    dix: Disallow GenericEvent in SendEvent request. · 215f8949
    Michal Srb authored
    The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
    no less. Both ProcSendEvent and SProcSendEvent verify that the received data
    exactly match the request size. However nothing stops the client from passing
    in an event with xEvent::type = GenericEvent and any value of
    xGenericEvent::length.
    
    In the case of ProcSendEvent, the event will be eventually passed to
    WriteEventsToClient which will see that it is Generic event and copy the
    arbitrary length from the receive buffer (and possibly past it) and send it to
    the other client. This allows clients to copy uninitialized heap memory out of X
    server or to crash it.
    
    In case of SProcSendEvent, it will attempt to swap the incoming event by
    calling a swapping function from the EventSwapVector array. The swapped event
    is written to target buffer, which in this case is local xEvent variable. The
    xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
    expect that the target buffer has size matching the size of the source
    GenericEvent. This allows clients to cause stack buffer overflows.
    Signed-off-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
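An added example, not the xserver's own code, modelling the problem the message describes: how much data the unchecked write path would copy for a client-supplied GenericEvent whose length field is under client control, beside a check in the spirit of the fix that rejects the type before it can reach the swap or write paths. The constants follow X11's X.h; the helper names and the host-byte-order length read are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Protocol constants from X11's X.h / Xproto.h. */
#define GenericEvent 35   /* xEvent::type of an XGE event */
#define SZ_XEVENT    32   /* every wire xEvent is exactly 32 bytes */
#define Success      0
#define BadValue     2
#define BadLength    16

/* Hypothetical helper: bytes the unchecked write path would copy. A GenericEvent
 * keeps a 32-bit length at offset 4 counting extra 4-byte units (host order). */
size_t event_wire_bytes(const uint8_t *ev)
{
    uint32_t extra = 0;
    if (ev[0] == GenericEvent)
        memcpy(&extra, ev + 4, sizeof extra);
    return SZ_XEVENT + (size_t)extra * 4;
}

/* Hypothetical check modelling the fix: SendEvent carries exactly one
 * 32-byte event, so a GenericEvent (whose length is client-controlled)
 * is rejected before it can reach the swap or write paths. */
int validate_sendevent(const uint8_t *ev, size_t len)
{
    if (len != SZ_XEVENT)
        return BadLength;
    if (ev[0] == GenericEvent)
        return BadValue;
    return Success;
}

/* Constructed sample: a 32-byte GenericEvent whose length field claims
 * 4096 further 4-byte units that the request never contained. */
size_t demo_overread_bytes(void)   /* what the unchecked path would copy */
{
    uint8_t ev[SZ_XEVENT] = { GenericEvent };
    uint32_t extra = 4096;
    memcpy(ev + 4, &extra, sizeof extra);
    return event_wire_bytes(ev);   /* 32 + 4 * 4096 = 16416 */
}

int demo_check(uint8_t type)       /* verdict of the hardened check */
{
    uint8_t ev[SZ_XEVENT] = { type };
    uint32_t extra = 4096;
    memcpy(ev + 4, &extra, sizeof extra);
    return validate_sendevent(ev, SZ_XEVENT);
}
```

The unchecked path trusts a length far past the 32 bytes the request actually delivered, which is the over-read the message describes; the check turns the same payload into a BadValue error while ordinary fixed-size events (type 2, KeyPress, in the test) still pass.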
swapreq.c