[PATCH libXi 1/3] Fix potential corruption in mask_len handling

walter harms wharms at bfs.de
Tue May 28 00:22:11 PDT 2013 


Am 28.05.2013 07:52, schrieb Peter Hutterer:
> First: check for allocation failure on the mask.
> XI2 requires that the mask is zeroed, so we can't just Data() the mask
> provided by the client (it will pad) - we need a tmp buffer. Make sure that
> doesn't fail.
> 
> Second:
> req->mask_len is a uint16_t, so check against malicious mask_lens that would
> cause us to corrupt memory on copy, as the code always allocates
> req->mask_len * 4, but copies mask->mask_len bytes.
> 
> Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
> ---
>  src/XIGrabDevice.c  | 18 ++++++++++++------
>  src/XIPassiveGrab.c |  9 ++++++++-
>  src/XISelEv.c       | 30 +++++++++++++++++++++++++-----
>  3 files changed, 45 insertions(+), 12 deletions(-)
> 
> diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c
> index dd1bd10..2bff3d8 100644
> --- a/src/XIGrabDevice.c
> +++ b/src/XIGrabDevice.c
> @@ -50,6 +50,17 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
>      if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1)
>  	return (NoSuchExtension);
>  
> +    if (mask->mask_len > INT_MAX - 3 ||
> +        (mask->mask_len + 3)/4 >= 0xffff)
> +        return BadValue;
> +

Is the INT_MAX needed here ? running X on 16bit machines seems very odd
(is that possible ?)
That makes the following possible
 (mask->mask_len + 3)/4 >= 0xffff
 mask->mask_len + 3 >= 0xffff * 4
 mask->mask_len >=  0xffff00 -3



just my two cents,
re
 wh

> +    /* mask->mask_len is in bytes, but we need 4-byte units on the wire,
> +     * and they need to be padded with 0 */
> +    len = (mask->mask_len + 3)/4;
> +    buff = calloc(4, len);
> +    if (!buff)
> +        return BadAlloc;
> +
>      GetReq(XIGrabDevice, req);
>      req->reqType  = extinfo->codes->major_opcode;
>      req->ReqType  = X_XIGrabDevice;
> @@ -59,14 +70,9 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
>      req->grab_mode = grab_mode;
>      req->paired_device_mode = paired_device_mode;
>      req->owner_events = owner_events;
> -    req->mask_len = (mask->mask_len + 3)/4;
> +    req->mask_len = len;
>      req->cursor = cursor;
>  
> -
> -    /* mask->mask_len is in bytes, but we need 4-byte units on the wire,
> -     * and they need to be padded with 0 */
> -    len = req->mask_len;
> -    buff = calloc(1, len * 4);
>      memcpy(buff, mask->mask, mask->mask_len);
>  
>      SetReqLen(req, len, len);
> diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
> index 53b4084..4ed2f09 100644
> --- a/src/XIPassiveGrab.c
> +++ b/src/XIPassiveGrab.c
> @@ -51,6 +51,14 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
>      if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1)
>  	return -1;
>  
> +    if (mask->mask_len > INT_MAX - 3 ||
> +        (mask->mask_len + 3)/4 >= 0xffff)
> +        return -1;
> +
> +    buff = calloc(4, (mask->mask_len + 3)/4);
> +    if (!buff)
> +        return -1;
> +
>      GetReq(XIPassiveGrabDevice, req);
>      req->reqType = extinfo->codes->major_opcode;
>      req->ReqType = X_XIPassiveGrabDevice;
> @@ -68,7 +76,6 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
>      len = req->mask_len + num_modifiers;
>      SetReqLen(req, len, len);
>  
> -    buff = calloc(4, req->mask_len);
>      memcpy(buff, mask->mask, mask->mask_len);
>      Data(dpy, buff, req->mask_len * 4);
>      for (i = 0; i < num_modifiers; i++)
> diff --git a/src/XISelEv.c b/src/XISelEv.c
> index 0471bef..55c0a6a 100644
> --- a/src/XISelEv.c
> +++ b/src/XISelEv.c
> @@ -53,6 +53,8 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
>      int i;
>      int len = 0;
>      int r = Success;
> +    int max_mask_len = 0;
> +    char *buff;
>  
>      XExtDisplayInfo *info = XInput_find_display(dpy);
>      LockDisplay(dpy);
> @@ -60,6 +62,26 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
>          r = NoSuchExtension;
>          goto out;
>      }
> +
> +    for (i = 0; i < num_masks; i++) {
> +        current = &masks[i];
> +        if (current->mask_len > INT_MAX - 3 ||
> +            (current->mask_len + 3)/4 >= 0xffff) {
> +            r = -1;
> +            goto out;
> +        }
> +        if (current->mask_len > max_mask_len)
> +            max_mask_len = current->mask_len;
> +    }
> +
> +    /* max_mask_len is in bytes, but we need 4-byte units on the wire,
> +     * and they need to be padded with 0 */
> +    buff = calloc(4, ((max_mask_len + 3)/4));
> +    if (!buff) {
> +        r = -1;
> +        goto out;
> +    }
> +
>      GetReq(XISelectEvents, req);
>  
>      req->reqType = info->codes->major_opcode;
> @@ -79,19 +101,17 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
>  
>      for (i = 0; i < num_masks; i++)
>      {
> -        char *buff;
>          current = &masks[i];
>          mask.deviceid = current->deviceid;
>          mask.mask_len = (current->mask_len + 3)/4;
> -        /* masks.mask_len is in bytes, but we need 4-byte units on the wire,
> -         * and they need to be padded with 0 */
> -        buff = calloc(1, mask.mask_len * 4);
> +
> +        memset(buff, 0, max_mask_len);
>          memcpy(buff, current->mask, current->mask_len);
>          Data(dpy, (char*)&mask, sizeof(xXIEventMask));
>          Data(dpy, buff, mask.mask_len * 4);
> -        free(buff);
>      }
>  
> +    free(buff);
>  out:
>      UnlockDisplay(dpy);
>      SyncHandle();

More information about the xorg-devel mailing list