|
 |
279a87 |
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
|
|
|
279a87 |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Date: Tue, 29 Nov 2022 12:55:45 +1000
|
|
|
279a87 |
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
|
|
|
279a87 |
XTestSwapFakeInput
|
|
|
279a87 |
|
|
|
279a87 |
XTestSwapFakeInput assumes all events in this request are
|
|
|
279a87 |
sizeof(xEvent) and iterates through these in 32-byte increments.
|
|
|
279a87 |
However, a GenericEvent may be of arbitrary length longer than 32 bytes,
|
|
|
279a87 |
so any GenericEvent in this list would result in subsequent events to be
|
|
|
279a87 |
misparsed.
|
|
|
279a87 |
|
|
|
279a87 |
Additional, the swapped event is written into a stack-allocated struct
|
|
|
279a87 |
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
|
|
|
279a87 |
swapping the event may thus smash the stack like an avocado on toast.
|
|
|
279a87 |
|
|
|
279a87 |
Catch this case early and return BadValue for any GenericEvent.
|
|
|
279a87 |
Which is what would happen in unswapped setups anyway since XTest
|
|
|
279a87 |
doesn't support GenericEvent.
|
|
|
279a87 |
|
|
|
279a87 |
CVE-2022-46340, ZDI-CAN 19265
|
|
|
279a87 |
|
|
|
279a87 |
This vulnerability was discovered by:
|
|
|
279a87 |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
279a87 |
|
|
|
279a87 |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
279a87 |
---
|
|
|
279a87 |
Xext/xtest.c | 5 +++--
|
|
|
279a87 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
279a87 |
|
|
|
279a87 |
diff --git a/Xext/xtest.c b/Xext/xtest.c
|
|
|
279a87 |
index bf27eb590b..2985a4ce6e 100644
|
|
|
279a87 |
--- a/Xext/xtest.c
|
|
|
279a87 |
+++ b/Xext/xtest.c
|
|
|
279a87 |
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
|
|
|
279a87 |
|
|
|
279a87 |
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
|
|
|
279a87 |
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
|
|
|
279a87 |
+ int evtype = ev->u.u.type & 0x177;
|
|
|
279a87 |
/* Swap event */
|
|
|
279a87 |
- proc = EventSwapVector[ev->u.u.type & 0177];
|
|
|
279a87 |
+ proc = EventSwapVector[evtype];
|
|
|
279a87 |
/* no swapping proc; invalid event type? */
|
|
|
279a87 |
- if (!proc || proc == NotImplemented) {
|
|
|
279a87 |
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
|
|
|
279a87 |
client->errorValue = ev->u.u.type;
|
|
|
279a87 |
return BadValue;
|
|
|
279a87 |
}
|
|
|
279a87 |
--
|
|
|
279a87 |
2.38.1
|
|
|
279a87 |
|