
X Strike Force XFree86 SVN commit: rev 966 - in branches/4.1.0/woody/debian: . patches



Author: branden
Date: 2004-01-22 20:10:54 -0500 (Thu, 22 Jan 2004)
New Revision: 966

Added:
   branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
Modified:
   branches/4.1.0/woody/debian/changelog
Log:
Backport fix for denial-of-service attacks against X server from XFree86
CVS.

Add validation for the screen number parameter received over the wire by
the X server's DRI extension code, and fix some similar checks in the GLX
code.  This fixes X server segfaults when an invalid screen value is
provided (#A.1434, Felix Kühling).


Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog	2004-01-22 20:39:21 UTC (rev 965)
+++ branches/4.1.0/woody/debian/changelog	2004-01-23 01:10:54 UTC (rev 966)
@@ -1,18 +1,26 @@
 xfree86 (4.1.0-16woody2) stable-security; urgency=high
 
-  * Security update release.  Resolves the following issue:
+  * Security update release.  Resolves the following issues:
     + CAN-2003-0690: xdm does not verify whether the pam_setcred function call
       succeeds, which may allow attackers to gain root privileges by
       triggering error conditions within PAM modules, as demonstrated in
       certain configurations of the MIT pam_krb5 module.
+    + Denial-of-service attacks against X server by clients using the GLX
+      extension and Direct Rendering Infrastructure.
 
   * Patch xdm to call pam_strerror(), log the returned error, and exit the
     StartClient() function with a zero exit status (failure) if pam_setcred()
     returns a value other than PAM_SUCCESS.
     - debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
 
- -- Branden Robinson <branden@debian.org>  Wed, 21 Jan 2004 17:19:48 -0500
+  * Add validation for the screen number parameter received over the wire by
+    the X server's DRI extension code, and fix some similar checks in the GLX
+    code.  This fixes X server segfaults when an invalid screen value is
+    provided (#A.1434, Felix K�).
+    - debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
 
+ -- Branden Robinson <branden@debian.org>  Thu, 22 Jan 2004 20:07:06 -0500
+
 xfree86 (4.1.0-16woody1) stable-security; urgency=high
 
   * Security update release.  Resolves the following issues:

Added: branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff	2004-01-22 20:39:21 UTC (rev 965)
+++ branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff	2004-01-23 01:10:54 UTC (rev 966)
@@ -0,0 +1,208 @@
+$Id$
+
+xc/programs/Xserver/GL/dri/xf86dri.c @ 1.12
+xc/programs/Xserver/GL/glx/glxcmds.c @ 1.9
+ 628. Add validation for the screen number parameter received over the wire
+      by the X server's DRI extension code, and fix some similar checks in
+      the GLX code.  This fixes X server segfaults when an invalid screen
+      value is provided (#A.1434, Felix Kühling).
+
+--- xc/programs/Xserver/GL/dri/xf86dri.c	29 Oct 2002 20:28:57 -0000	1.10
++++ xc/programs/Xserver/GL/dri/xf86dri.c	13 Dec 2002 15:51:57 -0000
+@@ -155,6 +155,11 @@
+ 
+     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+     REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -184,6 +189,10 @@
+ 
+     REQUEST(xXF86DRIOpenConnectionReq);
+     REQUEST_SIZE_MATCH(xXF86DRIOpenConnectionReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     if (!DRIOpenConnection( screenInfo.screens[stuff->screen], 
+ 			    &hSAREA,
+@@ -221,6 +230,10 @@
+     
+     REQUEST(xXF86DRIAuthConnectionReq);
+     REQUEST_SIZE_MATCH(xXF86DRIAuthConnectionReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     rep.type = X_Reply;
+     rep.length = 0;
+@@ -242,6 +255,10 @@
+ {
+     REQUEST(xXF86DRICloseConnectionReq);
+     REQUEST_SIZE_MATCH(xXF86DRICloseConnectionReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     DRICloseConnection( screenInfo.screens[stuff->screen]);
+ 
+@@ -258,6 +275,10 @@
+ 
+     REQUEST(xXF86DRIGetClientDriverNameReq);
+     REQUEST_SIZE_MATCH(xXF86DRIGetClientDriverNameReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     DRIGetClientDriverName( screenInfo.screens[stuff->screen],
+ 			    (int *)&rep.ddxDriverMajorVersion,
+@@ -295,6 +316,11 @@
+ 
+     REQUEST(xXF86DRICreateContextReq);
+     REQUEST_SIZE_MATCH(xXF86DRICreateContextReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -329,6 +355,10 @@
+ {
+     REQUEST(xXF86DRIDestroyContextReq);
+     REQUEST_SIZE_MATCH(xXF86DRIDestroyContextReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     if (!DRIDestroyContext( screenInfo.screens[stuff->screen],
+ 			    stuff->context)) {
+@@ -348,6 +378,11 @@
+ 
+     REQUEST(xXF86DRICreateDrawableReq);
+     REQUEST_SIZE_MATCH(xXF86DRICreateDrawableReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -378,6 +413,10 @@
+     REQUEST(xXF86DRIDestroyDrawableReq);
+     DrawablePtr pDrawable;
+     REQUEST_SIZE_MATCH(xXF86DRIDestroyDrawableReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
+ 
+     if (!(pDrawable = (DrawablePtr)SecurityLookupDrawable(
+ 						(Drawable)stuff->drawable,
+@@ -409,6 +448,11 @@
+ 
+     REQUEST(xXF86DRIGetDrawableInfoReq);
+     REQUEST_SIZE_MATCH(xXF86DRIGetDrawableInfoReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -483,6 +527,11 @@
+ 
+     REQUEST(xXF86DRIGetDeviceInfoReq);
+     REQUEST_SIZE_MATCH(xXF86DRIGetDeviceInfoReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -528,6 +577,11 @@
+     DrawablePtr                 pDrawable;
+ 
+     REQUEST_SIZE_MATCH(xXF86DRIOpenFullScreenReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type           = X_Reply;
+     rep.length         = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -554,6 +608,11 @@
+     DrawablePtr                  pDrawable;
+ 
+     REQUEST_SIZE_MATCH(xXF86DRICloseFullScreenReq);
++    if (stuff->screen >= screenInfo.numScreens) {
++	client->errorValue = stuff->screen;
++	return BadValue;
++    }
++
+     rep.type           = X_Reply;
+     rep.length         = 0;
+     rep.sequenceNumber = client->sequence;
+--- xc/programs/Xserver/GL/glx/glxcmds.c	25 Nov 2002 19:58:38 -0000	1.8
++++ xc/programs/Xserver/GL/glx/glxcmds.c	13 Dec 2002 15:52:01 -0000
+@@ -761,7 +761,7 @@
+     int i, p;
+ 
+     screen = req->screen;
+-    if (screen > screenInfo.numScreens) {
++    if (screen >= screenInfo.numScreens) {
+ 	/* The client library must send a valid screen number. */
+ 	client->errorValue = screen;
+ 	return BadValue;
+@@ -1466,7 +1466,7 @@
+     ClientPtr client = cl->client;
+     xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *) pc;
+     xGLXQueryExtensionsStringReply reply;
+-    GLint screen;
++    GLuint screen;
+     size_t n, length;
+     const char *ptr;
+     char *buf;
+@@ -1475,7 +1475,7 @@
+     /*
+     ** Check if screen exists.
+     */
+-    if ((screen < 0) || (screen >= screenInfo.numScreens)) {
++    if (screen >= screenInfo.numScreens) {
+ 	client->errorValue = screen;
+ 	return BadValue;
+     }
+@@ -1511,7 +1511,7 @@
+     xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) pc;
+     xGLXQueryServerStringReply reply;
+     int name;
+-    GLint screen;
++    GLuint screen;
+     size_t n, length;
+     const char *ptr;
+     char *buf;
+@@ -1521,7 +1521,7 @@
+     /*
+     ** Check if screen exists.
+     */
+-    if ((screen < 0) || (screen >= screenInfo.numScreens)) {
++    if (screen >= screenInfo.numScreens) {
+ 	client->errorValue = screen;
+ 	return BadValue;
+     }
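Review bot: In the first glxcmds.c hunk (at -761) the bound becomes `screen >= screenInfo.numScreens`, but the declaration of `screen` in that function is outside the hunk, while the two later hunks explicitly change `GLint screen` to `GLuint screen` when they drop the `screen < 0` test. If `screen` is a signed type in that first function, a negative value from the request would still pass the comparison and be used as an index, so confirm it is declared unsigned or keep an explicit `screen < 0 ||` guard there. The xf86dri.c checks likewise rely on `stuff->screen` being an unsigned wire field compared against the `int` `screenInfo.numScreens`, which the hunks do not show. A one-line comment at the first check, such as `/* screen is unsigned on the wire; reject before indexing screenInfo.screens[] */`, would record that assumption. All of the patched functions begin and end outside the hunks.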


Property changes on: branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
___________________________________________________________________
Name: svn:keywords
   + Id


