From 48330fbc7cdc7a3de1a4eb1c0af297352075bd8f Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mon, 10 Nov 2014 12:13:47 -0500 Subject: [PATCH 28/31] glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8] v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) Reviewed-by: Michal Srb Reviewed-by: Andy Ritger Signed-off-by: Adam Jackson Signed-off-by: Julien Cristau Signed-off-by: Alan Coopersmith Signed-off-by: Fedora X Ninjas --- glx/indirect_texture_compression.c | 4 ++++ glx/single2.c | 23 +++++++++++++++----- glx/single2swap.c | 19 ++++++++++++---- glx/singlepix.c | 44 +++++++++++++++++++++++++------------- glx/singlepixswap.c | 34 ++++++++++++++++++++++++----- 5 files changed, 95 insertions(+), 29 deletions(-) diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c index 5c2d06b..fe6c6fa 100644 --- a/glx/indirect_texture_compression.c +++ b/glx/indirect_texture_compression.c @@ -47,6 +47,8 @@ __glXDisp_GetCompressedTexImageARB(struct __GLXclientStateRec *cl, GLbyte * pc) __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = *(GLenum *) (pc + 0); @@ -93,6 +95,8 @@ __glXDispSwap_GetCompressedTexImageARB(struct __GLXclientStateRec *cl, __glXForceCurrent(cl, bswap_32(req->contextTag), &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); diff --git a/glx/single2.c b/glx/single2.c index 9597d29..d735149 100644 --- a/glx/single2.c +++ b/glx/single2.c 
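Review bot: The new `REQUEST_FIXED_SIZE(xGLXSingleReq, 8)` in `__glXDisp_GetCompressedTexImageARB` runs after the `cx` initializer has already called `__glXForceCurrent(cl, req->contextTag, &error)`, so an undersized request is only rejected once the tag has been read from `req` (set up above the hunk, presumably) and the context has been made current. The check cannot move earlier as written because it needs `client`, but the initializer can be split: declare `__GLXcontext *cx;` (dropping the `const`) with the other locals, then `REQUEST_FIXED_SIZE(xGLXSingleReq, 8);`, then `cx = __glXForceCurrent(cl, req->contextTag, &error);`. Whether reading the tag before the check is itself safe depends on the dispatcher already guaranteeing a full xGLXSingleReq header, which this patch does not show. The swapped variant in the next hunk has the same ordering, and both functions continue past their hunks.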
@@ -49,11 +49,14 @@ int __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -80,10 +83,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -108,7 +114,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; xGLXRenderModeReply reply; __GLXcontext *cx; GLint nitems = 0, retBytes = 0, retval, newModeCheck; @@ -116,6 +122,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) GLenum newMode; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -192,7 +200,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -211,9 +218,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) int __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; 
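Review bot: The payload width in `REQUEST_FIXED_SIZE(xGLXSingleReq, 8)` added to `__glXDisp_FeedbackBuffer` is a bare number that a reader has to re-derive from the field reads further down, and the commit message itself records a v2 fix for mixing up these checks, so making each count self-explaining is worth the few characters. The hunk's own locals name the two fields, so tie the constant to them: `REQUEST_FIXED_SIZE(xGLXSingleReq, 8);  /* GLsizei size + GLenum type */`. The same treatment would help the `4` in the SelectBuffer and RenderMode hunks on this line, where only `size` respectively the mode is read. `__glXDisp_FeedbackBuffer` continues beyond the hunk.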
@@ -227,10 +237,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) int __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -321,7 +333,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string) int DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; GLenum name; const char *string; @@ -331,6 +343,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) char *buf = NULL, *buf1 = NULL; GLint length = 0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + /* If the client has the opposite byte order, swap the contextTag and * the name. */ @@ -347,7 +361,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) pc += __GLX_SINGLE_HDR_SIZE; name = *(GLenum *) (pc + 0); string = (const char *) CALL_GetString(GET_DISPATCH(), (name)); - client = cl->client; if (string == NULL) string = ""; diff --git a/glx/single2swap.c b/glx/single2swap.c index 1ca5328..907dfdf 100644 --- a/glx/single2swap.c +++ b/glx/single2swap.c @@ -45,6 +45,7 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; @@ -52,6 +53,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -81,12 +84,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; __GLX_DECLARE_SWAP_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -113,7 +119,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; xGLXRenderModeReply reply; GLint nitems = 0, retBytes = 0, retval, newModeCheck; @@ -124,6 +130,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_ARRAY_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -204,7 +212,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -228,11 +235,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -247,12 +257,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -264,7 +276,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) cx->hasUnflushedCommands = GL_FALSE; /* Send empty reply packet to indicate finish is finished */ - client = cl->client; __GLX_BEGIN_REPLY(0); __GLX_PUT_RETVAL(0); __GLX_SWAP_REPLY_HEADER(); diff --git a/glx/singlepix.c b/glx/singlepix.c index 4137798..4771fb4 100644 --- a/glx/singlepix.c +++ b/glx/singlepix.c @@ -55,6 +55,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -107,6 +109,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc) char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -169,6 +173,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc) GLubyte answerBuffer[200]; char *answer; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; 
@@ -231,15 +237,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) + if ((compsize = safe_pad(compsize)) < 0) return BadLength; - if (compsize2 < 0) + if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), @@ -265,7 +269,8 @@ int __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -273,7 +278,8 @@ int __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -343,7 +349,8 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -351,7 +358,8 @@ int __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } 
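Review bot: The value of `safe_add(compsize, compsize2)` is handed straight to `__GLX_GET_ANSWER_BUFFER` without being tested, while the two `safe_pad` results just above are each checked for a negative return. If `safe_add` signals overflow the same way `safe_pad` does (a negative result), that sentinel reaches the buffer macro, and if the macro compares it against a `size_t` the negative value promotes to a huge unsigned size instead of being rejected; the macro body is not visible here, so this part is inferred. Suggest `GLint total = safe_add(compsize, compsize2); if (total < 0) return BadLength;` followed by `__GLX_GET_ANSWER_BUFFER(answer, cl, total, 1);`. GetSeparableFilter starts and ends outside the hunk, and the swapped copy in singlepixswap.c has the same shape.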
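Review bot: In `__glXDisp_GetSeparableFilter` the contextTag is pulled out of the request by `__GLX_GET_SINGLE_CONTEXT_TAG(pc)` in the `tag` initializer before `REQUEST_FIXED_SIZE(xGLXSingleReq, 16)` has verified the request length, and the EXT wrapper that follows does the same with `__GLX_GET_VENDPRIV_CONTEXT_TAG(pc)` ahead of its `xGLXVendorPrivateReq` check. That is only safe if the dispatcher already guarantees a full header of each kind, which this patch does not show. To make each wrapper self-contained, declare `GLXContextTag tag;` with `ClientPtr client = cl->client;`, run `REQUEST_FIXED_SIZE(xGLXSingleReq, 16);`, then assign `tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);` before the call. Every single/vendor-private wrapper pair on this line and the next has the same ordering.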
@@ -411,7 +419,8 @@ int __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -419,7 +428,8 @@ int __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -471,7 +481,8 @@ int __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -479,7 +490,8 @@ int __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -540,7 +552,8 @@ int __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -548,6 +561,7 @@ int __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c index 16ea408..7f007b5 100644 --- a/glx/singlepixswap.c +++ b/glx/singlepixswap.c 
@@ -57,6 +57,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -122,6 +124,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -197,6 +201,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -266,15 +272,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) + if ((compsize = safe_pad(compsize)) < 0) return BadLength; - if (compsize2 < 0) + if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), 
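Review bot: In the swapped GetSeparableFilter hunk the result of `safe_add(compsize, compsize2)` goes into `__GLX_GET_ANSWER_BUFFER` untested, unlike the two `safe_pad` results immediately above, which are each rejected when negative. If `safe_add` reports overflow with a negative value like `safe_pad` does, that value reaches the buffer macro unchecked; what the macro then does with it is not visible from here. Mirror the checks above it: `GLint total = safe_add(compsize, compsize2); if (total < 0) return BadLength;` and pass `total` to the macro. GetSeparableFilter begins and ends outside the hunk.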
@@ -302,7 +306,9 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -310,7 +316,9 @@ int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -388,7 +396,9 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -396,7 +406,9 @@ int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -463,7 +475,9 @@ int __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -471,7 +485,9 @@ int __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } 
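Review bot: `__glXDispSwap_GetSeparableFilter` reads the contextTag with `__GLX_GET_SINGLE_CONTEXT_TAG(pc)` in the `tag` initializer before `REQUEST_FIXED_SIZE(xGLXSingleReq, 16)` has confirmed the request is long enough, and the EXT wrapper below it does the same with `__GLX_GET_VENDPRIV_CONTEXT_TAG(pc)` ahead of its `xGLXVendorPrivateReq` check. This is harmless only if the swapped dispatcher already guarantees a full header of each kind, which is not shown in this patch. Declaring `GLXContextTag tag;`, running `REQUEST_FIXED_SIZE(xGLXSingleReq, 16);`, and then assigning `tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);` keeps validation ahead of any read of the request body. The remaining swapped wrappers on this line and the next follow the same pattern.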
@@ -529,7 +545,9 @@ int __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -537,7 +555,9 @@ int __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -605,7 +625,9 @@ int __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -613,6 +635,8 @@ int __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } -- 1.9.3