Module Name:    xsrc
Committed By:   mrg
Date:           Sat Nov  2 08:12:57 UTC 2024

Modified Files:
        xsrc/external/mit/xorg-server.old/dist/Xi: xiproperty.c
        xsrc/external/mit/xorg-server.old/dist/dix: property.c

Log Message:
merge upstream change 8f454b793e1f13c99872c15f0eed1d7f3b823fe8:

Subject: [PATCH] Xi: avoid integer truncation in length check of
 ProcXIChangeProperty

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
    xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/dix/property.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.2 xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.3
--- xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.2	Sat Oct 28 18:44:37 2023
+++ xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c	Sat Nov  2 08:12:57 2024
@@ -915,7 +915,7 @@ ProcXChangeDeviceProperty (ClientPtr cli
     REQUEST(xChangeDevicePropertyReq);
     DeviceIntPtr        dev;
     unsigned long       len;
-    int                 totalSize;
+    uint64_t            totalSize;
     int                 rc;
 
     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
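Review bot: in ProcXChangeDeviceProperty, `len` stays `unsigned long` next to the widened `uint64_t totalSize`, so on a platform where `unsigned long` is 32 bits the product can still wrap before it is stored. The assignment to `totalSize` is outside this hunk; please confirm it is evaluated in 64 bits, for example by casting `len` to `uint64_t` at the multiplication, or declare `len` as `uint64_t` as well.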
@@ -1157,7 +1157,7 @@ ProcXIChangeProperty(ClientPtr client)
 {
     int                 rc;
     DeviceIntPtr        dev;
-    int                 totalSize;
+    uint64_t            totalSize;
     unsigned long       len;
 
     REQUEST(xXIChangePropertyReq);
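Review bot: in ProcXIChangeProperty, `totalSize` changes from a signed 32-bit type to an unsigned 64-bit one, and its later uses are not visible in this hunk. Please check that nothing further down narrows it back, such as passing it to a parameter declared `int` or comparing it against a signed value, because that would reintroduce the truncation the log message describes.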

Index: xsrc/external/mit/xorg-server.old/dist/dix/property.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/property.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/property.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/dix/property.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/property.c	Sat Nov  2 08:12:57 2024
@@ -199,7 +199,8 @@ ProcChangeProperty(ClientPtr client)
     WindowPtr pWin;
     char format, mode;
     unsigned long len;
-    int sizeInBytes, totalSize, err;
+    int sizeInBytes, err;
+    uint64_t totalSize;
     REQUEST(xChangePropertyReq);
 
     REQUEST_AT_LEAST_SIZE(xChangePropertyReq);
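Review bot: the new `uint64_t totalSize;` declaration in ProcChangeProperty relies on `uint64_t` being visible in property.c, and no `#include <stdint.h>` is added in this diff for either file. Please confirm an existing header already provides the type on all supported builds, or add the include explicitly. A one-line comment at the declaration saying why the size must be 64 bits would also help keep someone from folding it back into the `int sizeInBytes, err;` line later.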

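Added example, not code from this commit or from xorg-server: a small C model of the length check the log message describes, showing how a byte count clipped to 32 bits passes the check while the 64-bit count is rejected. The header size, the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the check; not xorg-server code. */
#define HDR_BYTES 20u            /* assumed fixed request header size */

/* Payload size the server goes on to read: num_items * bytes per item. */
static uint64_t payload_bytes(uint32_t num_items, unsigned format)
{
    return (uint64_t)num_items * (format / 8);
}

/* Header plus n payload bytes, padded to 4-byte words, must equal the
 * length (in words) that the client declared for the request. */
static int length_ok(uint32_t req_len_words, uint64_t n)
{
    if ((n >> 2) >= req_len_words)
        return 0;
    return ((HDR_BYTES + n + 3) >> 2) == req_len_words;
}

/* Before the fix: the byte count is clipped to 32 bits before the check. */
static int check_truncated(uint32_t req_len_words, uint32_t num_items,
                           unsigned format)
{
    uint32_t totalSize = (uint32_t)payload_bytes(num_items, format);
    return length_ok(req_len_words, totalSize);
}

/* After the fix: the byte count keeps all 64 bits. */
static int check_wide(uint32_t req_len_words, uint32_t num_items,
                      unsigned format)
{
    uint64_t totalSize = payload_bytes(num_items, format);
    return length_ok(req_len_words, totalSize);
}

int main(void)
{
    /* Constructed input: header-only request declaring 2^30 32-bit items. */
    uint32_t req_len = HDR_BYTES / 4, items = 0x40000000u;
    printf("32-bit size: %s\n",
           check_truncated(req_len, items, 32) ? "accepted" : "BadLength");
    printf("64-bit size: %s\n",
           check_wide(req_len, items, 32) ? "accepted" : "BadLength");
    return 0;
}
```

A well-formed request gives the same answer in both versions; only a count whose byte size exceeds 32 bits separates them.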