xorg-x11-server/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch

Author: Michal Srb <msrb@suse.com>
Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced
Patch-mainline: Upstream
References: bnc#1035283 CVE-2017-10972

Make sure that the xEvent eventT is initialized with zeros, the same way as
in SProcSendEvent.

Some event swapping functions do not overwrite all 32 bytes of xEvent
structure, for example XSecurityAuthorizationRevoked. Two cooperating
clients, one swapped and the other not, can send
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
from X server. This can be potentialy misused to go around ASLR or
stack-protector.

Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 Xi/sendexev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 11d82029f..1cf118ab6 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 {
     CARD32 *p;
     int i;
-    xEvent eventT;
+    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
 
-- 
2.12.0
Accepting request 508727 from home:michalsrb:branches:X11:XOrg - u_Xi-Do-not-try-to-swap-GenericEvent.patch, u_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, u_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, u_dix-Disallow-GenericEvent-in-SendEvent-request.patch * Fix security issues in event handling. (bnc#1035283, CVE-2017-10971, CVE-2017-10972) OBS-URL: https://build.opensuse.org/request/show/508727 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=668 2017-07-07 09:24:38 +00:00			`Author: Michal Srb <msrb@suse.com>`
			`Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.`
			`Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced`
			`Patch-mainline: Upstream`
			`References: bnc#1035283 CVE-2017-10972`

			`Make sure that the xEvent eventT is initialized with zeros, the same way as`
			`in SProcSendEvent.`

			`Some event swapping functions do not overwrite all 32 bytes of xEvent`
			`structure, for example XSecurityAuthorizationRevoked. Two cooperating`
			`clients, one swapped and the other not, can send`
			`XSecurityAuthorizationRevoked event to each other to retrieve old stack data`
			`from X server. This can be potentialy misused to go around ASLR or`
			`stack-protector.`

			`Signed-off-by: Michal Srb <msrb@suse.com>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`---`
			`Xi/sendexev.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/Xi/sendexev.c b/Xi/sendexev.c`
			`index 11d82029f..1cf118ab6 100644`
			`--- a/Xi/sendexev.c`
			`+++ b/Xi/sendexev.c`
			`@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)`
			`{`
			`CARD32 *p;`
			`int i;`
			`- xEvent eventT;`
			`+ xEvent eventT = { .u.u.type = 0 };`
			`xEvent *eventP;`
			`EventSwapPtr proc;`

			`--`
			`2.12.0`