xorg-server: Changes to 'debian-stretch'
Xext/panoramiX.c | 3 -
Xext/saver.c | 2
Xext/shm.c | 1
Xext/vidmode.c | 129 +++++++++++++++++++++++---------------------
Xext/xres.c | 4 +
Xext/xvdisp.c | 4 +
Xi/xibarriers.c | 12 +++-
Xi/xichangehierarchy.c | 2
dbe/dbe.c | 5 +
debian/changelog | 24 ++++++++
dix/dispatch.c | 7 ++
hw/dmx/dmxpict.c | 2
hw/xfree86/common/xf86DGA.c | 81 +++++++++++++++------------
hw/xfree86/dri/xf86dri.c | 1
os/io.c | 5 +
pseudoramiX/pseudoramiX.c | 3 -
render/render.c | 3 +
xfixes/cursor.c | 5 +
xfixes/region.c | 3 -
xfixes/saveset.c | 1
xfixes/xfixes.c | 1
xkb/xkbtext.c | 42 +++++++-------
22 files changed, 214 insertions(+), 126 deletions(-)
New commits:
commit 2ab093a5a0bff9c2ecae5f0fdadf6c3f3c3cc249
Author: Julien Cristau <jcristau@debian.org>
Date: Fri Oct 13 15:03:10 2017 +0200
Update changelog
diff --git a/debian/changelog b/debian/changelog
index e9c17ee..3ad93ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+xorg-server (2:1.19.2-1+deb9u2) UNRELEASED; urgency=high
+
+ * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+ * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+ * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
+ * Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
+ * Unvalidated lengths in
+ - XFree86-VidModeExtension (CVE-2017-12180)
+ - XFree86-DGA (CVE-2017-12181)
+ - XFree86-DRI (CVE-2017-12182)
+ - XFIXES (CVE-2017-12183)
+ - XINERAMA (CVE-2017-12184
+ - MIT-SCREEN-SAVER (CVE-2017-12185
+ - X-Resource (CVE-2017-12186
+ - RENDER (CVE-2017-12187)
+ * os: Make sure big requests have sufficient length.
+ * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+ * xkb: Handle xkb formated string output safely (CVE-2017-13723)
+ * xkb: Escape non-printable characters correctly.
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 13 Oct 2017 14:59:22 +0200
+
xorg-server (2:1.19.2-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
commit 338ef8d898611f9cc3952cd5887474cfba9925fd
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:15:46 2015 -0500
Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 78ac095..73fda38 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
auth_proto = (char *) prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
commit 19cc8878d881e7092af02d3bd4ffcbe5fb2f6862
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:09:14 2015 -0500
dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 23f7e16..f31766f 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
XdbeScreenVisualInfo *pScrVisInfo;
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(CARD32))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
swapl(&stuff->n);
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
+ return BadLength;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
commit 2181bc704e6cd16ee675da4b356a417cccf9cbec
Author: Nathan Kidd <nkidd@opentext.com>
Date: Wed Dec 24 16:22:18 2014 -0500
Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index f2b7785..7286eff 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
commit 8e2159d9ba380c7c8a046096d82d6f0f524d5597
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 10:04:41 2015 -0500
Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index 0bc5761..b0a4a92 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
commit 4b7ce33483230b2d882633a019d5b4b3e4f47f25
Author: Nathan Kidd <nkidd@opentext.com>
Date: Sun Dec 21 01:10:03 2014 -0500
hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index ea3ad13..76055c8 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
DEBUG_P("XF86VidModeAddModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
stuff->after_vsyncend, stuff->after_vtotal,
(unsigned long) stuff->after_flags);
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
DEBUG_P("XF86VidModeDeleteModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
(unsigned long) stuff->flags);
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
- }
if (len != stuff->privsize) {
DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
"len = %d, length = %d\n",
@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
DEBUG_P("XF86VidModeModModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
stuff->vtotal, (unsigned long) stuff->flags);
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
DEBUG_P("XF86VidModeValidateModeline");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+ len = client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
(unsigned long) stuff->flags);
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
- len = client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
DEBUG_P("XF86VidModeSwitchToMode");
ver = ClientMajorVersion(client);
+
+ if (ver < 2) {
+ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+ }
+ else {
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+ len =
+ client->req_len -
+ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+ }
+
if (ver < 2) {
/* convert from old format */
stuff = &newstuff;
@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
(unsigned long) stuff->flags);
- if (ver < 2) {
- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
- }
- else {
- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
- len =
- client->req_len -
- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
- }
if (len != stuff->privsize)
return BadLength;
@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
VidModePtr pVidMode;
REQUEST(xXF86VidModeSetGammaRampReq);
+ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
index c689dcb..039f38d 100644
--- a/hw/xfree86/common/xf86DGA.c
+++ b/hw/xfree86/common/xf86DGA.c
@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
char *deviceName;
int nameSize;
+ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
{
REQUEST(xXDGACloseFramebufferReq);
+ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
DGACloseFramebuffer(stuff->screen);
return Success;
@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
xXDGAModeInfo info;
XDGAModePtr mode;
+ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
rep.type = X_Reply;
rep.length = 0;
rep.number = 0;
@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
ClientPtr owner;
int size;
+ REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
owner = DGA_GETCLIENT(stuff->screen);
- REQUEST_SIZE_MATCH(xXDGASetModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.offset = 0;
@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
{
REQUEST(xXDGASetViewportReq);
+ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
return Success;
@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
REQUEST(xXDGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
client, DixInstallAccess);
if (rc != Success)
@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
{
REQUEST(xXDGASelectInputReq);
+ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
if (DGA_GETCLIENT(stuff->screen) == client)
DGASelectInput(stuff->screen, client, stuff->mask);
@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
{
REQUEST(xXDGAFillRectangleReq);
+ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
stuff->width, stuff->height, stuff->color))
return BadMatch;
@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
{
REQUEST(xXDGACopyAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx,
stuff->dsty))
@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
{
REQUEST(xXDGACopyTransparentAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx,
stuff->dsty, stuff->key))
@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
REQUEST(xXDGAGetViewportStatusReq);
xXDGAGetViewportStatusReply rep;
+ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
REQUEST(xXDGASyncReq);
xXDGASyncReply rep;
+ REQUEST_SIZE_MATCH(xXDGASyncReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASyncReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
xXDGAChangePixmapModeReply rep;
int x, y;
+ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
REQUEST(xXDGACreateColormapReq);
int result;
+ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
if (!stuff->mode)
return BadValue;
@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
int num, offset, flags;
char *name;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
REQUEST(xXF86DGADirectVideoReq);
+ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
REQUEST(xXF86DGAGetViewPortSizeReq);
xXF86DGAGetViewPortSizeReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
{
REQUEST(xXF86DGASetViewPortReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
REQUEST(xXF86DGAGetVidPageReq);
xXF86DGAGetVidPageReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
{
REQUEST(xXF86DGASetVidPageReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
/* silently fail */
return Success;
@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
REQUEST(xXF86DGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
REQUEST(xXF86DGAQueryDirectVideoReq);
xXF86DGAQueryDirectVideoReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
REQUEST(xXF86DGAViewPortChangedReq);
xXF86DGAViewPortChangedReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
index 68f8b7e..65f368e 100644
--- a/hw/xfree86/dri/xf86dri.c
+++ b/hw/xfree86/dri/xf86dri.c
@@ -570,6 +570,7 @@ static int
SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
{
REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
swaps(&stuff->length);
swapl(&stuff->screen);
return ProcXF86DRIQueryDirectRenderingCapable(client);
commit 83dd04f5115df32033b31ecba4c1a5cea3c20865
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 11:43:05 2015 -0500
xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index f009a78..6e84d71 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int
SProcXFixesSelectCursorInput(ClientPtr client)
{
REQUEST(xXFixesSelectCursorInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
REQUEST(xXFixesSetCursorNameReq);
Atom atom;
- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
tchar = (char *) &stuff[1];
atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
int i;
CARD16 *in_devices = (CARD16 *) &stuff[1];
+ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
swaps(&stuff->length);
swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
diff --git a/xfixes/region.c b/xfixes/region.c
index dd74d7f..f300d2b 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
RegionPtr pSource, pDestination;
REQUEST(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
REQUEST(xXFixesCopyRegionReq);
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
swapl(&stuff->source);
swapl(&stuff->destination);
return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index eb3f658..aa365cf 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int
SProcXFixesChangeSaveSet(ClientPtr client)
{
REQUEST(xXFixesChangeSaveSetReq);
+ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
swaps(&stuff->length);
swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 8d1bd4c..8b45c53 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static int
SProcXFixesQueryVersion(ClientPtr client)
{
REQUEST(xXFixesQueryVersionReq);
+ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
commit 478c87e2e09c0f4edc17ae993cc2583d399dd29e
Author: Nathan Kidd <nkidd@opentext.com>
Date: Fri Jan 9 09:57:23 2015 -0500
Unvalidated lengths
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 209df29..844ea49 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
xPanoramiXGetScreenSizeReply rep;
int rc;
+ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
if (stuff->screen >= PanoramiXNumScreens)
return BadMatch;
- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
if (rc != Success)
return rc;
diff --git a/Xext/saver.c b/Xext/saver.c
index 750b8b9..45ac4d2 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
PanoramiXRes *draw;
int rc, i;
+ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (rc != Success)
diff --git a/Xext/xres.c b/Xext/xres.c
index ae779df..bc54133 100644
--- a/Xext/xres.c
+++ b/Xext/xres.c
@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
ConstructResourceBytesCtx ctx;
REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
+ return BadLength;
REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
stuff->numSpecs * sizeof(ctx.specs[0]));
@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
int c;
xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
- swapl(&stuff->numSpecs);
REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+ swapl(&stuff->numSpecs);
REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
stuff->numSpecs * sizeof(specs[0]));
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 8a35b7b..4d412b8 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
PanoramiXRes *draw, *gc, *port;
- Bool send_event = stuff->send_event;
+ Bool send_event;
Bool isRoot;
int result, i, x, y;
REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ send_event = stuff->send_event;
+
result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (result != Success)
diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
index 1f1022e..63caec9 100644
--- a/hw/dmx/dmxpict.c
+++ b/hw/dmx/dmxpict.c
@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
filter = (char *) (stuff + 1);
params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
nparams = ((XFixed *) stuff + client->req_len) - params;
+ if (nparams < 0)
Reply to: