Blame SOURCES/0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch

b1c97a
From bd134231e282d9eb126b6fdaa40bb383180fa72b Mon Sep 17 00:00:00 2001
b1c97a
From: Peter Hutterer <peter.hutterer@who-t.net>
b1c97a
Date: Tue, 5 Jul 2022 11:11:06 +1000
b1c97a
Subject: [PATCH xserver 3/3] xkb: add request length validation for
b1c97a
 XkbSetGeometry
b1c97a
b1c97a
No validation of the various fields on that report were done, so a
b1c97a
malicious client could send a short request that claims it had N
b1c97a
sections, or rows, or keys, and the server would process the request for
b1c97a
N sections, running out of bounds of the actual request data.
b1c97a
b1c97a
Fix this by adding size checks to ensure our data is valid.
b1c97a
b1c97a
ZDI-CAN 16062, CVE-2022-2319.
b1c97a
b1c97a
This vulnerability was discovered by:
b1c97a
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
b1c97a
b1c97a
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
b1c97a
(cherry picked from commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42)
b1c97a
---
b1c97a
 xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
b1c97a
 1 file changed, 38 insertions(+), 5 deletions(-)
b1c97a
b1c97a
diff --git a/xkb/xkb.c b/xkb/xkb.c
b1c97a
index 36464a770..27d19793e 100644
b1c97a
--- a/xkb/xkb.c
b1c97a
+++ b/xkb/xkb.c
b1c97a
@@ -5160,7 +5160,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
b1c97a
 }
b1c97a
 
b1c97a
 static Status
b1c97a
-_CheckSetDoodad(char **wire_inout,
b1c97a
+_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
b1c97a
                 XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
b1c97a
 {
b1c97a
     char *wire;
b1c97a
@@ -5171,6 +5171,9 @@ _CheckSetDoodad(char **wire_inout,
b1c97a
     Status status;
b1c97a
 
b1c97a
     dWire = (xkbDoodadWireDesc *) (*wire_inout);
b1c97a
+    if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
b1c97a
+        return BadLength;
b1c97a
+
b1c97a
     any = dWire->any;
b1c97a
     wire = (char *) &dWire[1];
b1c97a
     if (client->swapped) {
b1c97a
@@ -5273,7 +5276,7 @@ _CheckSetDoodad(char **wire_inout,
b1c97a
 }
b1c97a
 
b1c97a
 static Status
b1c97a
-_CheckSetOverlay(char **wire_inout,
b1c97a
+_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
b1c97a
                  XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
b1c97a
 {
b1c97a
     register int r;
b1c97a
@@ -5284,6 +5287,9 @@ _CheckSetOverlay(char **wire_inout,
b1c97a
 
b1c97a
     wire = *wire_inout;
b1c97a
     olWire = (xkbOverlayWireDesc *) wire;
b1c97a
+    if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
b1c97a
+        return BadLength;
b1c97a
+
b1c97a
     if (client->swapped) {
b1c97a
         swapl(&olWire->name);
b1c97a
     }
b1c97a
@@ -5295,6 +5301,9 @@ _CheckSetOverlay(char **wire_inout,
b1c97a
         xkbOverlayKeyWireDesc *kWire;
b1c97a
         XkbOverlayRowPtr row;
b1c97a
 
b1c97a
+        if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
b1c97a
+            return BadLength;
b1c97a
+
b1c97a
         if (rWire->rowUnder > section->num_rows) {
b1c97a
             client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
b1c97a
                                               rWire->rowUnder);
b1c97a
@@ -5303,6 +5312,9 @@ _CheckSetOverlay(char **wire_inout,
b1c97a
         row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
b1c97a
         kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
b1c97a
         for (k = 0; k < rWire->nKeys; k++, kWire++) {
b1c97a
+            if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
b1c97a
+                return BadLength;
b1c97a
+
b1c97a
             if (XkbAddGeomOverlayKey(ol, row,
b1c97a
                                      (char *) kWire->over,
b1c97a
                                      (char *) kWire->under) == NULL) {
b1c97a
@@ -5336,6 +5348,9 @@ _CheckSetSections(XkbGeometryPtr geom,
b1c97a
         register int r;
b1c97a
         xkbRowWireDesc *rWire;
b1c97a
 
b1c97a
+        if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
b1c97a
+            return BadLength;
b1c97a
+
b1c97a
         if (client->swapped) {
b1c97a
             swapl(&sWire->name);
b1c97a
             swaps(&sWire->top);
b1c97a
@@ -5361,6 +5376,9 @@ _CheckSetSections(XkbGeometryPtr geom,
b1c97a
             XkbRowPtr row;
b1c97a
             xkbKeyWireDesc *kWire;
b1c97a
 
b1c97a
+            if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
b1c97a
+                return BadLength;
b1c97a
+
b1c97a
             if (client->swapped) {
b1c97a
                 swaps(&rWire->top);
b1c97a
                 swaps(&rWire->left);
b1c97a
@@ -5375,6 +5393,9 @@ _CheckSetSections(XkbGeometryPtr geom,
b1c97a
             for (k = 0; k < rWire->nKeys; k++, kWire++) {
b1c97a
                 XkbKeyPtr key;
b1c97a
 
b1c97a
+                if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
b1c97a
+                    return BadLength;
b1c97a
+
b1c97a
                 key = XkbAddGeomKey(row);
b1c97a
                 if (!key)
b1c97a
                     return BadAlloc;
b1c97a
@@ -5400,7 +5421,7 @@ _CheckSetSections(XkbGeometryPtr geom,
b1c97a
             register int d;
b1c97a
 
b1c97a
             for (d = 0; d < sWire->nDoodads; d++) {
b1c97a
-                status = _CheckSetDoodad(&wire, geom, section, client);
b1c97a
+                status = _CheckSetDoodad(&wire, req, geom, section, client);
b1c97a
                 if (status != Success)
b1c97a
                     return status;
b1c97a
             }
b1c97a
@@ -5409,7 +5430,7 @@ _CheckSetSections(XkbGeometryPtr geom,
b1c97a
             register int o;
b1c97a
 
b1c97a
             for (o = 0; o < sWire->nOverlays; o++) {
b1c97a
-                status = _CheckSetOverlay(&wire, geom, section, client);
b1c97a
+                status = _CheckSetOverlay(&wire, req, geom, section, client);
b1c97a
                 if (status != Success)
b1c97a
                     return status;
b1c97a
             }
b1c97a
@@ -5443,6 +5464,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
b1c97a
             xkbOutlineWireDesc *olWire;
b1c97a
             XkbOutlinePtr ol;
b1c97a
 
b1c97a
+            if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
b1c97a
+                return BadLength;
b1c97a
+
b1c97a
             shape =
b1c97a
                 XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
b1c97a
             if (!shape)
b1c97a
@@ -5453,12 +5477,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
b1c97a
                 XkbPointPtr pt;
b1c97a
                 xkbPointWireDesc *ptWire;
b1c97a
 
b1c97a
+                if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
b1c97a
+                    return BadLength;
b1c97a
+
b1c97a
                 ol = XkbAddGeomOutline(shape, olWire->nPoints);
b1c97a
                 if (!ol)
b1c97a
                     return BadAlloc;
b1c97a
                 ol->corner_radius = olWire->cornerRadius;
b1c97a
                 ptWire = (xkbPointWireDesc *) &olWire[1];
b1c97a
                 for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
b1c97a
+                    if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1))
b1c97a
+                        return BadLength;
b1c97a
+
b1c97a
                     pt->x = ptWire->x;
b1c97a
                     pt->y = ptWire->y;
b1c97a
                     if (client->swapped) {
b1c97a
@@ -5564,12 +5594,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
b1c97a
         return status;
b1c97a
 
b1c97a
     for (i = 0; i < req->nDoodads; i++) {
b1c97a
-        status = _CheckSetDoodad(&wire, geom, NULL, client);
b1c97a
+        status = _CheckSetDoodad(&wire, req, geom, NULL, client);
b1c97a
         if (status != Success)
b1c97a
             return status;
b1c97a
     }
b1c97a
 
b1c97a
     for (i = 0; i < req->nKeyAliases; i++) {
b1c97a
+        if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
b1c97a
+                return BadLength;
b1c97a
+
b1c97a
         if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
b1c97a
             return BadAlloc;
b1c97a
         wire += 2 * XkbKeyNameLength;
b1c97a
-- 
b1c97a
2.36.1
b1c97a