dist

matthew green Thu, 06 Jul 2017 23:09:06 -0700

Module Name:    xsrc
Committed By:   mrg
Date:           Fri Jul  7 06:08:45 UTC 2017


Modified Files:
        xsrc/external/mit/xorg-server.old/dist/Xi: sendexev.c
        xsrc/external/mit/xorg-server.old/dist/dix: events.c swapreq.c

Log Message:
CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from

   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced

XXX: pullup-[678] (6/7 also need xfree port.)


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/dix/events.c \
    xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c	Fri Jul  7 06:08:45 2017
@@ -79,7 +79,7 @@ SProcXSendExtensionEvent(ClientPtr clien
     char n;
     CARD32 *p;
     int i;
-    xEvent eventT;
+    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
 
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien
 
     eventP = (xEvent *) & stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
+        if (eventP->u.u.type == GenericEvent) {
+            client->errorValue = eventP->u.u.type;
+            return BadValue;
+        }
+
 	proc = EventSwapVector[eventP->u.u.type & 0177];
-	if (proc == NotImplemented)	/* no swapping proc; invalid event type? */
+        /* no swapping proc; invalid event type? */
+        if (proc == NotImplemented) {
+            client->errorValue = eventP->u.u.type;
 	    return BadValue;
+        }
 	(*proc) (eventP, &eventT);
 	*eventP = eventT;
     }
@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien
 int
 ProcXSendExtensionEvent(ClientPtr client)
 {
-    int ret;
+    int ret, i;
     DeviceIntPtr dev;
     xEvent *first;
     XEventClass *list;
@@ -140,11 +148,12 @@ ProcXSendExtensionEvent(ClientPtr client
     /* The client's event type must be one defined by an extension. */
 
     first = ((xEvent *) & stuff[1]);
-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
-	  (first->u.u.type < lastEvent))) {
-	client->errorValue = first->u.u.type;
-	return BadValue;
-    }
+    for (i = 0; i < stuff->num_events; i++) {
+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+            (first[i].u.u.type < lastEvent))) {
+            client->errorValue = first[i].u.u.type;
+            return BadValue;
+        }
 
     list = (XEventClass *) (first + stuff->num_events);
     if ((ret = CreateMaskFromList(client, list, stuff->count, tmp, dev,

Index: xsrc/external/mit/xorg-server.old/dist/dix/events.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/events.c	Fri Jul  7 06:08:45 2017
@@ -5021,6 +5021,12 @@ ProcSendEvent(ClientPtr client)
 	client->errorValue = stuff->event.u.u.type;
 	return BadValue;
     }
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
     if (stuff->event.u.u.type == ClientMessage &&
 	stuff->event.u.u.detail != 8 &&
 	stuff->event.u.u.detail != 16 &&
Index: xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c	Fri Jul  7 06:08:45 2017
@@ -315,6 +315,13 @@ SProcSendEvent(ClientPtr client)
     swapl(&stuff->destination, n);
     swapl(&stuff->eventMask, n);
 
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
+
     /* Swap event */
     proc = EventSwapVector[stuff->event.u.u.type & 0177];
     if (!proc ||  proc == NotImplemented)    /* no swapping proc; invalid event type? */

CVS commit: xsrc/external/mit/xorg-server.old/dist

Reply via email to