diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2022-11-29 13:26:57 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2022-12-14 12:43:41 +1000 |
commit | 3ccee821acc34514d9c7cf972c0efae157c6fc5c (patch) | |
tree | c639bc979ed0d045cd6da229ed82b0ce86d56062 | |
parent | 78355727852ef105b6551098a29c06ac839b44ff (diff) | |
download | xserver-3ccee821acc34514d9c7cf972c0efae157c6fc5c.tar.gz |
Xi: avoid integer truncation in length check of ProcXIChangeProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.
CVE-2022-46344, ZDI-CAN 19405
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 8f454b793e1f13c99872c15f0eed1d7f3b823fe8)
-rw-r--r-- | Xi/xiproperty.c | 4 | ||||
-rw-r--r-- | dix/property.c | 3 |
2 files changed, 4 insertions, 3 deletions
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c index 68c362c62..066ba21fb 100644 --- a/Xi/xiproperty.c +++ b/Xi/xiproperty.c @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client) { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); diff --git a/dix/property.c b/dix/property.c index 94ef5a0ec..acce94b2c 100644 --- a/dix/property.c +++ b/dix/property.c @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) WindowPtr pWin; char format, mode; unsigned long len; - int sizeInBytes, totalSize, err; + int sizeInBytes, err; + uint64_t totalSize; REQUEST(xChangePropertyReq); |