x11-base/xwayland/files/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch - third_party/overlays/chromiumos-overlay - Git at Google

 From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 29 Nov 2022 13:26:57 +1000
 Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
  ProcXIChangeProperty

 This fixes an OOB read and the resulting information disclosure.

 Length calculation for the request was clipped to a 32-bit integer. With
 the correct stuff->num_items value the expected request size was
 truncated, passing the REQUEST_FIXED_SIZE check.

 The server then proceeded with reading at least stuff->num_items bytes
 (depending on stuff->format) from the request and stuffing whatever it
 finds into the property. In the process it would also allocate at least
 stuff->num_items bytes, i.e. 4GB.

 The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
 so let's fix that too.

 CVE-2022-46344, ZDI-CAN 19405

 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 Acked-by: Olivier Fourdan <ofourdan@redhat.com>
 ---
  Xi/xiproperty.c | 4 ++--
  dix/property.c  | 3 ++-
  2 files changed, 4 insertions(+), 3 deletions(-)

 diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
 index 68c362c628..066ba21fba 100644
 --- a/Xi/xiproperty.c
 +++ b/Xi/xiproperty.c
 @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
      REQUEST(xChangeDevicePropertyReq);
      DeviceIntPtr dev;
      unsigned long len;
 -    int totalSize;
 +    uint64_t totalSize;
      int rc;

      REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
 @@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
  {
      int rc;
      DeviceIntPtr dev;
 -    int totalSize;
 +    uint64_t totalSize;
      unsigned long len;

      REQUEST(xXIChangePropertyReq);
 diff --git a/dix/property.c b/dix/property.c
 index 94ef5a0ec0..acce94b2c6 100644
 --- a/dix/property.c
 +++ b/dix/property.c
 @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
      WindowPtr pWin;
      char format, mode;
      unsigned long len;
 -    int sizeInBytes, totalSize, err;
 +    int sizeInBytes, err;
 +    uint64_t totalSize;

      REQUEST(xChangePropertyReq);

 --
 2.38.1
	From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
	From: Peter Hutterer <peter.hutterer@who-t.net>
	Date: Tue, 29 Nov 2022 13:26:57 +1000
	Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
	ProcXIChangeProperty

	This fixes an OOB read and the resulting information disclosure.

	Length calculation for the request was clipped to a 32-bit integer. With
	the correct stuff->num_items value the expected request size was
	truncated, passing the REQUEST_FIXED_SIZE check.

	The server then proceeded with reading at least stuff->num_items bytes
	(depending on stuff->format) from the request and stuffing whatever it
	finds into the property. In the process it would also allocate at least
	stuff->num_items bytes, i.e. 4GB.

	The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
	so let's fix that too.

	CVE-2022-46344, ZDI-CAN 19405

	This vulnerability was discovered by:
	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
	---
	Xi/xiproperty.c \| 4 ++--
	dix/property.c \| 3 ++-
	2 files changed, 4 insertions(+), 3 deletions(-)

	diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
	index 68c362c628..066ba21fba 100644
	--- a/Xi/xiproperty.c
	+++ b/Xi/xiproperty.c
	@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
	REQUEST(xChangeDevicePropertyReq);
	DeviceIntPtr dev;
	unsigned long len;
	- int totalSize;
	+ uint64_t totalSize;
	int rc;

	REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
	@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
	{
	int rc;
	DeviceIntPtr dev;
	- int totalSize;
	+ uint64_t totalSize;
	unsigned long len;

	REQUEST(xXIChangePropertyReq);
	diff --git a/dix/property.c b/dix/property.c
	index 94ef5a0ec0..acce94b2c6 100644
	--- a/dix/property.c
	+++ b/dix/property.c
	@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
	WindowPtr pWin;
	char format, mode;
	unsigned long len;
	- int sizeInBytes, totalSize, err;
	+ int sizeInBytes, err;
	+ uint64_t totalSize;

	REQUEST(xChangePropertyReq);

	--
	2.38.1