wok-current diff xorg-server/stuff/CVE-2022-46344.patch @ rev 25634

Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author Stanislas Leduc <shann@slitaz.org>
date Sun Jan 14 08:12:37 2024 +0000 (20 months ago)
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/xorg-server/stuff/CVE-2022-46344.patch	Sun Jan 14 08:12:37 2024 +0000
     1.3 @@ -0,0 +1,71 @@
     1.4 +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
     1.5 +From: Peter Hutterer <peter.hutterer@who-t.net>
     1.6 +Date: Tue, 29 Nov 2022 13:26:57 +1000
     1.7 +Subject: [PATCH] Xi: avoid integer truncation in length check of
     1.8 + ProcXIChangeProperty
     1.9 +
    1.10 +This fixes an OOB read and the resulting information disclosure.
    1.11 +
    1.12 +Length calculation for the request was clipped to a 32-bit integer. With
    1.13 +the correct stuff->num_items value the expected request size was
    1.14 +truncated, passing the REQUEST_FIXED_SIZE check.
    1.15 +
    1.16 +The server then proceeded with reading at least stuff->num_items bytes
    1.17 +(depending on stuff->format) from the request and stuffing whatever it
    1.18 +finds into the property. In the process it would also allocate at least
    1.19 +stuff->num_items bytes, i.e. 4GB.
    1.20 +
    1.21 +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
    1.22 +so let's fix that too.
    1.23 +
    1.24 +CVE-2022-46344, ZDI-CAN 19405
    1.25 +
    1.26 +This vulnerability was discovered by:
    1.27 +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    1.28 +
    1.29 +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    1.30 +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
    1.31 +---
    1.32 + Xi/xiproperty.c | 4 ++--
    1.33 + dix/property.c  | 3 ++-
    1.34 + 2 files changed, 4 insertions(+), 3 deletions(-)
    1.35 +
    1.36 +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
    1.37 +index 68c362c62..066ba21fb 100644
    1.38 +--- a/Xi/xiproperty.c
    1.39 ++++ b/Xi/xiproperty.c
    1.40 +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
    1.41 +     REQUEST(xChangeDevicePropertyReq);
    1.42 +     DeviceIntPtr dev;
    1.43 +     unsigned long len;
    1.44 +-    int totalSize;
    1.45 ++    uint64_t totalSize;
    1.46 +     int rc;
    1.47 + 
    1.48 +     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
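Review bot: In ProcXChangeDeviceProperty, widening totalSize to uint64_t only helps if the value stored in it is computed in 64 bits. The neighbouring declaration is "unsigned long len;", which is 32 bits wide on ILP32 targets, and the hunk does not show the expression that fills totalSize. If that expression multiplies len by an int-sized byte width, the product is evaluated as unsigned long and can wrap before the assignment. Cast one operand to uint64_t in the multiplication, or confirm that an earlier bound on len rules the wrap out on 32-bit builds.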
    1.49 +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
    1.50 + {
    1.51 +     int rc;
    1.52 +     DeviceIntPtr dev;
    1.53 +-    int totalSize;
    1.54 ++    uint64_t totalSize;
    1.55 +     unsigned long len;
    1.56 + 
    1.57 +     REQUEST(xXIChangePropertyReq);
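Review bot: The new "uint64_t totalSize;" declaration in ProcXIChangeProperty has no comment saying why it must be wider than int, so a later type cleanup could narrow it again and reopen the truncation the commit message describes. Add a one-line comment on the declaration stating that totalSize holds the request length derived from stuff->num_items and stuff->format and must not be truncated before the REQUEST_FIXED_SIZE check.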
    1.58 +diff --git a/dix/property.c b/dix/property.c
    1.59 +index 94ef5a0ec..acce94b2c 100644
    1.60 +--- a/dix/property.c
    1.61 ++++ b/dix/property.c
    1.62 +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
    1.63 +     WindowPtr pWin;
    1.64 +     char format, mode;
    1.65 +     unsigned long len;
    1.66 +-    int sizeInBytes, totalSize, err;
    1.67 ++    int sizeInBytes, err;
    1.68 ++    uint64_t totalSize;
    1.69 + 
    1.70 +     REQUEST(xChangePropertyReq);
    1.71 + 
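Review bot: In ProcChangeProperty, sizeInBytes stays a signed int while totalSize becomes uint64_t and len is unsigned long. If sizeInBytes takes part in computing totalSize, an unchecked or negative value would be converted to a large unsigned one, and the three size variables now have three different types. Check that format is validated before sizeInBytes is derived from it, and consider making sizeInBytes unsigned so the arithmetic does not mix signedness.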
    1.72 +-- 
    1.73 +GitLab
    1.74 +