xserver: Branch 'server-1.20-branch' - 4 commits
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Aug 25 15:20:44 UTC 2020
Xi/xichangehierarchy.c | 2 +-
record/record.c | 10 +++++-----
xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
xkb/xkbSwap.c | 2 +-
4 files changed, 55 insertions(+), 7 deletions(-)
New commits:
commit 705d7213935820d9f56563ee9e17aa9beb365c1e
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Tue Aug 18 14:55:01 2020 +0200
Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
diff --git a/record/record.c b/record/record.c
index f0b739b0c..05d751ac2 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
commit 5b384e7678c5a155dd8752f018c8292153c1295e
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Tue Aug 18 14:52:29 2020 +0200
Fix XkbSelectEvents() integer underflow
CVE-2020-14361 ZDI-CAN 11573
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
(cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5ff4..50cabb90e 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
commit eff3f6cdd398bfac040351e99e64baf3bf64fa2e
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Tue Aug 18 14:49:04 2020 +0200
Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
(cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd91258..504defe56 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
commit 1d3a1092c30af660b1366fcd344af745590aa29f
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Tue Aug 18 14:46:32 2020 +0200
Correct bounds checking in XkbSetNames()
CVE-2020-14345 / ZDI 11428
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
(cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 3162574a4..2139da7ee 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
#define CHK_REQ_KEY_RANGE(err,first,num,r) \
CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+ char *cstuff = (char *)stuff;
+ char *cfrom = (char *)from;
+ char *cto = (char *)to;
+
+ return cfrom < cto &&
+ cfrom >= cstuff &&
+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
+ cto >= cstuff &&
+ cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
/***====================================================================***/
int
@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
return BadAccess;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+ return BadLength;
old = tmp;
tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
if (!tmp) {
@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
}
width = (CARD8 *) tmp;
tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+ return BadLength;
type = &xkb->map->types[stuff->firstKTLevel];
for (i = 0; i < stuff->nKTLevels; i++, type++) {
if (width[i] == 0)
@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
type->num_levels, width[i]);
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x08;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->indicators)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
client->swapped, &bad);
if (!tmp) {
@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x09;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->virtualMods)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
(CARD32) stuff->virtualMods,
client->swapped, &bad);
@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x0a;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->groupNames)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
(CARD32) stuff->groupNames,
client->swapped, &bad);
@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
stuff->nKeys);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+ return BadLength;
tmp += stuff->nKeys;
}
if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + (stuff->nKeyAliases * 2)))
+ return BadLength;
tmp += stuff->nKeyAliases * 2;
}
if (stuff->which & XkbRGNamesMask) {
@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + stuff->nRadioGroups))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
/* check device-independent stuff */
tmp = (CARD32 *) &stuff[1];
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbKeycodesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbGeometryNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbPhysSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbTypesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbCompatNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
More information about the xorg-commit
mailing list