Resolves: https://issues.redhat.com/browse/RHEL-97278 Resolves: https://issues.redhat.com/browse/RHEL-97299 Resolves: https://issues.redhat.com/browse/RHEL-97374 Resolves: https://issues.redhat.com/browse/RHEL-97417 Resolves: https://issues.redhat.com/browse/RHEL-97249
90 lines
3.2 KiB
Diff
90 lines
3.2 KiB
Diff
From 6049e1b120c1aa93f23781c0976b1aad64f05f10 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 7 Apr 2025 16:13:34 +0200
|
|
Subject: [PATCH xserver 2/6] os: Do not overflow the integer size with
|
|
BigRequest
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The BigRequest extension allows request larger than the 16-bit length
|
|
limit.
|
|
|
|
It uses integers for the request length and checks for the size not to
|
|
exceed the maxBigRequestSize limit, but does so after translating the
|
|
length to integer by multiplying the given size in bytes by 4.
|
|
|
|
In doing so, it might overflow the integer size limit before actually
|
|
checking for the overflow, defeating the purpose of the test.
|
|
|
|
To avoid the issue, make sure to check that the request size does not
|
|
overflow the maxBigRequestSize limit prior to any conversion.
|
|
|
|
The caller Dispatch() function however expects the return value to be in
|
|
bytes, so we cannot just return the converted value in case of error, as
|
|
that would also overflow the integer size.
|
|
|
|
To preserve the existing API, we use a negative value for the X11 error
|
|
code BadLength as the function only return positive values, 0 or -1 and
|
|
update the caller Dispatch() function to take that case into account to
|
|
return the error code to the offending client.
|
|
|
|
CVE-2025-49176
|
|
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa)
|
|
---
|
|
dix/dispatch.c | 9 +++++----
|
|
os/io.c | 4 ++++
|
|
2 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/dix/dispatch.c b/dix/dispatch.c
|
|
index ba01de6cf..c71098ce9 100644
|
|
--- a/dix/dispatch.c
|
|
+++ b/dix/dispatch.c
|
|
@@ -464,9 +464,10 @@ Dispatch(void)
|
|
|
|
/* now, finally, deal with client requests */
|
|
result = ReadRequestFromClient(client);
|
|
- if (result <= 0) {
|
|
- if (result < 0)
|
|
- CloseDownClient(client);
|
|
+ if (result == 0)
|
|
+ break;
|
|
+ else if (result == -1) {
|
|
+ CloseDownClient(client);
|
|
break;
|
|
}
|
|
|
|
@@ -487,7 +488,7 @@ Dispatch(void)
|
|
client->index,
|
|
client->requestBuffer);
|
|
#endif
|
|
- if (result > (maxBigRequestSize << 2))
|
|
+ if (result < 0 || result > (maxBigRequestSize << 2))
|
|
result = BadLength;
|
|
else {
|
|
result = XaceHookDispatch(client, client->majorOp);
|
|
diff --git a/os/io.c b/os/io.c
|
|
index 5b7fac349..5fc05821c 100644
|
|
--- a/os/io.c
|
|
+++ b/os/io.c
|
|
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
|
|
needed = get_big_req_len(request, client);
|
|
}
|
|
client->req_len = needed;
|
|
+ if (needed > MAXINT >> 2) {
|
|
+ /* Check for potential integer overflow */
|
|
+ return -(BadLength);
|
|
+ }
|
|
needed <<= 2; /* needed is in bytes now */
|
|
}
|
|
if (gotnow < needed) {
|
|
--
|
|
2.49.0
|
|
|