XLibre/xserver
1
1
Fork 0
mirror of https://github.com/X11Libre/xserver.git synced 2026-03-24 14:34:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4b925d388f76764dcb02dfd1cd7276262dcd7d74
xserver/Xi
History
Peter Hutterer 8a1fa008b2 Xi: avoid integer truncation in length check of ProcXIChangeProperty 
This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 8f454b793e)
2022-12-14 11:24:46 +10:00
..
allowev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
allowev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgdctl.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
chgdctl.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgfctl.c
Fix XChangeFeedbackControl() request underflow
2021-04-13 14:28:13 +02:00
chgfctl.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgkbd.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
chgkbd.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgkmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
chgkmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgprop.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
chgprop.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
chgptr.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
chgptr.h
Xi: Remove redundant declaration.
2012-05-14 13:17:30 +01:00
closedev.c
Fix spelling/wording issues
2020-07-05 13:07:33 -07:00
closedev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
devbell.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
devbell.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
exevents.c
dix: Correctly save replayed event into GrabInfoRec
2022-07-01 15:15:15 +03:00
exglobals.h
xinput: Remove PropagateMask
2020-03-30 21:48:11 +00:00
extinit.c
xi: Implement conversions from internal to Xi2 gesture event structs
2021-05-30 13:26:37 +03:00
getbmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getbmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getdctl.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getdctl.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getfctl.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getfctl.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getfocus.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getfocus.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getkmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getkmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getmmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getmmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getprop.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getprop.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getselev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getselev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
getvers.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
getvers.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
grabdev.c
Fix spelling/wording issues
2020-07-05 13:07:33 -07:00
grabdev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
grabdevb.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
grabdevb.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
grabdevk.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
grabdevk.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
gtmotion.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
gtmotion.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
listdev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
listdev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
Makefile.am
Build Xi/stubs.c once as a convenience library, rather than once for each DDX which wants to use it
2014-03-27 14:09:43 +00:00
meson.build
Add a Meson build system alongside autotools.
2017-04-26 15:25:27 -07:00
opendev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
opendev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
queryst.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
queryst.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
selectev.c
xinput: Remove ExtExclusiveMasks
2020-03-30 21:48:11 +00:00
selectev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
sendexev.c
Xi: Do not try to swap GenericEvent.
2017-06-19 11:58:56 +10:00
sendexev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
setbmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
setbmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
setdval.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
setdval.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
setfocus.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
setfocus.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
setmmap.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
setmmap.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
setmode.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
setmode.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
stubs.c
ddx: add new call to purge input devices that weren't added
2016-10-26 15:35:07 +10:00
ungrdev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
ungrdev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
ungrdevb.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
ungrdevb.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
ungrdevk.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
ungrdevk.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiallowev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xiallowev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xibarriers.c
Xi: lock the input thread for any pointer barrier list manipulation
2019-02-14 09:10:58 +10:00
xibarriers.h
Xi: free barrier code at reset time
2013-05-07 09:41:19 +10:00
xichangecursor.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xichangecursor.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xichangehierarchy.c
Fix XIChangeHierarchy() integer underflow
2020-08-25 17:01:29 +02:00
xichangehierarchy.h
xinput: Silence a warning from gcc 11
2021-08-17 16:02:44 -04:00
xigetclientpointer.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xigetclientpointer.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xigrabdev.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xigrabdev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xipassivegrab.c
Xi: disallow passive grabs with a detail > 255
2022-12-14 11:24:39 +10:00
xipassivegrab.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiproperty.c
Xi: avoid integer truncation in length check of ProcXIChangeProperty
2022-12-14 11:24:46 +10:00
xiproperty.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiquerydevice.c
Xi: Work around broken libxcb that doesn't ignore unknown device classes
2021-05-30 13:46:59 +03:00
xiquerydevice.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiquerypointer.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xiquerypointer.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiqueryversion.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xiqueryversion.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiselectev.c
xi: Implement selection logic for gesture event types
2021-05-30 13:26:33 +03:00
xiselectev.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xisetclientpointer.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xisetclientpointer.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xisetdevfocus.c
dispatch: Mark swapped dispatch as _X_COLD
2017-03-01 10:16:20 -05:00
xisetdevfocus.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00
xiwarppointer.c
Xi: Use WarpPointerProc hook on XI pointer warping implementation
2017-06-07 14:49:04 +10:00
xiwarppointer.h
Introduce a consistent coding style
2012-03-21 13:54:42 -07:00