diff options
author | Li Zhou <li.zhou@windriver.com> | 2015-04-07 15:49:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-04-10 18:10:26 +0100 |
commit | 77a44c253b80e0a01ebfca90e5682469df636bee (patch) | |
tree | a3aa37e5d97c3a840ebe34c46766004ff6d390bc /meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch | |
parent | 6cbfe0f354a62dbd9252c58a0af24bec68dfeb5f (diff) | |
download | poky-77a44c253b80e0a01ebfca90e5682469df636bee.tar.gz |
xorg-server: Security Advisory - xorg-server - CVE-2015-0255
Updated x11-server packages fix security vulnerability:
Olivier Fourdan from Red Hat has discovered a protocol handling issue in
the way the X server code base handles the XkbSetGeometry request, where
the server trusts the client to send valid string lengths. A malicious
client with string lengths exceeding the request length can cause the server
to copy adjacent memory data into the XKB structs. This data is then
available to the client via the XkbGetGeometry request. This can lead to
information disclosure issues, as well as possibly a denial of service if a
similar request can cause the server to crash (CVE-2015-0255).
(From OE-Core rev: 564e2f9732ac4318bb5923dd1ff771514c9afd2f)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch new file mode 100644 index 0000000000..b0e2bcad43 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch | |||
@@ -0,0 +1,145 @@ | |||
1 | From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Fri, 16 Jan 2015 08:44:45 +0100 | ||
4 | Subject: [PATCH] xkb: Check strings length against request size | ||
5 | |||
6 | Ensure that the given strings length in an XkbSetGeometry request remain | ||
7 | within the limits of the size of the request. | ||
8 | |||
9 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
10 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
11 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
12 | |||
13 | Upstream-Status: backport | ||
14 | |||
15 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
16 | --- | ||
17 | xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++------------------------ | ||
18 | 1 file changed, 40 insertions(+), 25 deletions(-) | ||
19 | |||
20 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
21 | index b9a3ac4..f3988f9 100644 | ||
22 | --- a/xkb/xkb.c | ||
23 | +++ b/xkb/xkb.c | ||
24 | @@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) | ||
25 | |||
26 | /***====================================================================***/ | ||
27 | |||
28 | -static char * | ||
29 | -_GetCountedString(char **wire_inout, Bool swap) | ||
30 | +static Status | ||
31 | +_GetCountedString(char **wire_inout, ClientPtr client, char **str) | ||
32 | { | ||
33 | - char *wire, *str; | ||
34 | + char *wire, *next; | ||
35 | CARD16 len; | ||
36 | |||
37 | wire = *wire_inout; | ||
38 | len = *(CARD16 *) wire; | ||
39 | - if (swap) { | ||
40 | + if (client->swapped) { | ||
41 | swaps(&len); | ||
42 | } | ||
43 | - str = malloc(len + 1); | ||
44 | - if (str) { | ||
45 | - memcpy(str, &wire[2], len); | ||
46 | - str[len] = '\0'; | ||
47 | - } | ||
48 | - wire += XkbPaddedSize(len + 2); | ||
49 | - *wire_inout = wire; | ||
50 | - return str; | ||
51 | + next = wire + XkbPaddedSize(len + 2); | ||
52 | + /* Check we're still within the size of the request */ | ||
53 | + if (client->req_len < | ||
54 | + bytes_to_int32(next - (char *) client->requestBuffer)) | ||
55 | + return BadValue; | ||
56 | + *str = malloc(len + 1); | ||
57 | + if (!*str) | ||
58 | + return BadAlloc; | ||
59 | + memcpy(*str, &wire[2], len); | ||
60 | + *(*str + len) = '\0'; | ||
61 | + *wire_inout = next; | ||
62 | + return Success; | ||
63 | } | ||
64 | |||
65 | static Status | ||
66 | @@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout, | ||
67 | xkbAnyDoodadWireDesc any; | ||
68 | xkbTextDoodadWireDesc text; | ||
69 | XkbDoodadPtr doodad; | ||
70 | + Status status; | ||
71 | |||
72 | dWire = (xkbDoodadWireDesc *) (*wire_inout); | ||
73 | any = dWire->any; | ||
74 | @@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout, | ||
75 | doodad->text.width = text.width; | ||
76 | doodad->text.height = text.height; | ||
77 | doodad->text.color_ndx = dWire->text.colorNdx; | ||
78 | - doodad->text.text = _GetCountedString(&wire, client->swapped); | ||
79 | - doodad->text.font = _GetCountedString(&wire, client->swapped); | ||
80 | + status = _GetCountedString(&wire, client, &doodad->text.text); | ||
81 | + if (status != Success) | ||
82 | + return status; | ||
83 | + status = _GetCountedString(&wire, client, &doodad->text.font); | ||
84 | + if (status != Success) { | ||
85 | + free (doodad->text.text); | ||
86 | + return status; | ||
87 | + } | ||
88 | break; | ||
89 | case XkbIndicatorDoodad: | ||
90 | if (dWire->indicator.onColorNdx >= geom->num_colors) { | ||
91 | @@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout, | ||
92 | } | ||
93 | doodad->logo.color_ndx = dWire->logo.colorNdx; | ||
94 | doodad->logo.shape_ndx = dWire->logo.shapeNdx; | ||
95 | - doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); | ||
96 | + status = _GetCountedString(&wire, client, &doodad->logo.logo_name); | ||
97 | + if (status != Success) | ||
98 | + return status; | ||
99 | break; | ||
100 | default: | ||
101 | client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); | ||
102 | @@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | ||
103 | char *wire; | ||
104 | |||
105 | wire = (char *) &req[1]; | ||
106 | - geom->label_font = _GetCountedString(&wire, client->swapped); | ||
107 | + status = _GetCountedString(&wire, client, &geom->label_font); | ||
108 | + if (status != Success) | ||
109 | + return status; | ||
110 | |||
111 | for (i = 0; i < req->nProperties; i++) { | ||
112 | char *name, *val; | ||
113 | |||
114 | - name = _GetCountedString(&wire, client->swapped); | ||
115 | - if (!name) | ||
116 | - return BadAlloc; | ||
117 | - val = _GetCountedString(&wire, client->swapped); | ||
118 | - if (!val) { | ||
119 | + status = _GetCountedString(&wire, client, &name); | ||
120 | + if (status != Success) | ||
121 | + return status; | ||
122 | + status = _GetCountedString(&wire, client, &val); | ||
123 | + if (status != Success) { | ||
124 | free(name); | ||
125 | - return BadAlloc; | ||
126 | + return status; | ||
127 | } | ||
128 | if (XkbAddGeomProperty(geom, name, val) == NULL) { | ||
129 | free(name); | ||
130 | @@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | ||
131 | for (i = 0; i < req->nColors; i++) { | ||
132 | char *name; | ||
133 | |||
134 | - name = _GetCountedString(&wire, client->swapped); | ||
135 | - if (!name) | ||
136 | - return BadAlloc; | ||
137 | + status = _GetCountedString(&wire, client, &name); | ||
138 | + if (status != Success) | ||
139 | + return status; | ||
140 | if (!XkbAddGeomColor(geom, name, geom->num_colors)) { | ||
141 | free(name); | ||
142 | return BadAlloc; | ||
143 | -- | ||
144 | 1.7.9.5 | ||
145 | |||