1 From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Tue, 29 Nov 2022 12:55:45 +1000
4 Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
5
6 XTestSwapFakeInput assumes all events in this request are
7 sizeof(xEvent) and iterates through these in 32-byte increments.
8 However, a GenericEvent may be of arbitrary length longer than 32 bytes,
9 so any GenericEvent in this list would result in subsequent events to be
10 misparsed.
11
12 Additionally, the swapped event is written into a stack-allocated struct
13 xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
14 swapping the event may thus smash the stack like an avocado on toast.
15
16 Catch this case early and return BadValue for any GenericEvent.
17 Which is what would happen in unswapped setups anyway since XTest
18 doesn't support GenericEvent.
19
20 CVE-2022-46340, ZDI-CAN 19265
21
22 This vulnerability was discovered by:
23 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
24
25 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
26 Acked-by: Olivier Fourdan <ofourdan@redhat.com>
27 ---
28 Xext/xtest.c | 5 +++--
29 1 file changed, 3 insertions(+), 2 deletions(-)
30
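diff --git a/Xext/xtest.c b/Xext/xtest.c
index bf27eb590..2985a4ce6 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
 
 nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
 for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+ int evtype = ev->u.u.type & 0x177;
 /* Swap event */
- proc = EventSwapVector[ev->u.u.type & 0177];
+ proc = EventSwapVector[evtype];
 /* no swapping proc; invalid event type? */
- if (!proc || proc == NotImplemented) {
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
 client->errorValue = ev->u.u.type;
 return BadValue;
 }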
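Review bot: The mask on the added `int evtype = ev->u.u.type & 0x177;` line is hexadecimal, while the removed lookup used octal `0177` (0x7f), so the index into EventSwapVector is no longer computed the same way. Assuming the type field is 8 bits wide, the effective mask becomes 0x77, which clears bit 0x08: the new GenericEvent rejection still fires for a real GenericEvent, but any event type with that bit set is looked up under a different slot and may be swapped by the wrong proc or rejected with BadValue. The line should keep the original mask, `int evtype = ev->u.u.type & 0177;`. XTestSwapFakeInput begins and ends outside this hunk, so the handling after the check is not visible here.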
49 --
50 GitLab
51