From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Tue, 18 Aug 2020 14:46:32 +0200 Subject: [PATCH 1/4] Correct bounds checking in XkbSetNames() CVE-2020-14345 / ZDI 11428 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb --- xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/xkb/xkb.c b/xkb/xkb.c index d93078a6e..8e016cd74 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; #define CHK_REQ_KEY_RANGE(err,first,num,r) \ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) +static Bool +_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { + char *cstuff = (char *)stuff; + char *cfrom = (char *)from; + char *cto = (char *)to; + + return cfrom < cto && + cfrom >= cstuff && + cfrom < cstuff + ((size_t)client->req_len << 2) && + cto >= cstuff && + cto <= cstuff + ((size_t)client->req_len << 2); +} + /***====================================================================***/ int @@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, client->errorValue = _XkbErrCode2(0x04, stuff->firstType); return BadAccess; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) + return BadLength; old = tmp; tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); if (!tmp) { @@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, } width = (CARD8 *) tmp; tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); + if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) + return BadLength; type = &xkb->map->types[stuff->firstKTLevel]; for (i = 0; i < stuff->nKTLevels; i++, type++) { if (width[i] == 0) @@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, type->num_levels, width[i]); return BadMatch; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) + return BadLength; tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); if (!tmp) { client->errorValue = bad; @@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, client->errorValue = 0x08; return BadMatch; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, + tmp + Ones(stuff->indicators))) + return BadLength; tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, client->swapped, &bad); if (!tmp) { @@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, client->errorValue = 0x09; return BadMatch; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, + tmp + Ones(stuff->virtualMods))) + return BadLength; tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, (CARD32) stuff->virtualMods, client->swapped, &bad); @@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, client->errorValue = 0x0a; return BadMatch; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, + tmp + Ones(stuff->groupNames))) + return BadLength; tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, (CARD32) stuff->groupNames, client->swapped, &bad); @@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, stuff->nKeys); return BadValue; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) + return BadLength; tmp += stuff->nKeys; } if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { + if (!_XkbCheckRequestBounds(client, stuff, tmp, + tmp + (stuff->nKeyAliases * 2))) + return BadLength; tmp += stuff->nKeyAliases * 2; } if (stuff->which & XkbRGNamesMask) { @@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); return BadValue; } + if (!_XkbCheckRequestBounds(client, stuff, tmp, + tmp + stuff->nRadioGroups)) + return BadLength; tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); if (!tmp) { client->errorValue = bad; @@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client) /* check device-independent stuff */ tmp = (CARD32 *) &stuff[1]; + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbKeycodesNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { @@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client) return BadAtom; } } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbGeometryNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { @@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client) return BadAtom; } } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbSymbolsNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { @@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client) return BadAtom; } } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbPhysSymbolsNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { @@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client) return BadAtom; } } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbTypesNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { @@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client) return BadAtom; } } + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) + return BadLength; if (stuff->which & XkbCompatNameMask) { tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); if (!tmp) { -- GitLab From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Tue, 18 Aug 2020 14:49:04 +0200 Subject: [PATCH 2/4] Fix XIChangeHierarchy() integer underflow CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb --- Xi/xichangehierarchy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c index cbdd91258..504defe56 100644 --- a/Xi/xichangehierarchy.c +++ b/Xi/xichangehierarchy.c @@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; - len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); + len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; while (stuff->num_changes--) { -- GitLab From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Tue, 18 Aug 2020 14:52:29 +0200 Subject: [PATCH 3/4] Fix XkbSelectEvents() integer underflow CVE-2020-14361 ZDI-CAN 11573 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb --- xkb/xkbSwap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c index 1c1ed5ff4..50cabb90e 100644 --- a/xkb/xkbSwap.c +++ b/xkb/xkbSwap.c @@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) register unsigned bit, ndx, maskLeft, dataLeft, size; from.c8 = (CARD8 *) &stuff[1]; - dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); + dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) -- GitLab From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Tue, 18 Aug 2020 14:55:01 +0200 Subject: [PATCH 4/4] Fix XRecordRegisterClients() Integer underflow CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb --- record/record.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/record/record.c b/record/record.c index f2d38c877..be154525d 100644 --- a/record/record.c +++ b/record/record.c @@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client) } /* SProcRecordQueryVersion */ static int _X_COLD -SwapCreateRegister(xRecordRegisterClientsReq * stuff) +SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) { int i; XID *pClientID; @@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) swapl(&stuff->nRanges); pClientID = (XID *) &stuff[1]; if (stuff->nClients > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) return BadLength; for (i = 0; i < stuff->nClients; i++, pClientID++) { swapl(pClientID); } if (stuff->nRanges > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); @@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client) swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordCreateContext(client); } /* SProcRecordCreateContext */ @@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client) swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordRegisterClients(client); } /* SProcRecordRegisterClients */ -- GitLab