wok-current view xorg-server/stuff/CVE-2023-6478.patch @ rev 25695

Up linux 5.10.214, Patch xorg-server (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083)
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 04 08:53:51 2024 +0000 (5 months ago)
1 From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Mon, 27 Nov 2023 16:27:49 +1000
4 Subject: [PATCH] randr: avoid integer truncation in length check of
5 ProcRRChange*Property
7 Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
8 See also xserver@8f454b79 where this same bug was fixed for the core
9 protocol and XI.
11 This fixes an OOB read and the resulting information disclosure.
13 Length calculation for the request was clipped to a 32-bit integer. With
14 the correct stuff->nUnits value the expected request size was
15 truncated, passing the REQUEST_FIXED_SIZE check.
17 The server then proceeded with reading at least stuff->num_items bytes
18 (depending on stuff->format) from the request and stuffing whatever it
19 finds into the property. In the process it would also allocate at least
20 stuff->nUnits bytes, i.e. 4GB.
22 CVE-2023-6478, ZDI-CAN-22561
24 This vulnerability was discovered by:
25 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
26 ---
27 randr/rrproperty.c | 2 +-
28 randr/rrproviderproperty.c | 2 +-
29 2 files changed, 2 insertions(+), 2 deletions(-)
31 diff --git a/randr/rrproperty.c b/randr/rrproperty.c
32 index 25469f57b2..c4fef8a1f6 100644
33 --- a/randr/rrproperty.c
34 +++ b/randr/rrproperty.c
35 @@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
36 char format, mode;
37 unsigned long len;
38 int sizeInBytes;
39 - int totalSize;
40 + uint64_t totalSize;
41 int err;
43 REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
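Review bot: widening `totalSize` to `uint64_t` in ProcRRChangeOutputProperty only helps if the value stored in it is also computed in 64 bits, and the assignment is outside this hunk's context. `len` is `unsigned long` and `sizeInBytes` stays `int`, so if the size is a product of the two, a build where `unsigned long` is 32 bits would wrap before the result is stored. Suggest casting one operand at the assignment, e.g. `(uint64_t) len * sizeInBytes`, or noting in the commit message which earlier bound on `len` makes the cast unnecessary.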
44 diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
45 index b79c17f9bf..90c5a9a933 100644
46 --- a/randr/rrproviderproperty.c
47 +++ b/randr/rrproviderproperty.c
48 @@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
49 char format, mode;
50 unsigned long len;
51 int sizeInBytes;
52 - int totalSize;
53 + uint64_t totalSize;
54 int err;
56 REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
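Review bot: the `uint64_t totalSize` declaration in ProcRRChangeProviderProperty has no comment explaining why it differs from the `int` locals around it, and this is the second file in the patch receiving the identical one-line change. A short comment on the declaration, saying it must be wide enough to hold the computed request size, would keep a later cleanup from narrowing it again. Since the commit message cites the same bug in the core protocol and XI, a shared helper for this length computation would be a reasonable follow-up.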
57 --
58 GitLab
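The truncation the commit message describes, as an added example that is not part of the patch or of xorg-server: a simplified model of the length check with the size held in a 32-bit `int` and in a `uint64_t`. `HDR_BYTES`, `fixed_size_ok`, `check_narrow` and `check_wide` are hypothetical names, the header size and both requests are constructed, and the check is a stand-in for REQUEST_FIXED_SIZE, not its real definition.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed header size for the model, not the real request struct. */
#define HDR_BYTES 24u

/* Stand-in for the fixed-size check: header plus payload, rounded up to
 * 4-byte words, must equal the length the client declared. */
static int fixed_size_ok(uint64_t payload_bytes, uint32_t req_len_words)
{
    return ((HDR_BYTES + payload_bytes + 3) >> 2) == req_len_words;
}

/* Before the fix: the 64-bit product is stored in a 32-bit signed
 * variable, so everything above bit 31 is dropped before the check. */
static int check_narrow(uint32_t n_units, int format, uint32_t req_len_words)
{
    uint64_t product = (uint64_t)n_units * (uint64_t)(format >> 3);
    int32_t total_size = (int32_t)(uint32_t)product;  /* models "int totalSize" */
    return fixed_size_ok((uint64_t)(int64_t)total_size, req_len_words);
}

/* After the fix: the size keeps all 64 bits, so the check sees the
 * payload the request really claims. */
static int check_wide(uint32_t n_units, int format, uint32_t req_len_words)
{
    uint64_t total_size = (uint64_t)n_units * (uint64_t)(format >> 3);
    return fixed_size_ok(total_size, req_len_words);
}

int main(void)
{
    /* Constructed requests: { nUnits, format, declared length in words }. */
    struct { uint32_t n_units; int format; uint32_t req_len; const char *what; } reqs[] = {
        { 4u,          32, 10u, "4 units, 16 payload bytes sent" },
        { 0x40000000u, 32, 6u,  "2^30 units claimed, no payload sent" },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-38s int: %s  uint64_t: %s\n", reqs[i].what,
               check_narrow(reqs[i].n_units, reqs[i].format, reqs[i].req_len) ? "accepted" : "BadLength",
               check_wide(reqs[i].n_units, reqs[i].format, reqs[i].req_len) ? "accepted" : "BadLength");
    return 0;
}
```

In the second request the claimed size is exactly 2^32 bytes, which truncates to 0, so the narrow check accepts a header-only request while the wide check rejects it.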