authorLi Zhou <li.zhou@windriver.com>2015-04-07 15:49:56 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-10 18:10:26 +0100
commit77a44c253b80e0a01ebfca90e5682469df636bee (patch)
treea3aa37e5d97c3a840ebe34c46766004ff6d390bc /meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch
parent6cbfe0f354a62dbd9252c58a0af24bec68dfeb5f (diff)
xorg-server: Security Advisory - xorg-server - CVE-2015-0255
Updated x11-server packages fix security vulnerability: Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request, where the server trusts the client to send valid string lengths. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. This can lead to information disclosure issues, as well as possibly a denial of service if a similar request can cause the server to crash (CVE-2015-0255). (From OE-Core rev: 564e2f9732ac4318bb5923dd1ff771514c9afd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch145
1 files changed, 145 insertions, 0 deletions
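diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch
new file mode 100644
index 0000000000..b0e2bcad43
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch
@@ -0,0 +1,145 @@
+From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 08:44:45 +0100
+Subject: [PATCH] xkb: Check strings length against request size
+
+Ensure that the given strings length in an XkbSetGeometry request remain
+within the limits of the size of the request.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index b9a3ac4..f3988f9 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
+
+ /***====================================================================***/
+
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
++ char *wire, *next;
+ CARD16 len;
+
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+- if (swap) {
++ if (client->swapped) {
+ swaps(&len);
+ }
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
+- }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+
+ static Status
+@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
+@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ char *wire;
+
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
+--
+1.7.9.5
+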
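Review bot: In `_GetCountedString` the 16-bit length is still loaded with `len = *(CARD16 *) wire;` before anything confirms that `wire + 2` lies inside the request, so the added `req_len` comparison bounds only the string body and a request that ends exactly at `wire` still has its two length bytes read from past the end. A guard placed ahead of the load, reusing the same comparison, would cover the length field as well: `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`. Separately, the text-doodad error path in `_CheckSetDoodad` calls `free (doodad->text.text);` and returns without clearing the pointer; if the caller's cleanup (not visible in this patch) later frees the geometry's doodads, that would presumably be a double free, so adding `doodad->text.text = NULL;` after the `free` is worth considering. `_CheckSetDoodad` and `_CheckSetGeom` both begin and end outside the hunks shown, so the caller-side behaviour should be confirmed against the full file.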