wok-current annotate xorg-server/stuff/CVE-2022-46340.patch @ rev 25640

Patch xorg-server (CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886)
author Stanislas Leduc <shann@slitaz.org>
date Tue Jan 16 20:32:03 2024 +0000 (8 months ago)
parents
children
rev   line source
shann@25634 1 From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
shann@25634 2 From: Peter Hutterer <peter.hutterer@who-t.net>
shann@25634 3 Date: Tue, 29 Nov 2022 12:55:45 +1000
shann@25634 4 Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
shann@25634 5
shann@25634 6 XTestSwapFakeInput assumes all events in this request are
shann@25634 7 sizeof(xEvent) and iterates through these in 32-byte increments.
shann@25634 8 However, a GenericEvent may be of arbitrary length longer than 32 bytes,
shann@25634 9 so any GenericEvent in this list would result in subsequent events to be
shann@25634 10 misparsed.
shann@25634 11
shann@25634 12 Additional, the swapped event is written into a stack-allocated struct
shann@25634 13 xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
shann@25634 14 swapping the event may thus smash the stack like an avocado on toast.
shann@25634 15
shann@25634 16 Catch this case early and return BadValue for any GenericEvent.
shann@25634 17 Which is what would happen in unswapped setups anyway since XTest
shann@25634 18 doesn't support GenericEvent.
shann@25634 19
shann@25634 20 CVE-2022-46340, ZDI-CAN 19265
shann@25634 21
shann@25634 22 This vulnerability was discovered by:
shann@25634 23 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
shann@25634 24
shann@25634 25 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
shann@25634 26 Acked-by: Olivier Fourdan <ofourdan@redhat.com>
shann@25634 27 ---
shann@25634 28 Xext/xtest.c | 5 +++--
shann@25634 29 1 file changed, 3 insertions(+), 2 deletions(-)
shann@25634 30
shann@25634 31 diff --git a/Xext/xtest.c b/Xext/xtest.c
shann@25634 32 index bf27eb590..2985a4ce6 100644
shann@25634 33 --- a/Xext/xtest.c
shann@25634 34 +++ b/Xext/xtest.c
shann@25634 35 @@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
shann@25634 36
shann@25634 37 nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
shann@25634 38 for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
shann@25634 39 + int evtype = ev->u.u.type & 0x177;
shann@25634 40 /* Swap event */
shann@25634 41 - proc = EventSwapVector[ev->u.u.type & 0177];
shann@25634 42 + proc = EventSwapVector[evtype];
shann@25634 43 /* no swapping proc; invalid event type? */
shann@25634 44 - if (!proc || proc == NotImplemented) {
shann@25634 45 + if (!proc || proc == NotImplemented || evtype == GenericEvent) {
shann@25634 46 client->errorValue = ev->u.u.type;
shann@25634 47 return BadValue;
shann@25634 48 }
shann@25634 49 --
shann@25634 50 GitLab
shann@25634 51