diff options
Diffstat (limited to 'patches/source/xorg-server-xwayland/CVE-2022-46341.patch')
-rw-r--r-- | patches/source/xorg-server-xwayland/CVE-2022-46341.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/patches/source/xorg-server-xwayland/CVE-2022-46341.patch b/patches/source/xorg-server-xwayland/CVE-2022-46341.patch new file mode 100644 index 000000000..d68fad74d --- /dev/null +++ b/patches/source/xorg-server-xwayland/CVE-2022-46341.patch @@ -0,0 +1,82 @@ +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:55:32 +1000 +Subject: [PATCH] Xi: disallow passive grabs with a detail > 255 + +The XKB protocol effectively prevents us from ever using keycodes above +255. For buttons it's theoretically possible but realistically too niche +to worry about. For all other passive grabs, the detail must be zero +anyway. + +This fixes an OOB write: + +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a +temporary grab struct which contains tempGrab->detail.exact = stuff->detail. +For matching existing grabs, DeleteDetailFromMask is called with the +stuff->detail value. This function creates a new mask with the one bit +representing stuff->detail cleared. + +However, the array size for the new mask is 8 * sizeof(CARD32) bits, +thus any detail above 255 results in an OOB array write. + +CVE-2022-46341, ZDI-CAN 19381 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xi/xipassivegrab.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index 2769fb7c9..c9ac2f855 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) + return BadValue; + } + ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never ++ * implement this. Just return an error for all keycodes that ++ * cannot work anyway, same for buttons > 255. */ ++ if (stuff->detail > 255) ++ return XIAlreadyGrabbed; ++ + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], + stuff->mask_len * 4) != Success) + return BadValue; +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) + ¶m, XI2, &mask); + break; + case XIGrabtypeKeycode: +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never +- * implement this. Just return an error for all keycodes that +- * cannot work anyway */ +- if (stuff->detail > 255) +- status = XIAlreadyGrabbed; +- else +- status = GrabKey(client, dev, mod_dev, stuff->detail, +- ¶m, XI2, &mask); ++ status = GrabKey(client, dev, mod_dev, stuff->detail, ++ ¶m, XI2, &mask); + break; + case XIGrabtypeEnter: + case XIGrabtypeFocusIn: +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) + return BadValue; + } + ++ /* We don't allow passive grabs for details > 255 anyway */ ++ if (stuff->detail > 255) { ++ client->errorValue = stuff->detail; ++ return BadValue; ++ } ++ + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); + if (rc != Success) + return rc; +-- +GitLab + |