[X2Go-Commits] [nx-libs] 36/52: Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]

git-admin at x2go.org git-admin at x2go.org
Sat Feb 14 17:47:14 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit fde1375e373137ac52d0530b819bf9df64ab14c1
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Jan 26 10:54:41 2014 -0800

    Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
    
    Multiple functions in the Xinput extension handling of requests from
    clients failed to check that the length of the request sent by the
    client was large enough to perform all the required operations and
    thus could read or write to memory outside the bounds of the request
    buffer.
    
    This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
    macro in include/dix.h for the common case of needing to ensure a
    request is large enough to include both the request itself and a
    minimum amount of extra data following the request header.
    
    v2: backport to nx-libs 3.6.x (Mike DePaulo)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    
    Conflicts:
    	Xi/chgdctl.c
    	Xi/chgfctl.c
    	Xi/xiallowev.c
    	Xi/xichangecursor.c
    	Xi/xichangehierarchy.c
    	Xi/xigetclientpointer.c
    	Xi/xigrabdev.c
    	Xi/xipassivegrab.c
    	Xi/xiproperty.c
    	Xi/xiquerydevice.c
    	Xi/xiquerypointer.c
    	Xi/xiselectev.c
    	Xi/xisetclientpointer.c
    	Xi/xisetdevfocus.c
    	Xi/xiwarppointer.c
    
    [RHEL5: Xi/xi* files are XI2 ]
---
 nx-X11/programs/Xserver/Xi/chgdctl.c  |    4 ++--
 nx-X11/programs/Xserver/Xi/chgfctl.c  |    2 ++
 nx-X11/programs/Xserver/Xi/sendexev.c |    3 +++
 nx-X11/programs/Xserver/include/dix.h |    4 ++++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
index 63a3c9c..144a51e 100644
--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
 
     REQUEST(xChangeDeviceControlReq);
     swaps(&stuff->length, n);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
     swaps(&stuff->control, n);
     return(ProcXChangeDeviceControl(client));
     }
@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
     CARD32 *resolution;
 
     REQUEST(xChangeDeviceControlReq);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
 
     len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
     dev = LookupDeviceIntRec (stuff->deviceid);
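Review bot: The new check in ProcXChangeDeviceControl guarantees only the `sizeof(xDeviceCtl)` bytes after the request header, and nothing at the call site says that larger control-specific payloads need their own validation. The `CARD32 *resolution` declaration above suggests that at least one control carries more data than the generic header. I would add a comment above the macro call such as `/* Only the generic xDeviceCtl header is guaranteed here; each control must still validate len before touching its own fields. */`. The function body continues outside the hunk, so whether those per-control checks already exist cannot be confirmed from here.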
diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
index fe8bd1f..3ffac39 100644
--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
 	    xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
 	    if (client->swapped)
 		{
+		if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
+		    return BadLength;
 		swaps(&f->num_keysyms,n);
 		}
 	    if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
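Review bot: The added length test sits inside `if (client->swapped)`, so on the non-swapped path the following `len !=` comparison still reads `f->num_keysyms` before anything in this hunk confirms the request covers an xStringFeedbackCtl. Unless a check outside the hunk already guarantees that, hoist the test above the branch so both byte orders are covered: `if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2) return BadLength;` placed directly after the declaration of `f`. The type of `len` is not visible here; if it is signed, a negative value is converted to a large unsigned number in this comparison and passes the test, so it is worth confirming that `len` cannot go negative. ProcXChangeFeedbackControl starts and ends outside the hunk.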
diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
index 9b441f2..0b2a701 100644
--- a/nx-X11/programs/Xserver/Xi/sendexev.c
+++ b/nx-X11/programs/Xserver/Xi/sendexev.c
@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
 	return Success;
 	}
 
+    if (stuff->num_events == 0)
+        return ret;
+
     /* The client's event type must be one defined by an extension. */
 
     first = ((xEvent *) &stuff[1]);
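Review bot: The new early exit returns `ret`, but no visible line assigns `ret` before this point, and the error branch just above returns the literal `Success`. If `ret` is only set later in this backported function, the `num_events == 0` path returns an indeterminate value to the dispatcher. Returning the constant avoids depending on that: `if (stuff->num_events == 0) return Success;`. The declaration of `ret` and the rest of ProcXSendExtensionEvent are outside the hunk, so this should be checked against the full function.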
diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
index d82979c..9fe575e 100644
--- a/nx-X11/programs/Xserver/include/dix.h
+++ b/nx-X11/programs/Xserver/include/dix.h
@@ -73,6 +73,10 @@ SOFTWARE.
     if ((sizeof(req) >> 2) > client->req_len )\
          return(BadLength)
 
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+         return(BadLength)
+
 #define REQUEST_FIXED_SIZE(req, n)\
     if (((sizeof(req) >> 2) > client->req_len) || \
         ((n >> 2) >= client->req_len) || \
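Review bot: REQUEST_AT_LEAST_EXTRA_SIZE rounds the byte total down with `>> 2`, so when `sizeof(req) + extra` is not a multiple of 4 the macro accepts a request up to three bytes shorter than the caller asked for. The chgfctl.c hunk in this commit rounds up with `+ 3`, and the macro should do the same. The `extra` argument is also used unparenthesized after the cast, so an expression argument would have the cast applied to its first operand only. Both are addressed by `if (((sizeof(req) + ((uint64_t) (extra)) + 3) >> 2) > client->req_len ) \`. A short comment stating that `extra` is a byte count would help callers, and `uint64_t` needs `<stdint.h>` to be in scope wherever dix.h is included, which is not visible in this hunk.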

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git

