From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Tue, 29 Nov 2022 13:26:57 +1000 Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of ProcXIChangeProperty This fixes an OOB read and the resulting information disclosure. Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->num_items value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check. The server then proceeded with reading at least stuff->num_items bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->num_items bytes, i.e. 4GB. The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, so let's fix that too. CVE-2022-46344, ZDI-CAN 19405 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer Acked-by: Olivier Fourdan --- Xi/xiproperty.c | 4 ++-- dix/property.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c index 68c362c628..066ba21fba 100644 --- a/Xi/xiproperty.c +++ b/Xi/xiproperty.c @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client) { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); diff --git a/dix/property.c b/dix/property.c index 94ef5a0ec0..acce94b2c6 100644 --- a/dix/property.c +++ b/dix/property.c @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) WindowPtr pWin; char format, mode; unsigned long len; - int sizeInBytes, totalSize, err; + int sizeInBytes, err; + uint64_t totalSize; REQUEST(xChangePropertyReq); -- 2.38.1