
xorg-server: Changes to 'debian-wheezy'



 Xext/panoramiX.c                                                               |    3 
 Xext/saver.c                                                                   |    2 
 Xext/xvdisp.c                                                                  |    4 
 configure.ac                                                                   |    2 
 debian/changelog                                                               |   61 
 debian/patches/0001-Xi-Silence-some-tautological-warnings.patch                |   49 
 debian/patches/0002-Xi-fix-wrong-extra-length-check-in-ProcXIChangeHiera.patch |   33 
 debian/patches/0003-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch |   45 
 debian/patches/16_CVE-2014-mult.diff                                           | 3387 ++++++++++
 debian/patches/17_CVE-regressions.diff                                         |   26 
 debian/patches/CVE-2017-10971.patch                                            |   91 
 debian/patches/CVE-2017-10972.patch                                            |   31 
 debian/patches/dix-Allow-zero-height-PutImage-requests.diff                    |   31 
 debian/patches/series                                                          |   10 
 debian/patches/xkb-Check-strings-length-against-request-size.diff              |  136 
 debian/patches/xkb-Dont-swap-XkbSetGeometry-data-in-the-input-buffer.diff      |  101 
 dix/dispatch.c                                                                 |    7 
 hw/dmx/dmxpict.c                                                               |    2 
 hw/xfree86/dixmods/extmod/xf86vmode.c                                          |  129 
 hw/xfree86/dri/xf86dri.c                                                       |    1 
 hw/xquartz/pseudoramiX.c                                                       |    3 
 include/dix-config.h.in                                                        |    3 
 include/os.h                                                                   |    5 
 os/io.c                                                                        |    5 
 os/mitauth.c                                                                   |    2 
 os/timingsafe_memcmp.c                                                         |   45 
 render/render.c                                                                |    7 
 xfixes/cursor.c                                                                |    5 
 xfixes/region.c                                                                |    3 
 xfixes/saveset.c                                                               |    1 
 xfixes/xfixes.c                                                                |    1 
 xkb/xkbtext.c                                                                  |   42 
 32 files changed, 4185 insertions(+), 88 deletions(-)

New commits:
commit 692b8eeb28df14bae810cd8268468762cb79e2ab
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date:   Tue Nov 21 19:17:17 2017 +0100

    Release to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index aa3e2d8..6b92c41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-xorg-server (2:1.12.4-6+deb7u8) UNRELEASED; urgency=medium
+xorg-server (2:1.12.4-6+deb7u8) wheezy-security; urgency=medium
 
   * Cherry-pick changes from the jessie branch:
 
@@ -19,7 +19,7 @@ xorg-server (2:1.12.4-6+deb7u8) UNRELEASED; urgency=medium
   * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
   * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)
 
- -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 19 Nov 2017 20:09:41 +0100
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 19 Nov 2017 20:27:35 +0100
 
 xorg-server (2:1.12.4-6+deb7u7) wheezy-security; urgency=high
 

commit 895e1b94e9b1fd6a2caf95834b7fa19eccb5f42f
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date:   Sun Nov 19 20:22:49 2017 +0100

    Update changelog

diff --git a/debian/changelog b/debian/changelog
index 56973c0..aa3e2d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+xorg-server (2:1.12.4-6+deb7u8) UNRELEASED; urgency=medium
+
+  * Cherry-pick changes from the jessie branch:
+
+  * render: Fix out of boundary heap access
+  * xkb: Escape non-printable characters correctly.
+  * xkb: Handle xkb formated string output safely (CVE-2017-13723)
+  * os: Make sure big requests have sufficient length.
+  * Unvalidated lengths in
+    - XFree86-VidModeExtension (CVE-2017-12180)
+    - XFree86-DRI (CVE-2017-12182)
+    - XFIXES (CVE-2017-12183)
+    - XINERAMA (CVE-2017-12184)
+    - MIT-SCREEN-SAVER (CVE-2017-12185)
+    - RENDER (CVE-2017-12187)
+  * Xi: Silence some tautological warnings
+  * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
+  * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
+  * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+  * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 19 Nov 2017 20:09:41 +0100
+
 xorg-server (2:1.12.4-6+deb7u7) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Debian LTS Team.

commit b3959182a3667e26b55523300938130384bac857
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date:   Sun Nov 19 20:08:18 2017 +0100

    Patches for CVE-2017-12178 and CVE-2017-12177
    
    These changes need some of the other patches, so they can't
    be cherry-picked, and those patches (16_* in particular) embed
    several commits, so let's leave things this way.

diff --git a/debian/patches/0001-Xi-Silence-some-tautological-warnings.patch b/debian/patches/0001-Xi-Silence-some-tautological-warnings.patch
new file mode 100644
index 0000000..45c0874
--- /dev/null
+++ b/debian/patches/0001-Xi-Silence-some-tautological-warnings.patch
@@ -0,0 +1,49 @@
+From 7a7b8c97240112c0b7b279018908410d854b6ccc Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Thu, 15 Oct 2015 22:28:49 -0700
+Subject: [PATCH 1/2] Xi: Silence some tautological warnings
+
+xichangehierarchy.c:424:23: warning: comparison of constant 536870911 with expression of type 'uint16_t'
+      (aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
+    if (stuff->length > (INT_MAX >> 2))
+        ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+xichangehierarchy.c:438:26: warning: comparison of constant 536870911 with expression of type 'uint16_t'
+      (aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
+        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
+             ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit ee06f674bbcd796324d6daf69bfb5d8856e94008)
+---
+ Xi/xichangehierarchy.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 27324452d..8d5b577b6 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -421,9 +421,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    if (stuff->length > (INT_MAX >> 2))
+-        return BadAlloc;
+-    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+@@ -435,7 +433,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+         SWAPIF(swaps(&any->type));
+         SWAPIF(swaps(&any->length));
+ 
+-        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
++        if (len < ((size_t)any->length << 2))
+             return BadLength;
+ 
+ #define CHANGE_SIZE_MATCH(type) \
+-- 
+2.15.0
+
diff --git a/debian/patches/0002-Xi-fix-wrong-extra-length-check-in-ProcXIChangeHiera.patch b/debian/patches/0002-Xi-fix-wrong-extra-length-check-in-ProcXIChangeHiera.patch
new file mode 100644
index 0000000..ddead33
--- /dev/null
+++ b/debian/patches/0002-Xi-fix-wrong-extra-length-check-in-ProcXIChangeHiera.patch
@@ -0,0 +1,33 @@
+From bdb178fb6cee19e13405a00e7f601eb734981bc2 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: [PATCH 2/2] Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
+(cherry picked from commit 6c15122163a2d2615db7e998e8d436815a08dec6)
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 8d5b577b6..0f96c9164 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -421,7 +421,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+2.15.0
+
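Review bot: `len` is still derived from `stuff->length`, the 16-bit length field in the request header, whereas every other length check in this backport (dispatch.c, xf86vmode.c, dmxpict.c) works from `client->req_len`; if ProcXIChangeHierarchy can be reached through a BIG-REQUESTS request, `stuff->length` is 0 there and `((size_t)0 << 2) - sizeof(xXIChangeHierarchyReq)` wraps to a huge value, which would disable the per-change `len < (any->length << 2)` check that follows. Deriving it from the length the dispatcher actually validated, `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);`, removes that dependency. The REQUEST_AT_LEAST_SIZE that presumably precedes this is outside the hunk, and it tests req_len rather than stuff->length in any case, so it does not close the gap.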
diff --git a/debian/patches/0003-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch b/debian/patches/0003-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch
new file mode 100644
index 0000000..f108580
--- /dev/null
+++ b/debian/patches/0003-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch
@@ -0,0 +1,45 @@
+From 49afe4200aa94bc54d90ef14cf2867691adbc0b1 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: [PATCH] dbe: Unvalidated variable-length request in
+ ProcDbeGetVisualInfo (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
+(cherry picked from commit cc41e5b581d287c56f8d7113a97a4882dcfdd696)
+---
+ dbe/dbe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index fc3d475a8..542d08746 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -575,6 +575,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+     XdbeScreenVisualInfo *pScrVisInfo;
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++    if (stuff->n > UINT32_MAX / sizeof(CARD32))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+ 
+     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+         return BadAlloc;
+@@ -926,7 +929,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+ 
+     swapl(&stuff->n);
+     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+-        return BadAlloc;
++        return BadLength;
+     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+ 
+     if (stuff->n != 0) {
+-- 
+2.15.0
+
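Review bot: In SProcDbeSwapBuffers the overflow guard divides UINT32_MAX by `sizeof(DbeSwapInfoRec)` while the size handed to REQUEST_FIXED_SIZE on the next line is `stuff->n * sizeof(xDbeSwapInfo)`; the guard is presumably sufficient only because the internal Rec is at least as large as the wire struct, and a reader has to know that to see the pair is correct. Using the same type in both places, `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo)) return BadLength;`, makes the guard self-evidently match the multiplication it protects, as the new ProcDbeGetVisualInfo check above does with sizeof(CARD32) on both lines. Only the opening lines of each function are in the hunk; both bodies continue outside it.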
diff --git a/debian/patches/series b/debian/patches/series
index bf3ca1e..0fa4204 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,6 @@ dix-Allow-zero-height-PutImage-requests.diff
 xkb-Dont-swap-XkbSetGeometry-data-in-the-input-buffer.diff
 xkb-Check-strings-length-against-request-size.diff
 CVE-2017-10972.patch
+0001-Xi-Silence-some-tautological-warnings.patch
+0002-Xi-fix-wrong-extra-length-check-in-ProcXIChangeHiera.patch
+0003-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch

commit 92f69eb1d743a335beafc955d8d13fcc9efcb292
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Feb 28 19:18:25 2017 +0100

    Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624
    
    Provide the function definition for systems that don't have it.
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c)

diff --git a/configure.ac b/configure.ac
index 7c7e69e..5374703 100644
--- a/configure.ac
+++ b/configure.ac
@@ -215,7 +215,7 @@ dnl Checks for library functions.
 AC_CHECK_FUNCS([backtrace ffs geteuid getuid issetugid getresuid \
 	getdtablesize getifaddrs getpeereid getpeerucred getzoneid \
 	mmap shmctl64 strncasecmp vasprintf vsnprintf walkcontext])
-AC_REPLACE_FUNCS([strcasecmp strcasestr strlcat strlcpy strndup])
+AC_REPLACE_FUNCS([strcasecmp strcasestr strlcat strlcpy strndup timingsafe_memcmp])
 
 dnl Find the math libary, then check for cbrt function in it.
 AC_CHECK_LIB(m, sqrt)
diff --git a/include/dix-config.h.in b/include/dix-config.h.in
index 3fb6413..fca9df8 100644
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
@@ -210,6 +210,9 @@
 /* Define to 1 if you have the <sys/utsname.h> header file. */
 #undef HAVE_SYS_UTSNAME_H
 
+/* Define to 1 if you have the `timingsafe_memcmp' function. */
+#undef HAVE_TIMINGSAFE_MEMCMP
+
 /* Define to 1 if you have the <tslib.h> header file. */
 #undef HAVE_TSLIB_H
 
diff --git a/include/os.h b/include/os.h
index 4b5b440..e442f69 100644
--- a/include/os.h
+++ b/include/os.h
@@ -558,6 +558,11 @@ extern _X_EXPORT char *
 strndup(const char *str, size_t n);
 #endif
 
+#ifndef HAVE_TIMINGSAFE_MEMCMP
+extern _X_EXPORT int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len);
+#endif
+
 /* Logging. */
 typedef enum _LogParameter {
     XLOG_FLUSH,
diff --git a/os/mitauth.c b/os/mitauth.c
index 768a52a..efae440 100644
--- a/os/mitauth.c
+++ b/os/mitauth.c
@@ -76,7 +76,7 @@ MitCheckCookie(unsigned short data_length,
 
     for (auth = mit_auth; auth; auth = auth->next) {
         if (data_length == auth->len &&
-            memcmp(data, auth->data, (int) data_length) == 0)
+            timingsafe_memcmp(data, auth->data, (int) data_length) == 0)
             return auth->id;
     }
     *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
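Review bot: The `(int) data_length` cast on the new timingsafe_memcmp call is a leftover from the memcmp signature; the replacement takes `size_t`, so the cast narrows an `unsigned short` to `int` only for it to be widened again, and `timingsafe_memcmp(data, auth->data, data_length) == 0` says the same thing without the detour. The `data_length == auth->len` short-circuit ahead of it still makes the comparison's timing depend on whether the length matched; that is acceptable only because the MIT-MAGIC-COOKIE-1 length is not normally a secret, and a one-line comment to that effect, `/* length is public; only the cookie bytes need a constant-time compare */`, would stop the next reader from "fixing" it. MitCheckCookie continues outside the hunk.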
diff --git a/os/timingsafe_memcmp.c b/os/timingsafe_memcmp.c
new file mode 100644
index 0000000..36ab362
--- /dev/null
+++ b/os/timingsafe_memcmp.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2014 Google Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <limits.h>
+#include <string.h>
+
+int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len)
+{
+        const unsigned char *p1 = b1, *p2 = b2;
+        size_t i;
+        int res = 0, done = 0;
+
+        for (i = 0; i < len; i++) {
+                /* lt is -1 if p1[i] < p2[i]; else 0. */
+                int lt = (p1[i] - p2[i]) >> CHAR_BIT;
+
+                /* gt is -1 if p1[i] > p2[i]; else 0. */
+                int gt = (p2[i] - p1[i]) >> CHAR_BIT;
+
+                /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
+                int cmp = lt - gt;
+
+                /* set res = cmp if !done. */
+                res |= cmp & ~done;
+
+                /* set done if p1[i] != p2[i]. */
+                done |= lt | gt;
+        }
+
+        return (res);
+}
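Review bot: `(p1[i] - p2[i]) >> CHAR_BIT` relies on a right shift of a negative `int` yielding -1, which the C standard leaves implementation-defined; the comments above `lt` and `gt` state the -1 result as fact, so the assumption should be written down, e.g. `/* relies on arithmetic right shift of negative int (implementation-defined; true for GCC/Clang) */`. The file also includes neither `dix-config.h` nor `os.h`, so this definition is never checked against the `_X_EXPORT` prototype the same commit adds to include/os.h and a later signature drift would compile silently; `#include <dix-config.h>` followed by `#include "os.h"` at the top would catch that. Finally, constant-time behaviour is a property of the generated code rather than the source — an optimizer may still reintroduce data-dependent branches — so a header comment describing the routine as best-effort constant-time would set expectations correctly.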

commit 6cf74ab0c9ea5309c782996d3c99cccd46617fc4
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 27 11:54:26 2017 +0200

    xkb: Escape non-printable characters correctly.
    
    XkbStringText escapes non-printable characters using octal numbers. Such an
    escape sequence is at most 5 characters long ("\0123"), so it reserves 5 bytes
    in the buffer. Due to the char -> unsigned int conversion, it would print a much
    longer string for negative (high-bit) characters.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
    (cherry picked from commit 3094c4c6d879215923f2183ecd048b4f5429b182)

diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index f2b29cc..e7dd949 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -603,7 +603,7 @@ XkbStringText(char *str, unsigned format)
             }
             else {
                 *out++ = '0';
-                sprintf(out, "%o", *in);
+                sprintf(out, "%o", (unsigned char) *in);
                 while (*out != '\0')
                     out++;
             }
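Review bot: The cast fixes the sign-extension but leaves the reader to re-derive why the unbounded `sprintf` is safe here; a comment on the cast, `/* cast to unsigned char: %o of one byte is at most 3 digits ("377"), so "\0ooo" fits the 5 bytes reserved for an escape */`, records the invariant the buffer sizing depends on. The reservation itself happens outside this hunk, so the comment is the only place the two facts are tied together. XkbStringText continues outside the hunk.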

commit 77a355545fc64237e3d4a8f88d24a5ae7f0f82cb
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 10:15:46 2015 -0500

    Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
    
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
    (cherry picked from commit 95f605b42d8bbb6bea2834a1abfc205981c5b803)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index d971805..16a110f 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3606,7 +3606,12 @@ ProcEstablishConnection(ClientPtr client)
     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
     auth_proto = (char *) prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+	pad_to_int32(prefix->nbytesAuthProto) +
+	pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
         (prefix->minorVersion != X_PROTOCOL_REVISION))
         reason = "Protocol version mismatch";
     else
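Review bot: The new length check reads `prefix->nbytesAuthProto` and `prefix->nbytesAuthString`, and the line above it already used nbytesAuthProto to compute `auth_string`, before anything confirms the request is at least `sz_xReq + sz_xConnClientPrefix` bytes long; if the connection-setup read path does not already guarantee that minimum (it is not visible here), a leading term such as `(client->req_len << 2) < sz_xReq + sz_xConnClientPrefix ||` in the new condition, with the `auth_string` computation moved below it, would make the prefix dereferences safe by construction. The strict `!=` is the right test: trailing bytes beyond the padded strings are rejected rather than silently ignored. ProcEstablishConnection continues outside the hunk.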

commit 659c5cebf8f8570cb3a122a945f022043c80fbbd
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Sun Dec 21 01:10:03 2014 -0500

    hw/xfree86: unvalidated lengths
    
    This addresses:
    CVE-2017-12180 in XFree86-VidModeExtension
    CVE-2017-12181 in XFree86-DGA
    CVE-2017-12182 in XFree86-DRI
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
    (cherry picked from commit d264da92f7f8129b8aad4f0114a6467fc38fc896)

diff --git a/hw/xfree86/dixmods/extmod/xf86vmode.c b/hw/xfree86/dixmods/extmod/xf86vmode.c
index ac3bee0..43d6158 100644
--- a/hw/xfree86/dixmods/extmod/xf86vmode.c
+++ b/hw/xfree86/dixmods/extmod/xf86vmode.c
@@ -524,6 +524,20 @@ ProcXF86VidModeAddModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeAddModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
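Review bot: Moving the size check ahead of the old-format conversion is the right fix, but the same twelve-line `ver < 2` block now appears in five functions of this file (AddModeLine, DeleteModeLine, ModModeLine, ValidateModeLine, SwitchToMode), differing only in the two struct names, and each copy precedes a second `if (ver < 2)` that converts the request. A small static helper that performs the at-least-size test and returns the number of trailing CARD32 words (or -1) would collapse each block to four lines and make a sixth caller hard to get wrong; `len` is compared against `stuff->privsize` later, so it is assumed to be a signed `int` as in the existing code. ProcXF86VidModeAddModeLine continues outside the hunk.

```c
/* Size-check the fixed part of a VidMode request for the client's protocol
 * version and return the number of CARD32 words that follow it (which must
 * equal stuff->privsize), or -1 when the request is shorter than the fixed part. */
static int
VidModePrivLen(ClientPtr client, int ver, size_t oldsz, size_t newsz)
{
    size_t fixed = (ver < 2) ? oldsz : newsz;

    if (client->req_len < bytes_to_int32(fixed))
        return -1;
    return client->req_len - bytes_to_int32(fixed);
}

/* … in ProcXF86VidModeAddModeLine, replacing the moved ver-dependent block … */
    ver = ClientMajorVersion(client);
    len = VidModePrivLen(client, ver, sizeof(xXF86OldVidModeAddModeLineReq),
                         sizeof(xXF86VidModeAddModeLineReq));
    if (len < 0)
        return BadLength;
    /* … unchanged: old-format conversion, privsize comparison … */
```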
@@ -573,18 +587,6 @@ ProcXF86VidModeAddModeLine(ClientPtr client)
                (unsigned long) stuff->after_flags);
     }
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -687,6 +689,20 @@ ProcXF86VidModeDeleteModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeDeleteModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -717,18 +733,6 @@ ProcXF86VidModeDeleteModeLine(ClientPtr client)
              (unsigned long) stuff->flags);
     }
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
-    }
     if (len != stuff->privsize) {
         if (xf86GetVerbosity() > DEFAULT_XF86VIDMODE_VERBOSITY) {
             ErrorF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
@@ -812,6 +816,20 @@ ProcXF86VidModeModModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeModModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -838,18 +856,6 @@ ProcXF86VidModeModModeLine(ClientPtr client)
                stuff->vtotal, (unsigned long) stuff->flags);
     }
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -941,6 +947,19 @@ ProcXF86VidModeValidateModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeValidateModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+        len = client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -971,17 +990,6 @@ ProcXF86VidModeValidateModeLine(ClientPtr client)
              (unsigned long) stuff->flags);
     }
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
-        len = client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1078,6 +1086,20 @@ ProcXF86VidModeSwitchToMode(ClientPtr client)
     DEBUG_P("XF86VidModeSwitchToMode");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -1108,18 +1130,6 @@ ProcXF86VidModeSwitchToMode(ClientPtr client)
              (unsigned long) stuff->flags);
     }
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1458,6 +1468,7 @@ ProcXF86VidModeSetGammaRamp(ClientPtr client)
     int length;
 
     REQUEST(xXF86VidModeSetGammaRampReq);
+    REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
 
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
index 72ce869..5134a15 100644
--- a/hw/xfree86/dri/xf86dri.c
+++ b/hw/xfree86/dri/xf86dri.c
@@ -564,6 +564,7 @@ static int
 SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
 {
     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
     swaps(&stuff->length);
     swapl(&stuff->screen);
     return ProcXF86DRIQueryDirectRenderingCapable(client);

commit 817a68d4bd55d1773aa038213d6e5dfa41c77f41
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 11:43:05 2015 -0500

    xfixes: unvalidated lengths (CVE-2017-12183)
    
    v2: Use before swap (Jeremy Huddleston Sequoia)
    
    v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
    (cherry picked from commit 61502107a30d64f991784648c3228ebc6694a032)

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 7d0b9a1..51e3561 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -298,6 +298,7 @@ int
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -433,7 +434,7 @@ ProcXFixesSetCursorName(ClientPtr client)
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1317,6 +1318,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
 
+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
     swaps(&stuff->length);
     REQUEST_SIZE_MATCH(xXFixesCreatePointerBarrierReq);
     swapl(&stuff->barrier);
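Review bot: Both REQUEST_AT_LEAST_SIZE and the REQUEST_SIZE_MATCH two lines below test `client->req_len`, not `stuff->length`, so the exact-size check does not depend on the `swaps(&stuff->length)` that sits between them and the added pre-swap REQUEST_AT_LEAST_SIZE rejects nothing the SIZE_MATCH would not; the four-byte header the swap touches is the part of the request the dispatcher had to read to route it here in the first place. A single `REQUEST_SIZE_MATCH(xXFixesCreatePointerBarrierReq);` placed before the swap, as SProcXFixesSelectCursorInput does in the first hunk of this file, would be equivalent and consistent. SProcXFixesCreatePointerBarrier continues outside the hunk.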
diff --git a/xfixes/region.c b/xfixes/region.c
index 7110177..2a11730 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -372,6 +372,7 @@ ProcXFixesCopyRegion(ClientPtr client)
     RegionPtr pSource, pDestination;
 
     REQUEST(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -388,7 +389,7 @@ SProcXFixesCopyRegion(ClientPtr client)
     REQUEST(xXFixesCopyRegionReq);
 
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl(&stuff->source);
     swapl(&stuff->destination);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index eb3f658..aa365cf 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index f80230f..7002ea5 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -159,6 +159,7 @@ static int
 SProcXFixesQueryVersion(ClientPtr client)
 {
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);

commit a919013ca024f8490d193e2632e59eefd772b716
Author: Nathan Kidd <nkidd@opentext.com>
Date:   Fri Jan 9 09:57:23 2015 -0500

    Unvalidated lengths
    
    v2: Add overflow check and remove unnecessary check (Julien Cristau)
    
    This addresses:
    CVE-2017-12184 in XINERAMA
    CVE-2017-12185 in MIT-SCREEN-SAVER
    CVE-2017-12186 in X-Resource
    CVE-2017-12187 in RENDER
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
    (cherry picked from commit c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5)

diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 3e5cd62..95b5d46 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -985,10 +985,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
     xPanoramiXGetScreenSizeReply rep;
     int rc;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= PanoramiXNumScreens)
         return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/Xext/saver.c b/Xext/saver.c
index 159153c..bd25aa4 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1203,6 +1203,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
         PanoramiXRes *draw;
         int rc, i;
 
+        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
         rc = dixLookupResourceByClass((pointer *) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
         if (rc != Success)
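Review bot: The new REQUEST_SIZE_MATCH sits inside the indented branch (presumably the Xinerama path), so only that path is covered here; if the alternative path dereferences `stuff->drawable` before its own size check — the rest of ProcScreenSaverUnsetAttributes is outside the hunk — it needs the same guard. Hoisting the one line to the top of the function, directly after the REQUEST() declaration, would protect both paths unconditionally and is the shape the panoramiX.c and pseudoramiX.c hunks of this same commit use.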
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 8abd51c..17ab785 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1557,12 +1557,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((pointer *) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)
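Review bot: Separating the declaration of `send_event` from its initializer loses its purpose unless written down; a future cleanup folding it back into the declarator would silently restore the read of `stuff->send_event` before the length check. I would annotate the assignment: `/* request fields may only be read after REQUEST_SIZE_MATCH */`. XineramaXvShmPutImage ends outside the hunk.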
diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
index b1177cf..a8e85c6 100644
--- a/hw/dmx/dmxpict.c
+++ b/hw/dmx/dmxpict.c
@@ -721,6 +721,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
         filter = (char *) (stuff + 1);
         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
         nparams = ((XFixed *) stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
         XRenderSetPictureFilter(dmxScreen->beDisplay,
                                 pPictPriv->pict, filter, params, nparams);
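Review bot: The `nparams < 0` check keeps the parameter pointer inside the request, but `filter` is still passed to XRenderSetPictureFilter as a bare pointer with no length: the name occupies `stuff->nbytes` bytes of the request and nothing terminates it there, so if the callee measures it with strlen (which is what the libXrender implementation does, as far as I recall), a name that fills its field lets it read past the request buffer. Compare ProcRenderSetPictureFilter in render/render.c in this same commit, which hands `stuff->nbytes` to SetPictureFilter alongside the pointer. Copying the name into a NUL-terminated temporary before the call closes the gap; it needs a `char *name;` local, declared outside the hunk. dmxProcRenderSetPictureFilter starts and ends outside the hunk.
```c
        if (nparams < 0)
            return BadLength;
        /* the callee takes a C string; the request bytes are not NUL-terminated */
        name = malloc(stuff->nbytes + 1);
        if (!name)
            return BadAlloc;
        memcpy(name, filter, stuff->nbytes);
        name[stuff->nbytes] = '\0';
        XRenderSetPictureFilter(dmxScreen->beDisplay,
                                pPictPriv->pict, name, params, nparams);
        free(name);
```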
diff --git a/hw/xquartz/pseudoramiX.c b/hw/xquartz/pseudoramiX.c
index 0f591d5..15e03a4 100644
--- a/hw/xquartz/pseudoramiX.c
+++ b/hw/xquartz/pseudoramiX.c
@@ -262,10 +262,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
 
     TRACE();
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= pseudoramiXNumScreens)
       return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/render/render.c b/render/render.c
index 794fa52..34cade2 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1769,6 +1769,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }
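Review bot: The `params` pointer is derived from `stuff->nbytes` before the new check runs, so for an oversized nbytes it already points beyond the request when `nparams < 0` finally catches it; comparing the lengths arithmetically first avoids forming that pointer at all: `if (client->req_len * 4 < sizeof(xRenderSetPictureFilterReq) + pad_to_int32(stuff->nbytes)) return BadLength;` placed before `params` is assigned, with the existing `nparams` subtraction then guaranteed non-negative. Separately, the added `return BadLength;` is indented with a tab while the surrounding lines use four spaces. ProcRenderSetPictureFilter starts outside the hunk.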

commit 6684b7a2d3fb4fc595cd2df82a731b054e787d86
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 7 17:04:03 2017 +0200

    os: Make sure big requests have sufficient length.
    
    A client can send a big request where the 32-bit "length" field has value
    0. When the big request header is removed and the length corrected,
    the value will underflow to 0xFFFFFFFF.  Functions processing the
    request later will think that the client sent much more data and may
    touch memory beyond the receive buffer.
    
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
    (cherry picked from commit e751722a7b0c5b595794e60b054ade0b3f6cdb4d)

diff --git a/os/io.c b/os/io.c
index 8d0e5cc..7162140 100644
--- a/os/io.c
+++ b/os/io.c
@@ -445,6 +445,11 @@ ReadRequestFromClient(ClientPtr client)
         if (++timesThisConnection >= MAX_TIMES_PER)
             YieldControl();
     if (move_header) {
+        if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+            YieldControlDeath();
+            return -1;
+        }
+
         request = (xReq *) oci->bufptr;
         oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
         *(xReq *) oci->bufptr = *request;
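Review bot: The guard uses `<` against the one-word difference between the big and small headers, so a length of exactly that value passes and, after the subtraction performed later in this function, leaves `client->req_len` at zero words; whether a zero-length request is then rejected depends on code outside the hunk. If the remainder must still hold at least the `xReq` header, the comparison should be `<=`, and in either case the intent deserves a comment such as `/* a bigreq length below the header size would underflow req_len after the header is stripped; drop the client */`. ReadRequestFromClient starts and ends outside the hunk.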

commit a84d3a2413adaa14e1b5aa71ca42c4d04e6e2b4b
Author: Keith Packard <keithp@keithp.com>
Date:   Thu Jul 27 10:08:32 2017 -0700

    xkb: Handle xkb formated string output safely (CVE-2017-13723)
    
    Generating strings for XKB data used a single shared static buffer,
    which offered several opportunities for errors. Use a ring of
    resizable buffers instead, to avoid problems when strings end up
    longer than anticipated.
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)
    (cherry picked from commit 8bd33a2db7337b2801fc630a57e36b6aeea219d9)

diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index f66a08f..f2b29cc 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -47,23 +47,27 @@
 
 /***====================================================================***/
 
-#define	BUFFER_SIZE	512
-
-static char textBuffer[BUFFER_SIZE];
-static int tbNext = 0;
+#define NUM_BUFFER      8
+static struct textBuffer {
+    int size;
+    char *buffer;
+} textBuffer[NUM_BUFFER];
+static int textBufferIndex;
 
 static char *
 tbGetBuffer(unsigned size)
 {
-    char *rtrn;
+    struct textBuffer *tb;
 
-    if (size >= BUFFER_SIZE)
-        return NULL;
-    if ((BUFFER_SIZE - tbNext) <= size)
-        tbNext = 0;
-    rtrn = &textBuffer[tbNext];
-    tbNext += size;
-    return rtrn;
+    tb = &textBuffer[textBufferIndex];
+    textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
+
+    if (size > tb->size) {
+        free(tb->buffer);
+        tb->buffer = xnfalloc(size);
+        tb->size = size;
+    }
+    return tb->buffer;
 }
 
 /***====================================================================***/
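Review bot: `tb->size` is declared `int` while the `size` parameter is `unsigned`, so `size > tb->size` compares across signedness and a request above INT_MAX bytes would be stored as a negative size; declaring the field `unsigned size;` keeps the comparison and the stored value in one type. The ring also recycles a slot every NUM_BUFFER calls, so a caller still holding a pointer from a slot that is reused and grown gets it freed underneath it — this contract is worth stating above tbGetBuffer, e.g. `/* Return a buffer of at least size bytes from a ring of NUM_BUFFER slots; the pointer is valid only until NUM_BUFFER further calls, after which the slot may be resized and freed. */`. Note too that a first call with `size == 0` returns the slot's initial NULL buffer, since `0 > 0` is false; if any caller can pass zero, allocate at least one byte.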
@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
         int len;
 
         len = strlen(atmstr) + 1;
-        if (len > BUFFER_SIZE)
-            len = BUFFER_SIZE - 2;

