diff options
Diffstat (limited to '')
-rw-r--r-- | patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch new file mode 100644 index 000000000..5d018b1c8 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch @@ -0,0 +1,74 @@ +From ffd61dce4f10aba286ede4143c7763fda315fc49 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 23:12:04 -0800 +Subject: [PATCH 07/31] dbe: unvalidated lengths in DbeSwapBuffers calls + [CVE-2014-8097] + +ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read +from a buffer. The length is never validated, which can lead to out of +bound reads, and possibly returning the data read from out of bounds to +the misbehaving client via an X Error packet. + +SProcDbeSwapBuffers() swaps data (for correct endianness) before +handing it off to the real proc. While doing the swapping, the +length field is not validated, which can cause memory corruption. + +v2: reorder checks to avoid compilers optimizing out checks for overflow +that happen after we'd already have done the overflowing multiplications. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> +--- + dbe/dbe.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index 379feb1..f5a1940 100644 +--- a/dbe/dbe.c ++++ b/dbe/dbe.c +@@ -454,18 +454,20 @@ ProcDbeSwapBuffers(ClientPtr client) + DbeSwapInfoPtr swapInfo; + xDbeSwapInfo *dbeSwapInfo; + int error; +- register int i, j; +- int nStuff; ++ unsigned int i, j; ++ unsigned int nStuff; + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ + + if (nStuff == 0) { ++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); + return Success; + } + + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); + + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *) & stuff[1]; +@@ -956,13 +958,16 @@ static int + SProcDbeSwapBuffers(ClientPtr client) + { + REQUEST(xDbeSwapBuffersReq); +- register int i; ++ unsigned int i; + xDbeSwapInfo *pSwapInfo; + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + + swapl(&stuff->n); ++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { + pSwapInfo = (xDbeSwapInfo *) stuff + 1; +-- +1.9.3 + |