Diffstat (limited to 'debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch')
-rw-r--r--debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
new file mode 100644
index 000000000..ba883427f
--- /dev/null
+++ b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
@@ -0,0 +1,65 @@
+From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 21:43:42 -0500
+Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in
+ fs_get_reply/_fs_start_read from xorg/lib/libXfont commit
+ 0f1a5d372c143f91a602bdf10c917d7eabaee09b
+
+fs_get_reply() would take any reply size, multiply it by 4 and pass to
+_fs_start_read. If that size was bigger than the current reply buffer
+size, _fs_start_read would add it to the existing buffer size plus the
+buffer size increment constant and realloc the buffer to that result.
+
+This math could overflow, causing the code to allocate a smaller
+buffer than the amount it was about to read into that buffer from
+the network. It could also succeed, allowing the remote font server
+to cause massive allocations in the X server, possibly using up all
+the address space in a 32-bit X server, allowing the triggering of
+other bugs in code that fails to handle malloc failure properly.
+
+This patch protects against both problems, by disconnecting any
+font server trying to feed us more than (the somewhat arbitrary)
+64 mb in a single reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index ca10aa4..7762653 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group.
+ */
+ #define LENGTHOF(r) (SIZEOF(r) >> 2)
+
++/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
++#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
++
+ extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error)
+
+ rep = (fsGenericReply *) buf;
+
++ /*
++ * Refuse to accept replies longer than a maximum reasonable length,
++ * before we pass to _fs_start_read, since it will try to resize the
++ * incoming connection buffer to this size. Also avoids integer overflow
++ * on 32-bit systems.
++ */
++ if (rep->length > MAX_REPLY_LENGTH)
++ {
++ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
++ " from font server\n", rep->length);
++ _fs_connection_died (conn);
++ *error = FSIO_ERROR;
++ return 0;
++ }
++
+ ret = _fs_start_read (conn, rep->length << 2, &buf);
+ if (ret != FSIO_READY)
+ {
+--
+2.1.4
+
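Review bot: The new guard in fs_get_reply prints `rep->length` with `%d` in the ErrorF call; if `length` is declared `CARD32` in the FS protocol headers (as libXfont's fsGenericReply declares it), the specifier should be `%u`, or the value cast, so a reply length above INT_MAX is not logged as a negative number. The MAX_REPLY_LENGTH comment says only "somewhat arbitrary limit" while the value is in 4-byte units, matching the `<< 2` applied to `rep->length` on the next line; stating that explicitly avoids the limit being read as a byte count: `/* Upper bound on fsGenericReply.length, in 4-byte units (64 MiB of payload); larger replies are refused before _fs_start_read resizes the buffer. */`. Whether `_fs_connection_died` followed by `return 0` leaves `buf` in a state the caller tolerates cannot be checked from the hunk, since fs_get_reply's body starts and ends outside it.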