From c2298e0757106c03f2a9a95d5493102f33c3cfdb Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Sun, 8 Feb 2015 20:01:27 -0500 Subject: Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) --- nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c index 922443633..5622f8cee 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c @@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) GC *pGC; unsigned char *data; ITclosurePtr new_closure; + ITclosurePtr old_closure; /* We're putting the client to sleep. We need to save some state. Similar problem to that handled @@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) err = BadAlloc; goto bail; } + old_closure = c; *new_closure = *c; c = new_closure; @@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) if (!data) { xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) { xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) FreeScratchGC(pGC); xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } -- cgit v1.2.3 From 8623faa422c3659903bdb5d19eb8947579e6141f Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Wed, 22 Jan 2014 21:11:16 -0800 Subject: dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4] ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: dix/dispatch.c --- nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index 3d9ee8c7f..e5bec8aba 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; -- cgit v1.2.3 From 2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Fri, 1 May 2015 13:09:24 +0200 Subject: dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418). The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Signed-off-by: Keith Packard --- nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index e5bec8aba..0ed7277a1 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,7 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + -- cgit v1.2.3