|
 |
26c1df |
From a16f2b9693d248b81703821fd22fba8b5ba83e1a Mon Sep 17 00:00:00 2001
|
|
|
26c1df |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
26c1df |
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
|
|
26c1df |
Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
|
|
|
26c1df |
ProcXIChangeProperty
|
|
|
26c1df |
|
|
|
26c1df |
This fixes an OOB read and the resulting information disclosure.
|
|
|
26c1df |
|
|
|
26c1df |
Length calculation for the request was clipped to a 32-bit integer. With
|
|
|
26c1df |
the correct stuff->num_items value the expected request size was
|
|
|
26c1df |
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
26c1df |
|
|
|
26c1df |
The server then proceeded with reading at least stuff->num_items bytes
|
|
|
26c1df |
(depending on stuff->format) from the request and stuffing whatever it
|
|
|
26c1df |
finds into the property. In the process it would also allocate at least
|
|
|
26c1df |
stuff->num_items bytes, i.e. 4GB.
|
|
|
26c1df |
|
|
|
26c1df |
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
|
|
26c1df |
so let's fix that too.
|
|
|
26c1df |
|
|
|
26c1df |
CVE-2022-46344, ZDI-CAN 19405
|
|
|
26c1df |
|
|
|
26c1df |
This vulnerability was discovered by:
|
|
|
26c1df |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
26c1df |
|
|
|
26c1df |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
26c1df |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
26c1df |
---
|
|
|
26c1df |
Xi/xiproperty.c | 4 ++--
|
|
|
26c1df |
dix/property.c | 3 ++-
|
|
|
26c1df |
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
26c1df |
|
|
|
26c1df |
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
|
26c1df |
index 68c362c628..066ba21fba 100644
|
|
|
26c1df |
--- a/Xi/xiproperty.c
|
|
|
26c1df |
+++ b/Xi/xiproperty.c
|
|
|
26c1df |
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
|
26c1df |
REQUEST(xChangeDevicePropertyReq);
|
|
|
26c1df |
DeviceIntPtr dev;
|
|
|
26c1df |
unsigned long len;
|
|
|
26c1df |
- int totalSize;
|
|
|
26c1df |
+ uint64_t totalSize;
|
|
|
26c1df |
int rc;
|
|
|
26c1df |
|
|
|
26c1df |
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
|
|
26c1df |
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
|
|
26c1df |
{
|
|
|
26c1df |
int rc;
|
|
|
26c1df |
DeviceIntPtr dev;
|
|
|
26c1df |
- int totalSize;
|
|
|
26c1df |
+ uint64_t totalSize;
|
|
|
26c1df |
unsigned long len;
|
|
|
26c1df |
|
|
|
26c1df |
REQUEST(xXIChangePropertyReq);
|
|
|
26c1df |
diff --git a/dix/property.c b/dix/property.c
|
|
|
26c1df |
index 94ef5a0ec0..acce94b2c6 100644
|
|
|
26c1df |
--- a/dix/property.c
|
|
|
26c1df |
+++ b/dix/property.c
|
|
|
26c1df |
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
|
|
26c1df |
WindowPtr pWin;
|
|
|
26c1df |
char format, mode;
|
|
|
26c1df |
unsigned long len;
|
|
|
26c1df |
- int sizeInBytes, totalSize, err;
|
|
|
26c1df |
+ int sizeInBytes, err;
|
|
|
26c1df |
+ uint64_t totalSize;
|
|
|
26c1df |
|
|
|
26c1df |
REQUEST(xChangePropertyReq);
|
|
|
26c1df |
|
|
|
26c1df |
--
|
|
|
26c1df |
2.38.1
|
|
|
26c1df |
|