diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch new file mode 100644 index 0000000000..e25afa0d16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 13:26:57 +1000 | ||
4 | Subject: [PATCH] Xi: avoid integer truncation in length check of | ||
5 | ProcXIChangeProperty | ||
6 | |||
7 | This fixes an OOB read and the resulting information disclosure. | ||
8 | |||
9 | Length calculation for the request was clipped to a 32-bit integer. With | ||
10 | the correct stuff->num_items value the expected request size was | ||
11 | truncated, passing the REQUEST_FIXED_SIZE check. | ||
12 | |||
13 | The server then proceeded with reading at least stuff->num_items bytes | ||
14 | (depending on stuff->format) from the request and stuffing whatever it | ||
15 | finds into the property. In the process it would also allocate at least | ||
16 | stuff->num_items bytes, i.e. 4GB. | ||
17 | |||
18 | The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, | ||
19 | so let's fix that too. | ||
20 | |||
21 | CVE-2022-46344, ZDI-CAN 19405 | ||
22 | |||
23 | This vulnerability was discovered by: | ||
24 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
25 | |||
26 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
27 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
28 | |||
29 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8] | ||
30 | CVE: CVE-2022-46344 | ||
31 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
32 | --- | ||
33 | Xi/xiproperty.c | 4 ++-- | ||
34 | dix/property.c | 3 ++- | ||
35 | 2 files changed, 4 insertions(+), 3 deletions(-) | ||
36 | |||
37 | diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c | ||
38 | index 6ec419e..0cfa6e3 100644 | ||
39 | --- a/Xi/xiproperty.c | ||
40 | +++ b/Xi/xiproperty.c | ||
41 | @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) | ||
42 | REQUEST(xChangeDevicePropertyReq); | ||
43 | DeviceIntPtr dev; | ||
44 | unsigned long len; | ||
45 | - int totalSize; | ||
46 | + uint64_t totalSize; | ||
47 | int rc; | ||
48 | |||
49 | REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); | ||
50 | @@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client) | ||
51 | { | ||
52 | int rc; | ||
53 | DeviceIntPtr dev; | ||
54 | - int totalSize; | ||
55 | + uint64_t totalSize; | ||
56 | unsigned long len; | ||
57 | |||
58 | REQUEST(xXIChangePropertyReq); | ||
59 | diff --git a/dix/property.c b/dix/property.c | ||
60 | index ff1d669..6fdb74a 100644 | ||
61 | --- a/dix/property.c | ||
62 | +++ b/dix/property.c | ||
63 | @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) | ||
64 | WindowPtr pWin; | ||
65 | char format, mode; | ||
66 | unsigned long len; | ||
67 | - int sizeInBytes, totalSize, err; | ||
68 | + int sizeInBytes, err; | ||
69 | + uint64_t totalSize; | ||
70 | |||
71 | REQUEST(xChangePropertyReq); | ||
72 | |||
73 | -- | ||
74 | 2.25.1 | ||
75 | |||