1
0
xorg-x11-server/U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
Stefan Dirsch 37722e6dc6 - U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
* XkbGetKbdByName use-after-free (ZDI-CAN-19530, CVE-2022-4283,
    bsc#1206017)

- U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
  * Server XTestSwapFakeInput stack overflow (ZDI-CAN 19265,
    CVE-2022-46340, bsc#1205874)
- U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
  * Xi: return an error from XI property changes if verification
    failed (no ZDI-CAN id, no CVE id, bsc#1205875)
- U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
  * Server XIChangeProperty out-of-bounds access (ZDI-CAN 19405,
    CVE-2022-46344, bsc#1205876)
- U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
  * Server XIPassiveUngrabDevice out-of-bounds access (ZDI-CAN 19381,
    CVE-2022-46341, bsc#1205877)
- U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
  * Server ScreenSaverSetAttributes use-after-free (ZDI-CAN 19404,
    CVE-2022-46343, bsc#1205878)
- U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
  * Server XvdiSelectVideoNotify use-after-free (ZDI-CAN 19400,
    CVE-2022-46342, bsc#1205879)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=843
2022-12-14 10:48:59 +00:00

71 lines
2.1 KiB
Diff

From 6f01a643c90724f32c19985e39de3bee9b14a310 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:26:57 +1000
Subject: [PATCH xserver 3/6] Xi: avoid integer truncation in length check of
ProcXIChangeProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.
ZDI-CAN 19405
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
Xi/xiproperty.c | 4 ++--
dix/property.c | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 68c362c628..066ba21fba 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
REQUEST(xChangeDevicePropertyReq);
DeviceIntPtr dev;
unsigned long len;
- int totalSize;
+ uint64_t totalSize;
int rc;
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
{
int rc;
DeviceIntPtr dev;
- int totalSize;
+ uint64_t totalSize;
unsigned long len;
REQUEST(xXIChangePropertyReq);
diff --git a/dix/property.c b/dix/property.c
index 94ef5a0ec0..acce94b2c6 100644
--- a/dix/property.c
+++ b/dix/property.c
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
WindowPtr pWin;
char format, mode;
unsigned long len;
- int sizeInBytes, totalSize, err;
+ int sizeInBytes, err;
+ uint64_t totalSize;
REQUEST(xChangePropertyReq);
--
2.38.1