diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch new file mode 100644 index 0000000000..a6c97485cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 12:55:45 +1000 | ||
4 | Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput | ||
5 | |||
6 | XTestSwapFakeInput assumes all events in this request are | ||
7 | sizeof(xEvent) and iterates through these in 32-byte increments. | ||
8 | However, a GenericEvent may be of arbitrary length longer than 32 bytes, | ||
9 | so any GenericEvent in this list would result in subsequent events to be | ||
10 | misparsed. | ||
11 | |||
12 | Additional, the swapped event is written into a stack-allocated struct | ||
13 | xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, | ||
14 | swapping the event may thus smash the stack like an avocado on toast. | ||
15 | |||
16 | Catch this case early and return BadValue for any GenericEvent. | ||
17 | Which is what would happen in unswapped setups anyway since XTest | ||
18 | doesn't support GenericEvent. | ||
19 | |||
20 | CVE-2022-46340, ZDI-CAN 19265 | ||
21 | |||
22 | This vulnerability was discovered by: | ||
23 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
24 | |||
25 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
26 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
27 | |||
28 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63] | ||
29 | CVE: CVE-2022-46340 | ||
30 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
31 | --- | ||
32 | Xext/xtest.c | 5 +++-- | ||
33 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
34 | |||
35 | diff --git a/Xext/xtest.c b/Xext/xtest.c | ||
36 | index 38b8012..bf11789 100644 | ||
37 | --- a/Xext/xtest.c | ||
38 | +++ b/Xext/xtest.c | ||
39 | @@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) | ||
40 | |||
41 | nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); | ||
42 | for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { | ||
43 | + int evtype = ev->u.u.type & 0x177; | ||
44 | /* Swap event */ | ||
45 | - proc = EventSwapVector[ev->u.u.type & 0177]; | ||
46 | + proc = EventSwapVector[evtype]; | ||
47 | /* no swapping proc; invalid event type? */ | ||
48 | - if (!proc || proc == NotImplemented) { | ||
49 | + if (!proc || proc == NotImplemented || evtype == GenericEvent) { | ||
50 | client->errorValue = ev->u.u.type; | ||
51 | return BadValue; | ||
52 | } | ||
53 | -- | ||
54 | 2.25.1 | ||
55 | |||