Diffstat (limited to 'debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch')
-rw-r--r-- | debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
new file mode 100644
index 000000000..884fa435c
--- /dev/null
+++ b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
@@ -0,0 +1,114 @@
+From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 10:54:41 -0800
+Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension
+ [CVE-2014-8095]
+
+Multiple functions in the Xinput extension handling of requests from
+clients failed to check that the length of the request sent by the
+client was large enough to perform all the required operations and
+thus could read or write to memory outside the bounds of the request
+buffer.
+
+This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
+macro in include/dix.h for the common case of needing to ensure a
+request is large enough to include both the request itself and a
+minimum amount of extra data following the request header.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Conflicts:
+ Xi/chgdctl.c
+ Xi/chgfctl.c
+ Xi/xiallowev.c
+ Xi/xichangecursor.c
+ Xi/xichangehierarchy.c
+ Xi/xigetclientpointer.c
+ Xi/xigrabdev.c
+ Xi/xipassivegrab.c
+ Xi/xiproperty.c
+ Xi/xiquerydevice.c
+ Xi/xiquerypointer.c
+ Xi/xiselectev.c
+ Xi/xisetclientpointer.c
+ Xi/xisetdevfocus.c
+ Xi/xiwarppointer.c
+
+[RHEL5: Xi/xi* files are XI2 ]
+---
+ nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++--
+ nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++
+ nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++
+ nx-X11/programs/Xserver/include/dix.h | 4 ++++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
+index 63a3c9c..144a51e 100644
+--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
+@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
+
+ REQUEST(xChangeDeviceControlReq);
+ swaps(&stuff->length, n);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++
 REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+ swaps(&stuff->control, n);
+ return(ProcXChangeDeviceControl(client));
+ }
+@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
+ CARD32 *resolution;
+
+ REQUEST(xChangeDeviceControlReq);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+
+ len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
+ dev = LookupDeviceIntRec (stuff->deviceid);
+diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
+index fe8bd1f..3ffac39 100644
+--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
+@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
+ xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped)
+ {
++ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
++ return BadLength;
+ swaps(&f->num_keysyms,n);
+ }
+ if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
+diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
+index 9b441f2..0b2a701 100644
+--- a/nx-X11/programs/Xserver/Xi/sendexev.c
++++ b/nx-X11/programs/Xserver/Xi/sendexev.c
+@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
+ return Success;
+ }
+
++ if (stuff->num_events == 0)
++ return ret;
++
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
+index d82979c..9fe575e 100644
+--- a/nx-X11/programs/Xserver/include/dix.h
++++ b/nx-X11/programs/Xserver/include/dix.h
+@@ -73,6 +73,10 @@ SOFTWARE.
+ if ((sizeof(req) >> 2) > client->req_len )\
+ return(BadLength)
+
++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
++ return(BadLength)
++
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+ ((n >> 2) >= client->req_len) || \
+--
+2.1.4
+ |
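Review bot: In the sendexev.c change, the new zero-event exit in ProcXSendExtensionEvent returns `ret`, while the error path directly above it returns the literal `Success` and no assignment to `ret` is visible in the hunk. The function body starts outside the hunk, so this needs confirming, but if `ret` is only assigned further down, the `num_events == 0` path hands an indeterminate value back to the dispatcher; `return Success;` would be unambiguous. Separately, in the dix.h macro `((uint64_t) extra)` casts only the first operand when `extra` is an expression, and `>> 2` rounds the required size down whereas the chgfctl.c check rounds up with `+ 3`. Both callers here pass `sizeof(xDeviceCtl)`, so neither matters yet, but `if (((sizeof(req) + (uint64_t) (extra) + 3) >> 2) > client->req_len)` would keep later users of the macro safe.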