| 1 |
ns80 |
1932107 |
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001 |
| 2 |
|
|
From: Peter Hutterer <peter.hutterer@who-t.net> |
| 3 |
|
|
Date: Tue, 29 Nov 2022 12:55:45 +1000 |
| 4 |
|
|
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in |
| 5 |
|
|
XTestSwapFakeInput |
| 6 |
|
|
|
| 7 |
|
|
XTestSwapFakeInput assumes all events in this request are |
| 8 |
|
|
sizeof(xEvent) and iterates through these in 32-byte increments. |
| 9 |
|
|
However, a GenericEvent may be of arbitrary length longer than 32 bytes, |
| 10 |
|
|
so any GenericEvent in this list would result in subsequent events to be |
| 11 |
|
|
misparsed. |
| 12 |
|
|
|
| 13 |
|
|
Additional, the swapped event is written into a stack-allocated struct |
| 14 |
|
|
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, |
| 15 |
|
|
swapping the event may thus smash the stack like an avocado on toast. |
| 16 |
|
|
|
| 17 |
|
|
Catch this case early and return BadValue for any GenericEvent. |
| 18 |
|
|
Which is what would happen in unswapped setups anyway since XTest |
| 19 |
|
|
doesn't support GenericEvent. |
| 20 |
|
|
|
| 21 |
|
|
CVE-2022-46340, ZDI-CAN 19265 |
| 22 |
|
|
|
| 23 |
|
|
This vulnerability was discovered by: |
| 24 |
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| 25 |
|
|
|
| 26 |
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 27 |
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
| 28 |
|
|
--- |
| 29 |
|
|
Xext/xtest.c | 5 +++-- |
| 30 |
|
|
1 file changed, 3 insertions(+), 2 deletions(-) |
| 31 |
|
|
|
| 32 |
|
|
diff --git a/Xext/xtest.c b/Xext/xtest.c |
| 33 |
|
|
index bf27eb590b..2985a4ce6e 100644 |
| 34 |
|
|
--- a/Xext/xtest.c |
| 35 |
|
|
+++ b/Xext/xtest.c |
| 36 |
|
|
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) |
| 37 |
|
|
|
| 38 |
|
|
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); |
| 39 |
|
|
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { |
| 40 |
|
|
+ int evtype = ev->u.u.type & 0x177; |
| 41 |
|
|
/* Swap event */ |
| 42 |
|
|
- proc = EventSwapVector[ev->u.u.type & 0177]; |
| 43 |
|
|
+ proc = EventSwapVector[evtype]; |
| 44 |
|
|
/* no swapping proc; invalid event type? */ |
| 45 |
|
|
- if (!proc || proc == NotImplemented) { |
| 46 |
|
|
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) { |
| 47 |
|
|
client->errorValue = ev->u.u.type; |
| 48 |
|
|
return BadValue; |
| 49 |
|
|
} |
| 50 |
|
|
-- |
| 51 |
|
|
2.38.1 |
| 52 |
|
|
|
Parent Directory
| 
Revision Log