| From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001 |
| From: Peter Hutterer <peter.hutterer@who-t.net> |
| Date: Tue, 29 Nov 2022 12:55:45 +1000 |
| Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in |
| XTestSwapFakeInput |
| |
| XTestSwapFakeInput assumes all events in this request are |
| sizeof(xEvent) and iterates through these in 32-byte increments. |
| However, a GenericEvent may be of arbitrary length longer than 32 bytes, |
| so any GenericEvent in this list would result in subsequent events to be |
| misparsed. |
| |
| Additionally, the swapped event is written into a stack-allocated struct |
| xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, |
| swapping the event may thus smash the stack like an avocado on toast. |
| |
| Catch this case early and return BadValue for any GenericEvent. |
| Which is what would happen in unswapped setups anyway since XTest |
| doesn't support GenericEvent. |
| |
| CVE-2022-46340, ZDI-CAN 19265 |
| |
| This vulnerability was discovered by: |
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| |
| Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
| --- |
| Xext/xtest.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/Xext/xtest.c b/Xext/xtest.c |
| index bf27eb590b..2985a4ce6e 100644 |
| --- a/Xext/xtest.c |
| +++ b/Xext/xtest.c |
| @@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) |
| |
| nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); |
| for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { |
| + int evtype = ev->u.u.type & 0x177; |
| /* Swap event */ |
| - proc = EventSwapVector[ev->u.u.type & 0177]; |
| + proc = EventSwapVector[evtype]; |
| /* no swapping proc; invalid event type? */ |
| - if (!proc || proc == NotImplemented) { |
| + if (!proc || proc == NotImplemented || evtype == GenericEvent) { |
| client->errorValue = ev->u.u.type; |
| return BadValue; |
| } |
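Review bot: The mask on the added line `int evtype = ev->u.u.type & 0x177;` is hexadecimal, while the line it replaces used octal `0177` (0x7f), so the new code clears bit 3 of the event type instead of only the top bit. Any type with bit 3 set now selects a different `EventSwapVector` entry than before and would be byte-swapped with the wrong layout, or be rejected if the wrong slot is empty. With GenericEvent being 35 in the core protocol, a type of 43 would also reduce to 35 and get BadValue although it is not a GenericEvent. The index presumably still stays inside the table because `type` is a single byte, so this looks like a correctness regression rather than an out-of-bounds read, but the line should read `int evtype = ev->u.u.type & 0177;`. The loop sits inside XTestSwapFakeInput, whose body starts and ends outside this hunk.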
| -- |
| 2.38.1 |
| |