    40 patches, fixing several X.Org CVEs in NX. · 45878811
    Mike Gabriel authored
    * Security fixes:
      - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
        all patches from a CVE patch series appear here, then it means that
        the affected file/code is not used in NX at build time.
      - X.Org CVE-2011-2895:
          1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
      - X.Org CVE-2011-4028:
          1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
      - X.Org CVE-2013-4396:
          1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
      - X.Org CVE-2013-6462:
          1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
      - X.Org CVE-2014-0209:
          1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
          1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
      - X.Org CVE-2014-0210:
          1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
          1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
          1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
          1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
          1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
          1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
          1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
      - X.Org CVE-2014-0211:
          1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
          1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
          1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
          1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
      - X.Org CVE-2014-8092:
          1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
          1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
          1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
          1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
      - X.Org CVE-2014-8097:
          1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
      - X.Org CVE-2014-8095:
          1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
      - X.Org CVE-2014-8096:
          1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
      - X.Org CVE-2014-8099:
          1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
      - X.Org CVE-2014-8100:
          1027-render-check-request-size-before-reading-it-CVE-2014.patch
          1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
      - X.Org CVE-2014-8102:
          1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
      - X.Org CVE-2014-8101:
          1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
      - X.Org CVE-2014-8093:
          1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
          1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
          1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
          1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
          1036-glx-Integer-overflow-protection-for-non-generated-re.patch
      - X.Org CVE-2014-8098:
          1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
          1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
          1038-glx-Length-checking-for-non-generated-single-request.patch
          1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
          1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
      - Security fixes with no assigned CVE:
          1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch 5.45 KB
From 50e80a06c84375e39af02b24f01a949cb565a49d Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:39:55 -0500
Subject: [PATCH 09/40] CVE-2014-0210: unvalidated lengths when reading replies
 from font server from xorg/lib/libXfont commit
 cbb64aef35960b2882be721f4b8fbaa0fb649d12

Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
---
 nx-X11/lib/font/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index c159b2b..ca10aa4 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -94,6 +94,12 @@ in this Software without prior written authorization from The Open Group.
 			     (pci)->descent || \
 			     (pci)->characterWidth)
 
+/*
+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
+ * so this converts for doing size comparisons.
+ */
+#define LENGTHOF(r)	(SIZEOF(r) >> 2)
+
 extern void ErrorF(const char *f, ...);
 
 static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
@@ -209,9 +215,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
 		 rep->sequenceNumber,
 		 conn->reqbuffer[i].opcode);
 }
+
+#define _fs_reply_failed(rep, name, op) do {                            \
+    if (rep) {                                                          \
+        if (rep->type == FS_Error)                                      \
+            fprintf (stderr, "Error: %d Request: %s\n",                 \
+                     ((fsError *)rep)->request, #name);                 \
+        else                                                            \
+            fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n",     \
+                     #name, rep->length, op, LENGTHOF(name));           \
+    }                                                                   \
+} while (0)
+
 #else
 #define _fs_add_req_log(conn,op)    ((conn)->current_seq++)
 #define _fs_add_rep_log(conn,rep)
+#define _fs_reply_failed(rep,name,op)
 #endif
 
 static Bool
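Review bot: The debug `fprintf` in the new `_fs_reply_failed` macro prints `rep->length` with `%d`; if that field is the protocol's CARD32 (unsigned 32-bit) as declared in FSproto.h, the specifier does not match the argument type, so cast it and use `%lu`: `#name, (unsigned long) rep->length, op, LENGTHOF(name));`. The file already declares `extern void ErrorF(const char *f, ...)` for its diagnostics (visible in the first hunk), so writing straight to `stderr` here is a stylistic divergence, unless that is deliberate for the debug-only build. The `#ifdef` that encloses both the logging helpers and their empty `#else` variants begins outside the hunk.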
@@ -693,13 +712,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     int			    ret;
 
     rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
-    if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+	(rep->length != LENGTHOF(fsOpenBitmapFontReply)))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	if (rep)
 	    _fs_done_read (conn, rep->length << 2);
 	fs_cleanup_bfont (bfont);
+	_fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
 	return BadFontName;
     }
 	   
@@ -835,13 +856,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     int			ret;
 
     rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
-    if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+	(rep->length < LENGTHOF(fsQueryXInfoReply)))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	if (rep)
 	    _fs_done_read (conn, rep->length << 2);
 	fs_cleanup_bfont (bfont);
+	_fs_reply_failed (rep, fsQueryXInfoReply, "<");
 	return BadFontName;
     }
 	
@@ -962,13 +985,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     FontInfoRec		    *fi = &bfont->pfont->info;
 
     rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
-    if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+	(rep->length < LENGTHOF(fsQueryXExtents16Reply)))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	if (rep)
 	    _fs_done_read (conn, rep->length << 2);
 	fs_cleanup_bfont (bfont);
+	_fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
 	return BadFontName;
     }
 	
@@ -1833,13 +1858,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     unsigned long	    minchar, maxchar;
 
     rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
-    if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+	(rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	if (rep)
 	    _fs_done_read (conn, rep->length << 2);
 	err = AllocError;
+	_fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
 	goto bail;
     }
 
@@ -2243,12 +2270,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     int			err;
 
     rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
-    if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+	(rep->length < LENGTHOF(fsListFontsReply)))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	if (rep)
 	    _fs_done_read (conn, rep->length << 2);
+	_fs_reply_failed (rep, fsListFontsReply, "<");
 	return AllocError;
     }
     data = (char *) rep + SIZEOF (fsListFontsReply);
@@ -2366,12 +2395,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     _fs_free_props (&binfo->info);
 
     rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
-	if (!rep || rep->type == FS_Error)
+    if (!rep || rep->type == FS_Error ||
+       ((rep->nameLength != 0) &&
+        (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
     {
 	if (ret == FSIO_BLOCK)
 	    return StillWorking;
 	binfo->status = FS_LFWI_FINISHED;
 	err = AllocError;
+	_fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
 	goto done;
     }
     /*
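Review bot: The new condition skips the length check entirely when `rep->nameLength == 0`, presumably because the end-of-list reply is shorter than a full `fsListFontsWithXInfoReply`; nothing in the hunk records that, and the code that follows (outside the hunk) must then read nothing past the generic header in that case. A one-line comment above the `if` would make the invariant explicit: `/* nameLength == 0 is the end-of-list reply, which is shorter than a full fsListFontsWithXInfoReply, so only real entries are length-checked */`. It is also worth confirming that `fs_get_reply` guarantees at least a complete generic reply, since a terminator with an undersized `length` is not rejected here. The body of fs_read_list_info continues outside the hunk.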
-- 
2.1.4