xorg-server: Changes to 'debian-jessie'
Xext/panoramiX.c | 3
Xext/saver.c | 2
Xext/shm.c | 1
Xext/xres.c | 4 -
Xext/xvdisp.c | 4 -
Xi/xibarriers.c | 12 +++
Xi/xichangehierarchy.c | 6 -
dbe/dbe.c | 5 +
debian/changelog | 26 ++++++++
dix/dispatch.c | 7 +-
hw/dmx/dmxpict.c | 2
hw/xfree86/common/xf86DGA.c | 81 ++++++++++++++------------
hw/xfree86/common/xf86vmode.c | 129 ++++++++++++++++++++++--------------------
hw/xfree86/dri/xf86dri.c | 1
os/io.c | 5 +
pseudoramiX/pseudoramiX.c | 3
render/render.c | 7 ++
xfixes/cursor.c | 5 +
xfixes/region.c | 3
xfixes/saveset.c | 1
xfixes/xfixes.c | 1
xkb/xkbtext.c | 42 ++++++-------
22 files changed, 221 insertions(+), 129 deletions(-)
New commits:
commit fe4b80e8d0993e2e89e4b5bddab9d1d35fadd254
Author: Julien Cristau <jcristau@debian.org>
Date: Fri Oct 13 12:01:00 2017 +0200
Changelog update
diff --git a/debian/changelog b/debian/changelog
index 80ad59d..867cbf7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+xorg-server (2:1.16.4-1+deb8u2) UNRELEASED; urgency=high
+
+ * render: Fix out of boundary heap access
+ * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+ * xkb: Escape non-printable characters correctly.
+ * xkb: Handle xkb formated string output safely (CVE-2017-13723)
+ * os: Make sure big requests have sufficient length.
+ * Unvalidated lengths in
+ - XFree86-VidModeExtension (CVE-2017-12180)
+ - XFree86-DGA (CVE-2017-12181)
+ - XFree86-DRI (CVE-2017-12182)
+ - XFIXES (CVE-2017-12183)
+ - XINERAMA (CVE-2017-12184)
+ - MIT-SCREEN-SAVER (CVE-2017-12185)
+ - X-Resource (CVE-2017-12186)
+ - RENDER (CVE-2017-12187)
+ * Xi: Test exact size of XIBarrierReleasePointer
+ * Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
+ * Xi: Silence some tautological warnings
+ * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
+ * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
+ * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 13 Oct 2017 11:55:04 +0200
+
xorg-server (2:1.16.4-1+deb8u1) jessie-security; urgency=medium
* CVE-2017-10971 CVE-2017-10972
commit 542ccdcf2b9dd696004bab2e3644d07461835602
Author: Michal Srb <msrb@suse.com>
Date: Thu Jul 27 11:54:26 2017 +0200
xkb: Escape non-printable characters correctly.
XkbStringText escapes non-printable characters using octal numbers. Such escape
sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
in the buffer. Due to char->unsigned int conversion, it would print much longer
string for negative numbers.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
(cherry picked from commit 3094c4c6d879215923f2183ecd048b4f5429b182)
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index 9f2c5d3..74d2235 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -603,7 +603,7 @@ XkbStringText(char *str, unsigned format)
}
else {
*out++ = '0';
- sprintf(out, "%o", *in);
+ sprintf(out, "%o", (unsigned char) *in);
while (*out != '\0')
out++;
}
commit 1caf94cc4c7ac51a925f11c1d9de7eeb8c6e4b4e
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:15:46 2015 -0500
Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
(cherry picked from commit 95f605b42d8bbb6bea2834a1abfc205981c5b803)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 4e24e62..e50a021 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3614,7 +3614,12 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
auth_proto = (char *) prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
commit 49afe4200aa94bc54d90ef14cf2867691adbc0b1
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:09:14 2015 -0500
dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
(cherry picked from commit cc41e5b581d287c56f8d7113a97a4882dcfdd696)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index fc3d475..542d087 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -575,6 +575,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
XdbeScreenVisualInfo *pScrVisInfo;
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(CARD32))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
return BadAlloc;
@@ -926,7 +929,7 @@ SProcDbeSwapBuffers(ClientPtr client)
swapl(&stuff->n);
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
+ return BadLength;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
commit bdb178fb6cee19e13405a00e7f601eb734981bc2
Author: Nathan Kidd <nkidd@opentext.com>
Date: Wed Dec 24 16:22:18 2014 -0500
Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
(cherry picked from commit 6c15122163a2d2615db7e998e8d436815a08dec6)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 8d5b577..0f96c91 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -421,7 +421,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
commit 7a7b8c97240112c0b7b279018908410d854b6ccc
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date: Thu Oct 15 22:28:49 2015 -0700
Xi: Silence some tautological warnings
xichangehierarchy.c:424:23: warning: comparison of constant 536870911 with expression of type 'uint16_t'
(aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
if (stuff->length > (INT_MAX >> 2))
~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
xichangehierarchy.c:438:26: warning: comparison of constant 536870911 with expression of type 'uint16_t'
(aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ee06f674bbcd796324d6daf69bfb5d8856e94008)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 2732445..8d5b577 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -421,9 +421,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- if (stuff->length > (INT_MAX >> 2))
- return BadAlloc;
- len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
@@ -435,7 +433,7 @@ ProcXIChangeHierarchy(ClientPtr client)
SWAPIF(swaps(&any->type));
SWAPIF(swaps(&any->length));
- if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
+ if (len < ((size_t)any->length << 2))
return BadLength;
#define CHANGE_SIZE_MATCH(type) \
commit 70bd4d33207372778ed3a2718ab1ea644b4c5adf
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:04:41 2015 -0500
Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
(cherry picked from commit c77cd08efcf386bcc5d8dfbd0427134b2b2d0888)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index 0bc5761..b0a4a92 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
commit 9a2e0fc2018f708b1879f84eaa49476dbebb3f2d
Author: Nathan Kidd <nkidd@opentext.com>
Date: Sun Dec 21 01:10:03 2014 -0500
hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
(cherry picked from commit d264da92f7f8129b8aad4f0114a6467fc38fc896)
diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
index b9e1e3f..81ca776 100644
--- a/hw/xfree86/common/xf86DGA.c
+++ b/hw/xfree86/common/xf86DGA.c
@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
char *deviceName;
int nameSize;
+ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
{
REQUEST(xXDGACloseFramebufferReq);
+ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
DGACloseFramebuffer(stuff->screen);
return Success;
@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
xXDGAModeInfo info;
XDGAModePtr mode;
+ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
rep.type = X_Reply;
rep.length = 0;
rep.number = 0;
@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
ClientPtr owner;
int size;
+ REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
owner = DGA_GETCLIENT(stuff->screen);
- REQUEST_SIZE_MATCH(xXDGASetModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.offset = 0;
@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
{
REQUEST(xXDGASetViewportReq);
+ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
return Success;
@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
REQUEST(xXDGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
client, DixInstallAccess);
if (rc != Success)
@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
{
REQUEST(xXDGASelectInputReq);
+ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
if (DGA_GETCLIENT(stuff->screen) == client)
DGASelectInput(stuff->screen, client, stuff->mask);
@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
{
REQUEST(xXDGAFillRectangleReq);
+ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
stuff->width, stuff->height, stuff->color))
return BadMatch;
@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
{
REQUEST(xXDGACopyAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx,
stuff->dsty))
@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
{
REQUEST(xXDGACopyTransparentAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx,
stuff->dsty, stuff->key))
@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
REQUEST(xXDGAGetViewportStatusReq);
xXDGAGetViewportStatusReply rep;
+ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
REQUEST(xXDGASyncReq);
xXDGASyncReply rep;
+ REQUEST_SIZE_MATCH(xXDGASyncReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASyncReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
xXDGAChangePixmapModeReply rep;
int x, y;
+ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
REQUEST(xXDGACreateColormapReq);
int result;
+ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
if (!stuff->mode)
return BadValue;
@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
int num, offset, flags;
char *name;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
REQUEST(xXF86DGADirectVideoReq);
+ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
REQUEST(xXF86DGAGetViewPortSizeReq);
xXF86DGAGetViewPortSizeReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
{
REQUEST(xXF86DGASetViewPortReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
REQUEST(xXF86DGAGetVidPageReq);
xXF86DGAGetVidPageReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
{
REQUEST(xXF86DGASetVidPageReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
/* silently fail */
return Success;
@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
REQUEST(xXF86DGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
REQUEST(xXF86DGAQueryDirectVideoReq);
xXF86DGAQueryDirectVideoReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
REQUEST(xXF86DGAViewPortChangedReq);
xXF86DGAViewPortChangedReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
diff --git a/hw/xfree86/common/xf86vmode.c b/hw/xfree86/common/xf86vmode.c
index 2b07833..63df14f 100644
--- a/hw/xfree86/common/xf86vmode.c
+++ b/hw/xfree86/common/xf86vmode.c
@@ -532,6 +532,20 @@ ProcXF86VidModeAddModeLine(ClientPtr client)
DEBUG_P("XF86VidModeAddModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -581,18 +595,6 @@ ProcXF86VidModeAddModeLine(ClientPtr client)
(unsigned long) stuff->after_flags);
}
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -695,6 +697,20 @@ ProcXF86VidModeDeleteModeLine(ClientPtr client)
DEBUG_P("XF86VidModeDeleteModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -725,18 +741,6 @@ ProcXF86VidModeDeleteModeLine(ClientPtr client)
(unsigned long) stuff->flags);
}
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
- }
if (len != stuff->privsize) {
if (xf86GetVerbosity() > DEFAULT_XF86VIDMODE_VERBOSITY) {
ErrorF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
@@ -820,6 +824,20 @@ ProcXF86VidModeModModeLine(ClientPtr client)
DEBUG_P("XF86VidModeModModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -846,18 +864,6 @@ ProcXF86VidModeModModeLine(ClientPtr client)
stuff->vtotal, (unsigned long) stuff->flags);
}
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -949,6 +955,19 @@ ProcXF86VidModeValidateModeLine(ClientPtr client)
DEBUG_P("XF86VidModeValidateModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+ len = client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -979,17 +998,6 @@ ProcXF86VidModeValidateModeLine(ClientPtr client)
(unsigned long) stuff->flags);
}
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
- len = client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -1087,6 +1095,20 @@ ProcXF86VidModeSwitchToMode(ClientPtr client)
DEBUG_P("XF86VidModeSwitchToMode");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -1117,18 +1139,6 @@ ProcXF86VidModeSwitchToMode(ClientPtr client)
(unsigned long) stuff->flags);
}
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -1470,6 +1480,7 @@ ProcXF86VidModeSetGammaRamp(ClientPtr client)
int length;
REQUEST(xXF86VidModeSetGammaRampReq);
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
index 086e833..49bd6d2 100644
--- a/hw/xfree86/dri/xf86dri.c
+++ b/hw/xfree86/dri/xf86dri.c
@@ -570,6 +570,7 @@ static int
SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
{
REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
swaps(&stuff->length);
swapl(&stuff->screen);
return ProcXF86DRIQueryDirectRenderingCapable(client);
commit 0beb544b29c6e94fa1cf105c42fec4f786900efa
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 11:43:05 2015 -0500
xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
(cherry picked from commit 61502107a30d64f991784648c3228ebc6694a032)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 31a408f..26b2053 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -280,6 +280,7 @@ int
SProcXFixesSelectCursorInput(ClientPtr client)
{
REQUEST(xXFixesSelectCursorInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -415,7 +416,7 @@ ProcXFixesSetCursorName(ClientPtr client)
REQUEST(xXFixesSetCursorNameReq);
Atom atom;
- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
tchar = (char *) &stuff[1];
atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1010,6 +1011,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
int i;
CARD16 *in_devices = (CARD16 *) &stuff[1];
+ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
swaps(&stuff->length);
swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
diff --git a/xfixes/region.c b/xfixes/region.c
index f9de525..899c8c2 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -374,6 +374,7 @@ ProcXFixesCopyRegion(ClientPtr client)
RegionPtr pSource, pDestination;
REQUEST(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -390,7 +391,7 @@ SProcXFixesCopyRegion(ClientPtr client)
REQUEST(xXFixesCopyRegionReq);
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
swapl(&stuff->source);
swapl(&stuff->destination);
return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index eb3f658..aa365cf 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int
SProcXFixesChangeSaveSet(ClientPtr client)
{
REQUEST(xXFixesChangeSaveSetReq);
+ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
swaps(&stuff->length);
swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 3307f87..1c254e0 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static int
SProcXFixesQueryVersion(ClientPtr client)
{
REQUEST(xXFixesQueryVersionReq);
+ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
commit 3dc11889861ef45bbf73deb8ed93e55195b82c07
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 09:57:23 2015 -0500
Unvalidated lengths
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
Reply to: