Blame SOURCES/0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch

From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 12:55:45 +1000
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
 XTestSwapFakeInput

XTestSwapFakeInput assumes all events in this request are
sizeof(xEvent) and iterates through these in 32-byte increments.
However, a GenericEvent may be of arbitrary length longer than 32 bytes,
so any GenericEvent in this list would result in subsequent events being
misparsed.

Additionally, the swapped event is written into a stack-allocated struct
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
swapping the event may thus smash the stack like an avocado on toast.

Catch this case early and return BadValue for any GenericEvent.
Which is what would happen in unswapped setups anyway since XTest
doesn't support GenericEvent.

CVE-2022-46340, ZDI-CAN 19265

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/xtest.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Xext/xtest.c b/Xext/xtest.c
index bf27eb590b..2985a4ce6e 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
 
     nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
     for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+        int evtype = ev->u.u.type & 0x177;
         /* Swap event */
-        proc = EventSwapVector[ev->u.u.type & 0177];
+        proc = EventSwapVector[evtype];
         /* no swapping proc; invalid event type? */
-        if (!proc || proc == NotImplemented) {
+        if (!proc || proc == NotImplemented || evtype == GenericEvent) {
             client->errorValue = ev->u.u.type;
             return BadValue;
         }
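Review bot: the mask in the added line `int evtype = ev->u.u.type & 0x177;` is not the value it replaces: the old line used octal `0177`, which is 127 (0x7f), whereas `0x177` is 375. Because `u.u.type` is a single byte, the effective mask becomes 0x77, so bit 3 of the type is cleared along with the send_event bit; type 43 (0x2b), for instance, masks to 35 and is rejected as GenericEvent, and types 8 to 15 and 24 to 31 alias onto lower slots of `EventSwapVector`. The resulting index stays below 128, so this is not an out-of-bounds read, but the intent of the hunk was only to hoist the existing expression into a variable; suggest keeping `0177` or writing `0x7f`. The new `evtype == GenericEvent` condition is otherwise correct and still reports the unmasked `ev->u.u.type` in `client->errorValue` as before.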
--
2.38.1
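As an added illustration (not part of this patch and not the xserver's own code), the following C program models the parsing assumption the commit message describes: the request body is walked in fixed 32-byte steps, so any event whose real length differs from 32 bytes (a GenericEvent) must be rejected before the swap writes into a 32-byte stack buffer. It also shows, with concrete values, why octal `0177` and hex `0x177` are different masks. The function names `validate_fake_input`, `scenario_core_events`, `scenario_generic_event` and `reported_generic_type` are hypothetical; the event-type, error-code and size constants carry the same values as the X11 headers, and the request bodies are constructed in the program.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protocol constants with the same values as the X11 headers (X.h / Xproto.h). */
#define KeyPress       2
#define KeyRelease     3
#define ButtonPress    4
#define ButtonRelease  5
#define MotionNotify   6
#define GenericEvent   35
#define Success        0
#define BadValue       2
#define SZ_XEVENT      32   /* every core xEvent is exactly 32 bytes on the wire */
#define SEND_EVENT_BIT 0x80 /* top bit of the type byte marks a SendEvent-generated event */

/* The mask the original source used: octal 0177 == 127 == 0x7f. */
int mask_type_octal(uint8_t type) { return type & 0177; }

/* The mask as written in the hunk: hex 0x177 == 375. On a one-byte type the
 * effective mask is 0x77, so bit 3 is cleared together with the SendEvent bit. */
int mask_type_hex(uint8_t type) { return type & 0x177; }

/* Hypothetical validator (not the xserver's code): walk the request body in
 * 32-byte steps, exactly as XTestSwapFakeInput does, and before anything is
 * swapped into a 32-byte stack buffer reject every event type that is not one
 * of the fixed-size input events XTest can fake. A GenericEvent is rejected
 * because its real length is not 32 bytes: stepping over it in 32-byte
 * increments would desynchronise the walk for every later event. */
int validate_fake_input(const uint8_t *body, size_t body_len, int *bad_type)
{
    size_t nev = body_len / SZ_XEVENT;       /* same arithmetic as nev in the hunk */

    for (size_t i = 0; i < nev; i++) {
        uint8_t raw = body[i * SZ_XEVENT];   /* first byte of an event is its type */
        int evtype = raw & 0x7f;             /* strip only the SendEvent bit */

        switch (evtype) {
        case KeyPress:
        case KeyRelease:
        case ButtonPress:
        case ButtonRelease:
        case MotionNotify:
            break;                           /* fixed size, has a swap proc */
        default:                             /* includes GenericEvent */
            if (bad_type)
                *bad_type = raw;             /* report the unmasked type, like errorValue */
            return BadValue;
        }
    }
    return Success;
}

/* Constructed request body: three core input events, one carrying the SendEvent bit. */
int scenario_core_events(void)
{
    uint8_t body[3 * SZ_XEVENT];
    memset(body, 0, sizeof body);
    body[0 * SZ_XEVENT] = KeyPress;
    body[1 * SZ_XEVENT] = SEND_EVENT_BIT | ButtonRelease;
    body[2 * SZ_XEVENT] = MotionNotify;
    return validate_fake_input(body, sizeof body, NULL);
}

/* Constructed request body: a GenericEvent placed in the middle of the list. */
int scenario_generic_event(int *bad_type)
{
    uint8_t body[3 * SZ_XEVENT];
    memset(body, 0, sizeof body);
    body[0 * SZ_XEVENT] = KeyPress;
    body[1 * SZ_XEVENT] = GenericEvent;
    body[2 * SZ_XEVENT] = KeyRelease;
    return validate_fake_input(body, sizeof body, bad_type);
}

/* The type the validator reports for the GenericEvent scenario. */
int reported_generic_type(void)
{
    int bad = -1;
    scenario_generic_event(&bad);
    return bad;
}

int main(void)
{
    printf("core events only  -> %d (0 = Success)\n", scenario_core_events());
    printf("with GenericEvent -> %d (2 = BadValue), errorValue=%d\n",
           scenario_generic_event(NULL), reported_generic_type());
    printf("0177 == 0x7f ? %d   43 & 0x177 = %d   8 & 0x177 = %d\n",
           0177 == 0x7f, mask_type_hex(43), mask_type_hex(8));
    return 0;
}
```

The validator deliberately whitelists the five input event types rather than blacklisting GenericEvent: the fixed-stride walk is only safe for types whose wire size is known to be 32 bytes, which is the property the patch relies on.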