CVE-2015-0255.patch revision 1432
1432N/AFrom 747cea16c4de1f48e838e1388301a2e24a3da6c4 Mon Sep 17 00:00:00 2001
1432N/AFrom: Olivier Fourdan <ofourdan@redhat.com>
1432N/ADate: Fri, 16 Jan 2015 20:08:59 +0100
1432N/ASubject: [PATCH 1/2] xkb: Don't swap XkbSetGeometry data in the input buffer
1432N/A
1432N/AThe XkbSetGeometry request embeds data which needs to be swapped when the
1432N/Aserver and the client have different endianness.
1432N/A
1432N/A_XkbSetGeometry() invokes functions that swap these data directly in the
1432N/Ainput buffer.
1432N/A
1432N/AHowever, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
1432N/A(if there is more than one keyboard), thus causing on swapped clients the
1432N/Asame data to be swapped twice in memory, further causing a server crash
1432N/Abecause the string lengths on the second time are way off bounds.
1432N/A
1432N/ATo allow _XkbSetGeometry() to run reliably more than once with swapped
1432N/Aclients, do not swap the data in the buffer, use variables instead.
1432N/A
1432N/ASigned-off-by: Olivier Fourdan <ofourdan@redhat.com>
1432N/ASigned-off-by: Peter Hutterer <peter.hutterer@who-t.net>
1432N/A(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
1432N/A(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
1432N/ASigned-off-by: Julien Cristau <jcristau@debian.org>
1432N/A---
1432N/A xkb/xkb.c | 35 +++++++++++++++++++----------------
1432N/A 1 file changed, 19 insertions(+), 16 deletions(-)
1432N/A
1432N/Adiff --git a/xkb/xkb.c b/xkb/xkb.c
1432N/Aindex dc570f0..6fc938b 100644
1432N/A--- a/xkb/xkb.c
1432N/A+++ b/xkb/xkb.c
1432N/A@@ -4961,14 +4961,13 @@ static char *
1432N/A _GetCountedString(char **wire_inout, Bool swap)
1432N/A {
1432N/A char *wire, *str;
1432N/A- CARD16 len, *plen;
1432N/A+ CARD16 len;
1432N/A
1432N/A wire = *wire_inout;
1432N/A- plen = (CARD16 *) wire;
1432N/A+ len = *(CARD16 *) wire;
1432N/A if (swap) {
1432N/A- swaps(plen);
1432N/A+ swaps(&len);
1432N/A }
1432N/A- len = *plen;
1432N/A str = malloc(len + 1);
1432N/A if (str) {
1432N/A memcpy(str, &wire[2], len);
1432N/A@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
1432N/A {
1432N/A char *wire;
1432N/A xkbDoodadWireDesc *dWire;
1432N/A+ xkbAnyDoodadWireDesc any;
1432N/A+ xkbTextDoodadWireDesc text;
1432N/A XkbDoodadPtr doodad;
1432N/A
1432N/A dWire = (xkbDoodadWireDesc *) (*wire_inout);
1432N/A+ any = dWire->any;
1432N/A wire = (char *) &dWire[1];
1432N/A if (client->swapped) {
1432N/A- swapl(&dWire->any.name);
1432N/A- swaps(&dWire->any.top);
1432N/A- swaps(&dWire->any.left);
1432N/A- swaps(&dWire->any.angle);
1432N/A+ swapl(&any.name);
1432N/A+ swaps(&any.top);
1432N/A+ swaps(&any.left);
1432N/A+ swaps(&any.angle);
1432N/A }
1432N/A CHK_ATOM_ONLY(dWire->any.name);
1432N/A- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
1432N/A+ doodad = XkbAddGeomDoodad(geom, section, any.name);
1432N/A if (!doodad)
1432N/A return BadAlloc;
1432N/A doodad->any.type = dWire->any.type;
1432N/A doodad->any.priority = dWire->any.priority;
1432N/A- doodad->any.top = dWire->any.top;
1432N/A- doodad->any.left = dWire->any.left;
1432N/A- doodad->any.angle = dWire->any.angle;
1432N/A+ doodad->any.top = any.top;
1432N/A+ doodad->any.left = any.left;
1432N/A+ doodad->any.angle = any.angle;
1432N/A switch (doodad->any.type) {
1432N/A case XkbOutlineDoodad:
1432N/A case XkbSolidDoodad:
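Review bot: The atom check `CHK_ATOM_ONLY(dWire->any.name);` still examines the raw wire value, while the swapped copy `any.name` is what is passed to XkbAddGeomDoodad on the very next line, so for a swapped client the check and the use look at different atoms and the check can accept or reject the wrong one. Since this hunk now keeps the byte-swapped fields in `any`, the check should read the same variable: `CHK_ATOM_ONLY(any.name);`. _CheckSetDoodad begins before and continues past this hunk.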
1432N/A@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
1432N/A dWire->text.colorNdx);
1432N/A return BadMatch;
1432N/A }
1432N/A+ text = dWire->text;
1432N/A if (client->swapped) {
1432N/A- swaps(&dWire->text.width);
1432N/A- swaps(&dWire->text.height);
1432N/A+ swaps(&text.width);
1432N/A+ swaps(&text.height);
1432N/A }
1432N/A- doodad->text.width = dWire->text.width;
1432N/A- doodad->text.height = dWire->text.height;
1432N/A+ doodad->text.width = text.width;
1432N/A+ doodad->text.height = text.height;
1432N/A doodad->text.color_ndx = dWire->text.colorNdx;
1432N/A doodad->text.text = _GetCountedString(&wire, client->swapped);
1432N/A doodad->text.font = _GetCountedString(&wire, client->swapped);
1432N/A--
1432N/A1.7.9.2
1432N/A
1432N/AFrom 8f61533b16635a0a13f4048235246edb138fa40b Mon Sep 17 00:00:00 2001
1432N/AFrom: Olivier Fourdan <ofourdan@redhat.com>
1432N/ADate: Fri, 16 Jan 2015 08:44:45 +0100
1432N/ASubject: [PATCH 2/2] xkb: Check strings length against request size
1432N/A
1432N/AEnsure that the lengths of the given strings in an XkbSetGeometry request
1432N/Aremain within the limits of the size of the request.
1432N/A
1432N/ASigned-off-by: Olivier Fourdan <ofourdan@redhat.com>
1432N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1432N/ASigned-off-by: Peter Hutterer <peter.hutterer@who-t.net>
1432N/A(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
1432N/A(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
1432N/ASigned-off-by: Julien Cristau <jcristau@debian.org>
1432N/A---
1432N/A xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++------------------------
1432N/A 1 file changed, 40 insertions(+), 25 deletions(-)
1432N/A
1432N/Adiff --git a/xkb/xkb.c b/xkb/xkb.c
1432N/Aindex 6fc938b..c8a9e9e 100644
1432N/A--- a/xkb/xkb.c
1432N/A+++ b/xkb/xkb.c
1432N/A@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
1432N/A
1432N/A /***====================================================================***/
1432N/A
1432N/A-static char *
1432N/A-_GetCountedString(char **wire_inout, Bool swap)
1432N/A+static Status
1432N/A+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
1432N/A {
1432N/A- char *wire, *str;
1432N/A+ char *wire, *next;
1432N/A CARD16 len;
1432N/A
1432N/A wire = *wire_inout;
1432N/A len = *(CARD16 *) wire;
1432N/A- if (swap) {
1432N/A+ if (client->swapped) {
1432N/A swaps(&len);
1432N/A }
1432N/A- str = malloc(len + 1);
1432N/A- if (str) {
1432N/A- memcpy(str, &wire[2], len);
1432N/A- str[len] = '\0';
1432N/A- }
1432N/A- wire += XkbPaddedSize(len + 2);
1432N/A- *wire_inout = wire;
1432N/A- return str;
1432N/A+ next = wire + XkbPaddedSize(len + 2);
1432N/A+ /* Check we're still within the size of the request */
1432N/A+ if (client->req_len <
1432N/A+ bytes_to_int32(next - (char *) client->requestBuffer))
1432N/A+ return BadValue;
1432N/A+ *str = malloc(len + 1);
1432N/A+ if (!*str)
1432N/A+ return BadAlloc;
1432N/A+ memcpy(*str, &wire[2], len);
1432N/A+ *(*str + len) = '\0';
1432N/A+ *wire_inout = next;
1432N/A+ return Success;
1432N/A }
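Review bot: The two-byte length field is dereferenced at `len = *(CARD16 *) wire;` before the new size check runs, so the check only covers the string body, not the header read itself; if the fields consumed so far already reach the end of the request, those two bytes are read past it. A guard on the header before the dereference closes that gap, along the lines of `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;` placed ahead of the `len` assignment, with the existing check kept for the body. Separately, `*(*str + len) = '\0';` reads more naturally as `(*str)[len] = '\0';`.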
1432N/A
1432N/A static Status
1432N/A@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
1432N/A xkbAnyDoodadWireDesc any;
1432N/A xkbTextDoodadWireDesc text;
1432N/A XkbDoodadPtr doodad;
1432N/A+ Status status;
1432N/A
1432N/A dWire = (xkbDoodadWireDesc *) (*wire_inout);
1432N/A any = dWire->any;
1432N/A@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
1432N/A doodad->text.width = text.width;
1432N/A doodad->text.height = text.height;
1432N/A doodad->text.color_ndx = dWire->text.colorNdx;
1432N/A- doodad->text.text = _GetCountedString(&wire, client->swapped);
1432N/A- doodad->text.font = _GetCountedString(&wire, client->swapped);
1432N/A+ status = _GetCountedString(&wire, client, &doodad->text.text);
1432N/A+ if (status != Success)
1432N/A+ return status;
1432N/A+ status = _GetCountedString(&wire, client, &doodad->text.font);
1432N/A+ if (status != Success) {
1432N/A+ free (doodad->text.text);
1432N/A+ return status;
1432N/A+ }
1432N/A break;
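Review bot: After `free (doodad->text.text);` on the failure path for the font string, `doodad->text.text` still holds the freed pointer, and `doodad` was already attached to the geometry by XkbAddGeomDoodad earlier in this function; if the caller tears down the partially built geometry on error, which I cannot see from here, that string would be freed a second time. Clearing the field right after the free, `doodad->text.text = NULL;`, makes the cleanup safe regardless of what the caller does with the geometry. The call is also written `free (…)` with a space, unlike `free(name)` elsewhere in this file. _CheckSetDoodad begins before and continues past this hunk.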
1432N/A case XkbIndicatorDoodad:
1432N/A if (dWire->indicator.onColorNdx >= geom->num_colors) {
1432N/A@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
1432N/A }
1432N/A doodad->logo.color_ndx = dWire->logo.colorNdx;
1432N/A doodad->logo.shape_ndx = dWire->logo.shapeNdx;
1432N/A- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
1432N/A+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
1432N/A+ if (status != Success)
1432N/A+ return status;
1432N/A break;
1432N/A default:
1432N/A client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
1432N/A@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
1432N/A char *wire;
1432N/A
1432N/A wire = (char *) &req[1];
1432N/A- geom->label_font = _GetCountedString(&wire, client->swapped);
1432N/A+ status = _GetCountedString(&wire, client, &geom->label_font);
1432N/A+ if (status != Success)
1432N/A+ return status;
1432N/A
1432N/A for (i = 0; i < req->nProperties; i++) {
1432N/A char *name, *val;
1432N/A
1432N/A- name = _GetCountedString(&wire, client->swapped);
1432N/A- if (!name)
1432N/A- return BadAlloc;
1432N/A- val = _GetCountedString(&wire, client->swapped);
1432N/A- if (!val) {
1432N/A+ status = _GetCountedString(&wire, client, &name);
1432N/A+ if (status != Success)
1432N/A+ return status;
1432N/A+ status = _GetCountedString(&wire, client, &val);
1432N/A+ if (status != Success) {
1432N/A free(name);
1432N/A- return BadAlloc;
1432N/A+ return status;
1432N/A }
1432N/A if (XkbAddGeomProperty(geom, name, val) == NULL) {
1432N/A free(name);
1432N/A@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
1432N/A for (i = 0; i < req->nColors; i++) {
1432N/A char *name;
1432N/A
1432N/A- name = _GetCountedString(&wire, client->swapped);
1432N/A- if (!name)
1432N/A- return BadAlloc;
1432N/A+ status = _GetCountedString(&wire, client, &name);
1432N/A+ if (status != Success)
1432N/A+ return status;
1432N/A if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
1432N/A free(name);
1432N/A return BadAlloc;
1432N/A--
1432N/A1.7.9.2
1432N/A