|
|
b1c97a |
From bd134231e282d9eb126b6fdaa40bb383180fa72b Mon Sep 17 00:00:00 2001
|
|
|
b1c97a |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
b1c97a |
Date: Tue, 5 Jul 2022 11:11:06 +1000
|
|
|
b1c97a |
Subject: [PATCH xserver 3/3] xkb: add request length validation for
|
|
|
b1c97a |
XkbSetGeometry
|
|
|
b1c97a |
|
|
|
b1c97a |
No validation of the various fields on that report were done, so a
|
|
|
b1c97a |
malicious client could send a short request that claims it had N
|
|
|
b1c97a |
sections, or rows, or keys, and the server would process the request for
|
|
|
b1c97a |
N sections, running out of bounds of the actual request data.
|
|
|
b1c97a |
|
|
|
b1c97a |
Fix this by adding size checks to ensure our data is valid.
|
|
|
b1c97a |
|
|
|
b1c97a |
ZDI-CAN 16062, CVE-2022-2319.
|
|
|
b1c97a |
|
|
|
b1c97a |
This vulnerability was discovered by:
|
|
|
b1c97a |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
b1c97a |
|
|
|
b1c97a |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
b1c97a |
(cherry picked from commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42)
|
|
|
b1c97a |
---
|
|
|
b1c97a |
xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
|
|
|
b1c97a |
1 file changed, 38 insertions(+), 5 deletions(-)
|
|
|
b1c97a |
|
|
|
b1c97a |
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
|
b1c97a |
index 36464a770..27d19793e 100644
|
|
|
b1c97a |
--- a/xkb/xkb.c
|
|
|
b1c97a |
+++ b/xkb/xkb.c
|
|
|
b1c97a |
@@ -5160,7 +5160,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
|
|
|
b1c97a |
}
|
|
|
b1c97a |
|
|
|
b1c97a |
static Status
|
|
|
b1c97a |
-_CheckSetDoodad(char **wire_inout,
|
|
|
b1c97a |
+_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
|
|
|
b1c97a |
XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
|
|
|
b1c97a |
{
|
|
|
b1c97a |
char *wire;
|
|
|
b1c97a |
@@ -5171,6 +5171,9 @@ _CheckSetDoodad(char **wire_inout,
|
|
|
b1c97a |
Status status;
|
|
|
b1c97a |
|
|
|
b1c97a |
dWire = (xkbDoodadWireDesc *) (*wire_inout);
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
any = dWire->any;
|
|
|
b1c97a |
wire = (char *) &dWire[1];
|
|
|
b1c97a |
if (client->swapped) {
|
|
|
b1c97a |
@@ -5273,7 +5276,7 @@ _CheckSetDoodad(char **wire_inout,
|
|
|
b1c97a |
}
|
|
|
b1c97a |
|
|
|
b1c97a |
static Status
|
|
|
b1c97a |
-_CheckSetOverlay(char **wire_inout,
|
|
|
b1c97a |
+_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
|
|
|
b1c97a |
XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
|
|
|
b1c97a |
{
|
|
|
b1c97a |
register int r;
|
|
|
b1c97a |
@@ -5284,6 +5287,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
|
b1c97a |
|
|
|
b1c97a |
wire = *wire_inout;
|
|
|
b1c97a |
olWire = (xkbOverlayWireDesc *) wire;
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (client->swapped) {
|
|
|
b1c97a |
swapl(&olWire->name);
|
|
|
b1c97a |
}
|
|
|
b1c97a |
@@ -5295,6 +5301,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
|
b1c97a |
xkbOverlayKeyWireDesc *kWire;
|
|
|
b1c97a |
XkbOverlayRowPtr row;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (rWire->rowUnder > section->num_rows) {
|
|
|
b1c97a |
client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
|
|
|
b1c97a |
rWire->rowUnder);
|
|
|
b1c97a |
@@ -5303,6 +5312,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
|
b1c97a |
row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
|
|
|
b1c97a |
kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
|
|
|
b1c97a |
for (k = 0; k < rWire->nKeys; k++, kWire++) {
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (XkbAddGeomOverlayKey(ol, row,
|
|
|
b1c97a |
(char *) kWire->over,
|
|
|
b1c97a |
(char *) kWire->under) == NULL) {
|
|
|
b1c97a |
@@ -5336,6 +5348,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
|
b1c97a |
register int r;
|
|
|
b1c97a |
xkbRowWireDesc *rWire;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (client->swapped) {
|
|
|
b1c97a |
swapl(&sWire->name);
|
|
|
b1c97a |
swaps(&sWire->top);
|
|
|
b1c97a |
@@ -5361,6 +5376,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
|
b1c97a |
XkbRowPtr row;
|
|
|
b1c97a |
xkbKeyWireDesc *kWire;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (client->swapped) {
|
|
|
b1c97a |
swaps(&rWire->top);
|
|
|
b1c97a |
swaps(&rWire->left);
|
|
|
b1c97a |
@@ -5375,6 +5393,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
|
b1c97a |
for (k = 0; k < rWire->nKeys; k++, kWire++) {
|
|
|
b1c97a |
XkbKeyPtr key;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
key = XkbAddGeomKey(row);
|
|
|
b1c97a |
if (!key)
|
|
|
b1c97a |
return BadAlloc;
|
|
|
b1c97a |
@@ -5400,7 +5421,7 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
|
b1c97a |
register int d;
|
|
|
b1c97a |
|
|
|
b1c97a |
for (d = 0; d < sWire->nDoodads; d++) {
|
|
|
b1c97a |
- status = _CheckSetDoodad(&wire, geom, section, client);
|
|
|
b1c97a |
+ status = _CheckSetDoodad(&wire, req, geom, section, client);
|
|
|
b1c97a |
if (status != Success)
|
|
|
b1c97a |
return status;
|
|
|
b1c97a |
}
|
|
|
b1c97a |
@@ -5409,7 +5430,7 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
|
b1c97a |
register int o;
|
|
|
b1c97a |
|
|
|
b1c97a |
for (o = 0; o < sWire->nOverlays; o++) {
|
|
|
b1c97a |
- status = _CheckSetOverlay(&wire, geom, section, client);
|
|
|
b1c97a |
+ status = _CheckSetOverlay(&wire, req, geom, section, client);
|
|
|
b1c97a |
if (status != Success)
|
|
|
b1c97a |
return status;
|
|
|
b1c97a |
}
|
|
|
b1c97a |
@@ -5443,6 +5464,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
|
|
|
b1c97a |
xkbOutlineWireDesc *olWire;
|
|
|
b1c97a |
XkbOutlinePtr ol;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
shape =
|
|
|
b1c97a |
XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
|
|
|
b1c97a |
if (!shape)
|
|
|
b1c97a |
@@ -5453,12 +5477,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
|
|
|
b1c97a |
XkbPointPtr pt;
|
|
|
b1c97a |
xkbPointWireDesc *ptWire;
|
|
|
b1c97a |
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
ol = XkbAddGeomOutline(shape, olWire->nPoints);
|
|
|
b1c97a |
if (!ol)
|
|
|
b1c97a |
return BadAlloc;
|
|
|
b1c97a |
ol->corner_radius = olWire->cornerRadius;
|
|
|
b1c97a |
ptWire = (xkbPointWireDesc *) &olWire[1];
|
|
|
b1c97a |
for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
pt->x = ptWire->x;
|
|
|
b1c97a |
pt->y = ptWire->y;
|
|
|
b1c97a |
if (client->swapped) {
|
|
|
b1c97a |
@@ -5564,12 +5594,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
|
|
|
b1c97a |
return status;
|
|
|
b1c97a |
|
|
|
b1c97a |
for (i = 0; i < req->nDoodads; i++) {
|
|
|
b1c97a |
- status = _CheckSetDoodad(&wire, geom, NULL, client);
|
|
|
b1c97a |
+ status = _CheckSetDoodad(&wire, req, geom, NULL, client);
|
|
|
b1c97a |
if (status != Success)
|
|
|
b1c97a |
return status;
|
|
|
b1c97a |
}
|
|
|
b1c97a |
|
|
|
b1c97a |
for (i = 0; i < req->nKeyAliases; i++) {
|
|
|
b1c97a |
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
|
|
|
b1c97a |
+ return BadLength;
|
|
|
b1c97a |
+
|
|
|
b1c97a |
if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
|
|
|
b1c97a |
return BadAlloc;
|
|
|
b1c97a |
wire += 2 * XkbKeyNameLength;
|
|
|
b1c97a |
--
|
|
|
b1c97a |
2.36.1
|
|
|
b1c97a |
|