Module Name: xsrc
Committed By: mrg
Date: Fri Jul 7 04:46:50 UTC 2017
Modified Files:
xsrc/external/mit/xorg-server/dist/Xi: sendexev.c
xsrc/external/mit/xorg-server/dist/dix: events.c swapreq.c
Log Message:
CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from
https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455
https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c
https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced
XXX: pullup-[678] (6/7 also need xfree port.)
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.9 -r1.2 xsrc/external/mit/xorg-server/dist/dix/events.c
cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/xorg-server/dist/dix/swapreq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.4
--- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.3 Thu Aug 11 00:04:26 2016
+++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c Fri Jul 7 04:46:50 2017
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr clien
{
CARD32 *p;
int i;
- xEvent eventT;
+ xEvent eventT = { .u.u.type = 0 };
xEvent *eventP;
EventSwapPtr proc;
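Review bot: The initializer `{ .u.u.type = 0 }` on `eventT` reads as if only the type field matters, so a short comment stating the intent would help. The designated initializer zeroes the whole struct, and the loop in the next hunk copies it back with `*eventP = eventT`. Presumably the aim is that bytes a swap routine leaves unwritten are zero rather than stale stack contents. I would add `/* zero-filled: bytes a swap proc does not write must not come from the stack */` above the declaration. The body of SProcXSendExtensionEvent continues outside this hunk.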
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien
eventP = (xEvent *) &stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
+ if (eventP->u.u.type == GenericEvent) {
+ client->errorValue = eventP->u.u.type;
+ return BadValue;
+ }
+
proc = EventSwapVector[eventP->u.u.type & 0177];
- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
+ /* no swapping proc; invalid event type? */
+ if (proc == NotImplemented) {
+ client->errorValue = eventP->u.u.type;
return BadValue;
+ }
(*proc) (eventP, &eventT);
*eventP = eventT;
}
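Review bot: The new GenericEvent test at the top of the loop compares the raw `eventP->u.u.type`, while the lookup right after it indexes with `eventP->u.u.type & 0177`, so the rejection and the dispatch do not look at the same value. A type byte with the top bit set would not compare equal to GenericEvent but would select the same EventSwapVector slot; whether such a value can reach this loop depends on checks outside the hunk. Comparing the masked value, `if ((eventP->u.u.type & 0177) == GenericEvent) {`, makes the guard agree with the index. The SProcSendEvent hunk in dix/swapreq.c has the same pairing of raw compare and masked lookup; it also tests `!proc` before `proc == NotImplemented`, which this loop does not.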
@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien
int
ProcXSendExtensionEvent(ClientPtr client)
{
- int ret;
+ int ret, i;
DeviceIntPtr dev;
xEvent *first;
XEventClass *list;
@@ -144,10 +152,12 @@ ProcXSendExtensionEvent(ClientPtr client
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
- (first->u.u.type < lastEvent))) {
- client->errorValue = first->u.u.type;
- return BadValue;
+ for (i = 0; i < stuff->num_events; i++) {
+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+ (first[i].u.u.type < lastEvent))) {
+ client->errorValue = first[i].u.u.type;
+ return BadValue;
+ }
}
list = (XEventClass *) (first + stuff->num_events);
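Review bot: The comment kept above the new loop still says "The client's event type", singular, although the range check now covers every event in the request. I would reword it to `/* Every event in the request must have a type defined by an extension. */`. The loop reads `first[i]` for each index below `stuff->num_events`, so it relies on the request length having been checked against num_events earlier in the function. That check is not visible in this hunk and is worth confirming. ProcXSendExtensionEvent starts and ends outside the hunk.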
Index: xsrc/external/mit/xorg-server/dist/dix/events.c
diff -u xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.9 xsrc/external/mit/xorg-server/dist/dix/events.c:1.2
--- xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.9 Wed Aug 10 07:44:32 2016
+++ xsrc/external/mit/xorg-server/dist/dix/events.c Fri Jul 7 04:46:50 2017
@@ -5355,6 +5355,12 @@ ProcSendEvent(ClientPtr client)
client->errorValue = stuff->event.u.u.type;
return BadValue;
}
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
if (stuff->event.u.u.type == ClientMessage &&
stuff->event.u.u.detail != 8 &&
stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
Index: xsrc/external/mit/xorg-server/dist/dix/swapreq.c
diff -u xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.2
--- xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.3 Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/dix/swapreq.c Fri Jul 7 04:46:50 2017
@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
swapl(&stuff->destination);
swapl(&stuff->eventMask);
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
+
/* Swap event */
proc = EventSwapVector[stuff->event.u.u.type & 0177];
if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */