1
0
xorg-x11-server/U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
Stefan Dirsch 37722e6dc6 - U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
* XkbGetKbdByName use-after-free (ZDI-CAN-19530, CVE-2022-4283,
    bsc#1206017)

- U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
  * Server XTestSwapFakeInput stack overflow (ZDI-CAN 19265,
    CVE-2022-46340, bsc#1205874)
- U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
  * Xi: return an error from XI property changes if verification
    failed (no ZDI-CAN id, no CVE id, bsc#1205875)
- U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
  * Server XIChangeProperty out-of-bounds access (ZDI-CAN 19405,
    CVE-2022-46344, bsc#1205876)
- U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
  * Server XIPassiveUngrabDevice out-of-bounds access (ZDI-CAN 19381,
    CVE-2022-46341, bsc#1205877)
- U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
  * Server ScreenSaverSetAttributes use-after-free (ZDI-CAN 19404,
    CVE-2022-46343, bsc#1205878)
- U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
  * Server XvdiSelectVideoNotify use-after-free (ZDI-CAN 19400,
    CVE-2022-46342, bsc#1205879)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=843
2022-12-14 10:48:59 +00:00

82 lines
3.0 KiB
Diff

From 9dc018a5a1a183e0a2cb945572454779b499430c Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:55:32 +1000
Subject: [PATCH xserver 4/6] Xi: disallow passive grabs with a detail > 255
The XKB protocol effectively prevents us from ever using keycodes above
255. For buttons it's theoretically possible but realistically too niche
to worry about. For all other passive grabs, the detail must be zero
anyway.
This fixes an OOB write:
ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
For matching existing grabs, DeleteDetailFromMask is called with the
stuff->detail value. This function creates a new mask with the one bit
representing stuff->detail cleared.
However, the array size for the new mask is 8 * sizeof(CARD32) bits,
thus any detail above 255 results in an OOB array write.
ZDI-CAN 19381
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
Xi/xipassivegrab.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 2769fb7c94..c9ac2f8553 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
return BadValue;
}
+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+ * implement this. Just return an error for all keycodes that
+ * cannot work anyway, same for buttons > 255. */
+ if (stuff->detail > 255)
+ return XIAlreadyGrabbed;
+
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
stuff->mask_len * 4) != Success)
return BadValue;
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
&param, XI2, &mask);
break;
case XIGrabtypeKeycode:
- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
- * implement this. Just return an error for all keycodes that
- * cannot work anyway */
- if (stuff->detail > 255)
- status = XIAlreadyGrabbed;
- else
- status = GrabKey(client, dev, mod_dev, stuff->detail,
- &param, XI2, &mask);
+ status = GrabKey(client, dev, mod_dev, stuff->detail,
+ &param, XI2, &mask);
break;
case XIGrabtypeEnter:
case XIGrabtypeFocusIn:
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
return BadValue;
}
+ /* We don't allow passive grabs for details > 255 anyway */
+ if (stuff->detail > 255) {
+ client->errorValue = stuff->detail;
+ return BadValue;
+ }
+
rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
if (rc != Success)
return rc;
--
2.38.1