aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch')
-rw-r--r--debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch114
1 files changed, 114 insertions, 0 deletions
diff --git a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
new file mode 100644
index 000000000..884fa435c
--- /dev/null
+++ b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
@@ -0,0 +1,114 @@
+From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 10:54:41 -0800
+Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension
+ [CVE-2014-8095]
+
+Multiple functions in the Xinput extension handling of requests from
+clients failed to check that the length of the request sent by the
+client was large enough to perform all the required operations and
+thus could read or write to memory outside the bounds of the request
+buffer.
+
+This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
+macro in include/dix.h for the common case of needing to ensure a
+request is large enough to include both the request itself and a
+minimum amount of extra data following the request header.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Conflicts:
+ Xi/chgdctl.c
+ Xi/chgfctl.c
+ Xi/xiallowev.c
+ Xi/xichangecursor.c
+ Xi/xichangehierarchy.c
+ Xi/xigetclientpointer.c
+ Xi/xigrabdev.c
+ Xi/xipassivegrab.c
+ Xi/xiproperty.c
+ Xi/xiquerydevice.c
+ Xi/xiquerypointer.c
+ Xi/xiselectev.c
+ Xi/xisetclientpointer.c
+ Xi/xisetdevfocus.c
+ Xi/xiwarppointer.c
+
+[RHEL5: Xi/xi* files are XI2 ]
+---
+ nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++--
+ nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++
+ nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++
+ nx-X11/programs/Xserver/include/dix.h | 4 ++++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
+index 63a3c9c..144a51e 100644
+--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
+@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
+
+ REQUEST(xChangeDeviceControlReq);
+ swaps(&stuff->length, n);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+ swaps(&stuff->control, n);
+ return(ProcXChangeDeviceControl(client));
+ }
+@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
+ CARD32 *resolution;
+
+ REQUEST(xChangeDeviceControlReq);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+
+ len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
+ dev = LookupDeviceIntRec (stuff->deviceid);
+diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
+index fe8bd1f..3ffac39 100644
+--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
+@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
+ xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped)
+ {
++ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
++ return BadLength;
+ swaps(&f->num_keysyms,n);
+ }
+ if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
+diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
+index 9b441f2..0b2a701 100644
+--- a/nx-X11/programs/Xserver/Xi/sendexev.c
++++ b/nx-X11/programs/Xserver/Xi/sendexev.c
+@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
+ return Success;
+ }
+
++ if (stuff->num_events == 0)
++ return ret;
++
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
+index d82979c..9fe575e 100644
+--- a/nx-X11/programs/Xserver/include/dix.h
++++ b/nx-X11/programs/Xserver/include/dix.h
+@@ -73,6 +73,10 @@ SOFTWARE.
+ if ((sizeof(req) >> 2) > client->req_len )\
+ return(BadLength)
+
++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
++ return(BadLength)
++
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+ ((n >> 2) >= client->req_len) || \
+--
+2.1.4
+