Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch | 86 |
1 files changed, 86 insertions, 0 deletions
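--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xi/xipassivegrab.c | 22 ++++++++++++++--------
+1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+return BadValue;
+}
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+stuff->mask_len * 4) != Success)
+return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+¶m, XI2, &mask);
+break;
+case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+break;
+case XIGrabtypeEnter:
+case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+return BadValue;
+}
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+if (rc != Success)
+return rc;
+--
+2.25.1
+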
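Review bot: The new early check in ProcXIPassiveGrabDevice, `if (stuff->detail > 255) return XIAlreadyGrabbed;`, returns a grab-status constant as the request result and leaves `client->errorValue` unset, whereas the matching check added to ProcXIPassiveUngrabDevice sets `client->errorValue = stuff->detail;` and returns `BadValue`. The removed keycode branch only stored XIAlreadyGrabbed in `status`, so clients presumably now see a different failure for oversized details; as this is a verbatim backport, the code should stay identical to upstream and any change be raised there. Both checks hard-code 255, which the description ties to the size of the mask that DeleteDetailFromMask builds. A comment on the ungrab check such as `/* detail selects a bit in the mask built by DeleteDetailFromMask; values > 255 would write past it */` would record that the bound is a memory-safety guard and not only a protocol limit. Both function bodies continue outside the hunks, and the diffstat is limited to this file, so it is worth confirming that the recipe's SRC_URI lists the patch so that it is actually applied.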