|
 |
320a4d |
From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
|
|
|
320a4d |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
320a4d |
Date: Tue, 29 Nov 2022 12:55:45 +1000
|
|
|
320a4d |
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
|
|
|
320a4d |
XTestSwapFakeInput
|
|
|
320a4d |
|
|
|
320a4d |
XTestSwapFakeInput assumes all events in this request are
|
|
|
320a4d |
sizeof(xEvent) and iterates through these in 32-byte increments.
|
|
|
320a4d |
However, a GenericEvent may be of arbitrary length longer than 32 bytes,
|
|
|
320a4d |
so any GenericEvent in this list would result in subsequent events to be
|
|
|
320a4d |
misparsed.
|
|
|
320a4d |
|
|
|
320a4d |
Additional, the swapped event is written into a stack-allocated struct
|
|
|
320a4d |
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
|
|
|
320a4d |
swapping the event may thus smash the stack like an avocado on toast.
|
|
|
320a4d |
|
|
|
320a4d |
Catch this case early and return BadValue for any GenericEvent.
|
|
|
320a4d |
Which is what would happen in unswapped setups anyway since XTest
|
|
|
320a4d |
doesn't support GenericEvent.
|
|
|
320a4d |
|
|
|
320a4d |
CVE-2022-46340, ZDI-CAN 19265
|
|
|
320a4d |
|
|
|
320a4d |
This vulnerability was discovered by:
|
|
|
320a4d |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
320a4d |
|
|
|
320a4d |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
320a4d |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
320a4d |
---
|
|
|
320a4d |
Xext/xtest.c | 5 +++--
|
|
|
320a4d |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
320a4d |
|
|
|
320a4d |
diff --git a/Xext/xtest.c b/Xext/xtest.c
|
|
|
320a4d |
index bf27eb590b..2985a4ce6e 100644
|
|
|
320a4d |
--- a/Xext/xtest.c
|
|
|
320a4d |
+++ b/Xext/xtest.c
|
|
|
320a4d |
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
|
|
|
320a4d |
|
|
|
320a4d |
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
|
|
|
320a4d |
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
|
|
|
320a4d |
+ int evtype = ev->u.u.type & 0x177;
|
|
|
320a4d |
/* Swap event */
|
|
|
320a4d |
- proc = EventSwapVector[ev->u.u.type & 0177];
|
|
|
320a4d |
+ proc = EventSwapVector[evtype];
|
|
|
320a4d |
/* no swapping proc; invalid event type? */
|
|
|
320a4d |
- if (!proc || proc == NotImplemented) {
|
|
|
320a4d |
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
|
|
|
320a4d |
client->errorValue = ev->u.u.type;
|
|
|
320a4d |
return BadValue;
|
|
|
320a4d |
}
|
|
|
320a4d |
--
|
|
|
320a4d |
2.38.1
|
|
|
320a4d |
|