X.Org Security Advisory: July 12, 2022

Povilas Kanapickas povilas at radix.lt
Tue Jul 12 12:55:05 UTC 2022 

X.Org Security Advisory: July 12, 2022

Multiple input validation failures in X server extensions
=========================================================

All theses issues can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.

* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds
Access

The handler for the ProcXkbSetGeometry request of the Xkb extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds
Access

The handler for the ProcXkbSetDeviceInfo request of the Xkb extension
does not properly validate the request length leading to out of bounds
memory write.

Patches
-------

Patches for this issues have been committed to the xorg server git
repository. xorg-server 21.1.4 will be released shortly and will
include these patches.

commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42

     xkb: add request length validation for XkbSetGeometry
     
     No validation of the various fields on that report were done, so a
     malicious client could send a short request that claims it had N
     sections, or rows, or keys, and the server would process the request
     for N sections, running out of bounds of the actual request data.
     
     Fix this by adding size checks to ensure our data is valid.
     
     Fixes ZDI-CAN 16062, CVE-2022-2319.
     
     This vulnerability was discovered by:
     Jan-Niklas Sohn working with Trend Micro Zero Day Initiative


commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc

     xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
     
     XKB often uses a FooCheck and Foo function pair, the former is
     supposed to check all values in the request and error out on
     BadLength, BadValue, etc. The latter is then called once we're
     confident the values are good (they may still fail on an individual
     device, but that's a different topic).
     
     In the case of XkbSetDeviceInfo, those functions were incorrectly
     named, with XkbSetDeviceInfo ending up as the checker function and
     XkbSetDeviceInfoCheck as the setter function. As a result, the setter
     function was called before the checker function, accessing request
     data and modifying device state before we ensured that the data is
     valid.
     
     In particular, the setter function relied on values being already
     byte-swapped. This in turn could lead to potential OOB memory access.
     
     Fix this by correctly naming the functions and moving the length checks
     over to the checker function. These were added in 87c64fc5b0 to the
     wrong function, probably due to the incorrect naming.
     
     Fixes ZDI-CAN 16070, CVE-2022-2320.
     
     This vulnerability was discovered by:
     Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
     
     Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132

Backporting of the security fixes also needs this commit:
f1070c01d616c5f21f939d5ebc533738779451ac.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative and fixed by Peter Hutterer.

--
Povilas Kanapickas

More information about the xorg mailing list