1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From 352687dcfcfc35fe3817c9baf1bc891401165605 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:36 -0500
Subject: [PATCH 18/31] glx: Be more paranoid about variable-length requests
[CVE-2014-8093 1/6]
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
glx/glxcmds.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index c1f4e22..5b50785 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2008,7 +2008,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
@@ -2125,7 +2125,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--
1.9.3
|