aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver
Commit message (Collapse)AuthorAgeFilesLines
* library clean-up: Don't build libNX_Xrandr anymore. Use system's libXrandr ↵Mike Gabriel2015-05-203-4/+4
| | | | shared library.
* library clean-up: Don't build libNX_Xdamage anymore. Use system's libXdamage ↵Mike Gabriel2015-05-011-2/+2
| | | | shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).
* dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).Keith Packard2015-05-011-1/+1
| | | | | | | | | | | | The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) Signed-off-by: Keith Packard <keithp@keithp.com>
* imake cleanup: Drop references to X11 build-logic that is not present in nx-X11.Mike Gabriel2015-04-283-586/+7
|
* library clean-up: Don't build libNX_Xdmcp anymore. Use system's libXdmcp ↵Mike Gabriel2015-04-221-4/+4
| | | | shared library.
* library clean-up: Don't build and link libXfont.a anymore. Use system's ↵pr/libxfont-cleanupMike Gabriel2015-04-2219-76/+38
| | | | libXfont shared library and link dynamically.
* imake cleanup (nx-X11/programs/Xserver/Imakefile): Drop build rules for ↵Mike Gabriel2015-04-171-286/+2
| | | | XF86Server and XorgServer.
* NXAGENT_UPGRADE code cleanup:Mike Gabriel2015-04-1651-38857/+6098
| | | | | | | | | | | NX agent contains/ed two build trees. An old one (probably pre-3.x.y) and a "newer" one. The "newer" code tree used to become enabled by setting NXUpgradeAgentServer in nx-X11/config/cf/host.def to YES. As building the NXUpgradeAgentServer has been the default for years now, we drop all code that does not get used at build time for NXUpgradeAgentServer == YES (i.e., the code that belongs to the pre-3.x.y phase of NX agent).
* imake cleanup: nx-X11/programs/Xserver/Imakefile (drop non-provided Xserver ↵Mike Gabriel2015-04-051-286/+1
| | | | variants)
* imake cleanup: Drop all references to XprtServer and BuildXprint*.Mike Gabriel2015-04-0410-2944/+8
|
* imake cleanup: Drop all references to XdmxServer and BuildXdmx*.Mike Gabriel2015-04-044-1209/+1
|
* imake cleanup: Drop all references to XVirtualFramebufferServer.Mike Gabriel2015-04-042-45/+3
|
* imake cleanup: Drop all references to XNestServer.Mike Gabriel2015-04-042-45/+3
|
* imake cleanup: Drop all references to XWinServer.Mike Gabriel2015-04-041-97/+2
|
* nx-X11: add more NULL guards to TEST and DEBUG sections of Render.c.Mihai Moldovan2015-03-291-65/+90
| | | | Cherry-picked from branch 3.5.0.x.
* nx-X11: fix typo in previous commit.Mihai Moldovan2015-03-291-1/+1
| | | | Cherry-picked from branch 3.5.0.x.
* nx-X11: handle source pictures (those without a Drawable surface) gracefully.Mihai Moldovan2015-03-294-20/+89
| | | | | | | | | | | | | | | | | | | Cherry-picked from branch 3.5.0.x. This is basically a merge of the most current xorg-server (1.17.1) code into nx-X11. It makes sure that for source pictures, which do not have a drawable surface, a filter is selected that is supported on the "main" and all other screens. Alternatively, if the requested filter is not available on all screens and the picture is a source picture, this function fails gracefully. Additionally, the ChangePictureFilter hook is now called for non-source pictures. This also needs an implementation in mipict.{c,h}. The default hook does nothing and returns a success value.
* nx-X11/**: Drop non-imake Makefile* files.Mike Gabriel2015-03-042-726/+0
|
* library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared ↵Mike Gabriel2015-03-032-2/+2
| | | | library.
* xkb: Check strings length against request sizeOlivier Fourdan2015-02-171-25/+41
| | | | | | | | | | | | | | | Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. v3: backport to nx-libs 3.6.x because this is the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) (cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) Signed-off-by: Julien Cristau <jcristau@debian.org>
* xkb: Don't swap XkbSetGeometry data in the input bufferOlivier Fourdan2015-02-171-16/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau <jcristau@debian.org> index 2405090..7db0959 100644
* include: introduce byte counting functions.Peter Hutterer2015-02-171-0/+30
| | | | | | | | | | | | | | | | | | | | This patch adds the following three functions: bits_to_bytes(bits) - the number of bytes needed to hold 'bits' bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than 'bytes'. All three operations are common in protocol processing and currently the server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set of functions reduce the error rate of these (albeit simple) calculations and improve readability of the code. The functions do not check for overflow. v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
* Coverity #844, #845, #846: Fix memory leaks.Daniel Stone2015-02-171-3/+19
| | | | | v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo)
* Make nxagent process aware of its current NX'ish version.Mike Gabriel2015-02-172-3/+9
| | | | | | | | | | | This feature copies the way how X.Org version string and number are propagated at build time. First use case: if people start nxagent, it reports its version number on stderr. This is about being human-friendly. Second use case: None, so far. But it will now be easy to use the NXAGENT_VERSION_STRING in later feature add-ons.
* nx-X11/programs/Xserver/hw/nxagent/: Drop unused VERSION file.Mike Gabriel2015-02-161-1/+0
|
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]Alan Coopersmith2015-02-161-0/+6
| | | | | | | | | | | | | | | | | | | | | GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
* Revert "dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]"Mihai Moldovan2015-02-161-6/+0
| | | | This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd.
* glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)Adam Jackson2015-02-144-107/+121
| | | | | | | | | | | | | | | | v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8] (v3)Adam Jackson2015-02-142-46/+71
| | | | | | | | | | | | | | | | | | | | | This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) v3: backport to RHEL5 v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swap
* glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]Adam Jackson2015-02-144-20/+52
| | | | | | | | | | | | | | | | | | | | | | v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fix safe_Add
* glx: Top-level length checking for swapped VendorPrivate requests ↵Adam Jackson2015-02-141-0/+4
| | | | | | | | | | | | | | | [CVE-2014-8098 4/8] v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Integer overflow protection for non-generated render requests (v3) ↵Adam Jackson2015-02-141-31/+37
| | | | | | | | | | | | | | | | | | | | | [CVE-2014-8093 5/6] v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8] (v3)Julien Cristau2015-02-142-20/+20
| | | | | | | | | | | | | | | | | v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) v3: backport to RHEL5 hit old paths v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] (v4)Adam Jackson2015-02-141-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) v4: RHEL5: add limits.h, use inline v5: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER ↵Adam Jackson2015-02-141-1/+2
| | | | | | | | | | | | | | | | | | | (v2) [CVE-2014-8093 3/6] If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]Adam Jackson2015-02-142-14/+14
| | | | | | | | | | | | | | | | | | Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] (v2)Adam Jackson2015-02-142-4/+4
| | | | | | | | | | | | | | | | | | | | | If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. v3: backport to nx-libs 3.6.x (Mike DePaulo) v2: backport to RHEL5 - fix swap paths Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swaps
* randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]Alan Coopersmith2015-02-141-0/+3
| | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
* xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]Alan Coopersmith2015-02-141-0/+1
| | | | | | | | | | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> v2: backport to nx-libs 3.6.x (Mike DePaulo) Conflicts: xfixes/select.c
* render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]Alan Coopersmith2015-02-141-1/+16
| | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: render/render.c
* render: check request size before reading it [CVE-2014-8100 1/2]Julien Cristau2015-02-141-1/+2
| | | | | | | | | | | | | Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Conflicts: render/render.c
* Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]Alan Coopersmith2015-02-141-0/+20
| | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xext/xvdisp.c
* xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]Alan Coopersmith2015-02-141-0/+1
| | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
* Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]Alan Coopersmith2015-02-144-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xi/chgdctl.c Xi/chgfctl.c Xi/xiallowev.c Xi/xichangecursor.c Xi/xichangehierarchy.c Xi/xigetclientpointer.c Xi/xigrabdev.c Xi/xipassivegrab.c Xi/xiproperty.c Xi/xiquerydevice.c Xi/xiquerypointer.c Xi/xiselectev.c Xi/xisetclientpointer.c Xi/xisetdevfocus.c Xi/xiwarppointer.c [RHEL5: Xi/xi* files are XI2 ]
* dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]Alan Coopersmith2015-02-141-3/+8
| | | | | | | | | | | | | | | | | | | | | | ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet. SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption. v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dbe/dbe.c
* dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]Alan Coopersmith2015-02-141-1/+4
| | | | | | | | | | | | | Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> RHEL5: add #include <stdint.h> for uint64_t v3: backport to nx-libs 3.6.x (Mike DePaulo)
* dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]Alan Coopersmith2015-02-142-15/+34
| | | | | | | | | | | | | | | | | | RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> Conflicts: dix/region.c include/regionstr.h
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]Alan Coopersmith2015-02-141-0/+6
| | | | | | | | | | | | | | | | | | | | GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
* dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]Alan Coopersmith2015-02-141-1/+3
| | | | | | | | | | | | | | | | | ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
* unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]Alan Coopersmith2015-02-141-0/+4
| | | | | | | | | | | | | | | | | | authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/rpcauth.c