summaryrefslogtreecommitdiff
path: root/dix
diff options
context:
space:
mode:
authorPeter Hutterer <peter.hutterer@who-t.net>2022-11-29 13:26:57 +1000
committerPeter Hutterer <peter.hutterer@who-t.net>2022-12-14 11:02:40 +1000
commit8f454b793e1f13c99872c15f0eed1d7f3b823fe8 (patch)
tree34bec7eba46083d8c67cef8b384bc5f32083526f /dix
parentb8a84cb0f2807b07ab70ca9915fcdee21301b8ca (diff)
Xi: avoid integer truncation in length check of ProcXIChangeProperty
This fixes an OOB read and the resulting information disclosure. Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->num_items value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check. The server then proceeded with reading at least stuff->num_items bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->num_items bytes, i.e. 4GB. The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, so let's fix that too. CVE-2022-46344, ZDI-CAN 19405 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Diffstat (limited to 'dix')
-rw-r--r--dix/property.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/dix/property.c b/dix/property.c
index 94ef5a0ec..acce94b2c 100644
--- a/dix/property.c
+++ b/dix/property.c
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
WindowPtr pWin;
char format, mode;
unsigned long len;
- int sizeInBytes, totalSize, err;
+ int sizeInBytes, err;
+ uint64_t totalSize;
REQUEST(xChangePropertyReq);