From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001 |
From: Peter Hutterer <peter.hutterer@who-t.net> |
Date: Tue, 29 Nov 2022 12:55:45 +1000 |
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in |
XTestSwapFakeInput |
|
XTestSwapFakeInput assumes all events in this request are |
sizeof(xEvent) and iterates through these in 32-byte increments. |
However, a GenericEvent may be of arbitrary length longer than 32 bytes, |
so any GenericEvent in this list would result in subsequent events to be |
misparsed. |
|
Additionally, the swapped event is written into a stack-allocated struct |
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, |
swapping the event may thus smash the stack like an avocado on toast. |
|
Catch this case early and return BadValue for any GenericEvent. |
Which is what would happen in unswapped setups anyway since XTest |
doesn't support GenericEvent. |
|
CVE-2022-46340, ZDI-CAN 19265 |
|
This vulnerability was discovered by: |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
--- |
Xext/xtest.c | 5 +++-- |
1 file changed, 3 insertions(+), 2 deletions(-) |
|
diff --git a/Xext/xtest.c b/Xext/xtest.c |
33 |
|
|
index bf27eb590b..2985a4ce6e 100644 |
34 |
|
|
--- a/Xext/xtest.c |
35 |
|
|
+++ b/Xext/xtest.c |
36 |
|
|
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) |
37 |
|
|
|
38 |
|
|
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); |
39 |
|
|
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { |
40 |
|
|
+ int evtype = ev->u.u.type & 0x177; |
41 |
|
|
/* Swap event */ |
42 |
|
|
- proc = EventSwapVector[ev->u.u.type & 0177]; |
43 |
|
|
+ proc = EventSwapVector[evtype]; |
44 |
|
|
/* no swapping proc; invalid event type? */ |
45 |
|
|
- if (!proc || proc == NotImplemented) { |
46 |
|
|
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) { |
47 |
|
|
client->errorValue = ev->u.u.type; |
48 |
|
|
return BadValue; |
49 |
|
|
} |
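Review bot: The mask on the added line `int evtype = ev->u.u.type & 0x177;` does not match the `0177` it replaces: octal `0177` is 127 (0x7f), which keeps the index below 128 and clears only the top bit of the type, whereas hex `0x177` is 375 and, assuming `u.u.type` is an 8-bit field, reduces to `& 0x77`, so bit 3 is cleared as well. Event types with bit 3 set (8–15, 24–31, 40–47 and so on) would then index a different EventSwapVector entry and be swapped by the wrong routine or rejected, a behavioural change unrelated to the GenericEvent rejection this patch is about; the GenericEvent check itself still works because 35 (0x23) has bit 3 clear. It should read `int evtype = ev->u.u.type & 0177;` (or `0x7f` if hex is preferred), which also keeps the octal/hex intent obvious to the next reader. XTestSwapFakeInput continues outside the hunk, so the remainder of the loop body is not reviewed here.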
-- |
2.38.1 |
|