|
||
|
|
dix/dispatch.c | 9 +++++----
|
||
|
|
os/io.c | 4 ++++
|
||
|
|
2 files changed, 9 insertions(+), 4 deletions(-)
|
||
|
|
|
||
|
|
Index: xwayland-24.1.6/dix/dispatch.c
|
||
|
|
===================================================================
|
||
|
|
--- xwayland-24.1.6.orig/dix/dispatch.c
|
||
|
|
+++ xwayland-24.1.6/dix/dispatch.c
|
||
|
|
@@ -517,9 +517,10 @@ Dispatch(void)
|
||
|
|
|
||
|
|
/* now, finally, deal with client requests */
|
||
|
|
result = ReadRequestFromClient(client);
|
||
|
|
- if (result <= 0) {
|
||
|
|
- if (result < 0)
|
||
|
|
- CloseDownClient(client);
|
||
|
|
+ if (result == 0)
|
||
|
|
+ break;
|
||
|
|
+ else if (result == -1) {
|
||
|
|
+ CloseDownClient(client);
|
||
|
|
break;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -540,7 +541,7 @@ Dispatch(void)
|
||
|
|
client->index,
|
||
|
|
client->requestBuffer);
|
||
|
|
#endif
|
||
|
|
- if (result > (maxBigRequestSize << 2))
|
||
|
|
+ if (result < 0 || result > (maxBigRequestSize << 2))
|
||
|
|
result = BadLength;
|
||
|
|
else {
|
||
|
|
result = XaceHookDispatch(client, client->majorOp);
|
||
|
|
Index: xwayland-24.1.6/os/io.c
|
||
|
|
===================================================================
|
||
|
|
--- xwayland-24.1.6.orig/os/io.c
|
||
|
|
+++ xwayland-24.1.6/os/io.c
|
||
|
|
@@ -299,6 +299,10 @@ ReadRequestFromClient(ClientPtr client)
|
||
|
|
needed = get_big_req_len(request, client);
|
||
|
|
}
|
||
|
|
client->req_len = needed;
|
||
|
|
+ if (needed > MAXINT >> 2) {
|
||
|
|
+ /* Check for potential integer overflow */
|
||
|
|
+ return -(BadLength);
|
||
|
|
+ }
|
||
|
|
needed <<= 2; /* needed is in bytes now */
|
||
|
|
}
|
||
|
|
if (gotnow < needed) {
|