forked from pool/xorg-x11-server
Stefan Dirsch
37722e6dc6
* XkbGetKbdByName use-after-free (ZDI-CAN-19530, CVE-2022-4283, bsc#1206017) - U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch * Server XTestSwapFakeInput stack overflow (ZDI-CAN 19265, CVE-2022-46340, bsc#1205874) - U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch * Xi: return an error from XI property changes if verification failed (no ZDI-CAN id, no CVE id, bsc#1205875) - U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch * Server XIChangeProperty out-of-bounds access (ZDI-CAN 19405, CVE-2022-46344, bsc#1205876) - U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch * Server XIPassiveUngrabDevice out-of-bounds access (ZDI-CAN 19381, CVE-2022-46341, bsc#1205877) - U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch * Server ScreenSaverSetAttributes use-after-free (ZDI-CAN 19404, CVE-2022-46343, bsc#1205878) - U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch * Server XvdiSelectVideoNotify use-after-free (ZDI-CAN 19400, CVE-2022-46342, bsc#1205879) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=843
71 lines
2.1 KiB
Diff
71 lines
2.1 KiB
Diff
From 6f01a643c90724f32c19985e39de3bee9b14a310 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
|
Subject: [PATCH xserver 3/6] Xi: avoid integer truncation in length check of
|
|
ProcXIChangeProperty
|
|
|
|
This fixes an OOB read and the resulting information disclosure.
|
|
|
|
Length calculation for the request was clipped to a 32-bit integer. With
|
|
the correct stuff->num_items value the expected request size was
|
|
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
|
The server then proceeded with reading at least stuff->num_items bytes
|
|
(depending on stuff->format) from the request and stuffing whatever it
|
|
finds into the property. In the process it would also allocate at least
|
|
stuff->num_items bytes, i.e. 4GB.
|
|
|
|
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
|
so let's fix that too.
|
|
|
|
ZDI-CAN 19405
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xi/xiproperty.c | 4 ++--
|
|
dix/property.c | 3 ++-
|
|
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
index 68c362c628..066ba21fba 100644
|
|
--- a/Xi/xiproperty.c
|
|
+++ b/Xi/xiproperty.c
|
|
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
REQUEST(xChangeDevicePropertyReq);
|
|
DeviceIntPtr dev;
|
|
unsigned long len;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
int rc;
|
|
|
|
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
|
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
|
{
|
|
int rc;
|
|
DeviceIntPtr dev;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
unsigned long len;
|
|
|
|
REQUEST(xXIChangePropertyReq);
|
|
diff --git a/dix/property.c b/dix/property.c
|
|
index 94ef5a0ec0..acce94b2c6 100644
|
|
--- a/dix/property.c
|
|
+++ b/dix/property.c
|
|
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
|
WindowPtr pWin;
|
|
char format, mode;
|
|
unsigned long len;
|
|
- int sizeInBytes, totalSize, err;
|
|
+ int sizeInBytes, err;
|
|
+ uint64_t totalSize;
|
|
|
|
REQUEST(xChangePropertyReq);
|
|
|
|
--
|
|
2.38.1
|
|
|