|
 |
279a87 |
From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
|
|
|
279a87 |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
|
|
279a87 |
Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
|
|
|
279a87 |
ProcXIChangeProperty
|
|
|
279a87 |
|
|
|
279a87 |
This fixes an OOB read and the resulting information disclosure.
|
|
|
279a87 |
|
|
|
279a87 |
Length calculation for the request was clipped to a 32-bit integer. With
|
|
|
279a87 |
the correct stuff->num_items value the expected request size was
|
|
|
279a87 |
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
279a87 |
|
|
|
279a87 |
The server then proceeded with reading at least stuff->num_items bytes
|
|
|
279a87 |
(depending on stuff->format) from the request and stuffing whatever it
|
|
|
279a87 |
finds into the property. In the process it would also allocate at least
|
|
|
279a87 |
stuff->num_items bytes, i.e. 4GB.
|
|
|
279a87 |
|
|
|
279a87 |
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
|
|
279a87 |
so let's fix that too.
|
|
|
279a87 |
|
|
|
279a87 |
CVE-2022-46344, ZDI-CAN 19405
|
|
|
279a87 |
|
|
|
279a87 |
This vulnerability was discovered by:
|
|
|
279a87 |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
279a87 |
|
|
|
279a87 |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
279a87 |
---
|
|
|
279a87 |
Xi/xiproperty.c | 4 ++--
|
|
|
279a87 |
dix/property.c | 3 ++-
|
|
|
279a87 |
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
279a87 |
|
|
|
279a87 |
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
|
279a87 |
index 68c362c628..066ba21fba 100644
|
|
|
279a87 |
--- a/Xi/xiproperty.c
|
|
|
279a87 |
+++ b/Xi/xiproperty.c
|
|
|
279a87 |
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
|
279a87 |
REQUEST(xChangeDevicePropertyReq);
|
|
|
279a87 |
DeviceIntPtr dev;
|
|
|
279a87 |
unsigned long len;
|
|
|
279a87 |
- int totalSize;
|
|
|
279a87 |
+ uint64_t totalSize;
|
|
|
279a87 |
int rc;
|
|
|
279a87 |
|
|
|
279a87 |
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
|
|
279a87 |
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
|
|
279a87 |
{
|
|
|
279a87 |
int rc;
|
|
|
279a87 |
DeviceIntPtr dev;
|
|
|
279a87 |
- int totalSize;
|
|
|
279a87 |
+ uint64_t totalSize;
|
|
|
279a87 |
unsigned long len;
|
|
|
279a87 |
|
|
|
279a87 |
REQUEST(xXIChangePropertyReq);
|
|
|
279a87 |
diff --git a/dix/property.c b/dix/property.c
|
|
|
279a87 |
index 94ef5a0ec0..acce94b2c6 100644
|
|
|
279a87 |
--- a/dix/property.c
|
|
|
279a87 |
+++ b/dix/property.c
|
|
|
279a87 |
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
|
|
279a87 |
WindowPtr pWin;
|
|
|
279a87 |
char format, mode;
|
|
|
279a87 |
unsigned long len;
|
|
|
279a87 |
- int sizeInBytes, totalSize, err;
|
|
|
279a87 |
+ int sizeInBytes, err;
|
|
|
279a87 |
+ uint64_t totalSize;
|
|
|
279a87 |
|
|
|
279a87 |
REQUEST(xChangePropertyReq);
|
|
|
279a87 |
|
|
|
279a87 |
--
|
|
|
279a87 |
2.38.1
|
|
|
279a87 |
|