wok-current view xorg-server/stuff/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch @ rev 25640

Patch xorg-server (CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886)
author Stanislas Leduc <shann@slitaz.org>
date Tue Jan 16 20:32:03 2024 +0000 (5 months ago)
1 From dd8caf39e9e15d8f302e54045dd08d8ebf1025dc Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Tue, 5 Jul 2022 09:50:41 +1000
4 Subject: [PATCH] xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
6 XKB often uses a FooCheck and Foo function pair, the former is supposed
7 to check all values in the request and error out on BadLength,
8 BadValue, etc. The latter is then called once we're confident the values
9 are good (they may still fail on an individual device, but that's a
10 different topic).
12 In the case of XkbSetDeviceInfo, those functions were incorrectly
13 named, with XkbSetDeviceInfo ending up as the checker function and
14 XkbSetDeviceInfoCheck as the setter function. As a result, the setter
15 function was called before the checker function, accessing request
16 data and modifying device state before we ensured that the data is
17 valid.
19 In particular, the setter function relied on values being already
20 byte-swapped. This in turn could lead to potential OOB memory access.
22 Fix this by correctly naming the functions and moving the length checks
23 over to the checker function. These were added in 87c64fc5b0 to the
24 wrong function, probably due to the incorrect naming.
26 Fixes ZDI-CAN 16070, CVE-2022-2320.
28 This vulnerability was discovered by:
29 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
31 Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132
33 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
34 ---
35 xkb/xkb.c | 46 +++++++++++++++++++++++++---------------------
36 1 file changed, 25 insertions(+), 21 deletions(-)
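--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
 static char *
 CheckSetDeviceIndicators(char *wire,
 DeviceIntPtr dev,
- int num, int *status_rtrn, ClientPtr client)
+ int num, int *status_rtrn, ClientPtr client,
+ xkbSetDeviceInfoReq * stuff)
 {
 xkbDeviceLedsWireDesc *ledWire;
 int i;
@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire,
 ledWire = (xkbDeviceLedsWireDesc *) wire;
 for (i = 0; i < num; i++) {
+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) ledWire;
+ }
+
 if (client->swapped) {
 swaps(&ledWire->ledClass);
 swaps(&ledWire->ledID);
@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire,
 atomWire = (CARD32 *) &ledWire[1];
 if (nNames > 0) {
 for (n = 0; n < nNames; n++) {
+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) atomWire;
+ }
+
 if (client->swapped) {
 swapl(atomWire);
 }
@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire,
 mapWire = (xkbIndicatorMapWireDesc *) atomWire;
 if (nMaps > 0) {
 for (n = 0; n < nMaps; n++) {
+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) mapWire;
+ }
 if (client->swapped) {
 swaps(&mapWire->virtualMods);
 swapl(&mapWire->ctrls);
@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire,
 xkbIndicatorMapWireDesc *mapWire;
 XkbSrvLedInfoPtr sli;
- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
- *status_rtrn = BadLength;
- return (char *) ledWire;
- }
-
 namec = mapc = statec = 0;
 sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
 XkbXI_IndicatorMapsMask);
@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire,
 memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
 for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
 if (ledWire->namesPresent & bit) {
- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
- *status_rtrn = BadLength;
- return (char *) atomWire;
- }
 sli->names[n] = (Atom) *atomWire;
 if (sli->names[n] == None)
 ledWire->namesPresent &= ~bit;
@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire,
 if (ledWire->mapsPresent) {
 for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
 if (ledWire->mapsPresent & bit) {
- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
- *status_rtrn = BadLength;
- return (char *) mapWire;
- }
 sli->maps[n].flags = mapWire->flags;
 sli->maps[n].which_groups = mapWire->whichGroups;
 sli->maps[n].groups = mapWire->groups;
@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire,
 }
 static int
-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
 xkbSetDeviceInfoReq * stuff)
 {
 char *wire;
 wire = (char *) &stuff[1];
 if (stuff->change & XkbXI_ButtonActionsMask) {
+ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+ return BadLength;
+
 if (!dev->button) {
 client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
 return XkbKeyboardErrorCode;
@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
 dev->button->numButtons);
 return BadMatch;
 }
- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
+ wire += sz;
 }
 if (stuff->change & XkbXI_IndicatorsMask) {
 int status = Success;
 wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
- &status, client);
+ &status, client, stuff);
 if (status != Success)
 return status;
 }
@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
 }
 static int
-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
- xkbSetDeviceInfoReq * stuff)
+_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+ xkbSetDeviceInfoReq * stuff)
 {
 char *wire;
 xkbExtensionDeviceNotify ed;
@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
 if (stuff->firstBtn + stuff->nBtns > nBtns)
 return BadValue;
 sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
- return BadLength;
 memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
 wire += sz;
 ed.reason |= XkbXI_ButtonActionsMask;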
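Review bot: With the bounds checks removed from SetDeviceIndicators and from the memcpy path of _XkbSetDeviceInfo, the setter is only safe if _XkbSetDeviceInfoCheck has already walked the same request, and nothing in the new code records that precondition. The checker is also not a pure validation pass: CheckSetDeviceIndicators byte-swaps the LED, atom and map fields in place for swapped clients. If a caller (outside these hunks) runs it more than once on one request, the fields would presumably be swapped back before the setter reads them. I would add a comment above the setter such as `/* Caller must have run _XkbSetDeviceInfoCheck() on this request: no length checks are repeated here, and wire fields are already in host byte order. */`. Both function bodies extend beyond the hunks shown, so the call order itself cannot be confirmed from this page.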
176 --
177 GitLab