|
 |
e3716b |
From 58e83c683950ac9e253ab05dd7a13a8368b70a3c Mon Sep 17 00:00:00 2001
|
|
|
e3716b |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
e3716b |
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
|
|
e3716b |
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
|
|
|
e3716b |
ProcRRChange*Property
|
|
|
e3716b |
|
|
|
e3716b |
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
|
|
e3716b |
See also xserver@8f454b79 where this same bug was fixed for the core
|
|
|
e3716b |
protocol and XI.
|
|
|
e3716b |
|
|
|
e3716b |
This fixes an OOB read and the resulting information disclosure.
|
|
|
e3716b |
|
|
|
e3716b |
Length calculation for the request was clipped to a 32-bit integer. With
|
|
|
e3716b |
the correct stuff->nUnits value the expected request size was
|
|
|
e3716b |
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
e3716b |
|
|
|
e3716b |
The server then proceeded with reading at least stuff->num_items bytes
|
|
|
e3716b |
(depending on stuff->format) from the request and stuffing whatever it
|
|
|
e3716b |
finds into the property. In the process it would also allocate at least
|
|
|
e3716b |
stuff->nUnits bytes, i.e. 4GB.
|
|
|
e3716b |
|
|
|
e3716b |
CVE-2023-6478, ZDI-CAN-22561
|
|
|
e3716b |
|
|
|
e3716b |
This vulnerability was discovered by:
|
|
|
e3716b |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
e3716b |
|
|
|
e3716b |
(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
|
|
|
e3716b |
---
|
|
|
e3716b |
randr/rrproperty.c | 2 +-
|
|
|
e3716b |
randr/rrproviderproperty.c | 2 +-
|
|
|
e3716b |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
e3716b |
|
|
|
e3716b |
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
|
|
e3716b |
index 25469f57b2..c4fef8a1f6 100644
|
|
|
e3716b |
--- a/randr/rrproperty.c
|
|
|
e3716b |
+++ b/randr/rrproperty.c
|
|
|
e3716b |
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
|
|
e3716b |
char format, mode;
|
|
|
e3716b |
unsigned long len;
|
|
|
e3716b |
int sizeInBytes;
|
|
|
e3716b |
- int totalSize;
|
|
|
e3716b |
+ uint64_t totalSize;
|
|
|
e3716b |
int err;
|
|
|
e3716b |
|
|
|
e3716b |
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
|
|
e3716b |
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
|
|
e3716b |
index b79c17f9bf..90c5a9a933 100644
|
|
|
e3716b |
--- a/randr/rrproviderproperty.c
|
|
|
e3716b |
+++ b/randr/rrproviderproperty.c
|
|
|
e3716b |
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
|
|
e3716b |
char format, mode;
|
|
|
e3716b |
unsigned long len;
|
|
|
e3716b |
int sizeInBytes;
|
|
|
e3716b |
- int totalSize;
|
|
|
e3716b |
+ uint64_t totalSize;
|
|
|
e3716b |
int err;
|
|
|
e3716b |
|
|
|
e3716b |
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
|
|
e3716b |
--
|
|
|
e3716b |
2.43.0
|
|
|
e3716b |
|