Xi: avoid integer truncation in length check of ProcXIChangeProperty (8f454b79) · Commits · xorg / xserver · GitLab

Due to an influx of spam, we have had to impose restrictions on new accounts. Please see this wiki page for instructions on how to get full permissions. Sorry for the inconvenience.

Commit 8f454b79 authored Nov 29, 2022 by Peter Hutterer

Xi: avoid integer truncation in length check of ProcXIChangeProperty



This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>

parent b8a84cb0

Hide whitespace changes

Inline Side-by-side

Peter Hutterer @whot
mentioned in merge request !1216 (merged)
· Dec 13, 2023

mentioned in merge request !1216 (merged)

mentioned in merge request !1216

Toggle commit list

Please register or to comment