From 26120df7aae6b5bf8086fb4d871d3b1a07ddacdb Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Thu, 10 Oct 2024 10:37:28 +0200 Subject: [PATCH xserver] xkb: Fix buffer overflow in _XkbSetCompatMap() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer Tested-by: Peter Hutterer Reviewed-by: José Expósito (cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3) Part-of: --- xkb/xkb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xkb/xkb.c b/xkb/xkb.c index 8d52e25df..8b63e34b5 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, XkbSymInterpretPtr sym; unsigned int skipped = 0; - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; compat->sym_interpret = reallocarray(compat->sym_interpret, - compat->num_si, + compat->size_si, sizeof(XkbSymInterpretRec)); if (!compat->sym_interpret) { - compat->num_si = 0; + compat->num_si = compat->size_si = 0; return BadAlloc; } } -- 2.47.0