Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch | 63 |
1 files changed, 63 insertions, 0 deletions
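--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+randr/rrproperty.c | 2 +-
+randr/rrproviderproperty.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+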
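Review bot: Widening `totalSize` to `uint64_t` in ProcRRChangeOutputProperty and ProcRRChangeProviderProperty only removes the truncation if the value stored into it is computed without wrapping, and the statement that assigns it lies outside both hunks. The operands declared in the visible context are `unsigned long len` and `int sizeInBytes`; on ILP32 targets `unsigned long` is 32 bits, so a plain product of the two would be evaluated in 32 bits before being widened. When applying this backport to the recipe's xserver version, confirm that `len` is range-checked before the multiplication, or that the product is formed in 64 bits, for example `totalSize = (uint64_t) len * sizeInBytes;`. This page is filtered to the patch file alone, so it is also worth confirming that the recipe's SRC_URI lists the patch; otherwise the fix is carried in the tree but never applied.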