From 3e0222fcae552685d423914a683c1709dc5f6d6b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
 ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
a suitably chosen stuff->nUnits value, the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-XXXXX, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 randr/rrproperty.c         | 2 +-
 randr/rrproviderproperty.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
-    int totalSize;
+    uint64_t totalSize;
     int err;
 
     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
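Review bot: Widening `totalSize` to `uint64_t` only removes the truncation if the product stored into it is itself evaluated at 64-bit width; the assignment lies below this hunk, but with `len` declared `unsigned long` and `sizeInBytes` `int` on the lines above, an expression of the form `len * sizeInBytes` is computed in `unsigned long`, which is 32 bits on ILP32 targets (including 64-bit Windows), so it can still wrap before it is widened on assignment. Casting an operand first makes the width explicit and platform-independent, e.g. `totalSize = (uint64_t) len * sizeInBytes;`, and a comment such as `/* 64-bit so a crafted nUnits cannot wrap the size fed to REQUEST_FIXED_SIZE */` would record why the type differs from its neighbours. The same applies to the ProcRRChangeProviderProperty hunk in rrproviderproperty.c. Also confirm that both files already have `<stdint.h>` in scope, since `uint64_t` is new to them. The body of ProcRRChangeOutputProperty continues outside the hunk, so the actual computation and check are inferred, not visible here.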
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
-    int totalSize;
+    uint64_t totalSize;
     int err;
 
     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
-- 
2.43.0