xserver: Branch 'server-1.19-branch' - 8 commits

Adam Jackson ajax at kemper.freedesktop.org
Thu Oct 12 16:31:58 UTC 2017


 Xext/panoramiX.c            |    3 -
 Xext/saver.c                |    2 
 Xext/vidmode.c              |  129 +++++++++++++++++++++++---------------------
 Xext/xres.c                 |    4 +
 Xext/xvdisp.c               |    4 +
 Xi/xibarriers.c             |    5 +
 Xi/xichangehierarchy.c      |    2 
 dbe/dbe.c                   |    5 +
 dix/dispatch.c              |    7 ++
 hw/dmx/dmxpict.c            |    2 
 hw/xfree86/common/xf86DGA.c |   81 +++++++++++++++------------
 hw/xfree86/dri/xf86dri.c    |    1 
 os/io.c                     |    5 +
 pseudoramiX/pseudoramiX.c   |    3 -
 render/render.c             |    3 +
 xfixes/cursor.c             |    5 +
 xfixes/region.c             |    3 -
 xfixes/saveset.c            |    1 
 xfixes/xfixes.c             |    1 
 19 files changed, 163 insertions(+), 103 deletions(-)

New commits:
commit 95f605b42d8bbb6bea2834a1abfc205981c5b803
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Fri Jan 9 10:15:46 2015 -0500

    Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
    
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index 0da431bf9..0fdfe117e 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
     auth_proto = (char *) prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+	pad_to_int32(prefix->nbytesAuthProto) +
+	pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
         (prefix->minorVersion != X_PROTOCOL_REVISION))
         reason = "Protocol version mismatch";
     else
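Review bot: The new check on lines 50–52 reads `prefix->nbytesAuthProto` (line 47 already does) and `prefix->nbytesAuthString` before anything visible confirms the request is at least `sz_xReq + sz_xConnClientPrefix` bytes long; unless ProcEstablishConnection guarantees that minimum earlier (outside the hunk), the prefix itself can be read off the end of a short request, and a preceding `if ((client->req_len << 2) < sz_xReq + sz_xConnClientPrefix) reason = "Bad length";` branch would close that gap. The continuation lines 51–52 are tab-indented while the surrounding code uses spaces. The function starts and ends outside the hunk.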
commit cc41e5b581d287c56f8d7113a97a4882dcfdd696
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Fri Jan 9 10:09:14 2015 -0500

    dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
    
    v2: Protect against integer overflow (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)

diff --git a/dbe/dbe.c b/dbe/dbe.c
index 23f7e164d..f31766f31 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
     XdbeScreenVisualInfo *pScrVisInfo;
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
         return BadAlloc;
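Review bot: Once `REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32))` on line 83 has tied `stuff->n` to the actual request length, the `stuff->n > UINT32_MAX / sizeof(DrawablePtr)` test on lines 85–86 can no longer fire, since n is now bounded by a request that fits in the receive buffer; it reads as a live guard but is effectively dead. Either drop it or keep it with a comment such as `/* unreachable after REQUEST_FIXED_SIZE above; retained as a defensive bound for the allocation that follows */` so the next reader does not wonder which check is authoritative. The allocation it was presumably protecting lies outside the hunk.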
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
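Review bot: The overflow guard on line 90 divides by `sizeof(DbeSwapInfoRec)` but the product it is meant to protect, on line 93, multiplies by `sizeof(xDbeSwapInfo)`; these are different types, so the guard only prevents the wire-size multiplication from wrapping when `sizeof(DbeSwapInfoRec) >= sizeof(xDbeSwapInfo)`, which nothing in the hunk establishes. Using the same type in both, `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo))`, makes the guard self-evidently sufficient; if the larger internal record is what a later allocation needs, that allocation should carry its own bound. The rest of SProcDbeSwapBuffers is outside the hunk.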
commit 6c15122163a2d2615db7e998e8d436815a08dec6
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Wed Dec 24 16:22:18 2014 -0500

    Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)

diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index f2b7785ad..7286eff55 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
     if (!stuff->num_changes)
         return rc;
 
-    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
 
     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
     while (stuff->num_changes--) {
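Review bot: The corrected line 118 still derives `len` from `stuff->length` rather than `client->req_len`; for a request that arrives through the BIG-REQUESTS extension the 16-bit header length field is 0 (the os/io.c commit at the end of this page describes exactly that header shape), so `((size_t)0 << 2) - sizeof(xXIChangeHierarchyReq)` wraps to a huge value and the `while (stuff->num_changes--)` walk would no longer be bounded by the request. If the dispatcher rejects big requests for this opcode before it gets here this is moot, but the usual server idiom is `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);`, which relies on the REQUEST_AT_LEAST_SIZE check earlier in the function (outside the hunk) to keep the subtraction non-negative. The function continues past the hunk.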
commit c77cd08efcf386bcc5d8dfbd0427134b2b2d0888
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Fri Jan 9 10:04:41 2015 -0500

    Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
    
    [jcristau: originally this patch fixed the same issue as commit
     211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
     addition of these checks]
    
    This addresses CVE-2017-12179
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)

diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index 0bc5761f3..b0a4a92a1 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
 
     swapl(&stuff->num_barriers);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
     xXIBarrierReleasePointerInfo *info;
 
     REQUEST(xXIBarrierReleasePointerReq);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
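Review bot: The three-line overflow guard added here on lines 160–162 is a verbatim copy of the one added to SProcXIBarrierReleasePointer on lines 150–152 in the previous hunk, and the REQUEST_FIXED_SIZE that follows it is duplicated as well. A small `static int check_barrier_release_len(ClientPtr client, const xXIBarrierReleasePointerReq *stuff)` helper returning Success or BadLength would keep the two entry points from drifting apart the next time the bound changes. Both functions continue outside their hunks.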
commit d264da92f7f8129b8aad4f0114a6467fc38fc896
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Sun Dec 21 01:10:03 2014 -0500

    hw/xfree86: unvalidated lengths
    
    This addresses:
    CVE-2017-12180 in XFree86-VidModeExtension
    CVE-2017-12181 in XFree86-DGA
    CVE-2017-12182 in XFree86-DRI
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)

diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index ea3ad1320..76055c89a 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeAddModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
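Review bot: Lines 191 and 204 test `ver < 2` back to back, so the new length computation and the existing format conversion are split across two identical branches; folding the REQUEST_AT_LEAST_SIZE and `len` assignment into the head of the `if (ver < 2)` block on line 204 (and its `else`) would leave one branch per protocol version. The same double test is introduced in ProcVidModeDeleteModeLine, ProcVidModeModModeLine, ProcVidModeValidateModeLine and ProcVidModeSwitchToMode further down in this file. Each of these functions continues outside its hunk.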
@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
            stuff->after_vsyncend, stuff->after_vtotal,
            (unsigned long) stuff->after_flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeDeleteModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
-    }
     if (len != stuff->privsize) {
         DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
                "len = %d, length = %d\n",
@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeModModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
            stuff->vtotal, (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeValidateModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+        len = client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
-        len = client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
     DEBUG_P("XF86VidModeSwitchToMode");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
     VidModePtr pVidMode;
 
     REQUEST(xXF86VidModeSetGammaRampReq);
+    REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
 
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
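Review bot: `REQUEST_AT_LEAST_SIZE` on line 388 only validates the fixed header of xXF86VidModeSetGammaRampReq; the gamma ramp payload that follows carries a client-supplied length, so the function must also pin the total with REQUEST_FIXED_SIZE once that length is read. If that check already exists further down (the function continues outside the hunk), a comment here such as `/* header only; the ramp data is bounded below once its length is read */` would tell a reader why AT_LEAST rather than SIZE_MATCH is used.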
diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
index c689dcb73..039f38dfa 100644
--- a/hw/xfree86/common/xf86DGA.c
+++ b/hw/xfree86/common/xf86DGA.c
@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
     char *deviceName;
     int nameSize;
 
+    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
 {
     REQUEST(xXDGACloseFramebufferReq);
 
+    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
     DGACloseFramebuffer(stuff->screen);
 
     return Success;
@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
     xXDGAModeInfo info;
     XDGAModePtr mode;
 
+    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.number = 0;
@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
     ClientPtr owner;
     int size;
 
+    REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
     owner = DGA_GETCLIENT(stuff->screen);
 
-    REQUEST_SIZE_MATCH(xXDGASetModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.offset = 0;
@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
 {
     REQUEST(xXDGASetViewportReq);
 
+    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
     DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
 
     return Success;
@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
 
     REQUEST(xXDGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
     rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
                                  client, DixInstallAccess);
     if (rc != Success)
@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
 {
     REQUEST(xXDGASelectInputReq);
 
+    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
     if (DGA_GETCLIENT(stuff->screen) == client)
         DGASelectInput(stuff->screen, client, stuff->mask);
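Review bot: After the `DGA_GETCLIENT(stuff->screen) != client` guard on lines 499–500 returns, the `if (DGA_GETCLIENT(stuff->screen) == client)` on line 504 is always true, so the call on line 505 is reached unconditionally and the second test is dead. Either drop the condition and call `DGASelectInput(stuff->screen, client, stuff->mask);` directly, or comment which of the two tests is the authoritative one. This is pre-existing, but the reorder puts both tests side by side.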
 
@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
 {
     REQUEST(xXDGAFillRectangleReq);
 
+    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
     if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
                                stuff->width, stuff->height, stuff->color))
         return BadMatch;
@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
 {
     REQUEST(xXDGACopyAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
     if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
                                stuff->width, stuff->height, stuff->dstx,
                                stuff->dsty))
@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
 {
     REQUEST(xXDGACopyTransparentAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
     if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
                                     stuff->width, stuff->height, stuff->dstx,
                                     stuff->dsty, stuff->key))
@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
     REQUEST(xXDGAGetViewportStatusReq);
     xXDGAGetViewportStatusReply rep;
 
+    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
     REQUEST(xXDGASyncReq);
     xXDGASyncReply rep;
 
+    REQUEST_SIZE_MATCH(xXDGASyncReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASyncReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
     xXDGAChangePixmapModeReply rep;
     int x, y;
 
+    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
     REQUEST(xXDGACreateColormapReq);
     int result;
 
+    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
     if (!stuff->mode)
         return BadValue;
 
@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
     int num, offset, flags;
     char *name;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
 
     REQUEST(xXF86DGADirectVideoReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
-    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
     REQUEST(xXF86DGAGetViewPortSizeReq);
     xXF86DGAGetViewPortSizeReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
 {
     REQUEST(xXF86DGASetViewPortReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
     REQUEST(xXF86DGAGetVidPageReq);
     xXF86DGAGetVidPageReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
 {
     REQUEST(xXF86DGASetVidPageReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
     /* silently fail */
 
     return Success;
@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
 
     REQUEST(xXF86DGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
     if (!DGAActive(stuff->screen))
         return DGAErrorBase + XF86DGADirectNotActivated;
 
@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
     REQUEST(xXF86DGAQueryDirectVideoReq);
     xXF86DGAQueryDirectVideoReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
     REQUEST(xXF86DGAViewPortChangedReq);
     xXF86DGAViewPortChangedReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
     if (!DGAActive(stuff->screen))
         return DGAErrorBase + XF86DGADirectNotActivated;
 
diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
index 68f8b7e72..65f368efd 100644
--- a/hw/xfree86/dri/xf86dri.c
+++ b/hw/xfree86/dri/xf86dri.c
@@ -570,6 +570,7 @@ static int
 SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
 {
     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
     swaps(&stuff->length);
     swapl(&stuff->screen);
     return ProcXF86DRIQueryDirectRenderingCapable(client);
commit 61502107a30d64f991784648c3228ebc6694a032
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Fri Jan 9 11:43:05 2015 -0500

    xfixes: unvalidated lengths (CVE-2017-12183)
    
    v2: Use before swap (Jeremy Huddleston Sequoia)
    
    v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index f009a78b9..6e84d71f1 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     int i;
     CARD16 *in_devices = (CARD16 *) &stuff[1];
 
+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
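Review bot: The `REQUEST_FIXED_SIZE` on line 811, now reached after the new AT_LEAST check, sizes the trailing device list as `pad_to_int32(stuff->num_devices)` bytes, yet line 805 declares that list as `CARD16 *in_devices`, i.e. two bytes per entry. For three or more devices the byte count is wrong, so either a well-formed request is rejected with BadLength or the per-device swap loop that follows (outside the hunk) can run past the end of the request; presumably ProcXFixesCreatePointerBarrier sizes the list in CARD16 units, and this line should match: `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices * sizeof(CARD16)));`. The function continues outside the hunk.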
diff --git a/xfixes/region.c b/xfixes/region.c
index dd74d7f7e..f300d2b6e 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
     RegionPtr pSource, pDestination;
 
     REQUEST(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
     REQUEST(xXFixesCopyRegionReq);
 
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl(&stuff->source);
     swapl(&stuff->destination);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index eb3f6589e..aa365cfe5 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 8d1bd4cc6..8b45c5349 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static int
 SProcXFixesQueryVersion(ClientPtr client)
 {
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
commit c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5
Author: Nathan Kidd <nkidd at opentext.com>
Date:   Fri Jan 9 09:57:23 2015 -0500

    Unvalidated lengths
    
    v2: Add overflow check and remove unnecessary check (Julien Cristau)
    
    This addresses:
    CVE-2017-12184 in XINERAMA
    CVE-2017-12185 in MIT-SCREEN-SAVER
    CVE-2017-12186 in X-Resource
    CVE-2017-12187 in RENDER
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Nathan Kidd <nkidd at opentext.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)

diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 209df292c..844ea49ce 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
     xPanoramiXGetScreenSizeReply rep;
     int rc;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= PanoramiXNumScreens)
         return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/Xext/saver.c b/Xext/saver.c
index 750b8b965..45ac4d2c9 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
         PanoramiXRes *draw;
         int rc, i;
 
+        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
         if (rc != Success)
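Review bot: The new `REQUEST_SIZE_MATCH` on line 902 sits inside an inner block (eight-space indent; the enclosing branch and the start of ProcScreenSaverUnsetAttributes are outside the hunk), so it only protects that branch, and whichever path handles the non-Xinerama case must carry its own size check, which the hunk cannot show. If the other path validates inside a helper, a one-line comment here such as `/* the non-Xinerama path is validated in its own handler */` would save the next reviewer the same question.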
diff --git a/Xext/xres.c b/Xext/xres.c
index ae779dfe8..bc54133d2 100644
--- a/Xext/xres.c
+++ b/Xext/xres.c
@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
     ConstructResourceBytesCtx    ctx;
 
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(ctx.specs[0]));
 
@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
     int c;
     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
 
-    swapl(&stuff->numSpecs);
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    swapl(&stuff->numSpecs);
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(specs[0]));
 
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 8a35b7b4e..4d412b857 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)
diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
index 1f1022ee6..63caec94e 100644
--- a/hw/dmx/dmxpict.c
+++ b/hw/dmx/dmxpict.c
@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
         filter = (char *) (stuff + 1);
         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
         nparams = ((XFixed *) stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
         XRenderSetPictureFilter(dmxScreen->beDisplay,
                                 pPictPriv->pict, filter, params, nparams);
diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
index d8b259341..95f6e10c8 100644
--- a/pseudoramiX/pseudoramiX.c
+++ b/pseudoramiX/pseudoramiX.c
@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
 
     TRACE;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= pseudoramiXNumScreens)
       return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/render/render.c b/render/render.c
index bfacaa0d0..3a41e331e 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }
commit e751722a7b0c5b595794e60b054ade0b3f6cdb4d
Author: Michal Srb <msrb at suse.com>
Date:   Fri Jul 7 17:04:03 2017 +0200

    os: Make sure big requests have sufficient length.
    
    A client can send a big request where the 32B "length" field has value
    0. When the big request header is removed and the length corrected,
    the value will underflow to 0xFFFFFFFF.  Functions processing the
    request later will think that the client sent much more data and may
    touch memory beyond the receive buffer.
    
    Signed-off-by: Eric Anholt <eric at anholt.net>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)

diff --git a/os/io.c b/os/io.c
index f80580cfc..70f07f3be 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
     if (!gotnow)
         AvailableInput = oc;
     if (move_header) {
+        if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+            YieldControlDeath();
+            return -1;
+        }
+
         request = (xReq *) oci->bufptr;
         oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
         *(xReq *) oci->bufptr = *request;
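Review bot: The new guard on lines 1018–1021 carries no comment explaining why a big request shorter than `sizeof(xBigReq) - sizeof(xReq)` words must be fatal, and the reasoning lives only in the commit message; since `bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))` evaluates to a small constant, the test reads like a magic-number check. A comment above line 1018 such as `/* A big request whose length word is 0 would underflow req_len when the xBigReq header is stripped below; treat it as a protocol error. */` keeps the rationale with the code. The rest of ReadRequestFromClient is outside the hunk.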

