Skip to content

N
nx-libs
Commit 45878811 authored by Mike Gabriel's avatar Mike Gabriel
Browse files
Options

40 patches, fixing several X.Org CVEs in NX.

* Security fixes: - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not all patches from a CVE patch series appear here, then it means that the affected file/code is not used in NX at build time. - X.Org CVE-2011-2895: 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch - X.Org CVE-2011-4028: 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch - X.Org CVE-2013-4396: 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch - X.Org CVE-2013-6462: 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch - X.Org CVE-2014-0209: 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch - X.Org CVE-2014-0210: 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch - X.Org CVE-2014-0211: 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch - X.Org CVE-2014-8092: 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch - X.Org CVE-2014-8097: 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch - X.Org CVE-2014-8095: 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch - X.Org CVE-2014-8096: 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch - X.Org CVE-2014-8099: 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch - X.Org CVE-2014-8100: 1027-render-check-request-size-before-reading-it-CVE-2014.patch 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch - X.Org CVE-2014-8102: 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch - X.Org CVE-2014-8101: 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch - X.Org CVE-2014-8093: 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch 1036-glx-Integer-overflow-protection-for-non-generated-re.patch - X.Org CVE-2014-8098: 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch 1038-glx-Length-checking-for-non-generated-single-request.patch 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch - Security fixes with no assigned CVE: 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
parent f46d1179
Expand all Hide whitespace changes
Inline Side-by-side
Showing with 3021 additions and 0 deletions
debian/changelog
View file @ 45878811
......@@ -121,6 +121,73 @@ nx-libs (2:3.5.0.29-0x2go2) UNRELEASED; urgency=medium
launched as x2goagent, use X2Go-specific paths for the keystrokes.cfg file.
(Fixes: #744).
[ Michael DePaulo ]
* Security fixes:
- Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
all patches from a CVE patch series appear here, then it means that
the affected file/code is not used in NX at build time.
- X.Org CVE-2011-2895:
1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
- X.Org CVE-2011-4028:
1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
- X.Org CVE-2013-4396:
1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
- X.Org CVE-2013-6462:
1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
- X.Org CVE-2014-0209:
1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
- X.Org CVE-2014-0210:
1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
- X.Org CVE-2014-0211:
1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
- X.Org CVE-2014-8092:
1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
- X.Org CVE-2014-8097:
1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
- X.Org CVE-2014-8095:
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
- X.Org CVE-2014-8096:
1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
- X.Org CVE-2014-8099:
1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
- X.Org CVE-2014-8100:
1027-render-check-request-size-before-reading-it-CVE-2014.patch
1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
- X.Org CVE-2014-8102:
1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
- X.Org CVE-2014-8101:
1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
- X.Org CVE-2014-8093:
1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
1036-glx-Integer-overflow-protection-for-non-generated-re.patch
- X.Org CVE-2014-8098:
1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
1038-glx-Length-checking-for-non-generated-single-request.patch
1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
- Security fixes with no assigned CVE:
1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
[ Mihai Moldovan ]
* Change string "X2go" to "X2Go" where appropriate.
......
debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch 0 → 100644
View file @ 45878811
From af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 19:15:20 -0500
Subject: [PATCH 01/40] LZW decompress: fix for CVE-2011-2895 From
xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Specially crafted LZW stream can crash an application using libXfont
that is used to open untrusted font files. With X server, this may
allow privilege escalation when exploited
---
nx-X11/lib/font/fontfile/decompress.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index a4c5468..553b315 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f)
*/
while ( code >= 256 )
{
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
*stackp++ = file->tab_suffix[code];
code = file->tab_prefix[code];
}
--
2.1.4
debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch 0 → 100644
View file @ 45878811
From df4a3b7270539843ae76275485ca76efcdf361d9 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 19:16:38 -0500
Subject: [PATCH 02/40] Fix CVE-2011-4028: File disclosure vulnerability.
upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
---
nx-X11/programs/Xserver/os/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
index 9b2431a..79e49d5 100644
--- a/nx-X11/programs/Xserver/os/utils.c
+++ b/nx-X11/programs/Xserver/os/utils.c
@@ -483,7 +483,7 @@ LockServer(void)
/*
* Read the pid from the existing file
*/
- lfd = open(LockFile, O_RDONLY);
+ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
if (lfd < 0) {
unlink(tmp);
FatalError("Can't read lock file %s\n", LockFile);
--
2.1.4
debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch 0 → 100644
View file @ 45878811
From 72790a55862f9a2232ba0cd7b072bbe3887cd820 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 20:01:27 -0500
Subject: [PATCH 03/40] Avoid use-after-free in dix/dixfonts.c: doImageText()
[CVE-2013-4396] from xorg/Xserver
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
---
nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c
index 193f555..42fd647 100644
--- a/nx-X11/programs/Xserver/dix/dixfonts.c
+++ b/nx-X11/programs/Xserver/dix/dixfonts.c
@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1571,6 +1572,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1578,6 +1580,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
if (!data)
{
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1589,6 +1592,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
{
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1602,6 +1606,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
FreeScratchGC(pGC);
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
--
2.1.4
debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch 0 → 100644
View file @ 45878811
From ac6694378e0ed4bdffa6e1318c9d4beda24a6b0e Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 20:12:25 -0500
Subject: [PATCH 04/40] CVE-2013-6462: unlimited sscanf overflows stack buffer
in bdfReadCharacters() from xorg/lib/libXfont
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
Fixes cppcheck warning:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
---
nx-X11/lib/font/bitmap/bdfread.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/bitmap/bdfread.c b/nx-X11/lib/font/bitmap/bdfread.c
index a6f0c1e..bccabd7 100644
--- a/nx-X11/lib/font/bitmap/bdfread.c
+++ b/nx-X11/lib/font/bitmap/bdfread.c
@@ -344,7 +344,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
char charName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
--
2.1.4
debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch 0 → 100644
View file @ 45878811
From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 20:28:30 -0500
Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in
FontFileAddEntry() from xorg/lib/libXfont commit
2f5e57317339c526e6eaee1010b0e2ab8089c42e
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
---
nx-X11/lib/font/fontfile/fontdir.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c
index 8f75d8b..899ff05 100644
--- a/nx-X11/lib/font/fontfile/fontdir.c
+++ b/nx-X11/lib/font/fontfile/fontdir.c
@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
if (table->sorted)
return (FontEntryPtr) 0; /* "cannot" happen */
if (table->used == table->size) {
+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+ /* If we've read so many entries we're going to ask for 2gb
+ or more of memory, something is so wrong with this font
+ directory that we should just give up before we overflow. */
+ return NULL;
newsize = table->size + 100;
entry = (FontEntryPtr) xrealloc(table->entries,
newsize * sizeof(FontEntryRec));
--
2.1.4
debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch 0 → 100644
View file @ 45878811
From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 20:53:14 -0500
Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in
lexAlias() from xorg/lib/libXfont commit
05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
---
nx-X11/lib/font/fontfile/dirfile.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/nx-X11/lib/font/fontfile/dirfile.c b/nx-X11/lib/font/fontfile/dirfile.c
index f390391..3a2fead 100644
--- a/nx-X11/lib/font/fontfile/dirfile.c
+++ b/nx-X11/lib/font/fontfile/dirfile.c
@@ -45,6 +45,7 @@ in this Software without prior written authorization from The Open Group.
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
+#include <limits.h>
static Bool AddFileNameAliases ( FontDirectoryPtr dir );
static int ReadFontAlias ( char *directory, Bool isFile,
@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken)
int nsize;
char *nbuf;
+ if (tokenSize >= (INT_MAX >> 2))
+ /* Stop before we overflow */
+ return EALLOC;
nsize = tokenSize ? (tokenSize << 1) : 64;
nbuf = (char *) xrealloc(tokenBuf, nsize);
if (!nbuf)
--
2.1.4
debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch 0 → 100644
View file @ 45878811
From 94c6de0649cd295044b1e4ff7265949c9c787519 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:03:33 -0500
Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
_fs_recv_conn_setup() from xorg/lib/libXfont commit
891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
---
nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index bac0b8e..0fdcc1d 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret;
fsConnSetup *setup;
FSFpeAltPtr alts;
- int i, alt_len;
+ unsigned int i, alt_len;
int setup_len;
char *alt_save, *alt_names;
@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
+ size_t alt_name_len = setup->alternate_len << 2;
alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
- sizeof (FSFpeAltRec) +
- (setup->alternate_len << 2));
+ sizeof (FSFpeAltRec) + alt_name_len);
if (alts)
{
alt_names = (char *) (setup + 1);
@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
+ if (alt_len >= alt_name_len) {
+ /*
+ * Length is longer than setup->alternate_len
+ * told us to allocate room for, assume entire
+ * alternate list is corrupted.
+ */
+#ifdef DEBUG
+ fprintf (stderr,
+ "invalid alt list (length %lx >= %lx)\n",
+ (long) alt_len, (long) alt_name_len);
+#endif
+ free(alts);
+ return FSIO_ERROR;
+ }
alts[i].name = alt_save;
memcpy (alt_save, alt_names + 2, alt_len);
alt_save[alt_len] = '\0';
alt_save += alt_len + 1;
+ alt_name_len -= alt_len + 1;
alt_names += _fs_pad_length (alt_len + 2);
}
conn->numAlts = setup->num_alternates;
--
2.1.4
debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch 0 → 100644
View file @ 45878811
From a2c7cd9fef2d7d108e224ab47e77130dc98b249d Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:33:30 -0500
Subject: [PATCH 08/40] Don't crash when we receive an FS_Error from the font
server (Guillem Jover). from xorg/lib/libXfont commit
bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
---
nx-X11/lib/font/fc/fserve.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 0fdcc1d..c159b2b 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2366,7 +2366,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
_fs_free_props (&binfo->info);
rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
- if (rep == 0)
+ if (!rep || rep->type == FS_Error)
{
if (ret == FSIO_BLOCK)
return StillWorking;
--
2.1.4
debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch 0 → 100644
View file @ 45878811
From 50e80a06c84375e39af02b24f01a949cb565a49d Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:39:55 -0500
Subject: [PATCH 09/40] CVE-2014-0210: unvalidated lengths when reading replies
from font server from xorg/lib/libXfont commit
cbb64aef35960b2882be721f4b8fbaa0fb649d12
Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
---
nx-X11/lib/font/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index c159b2b..ca10aa4 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -94,6 +94,12 @@ in this Software without prior written authorization from The Open Group.
(pci)->descent || \
(pci)->characterWidth)
+/*
+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
+ * so this converts for doing size comparisons.
+ */
+#define LENGTHOF(r) (SIZEOF(r) >> 2)
+
extern void ErrorF(const char *f, ...);
static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
@@ -209,9 +215,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
rep->sequenceNumber,
conn->reqbuffer[i].opcode);
}
+
+#define _fs_reply_failed(rep, name, op) do { \
+ if (rep) { \
+ if (rep->type == FS_Error) \
+ fprintf (stderr, "Error: %d Request: %s\n", \
+ ((fsError *)rep)->request, #name); \
+ else \
+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
+ #name, rep->length, op, LENGTHOF(name)); \
+ } \
+} while (0)
+
#else
#define _fs_add_req_log(conn,op) ((conn)->current_seq++)
#define _fs_add_rep_log(conn,rep)
+#define _fs_reply_failed(rep,name,op)
#endif
static Bool
@@ -693,13 +712,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
int ret;
rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
{
if (ret == FSIO_BLOCK)
return StillWorking;
if (rep)
_fs_done_read (conn, rep->length << 2);
fs_cleanup_bfont (bfont);
+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
return BadFontName;
}
@@ -835,13 +856,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
int ret;
rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ (rep->length < LENGTHOF(fsQueryXInfoReply)))
{
if (ret == FSIO_BLOCK)
return StillWorking;
if (rep)
_fs_done_read (conn, rep->length << 2);
fs_cleanup_bfont (bfont);
+ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
return BadFontName;
}
@@ -962,13 +985,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FontInfoRec *fi = &bfont->pfont->info;
rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
{
if (ret == FSIO_BLOCK)
return StillWorking;
if (rep)
_fs_done_read (conn, rep->length << 2);
fs_cleanup_bfont (bfont);
+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
return BadFontName;
}
@@ -1833,13 +1858,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
unsigned long minchar, maxchar;
rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
{
if (ret == FSIO_BLOCK)
return StillWorking;
if (rep)
_fs_done_read (conn, rep->length << 2);
err = AllocError;
+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
goto bail;
}
@@ -2243,12 +2270,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
int err;
rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ (rep->length < LENGTHOF(fsListFontsReply)))
{
if (ret == FSIO_BLOCK)
return StillWorking;
if (rep)
_fs_done_read (conn, rep->length << 2);
+ _fs_reply_failed (rep, fsListFontsReply, "<");
return AllocError;
}
data = (char *) rep + SIZEOF (fsListFontsReply);
@@ -2366,12 +2395,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
_fs_free_props (&binfo->info);
rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
- if (!rep || rep->type == FS_Error)
+ if (!rep || rep->type == FS_Error ||
+ ((rep->nameLength != 0) &&
+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
{
if (ret == FSIO_BLOCK)
return StillWorking;
binfo->status = FS_LFWI_FINISHED;
err = AllocError;
+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
goto done;
}
/*
--
2.1.4
debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch 0 → 100644
View file @ 45878811
From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:43:42 -0500
Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in
fs_get_reply/_fs_start_read from xorg/lib/libXfont commit
0f1a5d372c143f91a602bdf10c917d7eabaee09b
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
---
nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index ca10aa4..7762653 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group.
*/
#define LENGTHOF(r) (SIZEOF(r) >> 2)
+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
+
extern void ErrorF(const char *f, ...);
static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error)
rep = (fsGenericReply *) buf;
+ /*
+ * Refuse to accept replies longer than a maximum reasonable length,
+ * before we pass to _fs_start_read, since it will try to resize the
+ * incoming connection buffer to this size. Also avoids integer overflow
+ * on 32-bit systems.
+ */
+ if (rep->length > MAX_REPLY_LENGTH)
+ {
+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
+ " from font server\n", rep->length);
+ _fs_connection_died (conn);
+ *error = FSIO_ERROR;
+ return 0;
+ }
+
ret = _fs_start_read (conn, rep->length << 2, &buf);
if (ret != FSIO_READY)
{
--
2.1.4
debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch 0 → 100644
View file @ 45878811
From c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:08:09 -0500
Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in
fs_read_query_info() from xorg/lib/libXfont commit
491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
---
nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++-----
nx-X11/lib/font/fc/fserve.c | 40 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index 9ff54f5..d41e0b8 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
for (i = 0; i < nprops; i++, dprop++, is_str++)
{
memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
dprop->name = MakeAtom(&pdc[local_off.name.position],
local_off.name.length, 1);
if (local_off.type != PropTypeString) {
@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
dprop->value = local_off.value.position;
} else {
*is_str = TRUE;
+ if ((local_off.value.position >= pi->data_len) ||
+ (local_off.value.length >
+ (pi->data_len - local_off.value.position)))
+ goto bail;
dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
local_off.value.length, 1);
if (dprop->value == BAD_RESOURCE)
{
- xfree (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
- pfi->isStringProp = 0;
- return -1;
+ bail:
+ xfree (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+ pfi->isStringProp = 0;
+ return -1;
}
}
off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 7762653..2a6f6c9 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -865,6 +865,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSFpePtr conn = (FSFpePtr) fpe->private;
fsQueryXInfoReply *rep;
char *buf;
+ long bufleft; /* length of reply left to use */
fsPropInfo *pi;
fsPropOffset *po;
pointer pd;
@@ -895,7 +896,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
buf = (char *) rep;
buf += SIZEOF(fsQueryXInfoReply);
-
+
+ bufleft = rep->length << 2;
+ bufleft -= SIZEOF(fsQueryXInfoReply);
+
/* move the data over */
fsUnpack_XFontInfoHeader(rep, pInfo);
@@ -903,19 +907,51 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
_fs_init_fontinfo(conn, pInfo);
/* Compute offsets into the reply */
+ if (bufleft < SIZEOF(fsPropInfo))
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
+ bufleft);
+#endif
+ goto bail;
+ }
pi = (fsPropInfo *) buf;
buf += SIZEOF (fsPropInfo);
+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
+ if (bufleft < pi->data_len)
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+ bufleft, pi->data_len);
+#endif
+ goto bail;
+ }
po = (fsPropOffset *) buf;
buf += pi->num_offsets * SIZEOF(fsPropOffset);
+ bufleft -= pi->data_len;
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+ bufleft, pi->data_len);
+#endif
+ goto bail;
+ }
pd = (pointer) buf;
buf += pi->data_len;
+ bufleft -= pi->data_len;
/* convert the properties and step over the reply */
ret = _fs_convert_props(pi, po, pd, pInfo);
+ bail:
_fs_done_read (conn, rep->length << 2);
-
+
if (ret == -1)
{
fs_cleanup_bfont (bfont);
--
2.1.4
debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch 0 → 100644
View file @ 45878811
From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:19:01 -0500
Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in
fs_read_extent_info() from xorg/lib/libXfont commit
c578408c1fd4db09e4e3173f8a9e65c81cc187c1
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
---
nx-X11/lib/font/fc/fserve.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 2a6f6c9..639964c 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group.
#include "fservestr.h"
#include <X11/fonts/fontutil.h>
#include <errno.h>
+#include <limits.h>
#include <time.h>
#define Time_t time_t
@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
numInfos *= 2;
haveInk = TRUE;
}
- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
+ numInfos, (INT_MAX / sizeof(CharInfoRec)));
+#endif
+ pCI = NULL;
+ }
+ else
+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
if (!pCI)
{
--
2.1.4
debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch 0 → 100644
View file @ 45878811
From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:23:51 -0500
Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
---
nx-X11/lib/font/fc/fsconvert.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index d41e0b8..afa2c32 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
FSGlyphPtr glyphs;
FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
- glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
+ glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ else
+ glyphs = NULL;
+ if (glyphs == NULL)
+ return NULL;
glyphs->next = fsfont->glyphs;
fsfont->glyphs = glyphs;
return (pointer) (glyphs + 1);
--
2.1.4
debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch 0 → 100644
View file @ 45878811
From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:26:16 -0500
Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in
fs_read_extent_info() from xorg/lib/libXfont commit
a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
---
nx-X11/lib/font/fc/fserve.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 639964c..79de4f3 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
#endif
pCI = NULL;
}
+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+ / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+ numExtents, rep->length,
+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+ pCI = NULL;
+ }
else
pCI = malloc(sizeof(CharInfoRec) * numInfos);
--
2.1.4
debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch 0 → 100644
View file @ 45878811
From ece51493f1d970f45e53588e33a700464a42fbab Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:27:47 -0500
Subject: [PATCH 15/40] CVE-2014-0210: unvalidated length fields in
fs_read_glyphs() from xorg/lib/libXfont commit
520683652564c2a4e42328ae23eef9bb63271565
fs_read_glyphs() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.
---
nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 79de4f3..26218e5 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FontInfoPtr pfi = &pfont->info;
fsQueryXBitmaps16Reply *rep;
char *buf;
+ long bufleft; /* length of reply left to use */
fsOffset32 *ppbits;
fsOffset32 local_off;
char *off_adr;
@@ -1947,9 +1948,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
buf = (char *) rep;
buf += SIZEOF (fsQueryXBitmaps16Reply);
+ bufleft = rep->length << 2;
+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
+
+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
+ {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
+ rep->num_chars, bufleft, SIZEOF (fsOffset32));
+#endif
+ err = AllocError;
+ goto bail;
+ }
ppbits = (fsOffset32 *) buf;
buf += SIZEOF (fsOffset32) * (rep->num_chars);
+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
+ if (bufleft < rep->nbytes)
+ {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
+ rep->nbytes, bufleft);
+#endif
+ err = AllocError;
+ goto bail;
+ }
pbitmaps = (pointer ) buf;
if (blockrec->type == FS_LOAD_GLYPHS)
@@ -2007,7 +2032,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
*/
if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
{
- if (local_off.length)
+ if (local_off.length &&
+ (local_off.position < rep->nbytes) &&
+ (local_off.length <= (rep->nbytes - local_off.position)))
{
bits = allbits;
allbits += local_off.length;
--
2.1.4
debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch 0 → 100644
View file @ 45878811
From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:35:21 -0500
Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in
fs_read_list() from xorg/lib/libXfont commit
5fa73ac18474be3032ee7af9c6e29deab163ea39
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
---
nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 26218e5..60d9017 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
fsListFontsReply *rep;
char *data;
+ long dataleft; /* length of reply left to use */
int length,
i,
ret;
@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
return AllocError;
}
data = (char *) rep + SIZEOF (fsListFontsReply);
+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
err = Successful;
/* copy data into FontPathRecord */
for (i = 0; i < rep->nFonts; i++)
{
+ if (dataleft < 1)
+ break;
length = *(unsigned char *)data++;
+ dataleft--; /* used length byte */
+ if (length > dataleft) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFonts: name length (%d) > dataleft (%ld)\n",
+ length, dataleft);
+#endif
+ err = BadFontName;
+ break;
+ }
err = AddFontNamesName(blist->names, data, length);
if (err != Successful)
break;
data += length;
+ dataleft -= length;
}
_fs_done_read (conn, rep->length << 2);
return err;
--
2.1.4
debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch 0 → 100644
View file @ 45878811
From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:38:32 -0500
Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in
fs_read_list_info() from xorg/lib/libXfont commit
d338f81df1e188eb16e1d6aeea7f4800f89c1218
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
---
nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 60d9017..6ba3ad4 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
fsListFontsWithXInfoReply *rep;
char *buf;
+ long bufleft;
FSFpePtr conn = (FSFpePtr) fpe->private;
fsPropInfo *pi;
fsPropOffset *po;
@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
}
buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
-
+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
+
/*
* The original FS implementation didn't match
* the spec, version 1 was respecified to match the FS.
@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
*/
if (conn->fsMajorVersion <= 1)
{
+ if (rep->nameLength > bufleft) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
+ (int) rep->nameLength, bufleft);
+#endif
+ err = AllocError;
+ goto done;
+ }
+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
memcpy (binfo->name, buf, rep->nameLength);
buf += _fs_pad_length (rep->nameLength);
+ bufleft -= _fs_pad_length (rep->nameLength);
}
pi = (fsPropInfo *) buf;
+ if (SIZEOF (fsPropInfo) > bufleft) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
+ (int) SIZEOF (fsPropInfo), bufleft);
+#endif
+ err = AllocError;
+ goto done;
+ }
+ bufleft -= SIZEOF (fsPropInfo);
buf += SIZEOF (fsPropInfo);
po = (fsPropOffset *) buf;
+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
+#endif
+ err = AllocError;
+ goto done;
+ }
+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
buf += pi->num_offsets * SIZEOF (fsPropOffset);
pd = (pointer) buf;
+ if (pi->data_len > bufleft) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
+ pi->data_len, bufleft);
+#endif
+ err = AllocError;
+ goto done;
+ }
+ bufleft -= pi->data_len;
buf += pi->data_len;
if (conn->fsMajorVersion > 1)
{
+ if (rep->nameLength > bufleft) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
+ (int) rep->nameLength, bufleft);
+#endif
+ err = AllocError;
+ goto done;
+ }
+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
memcpy (binfo->name, buf, rep->nameLength);
buf += _fs_pad_length (rep->nameLength);
+ bufleft -= _fs_pad_length (rep->nameLength);
}
#ifdef DEBUG
--
2.1.4
debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch 0 → 100644
View file @ 45878811
From 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 17 Jan 2014 18:54:03 -0800
Subject: [PATCH 18/40] unchecked malloc may allow unauthed client to crash
Xserver [CVE-2014-8091]
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/rpcauth.c
---
nx-X11/programs/Xserver/os/rpcauth.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c
index 3c5cb59..a12931e 100644
--- a/nx-X11/programs/Xserver/os/rpcauth.c
+++ b/nx-X11/programs/Xserver/os/rpcauth.c
@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = (char *) xalloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *)&msg, 0, sizeof(msg));
--
2.1.4
debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch 0 → 100644
View file @ 45878811
From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 21:11:16 -0800
Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
---
nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
index 6941456..5ad2f5a 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
-
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;
--
2.1.4
debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch 0 → 100644
View file @ 45878811
From d4c76981f7fddb364166464c571ed8d3de3086cd Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 6 Jan 2014 23:30:14 -0800
Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
---
nx-X11/programs/Xserver/os/access.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c
index b6a70a7..0e9d138 100644
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1719,6 +1719,10 @@ GetHosts (
{
nHosts++;
n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n)
{
@@ -1730,6 +1734,8 @@ GetHosts (
for (host = validhosts; host; host = host->next)
{
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ break;
((xHostEntry *)ptr)->family = host->family;
((xHostEntry *)ptr)->length = len;
ptr += sizeof(xHostEntry);
--
2.1.4
debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch 0 → 100644
View file @ 45878811
From ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 22:37:15 -0800
Subject: [PATCH 21/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
3/4]
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
---
nx-X11/programs/Xserver/include/regionstr.h | 10 +++++---
nx-X11/programs/Xserver/mi/miregion.c | 39 ++++++++++++++++++++---------
2 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h
index 000bf3f..cf41170 100644
--- a/nx-X11/programs/Xserver/include/regionstr.h
+++ b/nx-X11/programs/Xserver/include/regionstr.h
@@ -53,6 +53,9 @@ SOFTWARE.
typedef struct _Region RegionRec, *RegionPtr;
+#include <stddef.h>
+#include <limits.h>
+
#include "miscstruct.h"
/* Return values from RectIn() */
@@ -93,7 +96,7 @@ extern RegDataRec miBrokenData;
#define REGION_BOX(reg,i) (&REGION_BOXPTR(reg)[i])
#define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects)
#define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1)
-#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)))
+#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0)
/* Keith recommends weaning the region code of pScreen argument */
#define REG_pScreen screenInfo.screens[0]
@@ -257,9 +260,10 @@ extern RegDataRec miBrokenData;
} \
else \
{ \
+ size_t rgnSize; \
(_pReg)->extents = miEmptyBox; \
- if (((_size) > 1) && ((_pReg)->data = \
- (RegDataPtr)xalloc(REGION_SZOF(_size)))) \
+ if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \
+ ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \
{ \
(_pReg)->data->size = (_size); \
(_pReg)->data->numRects = 0; \
diff --git a/nx-X11/programs/Xserver/mi/miregion.c b/nx-X11/programs/Xserver/mi/miregion.c
index df33248..5ec4ec5 100644
--- a/nx-X11/programs/Xserver/mi/miregion.c
+++ b/nx-X11/programs/Xserver/mi/miregion.c
@@ -172,7 +172,6 @@ Equipment Corporation.
((r1)->y1 <= (r2)->y1) && \
((r1)->y2 >= (r2)->y2) )
-#define xallocData(n) (RegDataPtr)xalloc(REGION_SZOF(n))
#define xfreeData(reg) if ((reg)->data && (reg)->data->size) xfree((reg)->data)
#define RECTALLOC_BAIL(pReg,n,bail) \
@@ -209,8 +208,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
#define DOWNSIZE(reg,numRects) \
if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
{ \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)xrealloc((reg)->data, REGION_SZOF(numRects)); \
+ size_t NewSize = REGION_SZOF(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? (RegDataPtr)xrealloc((reg)->data, NewSize) : NULL; \
if (NewData) \
{ \
NewData->size = (numRects); \
@@ -337,7 +337,7 @@ miRegionCreate(rect, size)
int size;
{
register RegionPtr pReg;
-
+ size_t newSize;
pReg = (RegionPtr)xalloc(sizeof(RegionRec));
if (!pReg)
return &miBrokenRegion;
@@ -349,7 +349,9 @@ miRegionCreate(rect, size)
else
{
pReg->extents = miEmptyBox;
- if ((size > 1) && (pReg->data = xallocData(size)))
+ newSize = REGION_SZOF(size);
+ if ((size > 1) && (newSize > 0) &&
+ (pReg->data = xalloc(newSize)))
{
pReg->data->size = size;
pReg->data->numRects = 0;
@@ -371,6 +373,8 @@ miRegionInit(pReg, rect, size)
BoxPtr rect;
int size;
{
+ size_t newSize;
+
if (rect)
{
pReg->extents = *rect;
@@ -379,7 +383,9 @@ miRegionInit(pReg, rect, size)
else
{
pReg->extents = miEmptyBox;
- if ((size > 1) && (pReg->data = xallocData(size)))
+ newSize = REGION_SZOF(size);
+ if ((size > 1) && (newSize > 0) &&
+ (pReg->data = xalloc(newSize)))
{
pReg->data->size = size;
pReg->data->numRects = 0;
@@ -423,11 +429,13 @@ miRectAlloc(
int n)
{
RegDataPtr data;
+ size_t rgnSize;
if (!pRgn->data)
{
n++;
- pRgn->data = xallocData(n);
+ rgnSize = REGION_SZOF(n);
+ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL;
if (!pRgn->data)
return miRegionBreak (pRgn);
pRgn->data->numRects = 1;
@@ -435,7 +443,8 @@ miRectAlloc(
}
else if (!pRgn->data->size)
{
- pRgn->data = xallocData(n);
+ rgnSize = REGION_SZOF(n);
+ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL;
if (!pRgn->data)
return miRegionBreak (pRgn);
pRgn->data->numRects = 0;
@@ -449,7 +458,8 @@ miRectAlloc(
n = 250;
}
n += pRgn->data->numRects;
- data = (RegDataPtr)xrealloc(pRgn->data, REGION_SZOF(n));
+ rgnSize = REGION_SZOF(n);
+ data = (rgnSize > 0) ? xrealloc(pRgn->data, rgnSize) : NULL;
if (!data)
return miRegionBreak (pRgn);
pRgn->data = data;
@@ -476,8 +486,10 @@ miRegionCopy(dst, src)
}
if (!dst->data || (dst->data->size < src->data->numRects))
{
+ size_t newSize = REGION_SZOF(src->data->numRects);
xfreeData(dst);
- dst->data = xallocData(src->data->numRects);
+
+ dst->data = newSize > 0 ? xalloc(newSize) : NULL;
if (!dst->data)
return miRegionBreak (dst);
dst->data->size = src->data->numRects;
@@ -1667,6 +1679,7 @@ miRectsToRegion(nrects, prect, ctype)
register BoxPtr pBox;
register int i;
int x1, y1, x2, y2;
+ size_t newSize;
pRgn = miRegionCreate(NullBox, 0);
if (REGION_NAR (pRgn))
@@ -1691,7 +1704,8 @@ miRectsToRegion(nrects, prect, ctype)
}
return pRgn;
}
- pData = xallocData(nrects);
+ newSize = REGION_SZOF(nrects);
+ pData = newSize > 0 ? xalloc(newSize) : NULL;
if (!pData)
{
miRegionBreak (pRgn);
@@ -2206,8 +2220,9 @@ miRegionDataCopy(
}
if (!dst->data || (dst->data->size < src->data->numRects))
{
+ size_t newSize = REGION_SZOF(src->data->numRects);
xfreeData(dst);
- dst->data = xallocData(src->data->numRects);
+ dst->data = newSize > 0 ? xalloc(newSize) : NULL;
if (!dst->data)
return miRegionBreak (dst);
}
--
2.1.4
debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch 0 → 100644
View file @ 45878811
From 82d7279ebfa04f319e68145b3adbf65716e59584 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 23:44:46 -0800
Subject: [PATCH 22/40] dix: integer overflow in REQUEST_FIXED_SIZE()
[CVE-2014-8092 4/4]
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
RHEL5: add #include <stdint.h> for uint64_t
v3: backport to nx-libs 3.6.x (Mike DePaulo)
---
nx-X11/programs/Xserver/include/dix.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
index 1b8fc42..d82979c 100644
--- a/nx-X11/programs/Xserver/include/dix.h
+++ b/nx-X11/programs/Xserver/include/dix.h
@@ -50,6 +50,8 @@ SOFTWARE.
#ifndef DIX_H
#define DIX_H
+#include <stdint.h>
+
#include "gc.h"
#include "window.h"
#include "input.h"
@@ -73,7 +75,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
--
2.1.4
debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch 0 → 100644
View file @ 45878811
From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 23:12:04 -0800
Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls
[CVE-2014-8097]
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dbe/dbe.c
---
nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
index c0d6131..5a1e9b0 100644
--- a/nx-X11/programs/Xserver/dbe/dbe.c
+++ b/nx-X11/programs/Xserver/dbe/dbe.c
@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client)
if (nStuff == 0)
{
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return(Success);
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client)
ClientPtr client;
{
REQUEST(xDbeSwapBuffersReq);
- register int i, n;
+ unsigned int i, n;
xDbeSwapInfo *pSwapInfo;
@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client)
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n, n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
{
--
2.1.4
debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch 0 → 100644
View file @ 45878811
From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 10:54:41 -0800
Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension
[CVE-2014-8095]
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xi/chgdctl.c
Xi/chgfctl.c
Xi/xiallowev.c
Xi/xichangecursor.c
Xi/xichangehierarchy.c
Xi/xigetclientpointer.c
Xi/xigrabdev.c
Xi/xipassivegrab.c
Xi/xiproperty.c
Xi/xiquerydevice.c
Xi/xiquerypointer.c
Xi/xiselectev.c
Xi/xisetclientpointer.c
Xi/xisetdevfocus.c
Xi/xiwarppointer.c
[RHEL5: Xi/xi* files are XI2 ]
---
nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++--
nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++
nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++
nx-X11/programs/Xserver/include/dix.h | 4 ++++
4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
index 63a3c9c..144a51e 100644
--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control, n);
return(ProcXChangeDeviceControl(client));
}
@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
CARD32 *resolution;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
dev = LookupDeviceIntRec (stuff->deviceid);
diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
index fe8bd1f..3ffac39 100644
--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped)
{
+ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
+ return BadLength;
swaps(&f->num_keysyms,n);
}
if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
index 9b441f2..0b2a701 100644
--- a/nx-X11/programs/Xserver/Xi/sendexev.c
+++ b/nx-X11/programs/Xserver/Xi/sendexev.c
@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
return Success;
}
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
index d82979c..9fe575e 100644
--- a/nx-X11/programs/Xserver/include/dix.h
+++ b/nx-X11/programs/Xserver/include/dix.h
@@ -73,6 +73,10 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
((n >> 2) >= client->req_len) || \
--
2.1.4
debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch 0 → 100644
View file @ 45878811
From 0d53194f7ef5980a7cd78950a4f3eb2b56e65746 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 17:18:54 -0800
Subject: [PATCH 25/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
[CVE-2014-8096]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
nx-X11/programs/Xserver/Xext/xcmisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/nx-X11/programs/Xserver/Xext/xcmisc.c b/nx-X11/programs/Xserver/Xext/xcmisc.c
index c7bb72d..0a9a090 100644
--- a/nx-X11/programs/Xserver/Xext/xcmisc.c
+++ b/nx-X11/programs/Xserver/Xext/xcmisc.c
@@ -228,6 +228,7 @@ SProcXCMiscGetXIDList(client)
{
register int n;
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length, n);
swapl(&stuff->count, n);
--
2.1.4
debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch 0 → 100644
View file @ 45878811
From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:23:17 -0800
Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped
procs [CVE-2014-8099]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xext/xvdisp.c
---
nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c
index 21ab0b6..b361c0f 100644
--- a/nx-X11/programs/Xserver/Xext/xvdisp.c
+++ b/nx-X11/programs/Xserver/Xext/xvdisp.c
@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client)
{
register char n;
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length, n);
return ProcXvQueryExtension(client);
}
@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client)
{
register char n;
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return ProcXvQueryAdaptors(client);
@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client)
{
register char n;
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryEncodings(client);
@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client)
{
register char n;
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client)
{
register char n;
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client)
{
register char n;
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client)
{
register char n;
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client)
{
register char n;
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client)
{
register char n;
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client)
{
register char n;
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client)
{
register char n;
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client)
{
register char n;
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->drawable, n);
return ProcXvSelectVideoNotify(client);
@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client)
{
register char n;
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvSelectPortNotify(client);
@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client)
{
register char n;
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client)
{
register char n;
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client)
{
register char n;
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client)
{
register char n;
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swaps(&stuff->vid_w, n);
@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client)
{
register char n;
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryPortAttributes(client);
@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client)
{
register char n;
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->id, n);
swaps(&stuff->width, n);
@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client)
{
register char n;
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvListImageFormats(client);
--
2.1.4
debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch 0 → 100644
View file @ 45878811
From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 28 Oct 2014 10:30:04 +0100
Subject: [PATCH 27/40] render: check request size before reading it
[CVE-2014-8100 1/2]
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
---
nx-X11/programs/Xserver/render/render.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index d25d497..ebbce81 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client)
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
--
2.1.4
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch 0 → 100644
View file @ 45878811
From 9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:51:29 -0800
Subject: [PATCH 28/40] render: unvalidated lengths in Render extn. swapped
procs [CVE-2014-8100 2/2]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
render/render.c
---
nx-X11/programs/Xserver/render/render.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index ebbce81..eee21db 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n);
swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->pid, n);
swapl(&stuff->drawable, n);
@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swapl(&stuff->mask, n);
@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client)
{
register int n;
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
SwapRestS(stuff);
@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client)
{
register int n;
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->mask, n);
@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client)
{
register int n;
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->dst, n);
@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->format, n);
@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->existing, n);
@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end;
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n);
@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
SwapRestL(stuff);
@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
-
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
switch (stuff->renderReqType) {
default: size = 1; break;
case X_RenderCompositeGlyphs16: size = 2; break;
--
2.1.4
debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch 0 → 100644
View file @ 45878811
From c12a473f29cfadb62d38b0fffc36762d8e626676 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 20:02:20 -0800
Subject: [PATCH 29/40] xfixes: unvalidated length in
SProcXFixesSelectSelectionInput [CVE-2014-8102]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Conflicts:
xfixes/select.c
---
nx-X11/programs/Xserver/xfixes/select.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/nx-X11/programs/Xserver/xfixes/select.c b/nx-X11/programs/Xserver/xfixes/select.c
index c72e19e..4b8bd01 100755
--- a/nx-X11/programs/Xserver/xfixes/select.c
+++ b/nx-X11/programs/Xserver/xfixes/select.c
@@ -216,6 +216,7 @@ SProcXFixesSelectSelectionInput (ClientPtr client)
register int n;
REQUEST(xXFixesSelectSelectionInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
swapl(&stuff->selection, n);
--
2.1.4
debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch 0 → 100644
View file @ 45878811
From cea44678dd6a9418460ead314fb2106924b081f7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:38:09 -0800
Subject: [PATCH 30/40] randr: unvalidated lengths in RandR extension swapped
procs [CVE-2014-8101]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c
index 80d16b7..c4425ec 100644
--- a/nx-X11/programs/Xserver/randr/rrsdispatch.c
+++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c
@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
register int n;
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
swapl(&stuff->minorVersion, n);
@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
register int n;
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
register int n;
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
swaps(&stuff->enable, n);
--
2.1.4
debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch 0 → 100644
View file @ 45878811
From 5c43bb2484414b37115dac56dc76f1ecf4c05837 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:36 -0500
Subject: [PATCH 31/40] glx: Be more paranoid about variable-length requests
[CVE-2014-8093 1/6] (v2)
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
v2: backport to RHEL5 - fix swap paths
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fixup swaps
---
nx-X11/programs/Xserver/GL/glx/glxcmds.c | 4 ++--
nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
index ca5eee8..02f3ba7 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
@@ -1484,7 +1484,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
return BadLength;
@@ -1601,7 +1601,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
*/
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 595e814..027cba7 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -535,7 +535,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
return BadLength;
@@ -659,7 +659,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
*/
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
--
2.1.4
debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch 0 → 100644
View file @ 45878811
From cdf0c3e65670c797a4fd0617d44d2bdff4011815 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:37 -0500
Subject: [PATCH 32/40] glx: Be more strict about rejecting invalid image sizes
[CVE-2014-8093 2/6]
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/singlepix.c | 14 +++++++-------
nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 14 +++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c
index 845c46a..be804d8 100644
--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c
+++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c
@@ -70,7 +70,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -130,7 +130,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -227,7 +227,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
if (compsize2 < 0) compsize2 = 0;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -291,7 +291,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -346,7 +346,7 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -389,7 +389,7 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -436,7 +436,7 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
index ff68ece..cdc6f16 100644
--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
@@ -79,7 +79,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -148,7 +148,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -257,7 +257,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
if (compsize2 < 0) compsize2 = 0;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -328,7 +328,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -390,7 +390,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -439,7 +439,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -491,7 +491,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0) return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
--
2.1.4
debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch 0 → 100644
View file @ 45878811
From d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:38 -0500
Subject: [PATCH 33/40] glx: Additional paranoia in __glXGetAnswerBuffer /
__GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/unpack.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/unpack.h b/nx-X11/programs/Xserver/GL/glx/unpack.h
index 723fb85..94bdae8 100644
--- a/nx-X11/programs/Xserver/GL/glx/unpack.h
+++ b/nx-X11/programs/Xserver/GL/glx/unpack.h
@@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \
--
2.1.4
debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch 0 → 100644
View file @ 45878811
From 1a9f23118787be611b6db51e4eac864c43c702d9 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:40 -0500
Subject: [PATCH 34/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
(v4)
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
v4: RHEL5: add limits.h, use inline
v5: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/glxserver.h | 41 ++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
index e8449b2..4047574 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
@@ -54,6 +54,7 @@
#include "GL/glx_ansic.h"
+#include <limits.h>
/*
** The X header misc.h defines these math functions.
*/
@@ -223,6 +224,46 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
/*
* Routines for computing the size of variably-sized rendering commands.
*/
+static __inline__ int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static __inline__ int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static __inline__ int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
--
2.1.4
debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch 0 → 100644
View file @ 45878811
From 78b38a8a37e6105360c82a710ef62c92643ea4c1 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 10 Nov 2014 12:13:41 -0500
Subject: [PATCH 35/40] glx: Length checking for GLXRender requests (v2)
[CVE-2014-8098 2/8] (v3)
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
v3: backport to RHEL5 hit old paths
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/glxcmds.c | 20 ++++++++++----------
nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 20 ++++++++++----------
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
index 02f3ba7..831c65b 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
@@ -1443,7 +1443,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData *entry;
- int extra;
+ int extra = 0;
void (* proc)(GLbyte *);
/*
@@ -1454,6 +1454,9 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -1480,22 +1483,19 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
client->errorValue = commandsDone;
return __glXBadRenderRequest;
}
+
+ if (cmdlen < entry->bytes) {
+ return BadLength;
+ }
+
if (entry->varsize) {
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
if (extra < 0) {
return BadLength;
}
- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes)) {
- return BadLength;
- }
}
- if (left < cmdlen) {
+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
return BadLength;
}
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 027cba7..7174fda 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -498,7 +498,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData *entry;
- int extra;
+ int extra = 0;
void (* proc)(GLbyte *);
/*
@@ -511,6 +511,9 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
if ( (opcode >= __GLX_MIN_RENDER_OPCODE) &&
(opcode <= __GLX_MAX_RENDER_OPCODE) ) {
entry = &__glXRenderSizeTable[opcode];
@@ -531,22 +534,19 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
client->errorValue = commandsDone;
return __glXBadRenderRequest;
}
+
+ if (cmdlen < entry->bytes) {
+ return BadLength;
+ }
+
if (entry->varsize) {
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
if (extra < 0) {
return BadLength;
}
- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes)) {
- return BadLength;
- }
}
- if (left < cmdlen) {
+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
return BadLength;
}
--
2.1.4
debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch 0 → 100644
View file @ 45878811
From ddb1235bc621d06bf28309be70c173ae06131edf Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:42 -0500
Subject: [PATCH 36/40] glx: Integer overflow protection for non-generated
render requests (v3) [CVE-2014-8093 5/6]
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/rensize.c | 68 +++++++++++++++++---------------
1 file changed, 37 insertions(+), 31 deletions(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
index 7ab02d2..9bf0d00 100644
--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
@@ -167,16 +167,10 @@ int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
return __glXTexEnvfvReqSize( pc, swap );
}
-static int Map1Size( GLint k, GLint order)
-{
- if (order <= 0 || k < 0) return -1;
- return k * order;
-}
-
int __glXMap1dReqSize(GLbyte *pc, Bool swap )
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum*) (pc + 16);
order = *(GLint*) (pc + 20);
@@ -184,14 +178,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glMap1d_size( target );
- return 8 * Map1Size( k, order );
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
int __glXMap1fReqSize(GLbyte *pc, Bool swap )
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *)(pc + 0);
order = *(GLint *)(pc + 12);
@@ -199,20 +194,21 @@ int __glXMap1fReqSize(GLbyte *pc, Bool swap )
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1;
- return k * majorOrder * minorOrder;
+ if (majorOrder < 1 || minorOrder < 1) return -1;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
int __glXMap2dReqSize(GLbyte *pc, Bool swap )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 32);
uorder = *(GLint *)(pc + 36);
@@ -222,14 +218,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glMap2d_size( target );
- return 8 * Map2Size( k, uorder, vorder );
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
int __glXMap2fReqSize(GLbyte *pc, Bool swap )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 0);
uorder = *(GLint *)(pc + 12);
@@ -239,8 +234,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glMap2f_size( target );
- return 4 * Map2Size( k, uorder, vorder );
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
@@ -315,13 +309,16 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w==0 || h==0 || d == 0) return 0;
+ /* proxy targets have no data */
switch( target ) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
@@ -338,6 +335,12 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -345,11 +348,13 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
groupsPerRow = w;
}
rowSize = (groupsPerRow + 7) >> 3;
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+ return safe_mul(safe_add(h, skipRows), rowSize);
} else {
switch(format) {
case GL_COLOR_INDEX:
@@ -430,23 +435,25 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
} else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- } else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
@@ -873,10 +880,9 @@ int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize( format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment );
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize( format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment );
- return image1size + image2size;
+ return safe_add(safe_pad(image1size), image2size);
}
--
2.1.4
debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch 0 → 100644
View file @ 45878811
From ad29acd7697e18333e164b1746f61c5a9e29a436 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:44 -0500
Subject: [PATCH 37/40] glx: Top-level length checking for swapped
VendorPrivate requests [CVE-2014-8098 4/8]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 7174fda..2685355 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -797,10 +797,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -835,10 +837,12 @@ int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc)
int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
--
2.1.4
debian/patches/series
View file @ 45878811
......@@ -72,5 +72,45 @@
0991_fix-hr-typos.full+lite.patch
0991_fix-hr-typos.full.patch
0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch
1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
1027-render-check-request-size-before-reading-it-CVE-2014.patch
1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
1036-glx-Integer-overflow-protection-for-non-generated-re.patch
1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
1038-glx-Length-checking-for-non-generated-single-request.patch
1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment