/[packages]/updates/8/x11-server/current/SOURCES/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
ViewVC logotype

Contents of /updates/8/x11-server/current/SOURCES/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1932107 - (show annotations) (download)
Tue Jan 10 14:26:35 2023 UTC (14 months, 2 weeks ago) by ns80
File size: 2187 byte(s)
- add patches from Fedora for CVE-2022-4634[0-4] and CVE-2022-4283 (mga#31281)

1 From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Tue, 29 Nov 2022 13:26:57 +1000
4 Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
5 ProcXIChangeProperty
6
7 This fixes an OOB read and the resulting information disclosure.
8
9 Length calculation for the request was clipped to a 32-bit integer. With
10 the correct stuff->num_items value the expected request size was
11 truncated, passing the REQUEST_FIXED_SIZE check.
12
13 The server then proceeded with reading at least stuff->num_items bytes
14 (depending on stuff->format) from the request and stuffing whatever it
15 finds into the property. In the process it would also allocate at least
16 stuff->num_items bytes, i.e. 4GB.
17
18 The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
19 so let's fix that too.
20
21 CVE-2022-46344, ZDI-CAN 19405
22
23 This vulnerability was discovered by:
24 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
25
26 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
27 Acked-by: Olivier Fourdan <ofourdan@redhat.com>
28 ---
29 Xi/xiproperty.c | 4 ++--
30 dix/property.c | 3 ++-
31 2 files changed, 4 insertions(+), 3 deletions(-)
32
33 diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
34 index 68c362c628..066ba21fba 100644
35 --- a/Xi/xiproperty.c
36 +++ b/Xi/xiproperty.c
37 @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
38 REQUEST(xChangeDevicePropertyReq);
39 DeviceIntPtr dev;
40 unsigned long len;
41 - int totalSize;
42 + uint64_t totalSize;
43 int rc;
44
45 REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
46 @@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
47 {
48 int rc;
49 DeviceIntPtr dev;
50 - int totalSize;
51 + uint64_t totalSize;
52 unsigned long len;
53
54 REQUEST(xXIChangePropertyReq);
55 diff --git a/dix/property.c b/dix/property.c
56 index 94ef5a0ec0..acce94b2c6 100644
57 --- a/dix/property.c
58 +++ b/dix/property.c
59 @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
60 WindowPtr pWin;
61 char format, mode;
62 unsigned long len;
63 - int sizeInBytes, totalSize, err;
64 + int sizeInBytes, err;
65 + uint64_t totalSize;
66
67 REQUEST(xChangePropertyReq);
68
69 --
70 2.38.1
71

  ViewVC Help
Powered by ViewVC 1.1.30