|
|
290b8e |
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
|
|
|
290b8e |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
290b8e |
Date: Tue, 29 Nov 2022 12:55:45 +1000
|
|
|
290b8e |
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
|
|
|
290b8e |
XTestSwapFakeInput
|
|
|
290b8e |
|
|
|
290b8e |
XTestSwapFakeInput assumes all events in this request are
|
|
|
290b8e |
sizeof(xEvent) and iterates through these in 32-byte increments.
|
|
|
290b8e |
However, a GenericEvent may be of arbitrary length longer than 32 bytes,
|
|
|
290b8e |
so any GenericEvent in this list would result in subsequent events to be
|
|
|
290b8e |
misparsed.
|
|
|
290b8e |
|
|
|
290b8e |
Additional, the swapped event is written into a stack-allocated struct
|
|
|
290b8e |
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
|
|
|
290b8e |
swapping the event may thus smash the stack like an avocado on toast.
|
|
|
290b8e |
|
|
|
290b8e |
Catch this case early and return BadValue for any GenericEvent.
|
|
|
290b8e |
Which is what would happen in unswapped setups anyway since XTest
|
|
|
290b8e |
doesn't support GenericEvent.
|
|
|
290b8e |
|
|
|
290b8e |
CVE-2022-46340, ZDI-CAN 19265
|
|
|
290b8e |
|
|
|
290b8e |
This vulnerability was discovered by:
|
|
|
290b8e |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
290b8e |
|
|
|
290b8e |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
290b8e |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
290b8e |
---
|
|
|
290b8e |
Xext/xtest.c | 5 +++--
|
|
|
290b8e |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
290b8e |
|
|
|
290b8e |
diff --git a/Xext/xtest.c b/Xext/xtest.c
|
|
|
290b8e |
index bf27eb590b..2985a4ce6e 100644
|
|
|
290b8e |
--- a/Xext/xtest.c
|
|
|
290b8e |
+++ b/Xext/xtest.c
|
|
|
290b8e |
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
|
|
|
290b8e |
|
|
|
290b8e |
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
|
|
|
290b8e |
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
|
|
|
290b8e |
+ int evtype = ev->u.u.type & 0x177;
|
|
|
290b8e |
/* Swap event */
|
|
|
290b8e |
- proc = EventSwapVector[ev->u.u.type & 0177];
|
|
|
290b8e |
+ proc = EventSwapVector[evtype];
|
|
|
290b8e |
/* no swapping proc; invalid event type? */
|
|
|
290b8e |
- if (!proc || proc == NotImplemented) {
|
|
|
290b8e |
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
|
|
|
290b8e |
client->errorValue = ev->u.u.type;
|
|
|
290b8e |
return BadValue;
|
|
|
290b8e |
}
|
|
|
290b8e |
--
|
|
|
290b8e |
2.38.1
|