From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Tue, 29 Nov 2022 13:26:57 +1000 Subject: Xi: avoid integer truncation in length check of ProcXIChangeProperty This fixes an OOB read and the resulting information disclosure. Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->num_items value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check. The server then proceeded with reading at least stuff->num_items bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->num_items bytes, i.e. 4GB. The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, so let's fix that too. CVE-2022-46344, ZDI-CAN 19405 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer Acked-by: Olivier Fourdan --- Xi/xiproperty.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Xi') diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c index 68c362c62..066ba21fb 100644 --- a/Xi/xiproperty.c +++ b/Xi/xiproperty.c @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client) { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); -- cgit v1.2.3