dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]

GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c

dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
b6b5b14e · Alan Coopersmith · Mihai Moldovan · 03a2922d · b6b5b14e
Commit b6b5b14e authored Jan 06, 2014 by Alan Coopersmith Committed by Mihai Moldovan Feb 16, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

access.c nx-X11/programs/Xserver/os/access.c +6 -0

No files found.
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1719,6 +1719,10 @@ GetHosts (
    {
 	nHosts++;
 	n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1024*1024)
+            break;
    }
    if (n)
    {
@@ -1730,6 +1734,8 @@ GetHosts (
        for (host = validhosts; host; host = host->next)
 	{
 	    len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+                break;
 	    ((xHostEntry *)ptr)->family = host->family;
 	    ((xHostEntry *)ptr)->length = len;
 	    ptr += sizeof(xHostEntry);