113 lines
3.5 KiB
Diff
113 lines
3.5 KiB
Diff
From b8a84cb0f2807b07ab70ca9915fcdee21301b8ca Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 13:24:00 +1000
|
|
Subject: [PATCH 5/7] Xi: return an error from XI property changes if
|
|
verification failed
|
|
|
|
Both ProcXChangeDeviceProperty and ProcXIChangeProperty checked the
|
|
property for validity but didn't actually return the potential error.
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xi/xiproperty.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
index a36f7d61d..68c362c62 100644
|
|
--- a/Xi/xiproperty.c
|
|
+++ b/Xi/xiproperty.c
|
|
@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
|
|
rc = check_change_property(client, stuff->property, stuff->type,
|
|
stuff->format, stuff->mode, stuff->nUnits);
|
|
+ if (rc != Success)
|
|
+ return rc;
|
|
|
|
len = stuff->nUnits;
|
|
if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq))))
|
|
@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client)
|
|
|
|
rc = check_change_property(client, stuff->property, stuff->type,
|
|
stuff->format, stuff->mode, stuff->num_items);
|
|
+ if (rc != Success)
|
|
+ return rc;
|
|
+
|
|
len = stuff->num_items;
|
|
if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq)))
|
|
return BadLength;
|
|
--
|
|
2.38.0
|
|
|
|
From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
|
Subject: [PATCH 6/7] Xi: avoid integer truncation in length check of
|
|
ProcXIChangeProperty
|
|
|
|
This fixes an OOB read and the resulting information disclosure.
|
|
|
|
Length calculation for the request was clipped to a 32-bit integer. With
|
|
the correct stuff->num_items value the expected request size was
|
|
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
|
The server then proceeded with reading at least stuff->num_items bytes
|
|
(depending on stuff->format) from the request and stuffing whatever it
|
|
finds into the property. In the process it would also allocate at least
|
|
stuff->num_items bytes, i.e. 4GB.
|
|
|
|
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
|
so let's fix that too.
|
|
|
|
CVE-2022-46344, ZDI-CAN 19405
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xi/xiproperty.c | 4 ++--
|
|
dix/property.c | 3 ++-
|
|
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
index 68c362c62..066ba21fb 100644
|
|
--- a/Xi/xiproperty.c
|
|
+++ b/Xi/xiproperty.c
|
|
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
REQUEST(xChangeDevicePropertyReq);
|
|
DeviceIntPtr dev;
|
|
unsigned long len;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
int rc;
|
|
|
|
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
|
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
|
{
|
|
int rc;
|
|
DeviceIntPtr dev;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
unsigned long len;
|
|
|
|
REQUEST(xXIChangePropertyReq);
|
|
diff --git a/dix/property.c b/dix/property.c
|
|
index 94ef5a0ec..acce94b2c 100644
|
|
--- a/dix/property.c
|
|
+++ b/dix/property.c
|
|
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
|
WindowPtr pWin;
|
|
char format, mode;
|
|
unsigned long len;
|
|
- int sizeInBytes, totalSize, err;
|
|
+ int sizeInBytes, err;
|
|
+ uint64_t totalSize;
|
|
|
|
REQUEST(xChangePropertyReq);
|
|
|
|
--
|
|
2.38.0
|
|
|